Insecure Use of Cryptography

Why is this important?

Cryptography is hard. And when it is used in an application, it's usually to make sure user data is secure in transit and at rest. Cryptographic libraries are not always easy to use and can even contain insecurities. They often require the Developer to have a good understanding of the primitives available and expect the Developer to make the right choices. A great cryptographic library has minimal knobs and dials and uses the best cryptographic primitives by default thus freeing the Developer from having to understand the primitives and make the right decisions.

Check out this video for a high-level explanation:

Fixing Insecure Use of Cryptography

ios_sha1_collision ios_weak_hash

Option A: Use a strong hashing function

The algorithms SHA-1, MD2, MD4 and MD5 are not a recommended MessageDigest. The security of the MD5 hash function is severely compromised. A collision attack exists that can find collisions within seconds on a computer with a 2.6 GHz Pentium 4 processor. Further, there is also a chosen-prefix collision attack that can produce a collision for two inputs with specified prefixes within hours, using off-the-shelf computing hardware.

PBKDF2 with SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, or SHA-512/256 are acceptable for all hash function use-cases.

Detailed Instructions

1. Go through the issues that GuardRails identified in the PR.
2. Identify patterns like MD3/MD4/MD5/SHA1
3. And replace them with the secure alternative CC_SHA256.
4. Test it
5. Ship it 🚢 and relax 🌴

References

• Insecure or Deprecated Crypto
• Qualys blog: SHA1 Deprecation: What You Need to Know
• Google Online Security Blog: Gradually sunsetting SHA-1
• NIST: Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths
• Stackoverflow: Reliable implementation of PBKDF2-HMAC-SHA256 for Java
• CWE-327: Use of a Broken or Risky Cryptographic Algorithm

Option B: Use Strong Ciphers

Cryptography is a complex topic and there are many ways it can be used insecurely.

The following issues are identified by GuardRails and can be easily avoided.

Padding Oracle

This specific mode of CBC with PKCS5Padding is susceptible to padding oracle attacks. An adversary could potentially decrypt the message if the system exposed the difference between plaintext with invalid padding or valid padding. The distinction between valid and invalid padding is usually revealed through distinct error messages being returned for each condition.

Detailed Instructions

1. Go through the issues that GuardRails identified in the PR.
2. Identify the code that uses kCCAlgorithmAES with kCCOptionECBMode
3. And replace it with kCCOptionPKCS7Padding.
4. Test it
5. Ship it 🚢 and relax 🌴

References

• Inadequate AES Configuration

More information:

• OWASP Top 10 - A02 Cryptographic Failures
• Cryptographic Storage Cheat Sheet
• Common Weakness Enumeration (CWE-326)