
Fortify Software – Business Software Assurance

Crypto Manifesto
Fortify Security Research Group
January 9, 2002

Fortify Software WWW.FORTIFY.COM 1


Contents

Overview
Cryptographic Hash Functions
Encryption and Encoding Standards
Guidelines for Encryption Key Lengths
Pseudo-Random Number Generators
References



Overview

Many of the more commonly used cryptographic algorithms have come under the scrutiny of security-space leaders, including the Security Research Group (SRG) of Fortify Software. These algorithms have either been broken or been found to be less resilient to various types of attacks made possible by the evolution of the hardware used to break security algorithms. This document provides best-practice guidelines to use when considering and deploying modern cryptographic algorithms. These guidelines are provided by SRG and are backed up by the research of the security community.

The best-practice guidelines provided by this document cover:

- Cryptographic hash functions
- Encryption and encoding standards
- Encryption key length guidelines
- Pseudo-Random Number Generators (PRNGs)

This document assumes that you are familiar with the above concepts and their general application, as well as with general computer security. Use the following table as best-practice guidelines:

                                    Avoid                             Use
Hash functions                      MD2, MD4, MD5, SHA-1              SHA-224, SHA-256, SHA-384, SHA-512
Encryption and encoding functions   RC2, RC4, DES, Base 64 encoding   3DES, AES
Symmetric keys (AES)                < 128 bits                        >= 128 bits
Public keys (RSA)                   < 2048 bits                       >= 2048 bits
PRNGs                               Statistical PRNGs                 Cryptographic PRNGs

The remainder of this document provides details on each of the areas.



Cryptographic Hash Functions

The cryptographic hash functions MD2, MD4, MD5, and the SHA family (SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512) are some of the most widely known and used cryptographic hash functions. There are, however, security issues associated with several of these functions. For example, collisions were found in MD2 as early as 1997 [10]. In 2005 MD2 was found vulnerable to pre-image attacks that enable the recovery of the original value from its hash [9]. These findings clearly illustrate that MD2 is no longer appropriate.

Researchers at Shandong University discovered attacks on a number of cryptographic hash functions, including HAVAL-128, MD4, MD5, RIPEMD, and SHA-0, and described finding collisions in about 15 minutes [16]. This was the wake-up call that caused security-space leaders such as Microsoft to ban the use of the MD4 and MD5 algorithms by their development teams. Furthermore, a recent research project determined that it was possible to mount a man-in-the-middle attack on SSL by creating rogue certificates issued by a rogue Certification Authority (CA), using a homegrown array of machines [12]. This attack exploited the weakness that the Shandong researchers had found in MD5. This discovery, together with the Domain Name System (DNS) weakness demonstrated in the summer of 2008 [5], makes undetectable phishing attacks on the Internet possible. The vulnerability was picked up by the United States Computer Emergency Response Team (US-CERT), which now urges software developers, CAs, website owners, and users to avoid implementing MD5 in any capacity [14].

Once the weaknesses in MD4 and MD5 had been illustrated, some proposed switching to SHA-1. However, the same researchers from Shandong University found collisions in SHA-1 as well, with complexity less than the theoretical bound [15]. At this point Microsoft banned SHA-1 [4], and the National Institute of Standards and Technology (NIST) suggests phasing out the use of SHA-1 by 2010 [11].

Fortify SRG suggests that Fortify customers stop using MD2, MD4, MD5, and SHA-1 for computing hashes of sensitive information such as passwords, certificates, or any other kind of digital-security credential. Fortify Source Code Analyzer (SCA) enforces this by issuing a warning against code that uses any of these algorithms. The use of these algorithms might be acceptable in cases where the hash is computed over non-sensitive information; for example, using one of these algorithms to compute a hash of a file that is not connected in any way to a user's identity is acceptable. Unfortunately, the nature of static analysis prevents it from understanding the exact context in which these algorithms are used, which is why it is advisable to have a security expert familiar with the application being scanned audit the warnings generated by Fortify SCA.



Encryption and Encoding Standards

There are a number of encryption algorithms that can be used to stop attackers from accessing secrets. Some of the most popular encryption algorithms are RC2, RC4, DES, triple DES (3DES), and AES, among others.

Microsoft now prohibits the use of RC4 in code development [4]. Microsoft developers misused RC4 on various occasions. One such incident is described by Hongjun Wu [17]: because the initialization vector (IV) used together with the key to encrypt two different documents remained the same, the encryption could be broken by simply XOR-ing the two ciphertexts. A number of other attacks on RC4 are known to the security community; one of them breaks the Wired Equivalent Privacy (WEP) protocol, which uses RC4, in less than a minute [13].

Microsoft has also banned the use of the DES encryption algorithm [4], because it has been broken [3]. Although there are attacks on 3DES, the best attack requires around 2^32 known plaintexts, 2^113 steps, 2^90 single DES encryptions, and 2^88 memory, which is currently impractical [8]. The National Institute of Standards and Technology (NIST) suggests phasing out 2-key 3DES by 2010 and 3-key 3DES by 2030 [1].

There is also some controversy concerning the security of RC2. Although research suggests that RC2 is resistant to differential attacks, it is still unclear how resistant it is to other forms of cryptanalysis [7]. RC2 has also been shown to be vulnerable to related-key attacks. Microsoft advises against its use [2].

Many people mistakenly think of Base 64 encoding as an encryption scheme. Base 64 encoding is useful when there is a need to transmit binary data over a communication channel designed to carry character data. However, because it is a fixed transformation over a 64-character alphabet that anyone can reverse without a key, the scheme does not provide the security guarantees of strong cryptographic encryption algorithms. For this reason, it should not be used to protect secrets.

Fortify SCA issues warnings when it finds the RC2, RC4, or DES algorithms in code scans. It also issues warnings whenever passwords are Base-64-decoded before being used.
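The RC4 incident described above is a keystream-reuse failure: encrypting two documents under the same key and IV XORs both with the same keystream, so XOR-ing the ciphertexts cancels the keystream and leaves the XOR of the plaintexts. The following Python is an added illustration and is not code from this document or from the cited paper. A textbook RC4 is included only because that is the cipher in the incident; `per_message_key` is a hypothetical helper (SHA-256 of key and IV) that shows the principle that every message needs a distinct keystream, not an endorsement of RC4, which stays in the Avoid column. The plaintexts and IVs are constructed sample values.

```python
import hashlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Textbook RC4: key-scheduling algorithm (KSA) followed by the
    pseudo-random generation algorithm (PRGA). Educational only."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def rc4_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Stream-cipher encryption is plaintext XOR keystream."""
    return xor_bytes(plaintext, rc4_keystream(key, len(plaintext)))


def ciphertext_xor_leaks_plaintext_xor(key: bytes, p1: bytes, p2: bytes) -> bool:
    """The misuse: same key, same (or no) IV for two documents.
    Both ciphertexts carry the same keystream, so c1 XOR c2 == p1 XOR p2."""
    c1 = rc4_encrypt(key, p1)
    c2 = rc4_encrypt(key, p2)
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)


def recover_with_known_plaintext(key: bytes, p1: bytes, p2: bytes) -> bytes:
    """Consequence of the leak: if one document (p1) is known, the other
    follows from the two ciphertexts alone: p2 = c1 XOR c2 XOR p1."""
    c1 = rc4_encrypt(key, p1)
    c2 = rc4_encrypt(key, p2)
    return xor_bytes(xor_bytes(c1, c2), p1)


def per_message_key(key: bytes, iv: bytes) -> bytes:
    """Hypothetical derivation of a distinct per-message key from the
    long-term key and a unique IV, so no two messages share a keystream."""
    return hashlib.sha256(key + iv).digest()


def unique_iv_prevents_leak(key: bytes, p1: bytes, p2: bytes, iv1: bytes, iv2: bytes) -> bool:
    """With distinct IVs the keystreams differ and the XOR relation is gone."""
    c1 = rc4_encrypt(per_message_key(key, iv1), p1)
    c2 = rc4_encrypt(per_message_key(key, iv2), p2)
    return xor_bytes(c1, c2) != xor_bytes(p1, p2)


if __name__ == "__main__":
    key = b"Secret"                       # constructed sample key
    doc1, doc2 = b"Attack at dawn", b"Retreat at six"   # constructed documents
    print("same key, same IV leaks p1 XOR p2:",
          ciphertext_xor_leaks_plaintext_xor(key, doc1, doc2))
    print("second document recovered from first:",
          recover_with_known_plaintext(key, doc1, doc2))
    print("unique IV per message removes the relation:",
          unique_iv_prevents_leak(key, doc1, doc2, bytes(8), bytes(7) + b"\x01"))
```

The real remedy, per the table above, is AES with a fresh IV for every message rather than a patched RC4; the point the block makes is that any stream cipher, and any block-cipher mode that behaves like one, is only as safe as the guarantee that a keystream is never used twice.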



Guidelines for Encryption Key Lengths

Because hardware has become more advanced in recent years, it is crucial to use the right encryption algorithm to protect sensitive data. It is also important to generate the appropriate keys to use with these schemes. The suggested length for symmetric keys (particularly, AES keys) is no less than 128 bits, while the suggested length for RSA keys is no less than 2048 bits [4][11]. These guidelines are enforced through the Fortify SCA rules.



Pseudo-Random Number Generators

The last topic covered by this document is pseudo-random number generators (PRNGs). When unpredictability is critical, as it is in security-sensitive contexts, it is important to use cryptographically strong PRNGs rather than statistical ones. Unlike cryptographic PRNGs, statistical pseudo-random number generators produce highly predictable output, which makes it trivial for an attacker to guess the values of generated strings. However, statistical PRNGs are acceptable when predictability is not a concern, for example for generating the order in which images are displayed in a slideshow application. Once again, because it is impossible for a static source code analyzer to determine the context in which pseudo-random number generators are used, Fortify SCA reports a warning every time it scans code that uses a statistical PRNG. It is up to an auditor to decide how relevant these warnings are in the context of a particular application.
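The warnings this document attributes to Fortify SCA in the hash, encryption and encoding, key length, and PRNG sections all reduce to checks over algorithm names and parameters at call sites. The following Python is an added illustration of what such a check looks like for JCA-style Java source; it is not Fortify's code or rule set. The policy constants are taken from the Avoid/Use table above, the regular expressions target the standard `MessageDigest`, `Cipher`, `KeyGenerator`, `KeyPairGenerator`, `java.util.Random` and `Base64` APIs, and the sample source lines are constructed for the example. As the text notes, a human auditor still has to judge each finding in context.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Policy taken from the Avoid/Use table in this document.
BANNED_HASHES = {"MD2", "MD4", "MD5", "SHA-1", "SHA1"}
BANNED_CIPHERS = {"RC2", "RC4", "ARCFOUR", "DES"}   # exact match: "DESede" (3DES) is allowed
MIN_SYMMETRIC_BITS = 128
MIN_RSA_BITS = 2048


@dataclass
class Finding:
    line_no: int
    category: str
    detail: str


# JCA-style call sites. Pattern names are illustrative, not Fortify's rule ids.
_HASH = re.compile(r'MessageDigest\.getInstance\(\s*"([^"]+)"')
_CIPHER = re.compile(r'Cipher\.getInstance\(\s*"([^"/]+)')      # algorithm before "/mode/padding"
_SYM_KEYGEN = re.compile(r'\bKeyGenerator\.getInstance\(\s*"([^"]+)"')
_RSA_KEYGEN = re.compile(r'\bKeyPairGenerator\.getInstance\(\s*"([^"]+)"')
_KEYSIZE = re.compile(r'\.(?:initialize|init)\(\s*(\d+)\s*\)')
_RANDOM = re.compile(r'\bnew\s+(?:java\.util\.)?Random\s*\(')   # does not match SecureRandom
_B64_PASSWORD = re.compile(r'Base64\.(?:getDecoder\(\)\.)?decode\([^)]*pass', re.IGNORECASE)


def scan(source: str) -> List[Finding]:
    """Return one Finding per policy violation, in source order."""
    findings: List[Finding] = []
    # Key-size checks are stateful: remember the last generator created and
    # compare the next init()/initialize() size against the policy minimum.
    pending: Optional[Tuple[str, int]] = None
    for line_no, line in enumerate(source.splitlines(), start=1):
        m = _HASH.search(line)
        if m and m.group(1).upper() in BANNED_HASHES:
            findings.append(Finding(line_no, "weak-hash", m.group(1)))
        m = _CIPHER.search(line)
        if m and m.group(1).upper() in BANNED_CIPHERS:
            findings.append(Finding(line_no, "weak-cipher", m.group(1)))
        if _RANDOM.search(line):
            findings.append(Finding(line_no, "statistical-prng", "java.util.Random"))
        if _B64_PASSWORD.search(line):
            findings.append(Finding(line_no, "base64-password", "password decoded from Base 64"))
        m = _SYM_KEYGEN.search(line)
        if m:
            pending = (m.group(1), MIN_SYMMETRIC_BITS) if m.group(1).upper() == "AES" else None
        m = _RSA_KEYGEN.search(line)
        if m:
            pending = (m.group(1), MIN_RSA_BITS) if m.group(1).upper() == "RSA" else None
        m = _KEYSIZE.search(line)
        if m and pending is not None:
            alg, minimum = pending
            bits = int(m.group(1))
            if bits < minimum:
                findings.append(Finding(line_no, "short-key",
                                        f"{alg} key of {bits} bits is below {minimum}"))
            pending = None
    return findings


# Constructed sample source: each line exercises one rule, including two
# lines (SHA-256, DESede, SecureRandom) that must NOT be flagged.
SAMPLE_SOURCE = """\
MessageDigest md = MessageDigest.getInstance("MD5");
MessageDigest ok = MessageDigest.getInstance("SHA-256");
Cipher c = Cipher.getInstance("DES/CBC/PKCS5Padding");
Cipher c3 = Cipher.getInstance("DESede/CBC/PKCS5Padding");
Cipher rc = Cipher.getInstance("RC4");
KeyGenerator kg = KeyGenerator.getInstance("AES");
kg.init(64);
KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
kpg.initialize(1024);
Random r = new java.util.Random();
SecureRandom sr = new SecureRandom();
String pw = new String(Base64.getDecoder().decode(encodedPassword));
"""


if __name__ == "__main__":
    for f in scan(SAMPLE_SOURCE):
        print(f"line {f.line_no}: {f.category}: {f.detail}")
```

Running the block reports seven findings on the sample (MD5, DES, RC4, a 64-bit AES key, a 1024-bit RSA key, `java.util.Random`, and a Base-64-decoded password) and stays silent on SHA-256, DESede and `SecureRandom`. The last rule is deliberately crude: it flags a decode whose argument mentions a password, which is exactly the kind of context-free warning the text says an auditor must triage.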



References

[1] Elaine Barker, William Barker, William Burr, William Polk, and Miles Smid. “Recommendation for Key Management – Part 1: General (Revised)”. NIST Special Publication 800-57. http://csrc.nist.gov/publications/nistpubs/800-57/SP800-57-Part1.pdf
[2] Andrew Cushman. “Microsoft Security Fundamentals”. EUSecWest, London, February 20, 2006. http://eusecwest.com/esw06/esw06-cushman.ppt
[3] Electronic Frontier Foundation. “Cracking DES”. http://w2.eff.org/Privacy/Crypto/Crypto_misc/DESCracker/HTML/19980716_eff_des_faq.html
[4] Michael Howard. “Security Development Lifecycle: Development Practices”. http://download.microsoft.com/download/8/4/7/8471a3cb-e4bf-442a-bba4-c0c907d598c5/Michael%20Howard%20SDL%20Development%20Practices.ppsx
[5] Dan Kaminsky. “Black Ops 2008: It's the end of the cache as we know it”. August 2008. http://www.doxpara.com/DMK_BO2K8.ppt
[6] John Kelsey, , and David Wagner. “Related-key cryptanalysis of 3-WAY, Biham-DES, CAST, DES-X, NewDES, RC2, and TEA”. ICICS, 1997, pp 233–246.
[7] Lars R. Knudsen, , Ronald L. Rivest, and Matthew J. B. Robshaw. “On the Design and Security of RC2”. Fast Software Encryption, 1998, pp 206–221.
[8] Stefan Lucks. “Attacking Triple Encryption”. Fast Software Encryption, 1998, pp 239–253.
[9] Frédéric Muller. “The MD2 Hash Function is Not One-Way”. ASIACRYPT 2004, pp 214–229.
[10] N. Rogier and Pascal Chauvaud. “MD2 is not Secure without the Checksum Byte”. Designs, Codes and Cryptography, 12(3), pp 245–251, 1997.
[11] W. Timothy Polk, Donna F. Dodson, and William E. Burr. “Cryptographic Algorithms and Key Sizes for Personal Identity Verification”. NIST Special Publication 800-78-1. http://csrc.nist.gov/publications/nistpubs/800-78-1/SP-800-78-1_final2.pdf
[12] Alexander Sotirov, Marc Stevens, Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik, and Benne de Weger. “MD5 considered harmful today”. 25th Annual Chaos Communication Congress, Berlin, December 30, 2008. http://www.win.tue.nl/hashclash/rogue-ca/
[13] Erik Tews, Ralf-Philipp Weinmann, and Andrei Pyshkin. “Breaking 104 bit WEP in less than 60 seconds”. http://eprint.iacr.org/2007/120.pdf
[14] United States Computer Emergency Response Team. “Vulnerability Note VU#836068”. http://www.kb.cert.org/vuls/id/836068
[15] Xiaoyun Wang, Yiqun Lisa Yin, and Hongbo Yu. “Finding Collisions in the Full SHA-1”. http://people.csail.mit.edu/yiqun/SHA1AttackProceedingVersion.pdf
[16] Xiaoyun Wang and Hongbo Yu. “How to Break MD5 and Other Hash Functions”. EUROCRYPT 2005, LNCS 3494, pp 19–35, 2005. http://www.infosec.sdu.edu.cn/uploadfile/papers/How%20to%20Break%20MD5%20and%20Other%20Hash%20Functions.pdf
[17] Hongjun Wu. “The Misuse of RC4 in Microsoft Word and Excel”. http://eprint.iacr.org/2005/007.pdf
