-
-
Notifications
You must be signed in to change notification settings - Fork 2.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Port MASTG-TEST-0015 to v2 (by @guardsquare) #3036
base: master
Are you sure you want to change the base?
Conversation
Most likely needs to be broken down in some atomic tests, according to what is being checked now: 1. For asymmetric keys is the key pair being used for mutiple activities (e.g. signatures vs encryption) 2. For symmetric keys, are those being used for multiple business purposes? (hard to automate) Case (1.) is easy to automate, (2.) is not so much Then, there are some other checks to be discussed: - are all keys used according to the purpose defined during its creation? (it is relevant to KeyStore keys, which can have KeyProperties defined) <-- the APIs ensure that this is done properly, maybe can be removed - is cryptography used according to its business purpose? <-- To be discussed if it is really different from the remaining
I like how you split them and I agree with the mapping to "MASWE-0012: Insecure or Wrong Usage of Cryptographic Key". So we can have 2 tests here at least:
See https://crypto.stackexchange.com/questions/33751/aes-key-reuse-and-guessing-the-key (Ideally we'd find another source from NIST for example)
|
Addressed your comments according to what we discussed live yesterday. |
Thank you for submitting a Pull Request to the OWASP MASTG. Please make sure that:
This PR closes #2948.