Remove duplicates and tidy tags to resolve #2523 #2536
Conversation
|
Missing "should" vs "must"? Level 1 really depends on context. |
|
Fixed those 3 issues @elarlang |
tghosth
deleted the
2523-redundant-requirement-about-secure-hash-functions
branch
| @@ -96,10 +96,9 @@ Cryptographic hashes are used in a wide variety of cryptographic protocols, such | |||
|
|
|||
| | # | Description | L1 | L2 | L3 | CWE | | |||
| | :---: | :--- | :---: | :---: | :---: | :---: | | |||
| | **6.6.1** | [ADDED] Verify that only approved hash functions are used for general cryptographic use cases, including digital signatures, HMAC, KDF, and random bit generation. | | ✓ | ✓ | | | |||
| | **6.6.1** | [ADDED, SPLIT FROM 6.2.5, COVERS 6.2.3] Verify that only approved hash functions are used for general cryptographic use cases, including digital signatures, HMAC, KDF, and random bit generation. Disallowed hash functions, such as MD5, SHA-1, must not be used for any cryptographic purpose. | | ✓ | ✓ | | | |||
There was a problem hiding this comment.
Disallowed hash functions, such as MD5, SHA-1, must not be used for any cryptographic purpose.
There is some inconsitency here as HMAC-SHA-1 is currently allowed.
There was a problem hiding this comment.
Therefore I would suggest using:
[ADDED, SPLIT FROM 6.2.5, COVERS 6.2.3] Verify that only approved hash functions are used for general cryptographic use cases, including digital signatures, HMAC, KDF, and random bit generation. Disallowed hash functions, such as MD5, must not be used for any cryptographic purpose.
There was a problem hiding this comment.
Is there any situation where MD5 would be allowed? Can you open a PR @randomstuff ?
|
While sha1 has collisions HMAC-sha1 does not. HMAC-sha1 is only a security problem as quantum computers come online.
|
|
@jmanico, Yes my point was that we are saying in one place that “SHA-1 must not be used for any cryptographic purpose” but in some other place that using SHA-1 as part of the HMAC construct is allowed. |
This Pull Request relates to issue #2523