Cryptography analysis in the context of conformity assessment

  • Lucila Maria Bento INMETRO
  • Raphael Carlos Machado INMETRO / Centro Federal de Educação Tecnológica Celso Suckow da Fonseca / UFF

Abstract

To protect sensitive information processed by embedded systems, developers need to rely on cryptography. Although cryptographic mechanisms are increasingly advanced, many security breaches occur because developers use cryptography incorrectly. This paper presents a (non-exhaustive) list of incorrect uses of cryptography in embedded systems, intended to strengthen the analyses carried out in a conformity assessment process for these systems.

Published
02/09/2019
BENTO, Lucila Maria; MACHADO, Raphael Carlos. Análise de criptografia no contexto da avaliação da conformidade. In: WORKSHOP DE REGULAÇÃO, AVALIAÇÃO DA CONFORMIDADE E CERTIFICAÇÃO DE SEGURANÇA, 5., 2019, São Paulo. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2019. p. 33-42. DOI: https://doi.org/10.5753/wrac.2019.14035.