Hi, I'm tl2cents. I'm now researching the crypto misuses in the real world and conducting academic research on Java Cryptography API based misuse using your tool. I'd like to list several rules for reference that might be implemented in your tool.
DSA
Nowadays, DSA might be an insecure signature algorithm. Attackers can use the randomness of nonce to implement a side-channel attack to get server's private key. For more details, refer to this paper: Timing and Lattice Attacks on a Remote ECDSA OpenSSL Server: How Practical Are They Really?. It's hard to avoid oracles in real application.
OpenSSH 7.0 and above versions disabled the ssh-dss (DSA) public key algorithm by default. The official did not give a specific explanation, but there may be reasons for the generation of OpenSSH and DSA key digits. At the same time, the randomness of the nonce when generating the signature is poor, and the private key may be leaked. With the computing power of the current computer, DSA 1024-bit is actually crackable, so it is not recommended to use it.
Maybe we can add it to the broken cipher list. Or at least , we should check the key size of DSA. In java, the DSA key size is upper bounded by 1024.
Poodle Attack
This rule is mainly concerned with the leakage of the validity of padding and checksum. A typical attack is Poodle Attack. A malicious attacker can decrypt any message by sending well-constructed messages to the server which can reveal the correctness of the message to the attacker. Thus, we should check whether the java program throws an exception or explicit notion after padding or unpadding. Implementation of this rule might be complicated.
RSA/ECB/PKCS1Padding && RSA public exponent too small
I find that java uses RSA/ECB/PKCS1Padding by default. This padding is not secure when the RSA public exponent is small. Generally, e is 65537 in java program. (I'm not clear whether we can select the public exponent of RSA in javax.crypto, I'll research it later.) Bleichenbacher's attack : attackers can forge RSA signatures with PKCS1Padding when e is small . Actually, small RSA public exponent causes many security issues.
Hi, I'm tl2cents. I'm now researching the crypto misuses in the real world and conducting academic research on Java Cryptography API based misuse using your tool. I'd like to list several rules for reference that might be implemented in your tool.
DSA
Nowadays, DSA might be an insecure signature algorithm. Attackers can use the randomness of nonce to implement a side-channel attack to get server's private key. For more details, refer to this paper:
Timing and Lattice Attacks on a Remote ECDSA OpenSSL Server: How Practical Are They Really?. It's hard to avoid oracles in real application.OpenSSH 7.0 and above versions disabled the ssh-dss (DSA) public key algorithm by default. The official did not give a specific explanation, but there may be reasons for the generation of OpenSSH and DSA key digits. At the same time, the randomness of the nonce when generating the signature is poor, and the private key may be leaked. With the computing power of the current computer, DSA 1024-bit is actually crackable, so it is not recommended to use it.
Maybe we can add it to the broken cipher list. Or at least , we should check the key size of DSA. In java, the DSA key size is upper bounded by 1024.
Poodle Attack
This rule is mainly concerned with the leakage of the validity of padding and checksum. A typical attack is
Poodle Attack. A malicious attacker can decrypt any message by sending well-constructed messages to the server which can reveal the correctness of the message to the attacker. Thus, we should check whether the java program throws an exception or explicit notion after padding or unpadding. Implementation of this rule might be complicated.RSA/ECB/PKCS1Padding && RSA public exponent too small
I find that
javausesRSA/ECB/PKCS1Paddingby default. This padding is not secure when the RSA public exponent is small. Generally,eis 65537 in java program. (I'm not clear whether we can select the public exponent of RSA injavax.crypto, I'll research it later.) Bleichenbacher's attack : attackers can forge RSA signatures withPKCS1Paddingwheneis small . Actually, small RSA public exponent causes many security issues.Hope
CryptoGuardbe greater in the future!