Security Research
Showing results for 
Search instead for 
Do you mean 

Crypto Manifesto 2015

yoneil ‎04-22-2015 02:55 AM - edited ‎04-24-2015 10:09 AM

In 2009, the Fortify Security Research Group released a “Crypto Manifesto” to provide guidance to customers in the use of cryptographic hash, encryption and encoding algorithms, cryptographic keys, and pseudo-random number generators (PRNGs). Since then, significant advancements in computer technology have rendered previous cryptography standards insufficient.

What was considered secure in 2009 may be bypassed trivially in 2015. This becomes evident when considering the number of recent high-profile vulnerabilities related to cryptographic systems, including BREACH, CRIME, Heartbleed and POODLE. Although not all of these vulnerabilities represent weaknesses in cryptographic algorithms themselves, they prompted the HP Software Security Research (HP SSR) team to re-visit and update our guidelines for 2015.

This updated document expands beyond the original material to cover password-based key derivation functions, digital signature keys, entropy sources, and protocol versions. It assumes that the reader is familiar with these concepts and their general applications. The provided guidelines are backed up by research from the security community and align themselves with the practical tradeoffs between maximal security and acceptable paranoia.

The table below summarizes the HP SSR team’s views on the usage of cryptography within security-sensitive contexts and suggests strong alternatives. The changes between the 2009 and 2015 versions of the guidelines are indicated in italics.

 AvoidUse
Hash functionsMD2, MD4, MD5, RIPEMD-160, SHA-1SHA-224, SHA-256, SHA-384, SHA-512, SHA-3
Encryption and encoding functionsRC2, RC4, DES, SKIPJACK, Stream Ciphers, XOR, Base 64 Encoding Functions3DES, AES
Mode of operationECBGCM, CCM
PBE iteration count< 1000>= 100,000
Symmetric keys (3DES, AES)< 128 bits>= 128 bits
Public key elliptic curve keys< 224 bits>= 224 bits
Public keys (RSA)< 2048 bits>= 2048 bits with OAEP padding
Digital signature keys (RSA/DSA)< 2048 bits>= 2048 bits
PRNGsStatistical PRNGs, DUAL_ECCryptographic PRNGs (HASH, HMAC, CTR)
Entropy sourcesNon-hardware-based sources of randomness (system/input/output buffers, user/system/hardware/network serial numbers or addresses, user input, process IDs), system clock, /dev/urandomHardware-based sources of randomness (ring oscillators, disk drive timing, thermal noise, radioactive decay)
ProtocolsSSLv2, SSLv23, SSLv3TLSv1.2

 

For a detailed discussion of each of the guidelines and how they are detected by the HP Fortify tools, refer to the attached whitepaper.

0 Kudos
About the Author

yoneil

Comments
Percy Rotteveel
on ‎04-23-2015 10:00 AM

 Great blog with information to increase the security posture of any application portfolio!

Labels
Events
June 6 - 8, 2017
Las Vegas, Nevada
Discover 2017 Las Vegas
Join us for HPE Discover 2017 in Las Vegas. The event will be held at the Venetian | Palazzo from June 6-8, 2017.
Read more
Each Month in 2017
Online
Software Expert Days - 2017
Join us online to talk directly with our Software experts during online Expert Days. Find information here about past, current, and upcoming Expert Da...
Read more
View all