
Crypto appendix - mention missing mechanisms

Open randomstuff opened this issue 1 year ago • 7 comments

The following mechanisms are not mentioned and may (?) be missing.

Stream ciphers:

  • Salsa20
  • XSalsa20 (useful to mention explicitly?) (used in libsodium)
  • XChaCha20 (useful to mention explicitly?)

Block ciphers (found in the recommended TLS ciphersuites, are they used in practice?):

  • ARIA
  • Camellia

→ I did not find much usage of these two. Browsers don't advertise them in TLS ciphersuites for example. We can probably skip mentioning them for now.

Hash:

Key Exchange:

  • XEdDSA (XEd25519, XEd448) (https://signal.org/docs/specifications/xeddsa/#xeddsa)?

Moreover (and for better PQC compliance), I would remove:

Any other cipher options MUST NOT be used.

[...]

Any other method for key wrapping MUST NOT be used.

randomstuff avatar Nov 17 '24 21:11 randomstuff

We love PR's btw ;) #justsaying

danielcuthbert avatar Nov 18 '24 08:11 danielcuthbert

Yes, I thought it would be better to have this discussed before PR but this could directly be discussed in a PR instead…

randomstuff avatar Nov 18 '24 09:11 randomstuff

Yes, I thought it would be better to have this discussed before PR but this could directly be discussed in a PR instead…

That (agreement in an issue first) is the correct procedure.

elarlang avatar Nov 18 '24 10:11 elarlang

@randomstuff I'd love your help making these please, if you have time?

danielcuthbert avatar Nov 20 '24 14:11 danielcuthbert

@danielcuthbert, OK, I'll try to do that. I think I'd start by including all the things I've mentioned except maybe ARIA and Camellia, which appear to be quite niche in terms of usage, but I'm open to any feedback on this.

randomstuff avatar Nov 20 '24 18:11 randomstuff

Some additional things not mentioned which might be relevant.

MAC:

  • Poly1305, approved
    • This one is important because it is used in current TLS ciphersuites.
    • note that this uses a nonce
  • CMAC, approved
  • CBC-MAC, not approved?
  • GMAC, approved
  • Prefix-MAC, not approved (do we need to mention this?)
  • Suffix-MAC, not approved (do we need to mention this?)

Public-key encryption:

  • Plain/textbook RSA, not approved :smile: (really it might be worth mentioning this …)
  • RSAES-PKCS1-v1_5, not approved
  • RSAES-OAEP, approved
  • Diffie-Hellman KEM (DLIES-KEM, ECIES-KEM), approved
    • this is used by HPKE which is used in Encrypted Client Hello

@danielcuthbert, do you agree it makes sense to mention these?

randomstuff avatar Dec 02 '24 20:12 randomstuff

@unprovable, any feedback?

randomstuff avatar Mar 31 '25 12:03 randomstuff