Feedback about recommended AES modes
Feedback from Bart Preneel related to AES modes (other aspects are discussed in #2495):

> I am not sure that it is a good idea to separate encryption from data authentication. I would thus call this section Authenticated Encryption algorithms and say that for the encryption component you only allow AES and Chacha-20 (I would not add Salsa20).
>
> [...] The only AES-based authenticated encryption algorithms that are recommended for general use are: GCM, CCM, CCM-8, OCB (OCB has been added here – make sure you use the right version).
>
> Add a warning that AES-GCM is particularly vulnerable to a nonce reuse attack and that such vulnerabilities have already been identified earlier in some libraries.
Some notes/questions:

- CCM-8 is listed here (see #2413), so maybe it makes sense to keep this.
- OCB is not listed. We should probably add it.
- CBC is not mentioned in this feedback but is currently approved in the document. Shall we do something about it? For what it's worth, it is still allowed by NIST / FIPS. Should we list it as "approved but discouraged / legacy"? (see https://github.com/OWASP/ASVS/issues/2398#issuecomment-2513823401)
- Shall we explicitly talk about nonce reuse in AES-GCM somewhere? We already have:

  > [MODIFIED, MOVED FROM 6.2.6, LEVEL L2 > L3] Verify that nonces, initialization vectors, and other single-use numbers are not used for more than one encryption key/data-element pair. The method of generation must be appropriate for the algorithm being used.
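As an added illustration of the nonce requirement quoted above (example code, not from ASVS or from anyone in this thread): a Go wrapper around the standard library's AES-GCM that builds each nonce from a per-key counter, so the same key/nonce pair is never reused, and that stops rather than wrap the counter. The fixed-field value and the all-zero key used when exercising it are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
)

// Sealer wraps AES-GCM with the deterministic nonce construction of NIST SP
// 800-38D section 8.2.1: 4-byte fixed field || 8-byte counter, never repeated per key.
type Sealer struct {
	aead    cipher.AEAD
	fixed   [4]byte
	counter uint64
}

func NewSealer(key []byte, fixed [4]byte) (*Sealer, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Sealer{aead: aead, fixed: fixed}, nil
}

// Seal returns nonce || ciphertext || tag; it refuses to wrap the counter, which would repeat a nonce under this key.
func (s *Sealer) Seal(plaintext, aad []byte) ([]byte, error) {
	if s.counter == ^uint64(0) {
		return nil, errors.New("nonce counter exhausted: rotate the key")
	}
	nonce := make([]byte, 12)
	copy(nonce, s.fixed[:])
	binary.BigEndian.PutUint64(nonce[4:], s.counter)
	s.counter++
	return s.aead.Seal(nonce, nonce, plaintext, aad), nil
}

// Open checks the tag before releasing plaintext; any change to nonce, ciphertext, tag or AAD fails.
func (s *Sealer) Open(blob, aad []byte) ([]byte, error) {
	if len(blob) < 12+s.aead.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return s.aead.Open(nil, blob[:12], blob[12:], aad)
}
```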
OCB seems to have licensing issues. For the others, I defer to Daniel :)
> OCB seems to have licensing issues.

Apparently, this is not an issue anymore. https://mailarchive.ietf.org/arch/msg/cfrg/qLTveWOdTJcLn4HP3ev-vrj05Vg/
OCB v3 is RFC7253. The previous versions have vulnerabilities.
ok cool so @danielcuthbert @unprovable any comments on this?
I think this is a non-blocker.
Agreed, same.