ASVS
Requirement about key wrapping
Received this feedback from Bart Preneel:
I would add a note stating that a symmetric key should always be wrapped by a key of at least the same length in bits.
@randomstuff where would this fit in? Does this need to be a requirement?
@tghosth: I don't know :)
Very-strawman proposal:
6.4.X Verify that when a symmetric key is encrypted by another key, this key encryption key has at least as much entropy as the protected key.
Questions:
- Do we need to say "key wrap" or is my wording OK?
- I said "when a symmetric key is encrypted" but I think this should apply to private keys as well, shouldn't it?
- I replaced "at least the same length in bits" by "at least as much entropy", is this OK?
I think keep this in the appendix as it is more of an implementation detail...
Proposition: add a note in the appendix such as,
Warning: a symmetric key should always be wrapped by a key of at least the same length in bits.
@danielcuthbert and @unprovable, any feedback on that?
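As an added illustration of the rule proposed in 6.4.X and in the appendix note above (this is example code, not part of the ASVS repository or of anyone's comment), the Go program below implements RFC 3394 AES key wrap and refuses to wrap a key under a key encryption key that is shorter in bits than the key being protected. The `CheckKEKStrength` function and its error messages are my own names; the key and KEK values in `main` are the test vector from RFC 3394 section 4.1. Bit length is used as the measurable proxy for the entropy wording in the proposal: it is only an upper bound, so a 256-bit KEK derived from a weak password passes the check without meeting the intent.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// Default IV from RFC 3394 section 2.2.3.1; recovering it on unwrap is the integrity check.
var rfc3394IV = []byte{0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6}

// CheckKEKStrength enforces the proposed requirement: the key encryption key must be at
// least as long in bits as the key it protects (hypothetical helper, not an ASVS API).
// Length only bounds entropy from above; a KEK derived from a weak password still fails the intent.
func CheckKEKStrength(kek, key []byte) error {
	if len(kek)*8 < len(key)*8 {
		return fmt.Errorf("key encryption key is %d bits but protected key is %d bits", len(kek)*8, len(key)*8)
	}
	return nil
}

// WrapKey performs RFC 3394 AES key wrap of key under kek, refusing a KEK weaker than the key.
func WrapKey(kek, key []byte) ([]byte, error) {
	if err := CheckKEKStrength(kek, key); err != nil {
		return nil, err
	}
	if len(key) < 16 || len(key)%8 != 0 {
		return nil, errors.New("key must be at least 128 bits and a multiple of 64 bits")
	}
	block, err := aes.NewCipher(kek) // accepts 16-, 24- or 32-byte KEKs
	if err != nil {
		return nil, err
	}
	n := len(key) / 8
	out := make([]byte, 8+len(key)) // layout: A || R[1] || ... || R[n]
	copy(out[:8], rfc3394IV)
	copy(out[8:], key)
	buf := make([]byte, 16)
	for j := 0; j < 6; j++ {
		for i := 1; i <= n; i++ {
			copy(buf[:8], out[:8])               // B = AES(K, A | R[i])
			copy(buf[8:], out[i*8:(i+1)*8])
			block.Encrypt(buf, buf)
			t := uint64(n*j + i)                  // A = MSB(64, B) ^ t
			binary.BigEndian.PutUint64(out[:8], binary.BigEndian.Uint64(buf[:8])^t)
			copy(out[i*8:(i+1)*8], buf[8:])       // R[i] = LSB(64, B)
		}
	}
	return out, nil
}

// UnwrapKey reverses WrapKey and fails unless the RFC 3394 IV is recovered.
func UnwrapKey(kek, wrapped []byte) ([]byte, error) {
	if len(wrapped) < 24 || len(wrapped)%8 != 0 {
		return nil, errors.New("malformed wrapped key")
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	n := len(wrapped)/8 - 1
	work := make([]byte, len(wrapped))
	copy(work, wrapped)
	buf := make([]byte, 16)
	for j := 5; j >= 0; j-- {
		for i := n; i >= 1; i-- {
			t := uint64(n*j + i)
			binary.BigEndian.PutUint64(buf[:8], binary.BigEndian.Uint64(work[:8])^t)
			copy(buf[8:], work[i*8:(i+1)*8])
			block.Decrypt(buf, buf)               // B = AES^-1(K, (A ^ t) | R[i])
			copy(work[:8], buf[:8])
			copy(work[i*8:(i+1)*8], buf[8:])
		}
	}
	if !bytes.Equal(work[:8], rfc3394IV) {
		return nil, errors.New("integrity check failed: wrong KEK or corrupted wrapped key")
	}
	return work[8:], nil
}

func main() {
	// RFC 3394 section 4.1 test vector: 128-bit KEK wrapping 128-bit key data.
	kek, _ := hex.DecodeString("000102030405060708090A0B0C0D0E0F")
	key, _ := hex.DecodeString("00112233445566778899AABBCCDDEEFF")
	wrapped, err := WrapKey(kek, key)
	if err != nil {
		panic(err)
	}
	fmt.Printf("wrapped: %X\n", wrapped)
	// A 128-bit KEK protecting a 256-bit key is refused even though AES-KW itself allows it.
	_, err = WrapKey(kek, make([]byte, 32))
	fmt.Println("weak KEK rejected:", err)
}
```

Running `go run` on the file prints the RFC 3394 ciphertext for the first call and the rejection message for the second; the check deliberately sits in front of the wrap primitive, because RFC 3394 itself happily wraps a 256-bit key under a 128-bit KEK (its own section 4.3 test vector does exactly that), so the requirement has to be enforced by the caller, not by the algorithm.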
I think it's better in the Appendix. I've added it into my working branch (https://github.dev/OWASP/ASVS/tree/v5_appendixV) where I'll be pushing all the others too. Thanks @randomstuff
@danielcuthbert, your branch is based on the status of the repo from the beginning of April and is now in conflict with the current branch. I think you'd need to rebase and/or propose individual fixes so that we may have visibility on that and not do redundant work ❤