La traduzione di questa pagina non è aggiornata. Fai clic qui per vedere l'ultima versione in inglese.

Difetti di crittografia

Difetti relativi all'utilizzo non corretto delle routine di crittografia OpenSSL

Questi difetti sono relativi all'utilizzo non corretto delle routine di crittografia della libreria OpenSSL. Ad esempio:

Utilizzo di algoritmi crittograficamente deboli
Assenza di elementi essenziali quali chiave di cifratura o vettore di inizializzazione
Ordine errato delle operazioni crittografiche

Risultati di Polyspace

Crittografia simmetrica

`Constant block cipher initialization vector`	Initialization vector is constant instead of randomized
`Constant cipher key`	Encryption or decryption key is constant instead of randomized
`Inconsistent cipher operations`	You perform encryption and decryption steps in succession with the same cipher context without a reinitialization in between
`Missing block cipher initialization vector`	Context used for encryption or decryption is associated with NULL initialization vector or not associated with an initialization vector
`Missing cipher algorithm`	An encryption or decryption algorithm is not associated with the cipher context
`Missing cipher data to process`	Final encryption or decryption step is performed without previous update steps
`Missing cipher final step`	You do not perform a final step after update steps for encrypting or decrypting data
`Missing cipher key`	Context used for encryption or decryption is associated with NULL key or not associated with a key
`Predictable block cipher initialization vector`	Initialization vector is generated from a weak random number generator
`Predictable cipher key`	Encryption or decryption key is generated from a weak random number generator
`Weak cipher algorithm`	Encryption algorithm associated with the cipher context is weak
`Weak cipher mode`	Encryption mode associated with the cipher context is weak

Crittografia a chiave pubblica: Generale

`Context initialized incorrectly for cryptographic operation`	Context used for public key cryptography operation is initialized for a different operation
`Incorrect key for cryptographic algorithm`	Public key cryptography operation is not supported by the algorithm used in context initialization
`Missing data for encryption, decryption or signing operation`	Data provided for public key cryptography operation is NULL or data length is zero
`Missing parameters for key generation`	Context used for key generation is associated with NULL parameters
`Missing peer key`	Context used for shared secret derivation is associated with NULL peer key or not associated with a peer key at all
`Missing private key`	Context used for cryptography operation is associated with NULL private key or not associated with a private key at all
`Missing public key`	Context used for cryptography operation is associated with NULL public key or not associated with a public key at all
`Nonsecure parameters for key generation`	Context used for key generation is associated with weak parameters

Crittografia a chiave pubblica: Algoritmo RSA

`Incompatible padding for RSA algorithm operation`	Cryptography operation is not supported by the padding type set in context
`Missing blinding for RSA algorithm`	Context used in decryption or signature verification is not blinded against timing attacks
`Missing padding for RSA algorithm`	Context used in encryption or signing operation is not associated with any padding
`Nonsecure RSA public exponent`	Context used in key generation is associated with low exponent value
`Weak padding for RSA algorithm`	Context used in encryption or signing operation is associated with insecure padding type

Riepiloghi dei messaggi

`Context initialized incorrectly for digest operation`	Context used for digest operation is initialized for a different digest operation
`Missing final step after hashing update operation`	Hash is incomplete or non-secure
`Missing hash algorithm`	Context in EVP routine is initialized without a hash algorithm
`Missing salt for hashing operation`	Hashed data is vulnerable to rainbow table attack
`No data added into context`	Performing hash operation on empty context might cause run-time errors
`Nonsecure hash algorithm`	Context used for message digest creation is associated with weak algorithm

Connessioni SSL/TLS

`Missing certification authority list`	Certificate for authentication cannot be trusted
`Missing private key for X.509 certificate`	Missing key might result in run-time error or non-secure encryption
`Missing X.509 certificate`	Server or client cannot be authenticated
`Nonsecure SSL/TLS protocol`	Context used for handling SSL/TLS connections is associated with weak protocol
`Server certificate common name not checked`	Attacker might use valid certificate to impersonate trusted host
`TLS/SSL connection method not set`	Program cannot determine whether to call client or server routines
`TLS/SSL connection method set incorrectly`	Program calls functions that do not match role set by connection method
`X.509 peer certificate not checked`	Connection might be vulnerable to man-in-the-middle attacks

Argomenti

Bug Finder Defect Groups
The Bug Finder defect checkers are classified into groups such as data flow, concurrency, numerical, and so on.