Is 2.9.3 a duplicate of 6.5.2 (crypto algorithms) #2590

Open
tghosth opened this issue Feb 9, 2025 · 9 comments
Labels: 1) Discussion ongoing (Issue is opened and assigned but no clear proposal yet); V2; _5.0 - prep (This needs to be addressed to prepare 5.0)

Comments

@tghosth
Collaborator

tghosth commented Feb 9, 2025

Chapter text for 2.9:

Cryptographic authentication mechanisms include smart cards or FIDO keys, where the user has to plug in or pair the cryptographic device to the computer to complete authentication. The authentication server will send a challenge nonce to the cryptographic device or software, and the device or software calculates a response based upon a securely stored cryptographic key.

The requirements for single-factor cryptographic devices and software, and multi-factor cryptographic devices and software are the same, as verification of the cryptographic device proves possession of the authentication factor.

Relevant requirements for this issue:

| # | Description | Level | CWE |
|---|---|---|---|
| 2.9.3 | [MODIFIED, LEVEL L2 > L3] Verify that approved cryptographic algorithms are used in the generation, seeding, and verification of the cryptographic keys. | 3 | 327 |
| 6.5.2 | [ADDED, SPLIT FROM 6.2.5, COVERS 6.2.3, LEVEL L2 > L1] Verify that only secure, authenticated ciphers and modes such as AES with GCM are used. | 1 | 326 |

Should 2.9.3 be merged into 6.5.2? Feels like it is covered there. Is this something that absolutely needs its own separate requirement?

@elarlang @jmanico @randomstuff
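The challenge-response flow described in the chapter text above, as an added example that is not part of the issue or of ASVS. It uses a shared-key HMAC from the Python standard library as a stand-in for the digital signature a smart card or FIDO key would produce; the `APPROVED_DIGESTS` allowlist, the class names and the sample keys are assumptions made for illustration.

```python
import hmac
import secrets

# Assumption: the digests this verifier treats as approved (illustrative policy).
APPROVED_DIGESTS = {"sha256", "sha384", "sha512"}

class Authenticator:
    """Stands in for the device or software holding the stored key."""
    def __init__(self, key: bytes, digest: str = "sha256"):
        self._key, self.digest = key, digest

    def respond(self, nonce: bytes) -> bytes:
        # The response is computed over the server's nonce with the stored key.
        return hmac.new(self._key, nonce, self.digest).digest()

class Verifier:
    """Authentication server: issues nonces and checks responses."""
    def __init__(self, key: bytes):
        self._key = key
        self._pending = set()  # nonces issued and not yet consumed

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(32)  # drawn from the OS CSPRNG
        self._pending.add(nonce)
        return nonce

    def verify(self, nonce: bytes, response: bytes, digest: str) -> bool:
        if nonce not in self._pending:
            return False  # unknown or already-used nonce (replay)
        self._pending.discard(nonce)  # single use, whether it passes or fails
        if digest not in APPROVED_DIGESTS:
            return False  # algorithm is not on the approved list
        expected = hmac.new(self._key, nonce, digest).digest()
        return hmac.compare_digest(expected, response)  # constant-time compare

def demo() -> dict:
    key = secrets.token_bytes(32)  # constructed sample key
    server = Verifier(key)
    good, weak = Authenticator(key), Authenticator(key, "md5")
    other = Authenticator(secrets.token_bytes(32))  # holds a different key
    n1, n2, n3 = (server.challenge() for _ in range(3))
    r1 = good.respond(n1)
    return {
        "valid": server.verify(n1, r1, good.digest),
        "replayed": server.verify(n1, r1, good.digest),
        "weak_digest": server.verify(n2, weak.respond(n2), weak.digest),
        "wrong_key": server.verify(n3, other.respond(n3), other.digest),
    }
```

No cipher or mode of operation appears anywhere in this exchange: the algorithm choices that matter are the nonce source, the key generation and the response verification.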

@tghosth tghosth added 1) Discussion ongoing Issue is opened and assigned but no clear proposal yet _5.0 - prep This needs to be addressed to prepare 5.0 V2 labels Feb 9, 2025
@randomstuff
Contributor

randomstuff commented Feb 9, 2025

6.5.2 is actually about encryption (cipher). Smart card and (I think) FIDO keys use digital signatures so they are not really covered by 6.5.2.

I agree that 2.9.3 should be covered by some requirement in 6.x. We don't really have requirements about digital signatures in V6 however.

@jmanico
Member

jmanico commented Feb 9, 2025 via email

@randomstuff
Contributor

randomstuff commented Feb 10, 2025

Verify that only approved cryptographic algorithms and modes of operation are used for key generation, seeding, verification, and encryption.

Yes, I agree that such a change makes sense in order to have a more exhaustive coverage of cryptographic topics without delving too deep into the details and without having a huge number of similar requirements.

I think we would have to add "digital signature" and "MAC" as well (there is "verification" in your proposition but not generation of these). It could make sense to include Key Exchange as well (which is currently in 6.7.1).

@jmanico
Member

jmanico commented Feb 10, 2025 via email

@randomstuff
Contributor

That looks OK for me but I think some additional opinion on this would be welcome.

It might make some existing requirements redundant though.

For example, if we go this route, would we have to remove 6.7.1? It's partially redundant but provides more context and extra requirements:

6.7.1 [ADDED] Verify that industry-proven cryptographic algorithms are used for key exchange (such as Diffie-Hellman) with a focus on ensuring that key exchange mechanisms use secure parameters. This should prevent attacks on the key establishment process which could lead to adversary-in-the-middle attacks or cryptographic breaks.


One thing I forgot in my previous comment was that this requirement is currently in "Encryption Algorithms". This would have to be renamed into "Cryptographic Algorithms" or "Encryption Mechanisms".

@jmanico
Member

jmanico commented Feb 10, 2025

I prefer to reduce the crypto requirements and drop 6.7.1 and others. I think we are getting too deep in the weeds. But I agree that others should chime in first.

  • In general, I'd like to split all crypto requirements into their own version of ASVS - CASVS - just for crypto so we can go "all the way" with detail. I don't think ASVS is the right place for that level of detail.
  • And the work done recently in ASVS crypto is truly amazing. I am a huge fan of the work.

@randomstuff
Contributor

OK for me. The second part of 6.7.1 is, I think, already mostly covered by requirements in V9.

@randomstuff
Contributor

Actually, we already have:

6.2.2 Verify that industry proven or government approved cryptographic algorithms, modes, and libraries are used, instead of custom coded cryptography.

which is quite similar to proposed:

Verify that only approved cryptographic algorithms and modes of operation are used for key generation, key exchange, seeding, digital signature generation and verification, message authentication code (MAC) generation and verification, and encryption.

Can we merge all of this into 6.2.2?


Actually I would want to split 6.2.2 into:

  • one requirement about "approved algorithms and modes";
  • move the "libraries" topic in a separate requirement.

6.2.2 Verify that only approved cryptographic algorithms and modes of operation are used for key generation, key exchange, seeding, digital signature generation and verification, message authentication code (MAC) generation and verification, and encryption.

6.2.X Verify that industry proven libraries for cryptographic operations.

@jmanico
Member

jmanico commented Feb 10, 2025

Actually I would want to split 6.2.2 into:
one requirement about "approved algorithms and modes";
move the "libraries" topic in a separate requirement.

I support this direction. I like it.
