Uploaded image for project: 'Rules Repository'
  1. Rules Repository
  2. RSPEC-3329

Cypher Block Chaining IV's should be random and unique

    Details

    • Type: Vulnerability Detection
    • Status: Active
    • Resolution: Unresolved
    • Labels:
    • Message:
      * Use a dynamically-generated, random IV.
    • Default Severity:
      Critical
    • Impact:
      High
    • Likelihood:
      Low
    • Targeted languages:
      C#, C++, Objective-C, PHP, Python, Swift, VB.Net
    • Covered Languages:
      Java
    • Remediation Function:
      Constant/Issue
    • Constant Cost:
      15min
    • Analysis Level:
      Control-flow Analysis
    • Analysis Scope:
      Main Sources
    • Implementation details:
    • Common Rule:
      Yes
    • CWE:
      CWE-330
    • OWASP:
      A6
    • FindSecBugs:
      STATIC_IV

      Description

      In encryption, when Cipher Block Chaining (CBC) is used, the Initialization Vector (IV) must be random and unpredictable. Otherwise, the encrypted value is vulnerable to crypto-analysis attacks such as the "Chosen-Plaintext Attack".

      An IV value should be associated to one, and only one encryption cycle, because the IV's purpose is to ensure that the same plaintext encrypted twice will yield two different ciphertexts.

      To that end, IV's should be:

      • random
      • unpredictable
      • publishable (IVs are frequently published)
      • authenticated, along with the ciphertext, with a Message Authentication Code (MAC)

      This rule raises an issue when the IV is hard-coded.

      See

        Attachments

          Issue Links

          1.
          Java RSPEC-5330 Language-Specification Active Unassigned
          2.
          Apex RSPEC-5331 Language-Specification Active Unassigned

            Activity

              People

              • Assignee:
                Unassigned
                Reporter:
                ann.campbell.2 Ann Campbell
              • Votes:
                0 Vote for this issue
                Watchers:
                2 Start watching this issue

                Dates

                • Created:
                  Updated: