  1. OpenShift Builds
  2. BUILD-903 Findings from the Threat Model Source-to-image (S2I) Builder Image 1.3.8
  3. BUILD-909

T60: Use correct and approved cryptographic algorithms, parameters, and key lengths


    • Type: Sub-task
    • Resolution: Won't Do
    • Priority: Normal
    • SECFLOWOTL-30 - s2i Security Review

      Use the following guidelines to ensure that your application uses algorithms, parameters, and key lengths that adhere to strict standards for encryption:

      • Always use well-tested and industry-accepted cryptographic algorithms.
      • In case an organization does not have approved cryptographic algorithms or key lengths, check the algorithm against the FIPS 140-3 validation list. Annex A Section 14 provides a list of approved security algorithms applicable to FIPS 140-3.
        - For example, Data Encryption Standard (DES) is not considered secure and an alternative such as Advanced Encryption Standard (AES) should be used for symmetric encryption.
        
      • Use unapproved algorithms only in conjunction with approved algorithms, and implement them in a manner that does not reduce the equivalent cryptographic key strength provided by the approved algorithms.
      • Do not use encoding and compression algorithms instead of encryption algorithms. For example, a common mistake is using a type of encoding to protect data, such as Base64 encoding. Base64 encoding is not an encryption algorithm and does not protect data. It can be reversed using Base64 decoding without the need for any additional shared knowledge (such as knowledge of a shared key). Techniques such as Base64, ROT13, GZip, LZW, Huffman coding, etc., should not be used for protecting data in place of encryption algorithms.
      • Use a key management system that provides features for secure generation, distribution, storage, change, and retirement or revocation of cryptographic keys.
      • Always initialize the initialization vectors (IVs) used in the algorithms with secure random values.
      • Always use cryptographically secure random IVs when using a block cipher in cipher-block chaining (CBC) mode.
        - A predictable IV can cause an affected system to be vulnerable to plaintext attacks. 
        - Use encryption in CBC mode instead of Electronic Codebook (ECB) mode.
        
      • Always incorporate an industry-accepted standard padding method, where padding is used prior to or during encryption.
      • Do not reuse the same cryptographic key for multiple purposes.
      • Use only approved, collision-resistant hash algorithms and methods with a salt value of appropriate strength that is generated using a secure random number generator.

      Imported from SD Elements: https://redhat.sdelements.com/bunits/psse-secure-development/group-2-extended-functionality-offerings/openshift-source-to-image-s2i-builder-image/tasks/phase/requirements/106-T60/

              gkamathe@redhat.com Gaurav Kamathe
              sdelements Jira-SD-Elements-Integration Bot