Missing Cryptographic Step

Status: Draft
Abstraction: Base
Structure: Simple

Description

The product does not implement a required step in a cryptographic algorithm, resulting in weaker encryption than advertised by the algorithm.

Common Consequences

Scope: Access Control
Impact: Bypass Protection Mechanism

Scope: Confidentiality, Integrity
Impact: Read Application Data, Modify Application Data

Scope: Accountability, Non-Repudiation
Impact: Hide Activities

Demonstrative Examples

The example code is taken from the HMAC engine inside the buggy OpenPiton SoC of HACK@DAC'21 [REF-1358]. HMAC is a message authentication code (MAC) that uses both a hash function and a secret cryptographic key. The HMAC engine in the HACK@DAC SoC uses the SHA-256 module to calculate the HMAC of 512-bit messages.

Code Example (Bad), Verilog:

    logic [511:0] bigData;
    ...
    hmac hmac(
        .message_i(bigData),
        .hash_o(hash),
        .ready_o(ready),
        .hash_valid_o(hashValid)
    );

However, this HMAC engine cannot handle messages longer than 512 bits. A complete HMAC is built on an iterated hash function, which breaks a message into blocks of a fixed size and feeds them one after another through a compression function (e.g., SHA-256). The HMAC implementation in the OpenPiton SoC therefore omits this iteration step and is incomplete. Such an HMAC engine is unusable in real-world applications, where messages are usually longer than 512 bits. For instance, OpenTitan offers a comprehensive HMAC implementation that uses a FIFO to temporarily store the message as it is split into blocks, as detailed in [REF-1359].

To mitigate this, implement the iterative function that breaks a message into blocks of a fixed size and processes each block in turn.
Observed Examples

CVE-2001-1585: Missing challenge-response step allows authentication bypass using public key.
References

[REF-1359] HMAC HWIP Technical Specification, 2023.
Applicable Platforms

Languages: Not Language-Specific (Undetermined)
Technologies: Not Technology-Specific (Undetermined)
Modes of Introduction
  • Implementation
  • Requirements
Functional Areas
  1. Cryptography
Taxonomy Mapping
  • PLOVER
  • OWASP Top Ten 2007
  • OWASP Top Ten 2007
Notes

Relationship: Overlaps incomplete/missing security check.
Relationship: Can be resultant.