Update MASTG-DEMO-0022 and MASTG-DEMO-0023 to refer to the corresp. tests for more info in the evaluation.
cpholguera committed Feb 1, 2025
1 parent 6e3ee3c commit e6fa23e
Showing 2 changed files with 3 additions and 7 deletions.
8 changes: 2 additions & 6 deletions demos/android/MASVS-CRYPTO/MASTG-DEMO-0022/MASTG-DEMO-0022.md
@@ -1,6 +1,6 @@
---
platform: android
title: Uses of Insecure Encryption Algorithms in Cipher with semgrep
title: Uses of Insecure Symmetric Encryption Algorithms in Cipher with semgrep
id: MASTG-DEMO-0022
code: [kotlin]
test: MASTG-TEST-0221
@@ -28,8 +28,4 @@ The rule has identified two instances in the code file where insecure encryption

### Evaluation

The test fails due to the use of weak encryption algorithms, specifically:

- DES (56-bit key, breakable, [withdrawn by NIST in 2005](https://csrc.nist.gov/pubs/fips/46-3/final))
- 3DES (Weak 64-bit blocks, vulnerable to the [Sweet32 Attack](https://sweet32.info/), [withdrawn by NIST on January 1, 2024](https://csrc.nist.gov/pubs/sp/800/67/r2/final))
- RC4 (Biased key stream, allows plaintext recovery [RC4 Weakness](https://www.rc4nomore.com/), disapproved by [NIST](https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-52r1.pdf) in 2014 and prohibited by [IETF](https://datatracker.ietf.org/doc/html/rfc7465) in 2015)
The test fails due to the use of weak encryption algorithms, specifically DES, 3DES, RC4 and Blowfish. See @MASTG-TEST-0221 for more information.
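Review bot: the replacement line at the end of the hunk lists four algorithms (DES, 3DES, RC4 and Blowfish) while the unchanged context in the hunk header says the rule identified two instances, and Blowfish did not appear in the three removed bullets; confirm that the demo's sample code and the rule output actually cover all four, or name only the algorithms the output shows. The removed bullets also carried the FIPS 46-3, SP 800-67r2, SP 800-52r1 and RFC 7465 references that justified the verdict, so check that @MASTG-TEST-0221 preserves them, otherwise readers of this demo are left with no citation for why each algorithm is considered weak.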
@@ -30,4 +30,4 @@ The rule has identified six instances in the code file where insecure encryption

The test fails since the output contains several instances of the ECB mode of AES in different transformations explicitly or implicitly (ECB is the default mode for AES if not specified).

The [ECB mode of operation](https://csrc.nist.gov/pubs/sp/800/38/a/final) is generally discouraged [see NIST announcement in 2023](https://csrc.nist.gov/news/2023/decision-to-revise-nist-sp-800-38a) due to its inherent security weaknesses. While not explicitly prohibited, its use is limited and advised against in most scenarios. Google Play Store policies also [restrict the use of ECB mode](https://support.google.com/faqs/answer/10046138) for encryption.
See @MASTG-TEST-0232 for more information.
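Review bot: the removed paragraph was the only place in this Evaluation section that cited the basis for the verdict (NIST SP 800-38A, the 2023 NIST decision to revise it, and the Google Play policy restricting ECB), and the added line only points to @MASTG-TEST-0232; verify that the test page carries those references before merging, otherwise the demo no longer explains why ECB fails. The retained sentence about ECB being the default AES mode when none is specified still stands on its own.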
