diff --git a/demos/android/MASVS-CRYPTO/MASTG-DEMO-0022/MASTG-DEMO-0022.md b/demos/android/MASVS-CRYPTO/MASTG-DEMO-0022/MASTG-DEMO-0022.md index 6317d18bf7..b0975f17d5 100644 --- a/demos/android/MASVS-CRYPTO/MASTG-DEMO-0022/MASTG-DEMO-0022.md +++ b/demos/android/MASVS-CRYPTO/MASTG-DEMO-0022/MASTG-DEMO-0022.md @@ -1,6 +1,6 @@ --- platform: android -title: Uses of Insecure Encryption Algorithms in Cipher with semgrep +title: Uses of Insecure Symmetric Encryption Algorithms in Cipher with semgrep id: MASTG-DEMO-0022 code: [kotlin] test: MASTG-TEST-0221 @@ -28,8 +28,4 @@ The rule has identified two instances in the code file where insecure encryption ### Evaluation -The test fails due to the use of weak encryption algorithms, specifically: - -- DES (56-bit key, breakable, [withdrawn by NIST in 2005](https://csrc.nist.gov/pubs/fips/46-3/final)) -- 3DES (Weak 64-bit blocks, vulnerable to the [Sweet32 Attack](https://sweet32.info/), [withdrawn by NIST on January 1, 2024](https://csrc.nist.gov/pubs/sp/800/67/r2/final)) -- RC4 (Biased key stream, allows plaintext recovery [RC4 Weakness](https://www.rc4nomore.com/), disapproved by [NIST](https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-52r1.pdf) in 2014 and prohibited by [IETF](https://datatracker.ietf.org/doc/html/rfc7465) in 2015) +The test fails due to the use of weak encryption algorithms, specifically DES, 3DES, RC4 and Blowfish. See @MASTG-TEST-0221 for more information. diff --git a/demos/android/MASVS-CRYPTO/MASTG-DEMO-0023/MASTG-DEMO-0023.md b/demos/android/MASVS-CRYPTO/MASTG-DEMO-0023/MASTG-DEMO-0023.md index a461115d11..667f1a79f7 100644 --- a/demos/android/MASVS-CRYPTO/MASTG-DEMO-0023/MASTG-DEMO-0023.md +++ b/demos/android/MASVS-CRYPTO/MASTG-DEMO-0023/MASTG-DEMO-0023.md @@ -30,4 +30,4 @@ The rule has identified six instances in the code file where insecure encryption The test fails since the output contains several instances of the ECB mode of AES in different transformations explicitly or implicitly (ECB is the default mode for AES if not specified). -The [ECB mode of operation](https://csrc.nist.gov/pubs/sp/800/38/a/final) is generally discouraged [see NIST announcement in 2023](https://csrc.nist.gov/news/2023/decision-to-revise-nist-sp-800-38a) due to its inherent security weaknesses. While not explicitly prohibited, its use is limited and advised against in most scenarios. Google Play Store policies also [restrict the use of ECB mode](https://support.google.com/faqs/answer/10046138) for encryption. +See @MASTG-TEST-0232 for more information.