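Cryptography Defects

Defects related to incorrect use of OpenSSL cryptography routines

These defects are related to incorrect use of cryptography routines from the OpenSSL library. For example:

  • Use of cryptographically weak algorithms

  • Absence of essential elements such as a cipher key or initialization vector

  • Wrong order of cryptographic operations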

Polyspace Results

Constant block cipher initialization vector: Initialization vector is constant instead of randomized
Constant cipher key: Encryption or decryption key is constant instead of randomized
Inconsistent cipher operations: You perform encryption and decryption steps in succession with the same cipher context without a reinitialization in between
Missing block cipher initialization vector: Context used for encryption or decryption is associated with NULL initialization vector or not associated with an initialization vector
Missing cipher algorithm: An encryption or decryption algorithm is not associated with the cipher context
Missing cipher data to process: Final encryption or decryption step is performed without previous update steps
Missing cipher final step: You do not perform a final step after update steps for encrypting or decrypting data
Missing cipher key: Context used for encryption or decryption is associated with NULL key or not associated with a key
Predictable block cipher initialization vector: Initialization vector is generated from a weak random number generator
Predictable cipher key: Encryption or decryption key is generated from a weak random number generator
Weak cipher algorithm: Encryption algorithm associated with the cipher context is weak
Weak cipher mode: Encryption mode associated with the cipher context is weak
Context initialized incorrectly for cryptographic operation: Context used for public key cryptography operation is initialized for a different operation
Incorrect key for cryptographic algorithm: Public key cryptography operation is not supported by the algorithm used in context initialization
Missing data for encryption, decryption or signing operation: Data provided for public key cryptography operation is NULL or data length is zero
Missing parameters for key generation: Context used for key generation is associated with NULL parameters
Missing peer key: Context used for shared secret derivation is associated with NULL peer key or not associated with a peer key at all
Missing private key: Context used for cryptography operation is associated with NULL private key or not associated with a private key at all
Missing public key: Context used for cryptography operation is associated with NULL public key or not associated with a public key at all
Nonsecure parameters for key generation: Context used for key generation is associated with weak parameters
Incompatible padding for RSA algorithm operation: Cryptography operation is not supported by the padding type set in context
Missing blinding for RSA algorithm: Context used in decryption or signature verification is not blinded against timing attacks
Missing padding for RSA algorithm: Context used in encryption or signing operation is not associated with any padding
Nonsecure RSA public exponent: Context used in key generation is associated with low exponent value
Weak padding for RSA algorithm: Context used in encryption or signing operation is associated with insecure padding type
Context initialized incorrectly for digest operation: Context used for digest operation is initialized for a different digest operation
Missing final step after hashing update operation: Hash is incomplete or non-secure
Missing hash algorithm: Context in EVP routine is initialized without a hash algorithm
Missing salt for hashing operation: Hashed data is vulnerable to rainbow table attack
No data added into context: Performing hash operation on empty context might cause run-time errors
Nonsecure hash algorithm: Context used for message digest creation is associated with weak algorithm
Missing certification authority list: Certificate for authentication cannot be trusted
Missing private key for X.509 certificate: Missing key might result in run-time error or non-secure encryption
Missing X.509 certificate: Server or client cannot be authenticated
Nonsecure SSL/TLS protocol: Context used for handling SSL/TLS connections is associated with weak protocol
Server certificate common name not checked: Attacker might use valid certificate to impersonate trusted host
TLS/SSL connection method not set: Program cannot determine whether to call client or server routines
TLS/SSL connection method set incorrectly: Program calls functions that do not match role set by connection method
X.509 peer certificate not checked: Connection might be vulnerable to man-in-the-middle attacks
