Failure to Add Integrity Check Value
From Guidance Share
Contents |
[edit]
Description
The failure to encrypt data passes up the guarantees of confidentiality, integrity, and accountability that properly implemented encryption conveys.
[edit]
Applies To
- Languages: Any
- Operating platform: Any
[edit]
Example
The following example reads and writes sensitive network data without encrypting it:
server.sin_family = AF_INET;
hp = gethostbyname(argv[1]);
if (hp==NULL) error("Unknown host");
memcpy( (char *)&server.sin_addr,(char *)hp->h_addr,hp->h_length);
if (argc < 3) port = 80;
else port = (unsigned short)atoi(argv[3]);
server.sin_port = htons(port);
if (connect(sock, (struct sockaddr *)&server, sizeof server) < 0)
error("Connecting");
...
while ((n=read(sock,buffer,BUFSIZE-1))!=-1){
write(dfd,password_buffer,n);
[edit]
Impact
- Confidentiality: Properly encrypted data channels ensure data confidentiality.
- Integrity: Properly encrypted data channels ensure data integrity.
- Accountability: Properly encrypted data channels ensure accountability.
[edit]
Vulnerabilities
- Failure to encrypt sensitive data
[edit]
Countermeasures
- Requirements specification: require that encryption be integrated into the system.
- Design: Ensure that encryption is properly integrated into the system design, not simply as a drop-in replacement for sockets.
[edit]
Vulnerability Patterns
[edit]
