Failure to Add Integrity Check Value

From Guidance Share

Jump to: navigation, search

Contents

Description

The failure to encrypt data passes up the guarantees of confidentiality, integrity, and accountability that properly implemented encryption conveys.

Applies To

  • Languages: Any
  • Operating platform: Any

Example

The following example reads and writes sensitive network data without encrypting it:

server.sin_family = AF_INET;
hp = gethostbyname(argv[1]);
if (hp==NULL) error("Unknown host");
memcpy( (char *)&server.sin_addr,(char *)hp->h_addr,hp->h_length);
if (argc < 3) port = 80;
else port = (unsigned short)atoi(argv[3]);
server.sin_port = htons(port); 
if (connect(sock, (struct sockaddr *)&server, sizeof server) < 0)
error("Connecting");
...
while ((n=read(sock,buffer,BUFSIZE-1))!=-1){
write(dfd,password_buffer,n);

Impact

  • Confidentiality: Properly encrypted data channels ensure data confidentiality.
  • Integrity: Properly encrypted data channels ensure data integrity.
  • Accountability: Properly encrypted data channels ensure accountability.

Vulnerabilities

  • Failure to encrypt sensitive data

Countermeasures

  • Requirements specification: require that encryption be integrated into the system.
  • Design: Ensure that encryption is properly integrated into the system design, not simply as a drop-in replacement for sockets.

Vulnerability Patterns

How Tos

Personal tools