Skip to content

Latest commit

 

History

History
83 lines (68 loc) · 6.2 KB

threat-modeling.md

File metadata and controls

83 lines (68 loc) · 6.2 KB

Threat Model Analysis for krzyzanowskim/cryptoswift

Threat: Weak Key Derivation

  • Description: An attacker uses a brute-force or dictionary attack against a weak password or passphrase used with CryptoSwift's key derivation functions. The attacker tries many possible passwords, deriving a key from each, and attempts to decrypt data or forge a MAC.
    • Impact: Compromise of confidentiality (data decryption) or integrity (forged messages). Potential for privilege escalation.
    • Affected CryptoSwift Component: PBKDF1, PBKDF2, HKDF. Also, any direct use of a password as a key (e.g., AES(key: passwordData) without a KDF).
    • Risk Severity: High to Critical (depending on password strength and data sensitivity).
    • Mitigation Strategies:
      • Use a strong, randomly generated salt (at least 16 bytes) with CryptoSwift's KDFs.
      • Use a high iteration count for PBKDF2 (OWASP recommends at least 310,000 for SHA-256, increasing over time). Strongly consider Argon2id instead.
      • Store the salt, but never the derived key.

Threat: Predictable Initialization Vector (IV) Reuse

  • Description: An attacker exploits the reuse of the same IV with the same key in CryptoSwift's block cipher modes like CBC or CTR. With CBC, this leaks information. With CTR, it completely breaks confidentiality (equivalent to a reused one-time pad).
    • Impact: Loss of confidentiality; potential for partial or complete plaintext recovery.
    • Affected CryptoSwift Component: Block cipher modes: CBC, CTR, CFB, OFB. Any function accepting an iv parameter.
    • Risk Severity: High to Critical (depending on mode and data).
    • Mitigation Strategies:
      • Never reuse an IV with the same key.
      • Use CryptoSwift's randomBytes(count:) (or a system CSRNG) to generate a unique IV for each encryption.
      • For CTR, ensure the nonce (IV) is unique; a counter is often sufficient, but it must never repeat for a given key.

Threat: Padding Oracle Attack (CBC Mode)

  • Description: An attacker sends crafted ciphertexts to the application using CryptoSwift's CBC mode and observes responses (errors, timing) to determine padding validity, allowing byte-by-byte decryption.
    • Impact: Complete loss of confidentiality.
    • Affected CryptoSwift Component: CBC mode with PKCS7 padding. Functions using AES(..., blockMode: .cbc, padding: .pkcs7).
    • Risk Severity: High
    • Mitigation Strategies:
      • Use authenticated encryption (GCM, CCM) instead of CBC.
      • If CBC must be used, ensure the application does not leak padding error information (extremely difficult).
      • Use encrypt-then-MAC with CryptoSwift's HMAC, verifying the MAC before decryption.

Threat: Missing or Incorrect MAC Verification

  • Description: An attacker modifies ciphertext or associated data, and the application, using CryptoSwift for MAC, fails to verify or incorrectly verifies the MAC.
    • Impact: Loss of data integrity; processing of tampered data.
    • Affected CryptoSwift Component: HMAC, CMAC, authenticated encryption modes (GCM, CCM).
    • Risk Severity: High to Critical.
    • Mitigation Strategies:
      • Always use authenticated encryption (GCM, CCM) when possible.
      • If using a separate MAC (e.g., HMAC), always verify before decryption.
      • Use a strong MAC (HMAC-SHA256 or higher).
      • Ensure separate, secure keys for MAC and encryption.
      • Calculate the MAC over all data (ciphertext and associated data).
      • Use CryptoSwift's secureCompare for constant-time MAC comparison.

Threat: Use of Weak Hashing Algorithms

  • Description: An attacker exploits weaknesses in MD5 or SHA-1 (supported by CryptoSwift, but should not be used) to create collisions or perform preimage attacks.
    • Impact: Compromised data integrity; potential forgery.
    • Affected CryptoSwift Component: MD5, SHA1. Functions like Digest.md5(data), data.md5().
    • Risk Severity: High
    • Mitigation Strategies:
      • Never use MD5 or SHA-1 for security.
      • Use SHA-256, SHA-384, SHA-512, or SHA-3.

Threat: Insufficient Randomness

  • Description: An attacker exploits weak or predictable random number generation to guess keys, IVs, or salts used with CryptoSwift.
    • Impact: Compromise of confidentiality, integrity, and/or authentication.
    • Affected CryptoSwift Component: randomBytes(count:). Also, any code using a non-cryptographic PRNG for cryptographic material.
    • Risk Severity: Critical
    • Mitigation Strategies:
      • Always use a CSRNG.
      • Use CryptoSwift's randomBytes(count:) (relies on SecRandomCopyBytes on Apple platforms).
      • Ensure CryptoSwift is configured to use a secure random source on other platforms.
      • Never use arc4random() or similar for cryptography.

Threat: Incorrect Use of Stream Ciphers (CTR Mode)

  • Description: An attacker exploits incorrect usage of CTR mode in CryptoSwift, such as reusing the nonce (IV) or using a predictable nonce sequence.
    • Impact: Loss of confidentiality. Reusing a nonce in CTR mode is equivalent to reusing a one-time pad.
    • Affected CryptoSwift Component: CTR block cipher mode. Any function using AES(key:..., iv:..., blockMode: .ctr).
    • Risk Severity: Critical
    • Mitigation Strategies:
      • Never reuse a nonce with the same key in CTR mode.
      • A simple counter is often used, but it must be incremented correctly and never wrap around or repeat for a given key.
      • Ensure the counter is initialized to a unique value for each encryption.
      • Consider a random nonce, but uniqueness is paramount.