Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Redundant requirement about secure hash functions #2523

Closed
randomstuff opened this issue Jan 13, 2025 · 3 comments · Fixed by #2536
Closed

Redundant requirement about secure hash functions #2523

randomstuff opened this issue Jan 13, 2025 · 3 comments · Fixed by #2536
Labels
6) PR awaiting review V6 _5.0 - prep This needs to be addressed to prepare 5.0

Comments

@randomstuff
Copy link
Contributor

randomstuff commented Jan 13, 2025
edited
Loading

6.6.1 and 6.6.3 look very much the same to me:

# Description L1 L2 L3 CWE
6.6.1 [ADDED] Verify that only approved hash functions are used for general cryptographic use cases, including digital signatures, HMAC, KDF, and random bit generation.
6.6.3 [ADDED, SPLIT FROM 6.2.5] Verify that cryptographic systems avoid the use of disallowed hash functions, such as MD5, SHA-1, or any other insecure hash functions, for any cryptographic purpose.

A disapproved hash function cannot be approved right? So if we check that they are approved, we also check they are not disallowed?

By the way should be say "cryptographic hash functions" everywhere. For example, SipHash might very well be an approved hash function but is not an approved cryptographic hash functions. (Sure, we are in the cryptography chapter but still …).
@jmanico
Copy link
Member

jmanico commented Jan 13, 2025

Based on your comment and observation, it looks like 6.6.3 should go away.

@elarlang elarlang added the V6 label Jan 13, 2025
@elarlang
Copy link
Collaborator

Yes, seems like those are duplicates.

6.6.1 can not be just ADDED, as there was something on the topic in v4.0.3.

I think the modification tag needs to point to v4.0.3-6.2.3.

The modification tag for current 6.6.3 must be reviewed as well:

@elarlang elarlang added 1) Discussion ongoing Issue is opened and assigned but no clear proposal yet _5.0 - prep This needs to be addressed to prepare 5.0 labels Jan 13, 2025
tghosth added a commit that referenced this issue Jan 19, 2025
@tghosth
Remove duplicates and tidy tags to resolve #2523
4107145
@tghosth tghosth linked a pull request Jan 19, 2025 that will close this issue
Remove duplicates and tidy tags to resolve #2523 #2536
Merged
@tghosth tghosth mentioned this issue Jan 19, 2025
Merged
@tghosth
Copy link
Collaborator

tghosth commented Jan 19, 2025

@elarlang do you think this handles it:
#2536

@tghosth tghosth added 6) PR awaiting review and removed 1) Discussion ongoing Issue is opened and assigned but no clear proposal yet labels Jan 19, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
6) PR awaiting review V6 _5.0 - prep This needs to be addressed to prepare 5.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Remove duplicates and tidy tags to resolve #2523 OWASP/ASVS
4 participants
@jmanico @randomstuff @tghosth @elarlang