
MASTG-TEST-0209: Insufficient Key Sizes

Overview

In this test case, we will look for the use of insufficient key sizes in iOS apps. To do this, we need to focus on the cryptographic frameworks and libraries that are available in iOS and the methods that are used to generate cryptographic keys.

Since you don't usually generate keys directly in CryptoKit (the library does that for you automatically), we'll focus on the CommonCrypto and Security libraries in this test.

Steps

  1. Run a static analysis tool such as radare2 for iOS on the app binary, or use a dynamic analysis tool like Frida for iOS, and look for uses of the cryptographic functions that generate keys.

Observation

The output should contain the disassembled code of the functions using CCCrypt or other cryptographic functions.

Evaluation

The test case fails if you can find the use of insufficient key sizes within the source code. For example, a 1024-bit key size is considered insufficient for RSA encryption, and a 128-bit key size is considered insufficient for AES encryption when quantum computing attacks are taken into account.
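To make the evaluation criteria concrete, the following Python checker is an added example (not part of MASTG or this test case) that applies the thresholds above to Swift source. It pairs each `kSecAttrKeyType*` constant with the `kSecAttrKeySizeInBits` value in the same attribute dictionary passed to `SecKeyCreateRandomKey`, and it reads the `kCCKeySizeAES*` constant given to `CCCrypt`. The sample source it scans is constructed for the example; EC key sizes are left unjudged because the test case gives no threshold for them.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Thresholds taken from this test case's Evaluation section: RSA keys below
# 2048 bits and AES keys below 256 bits are reported as insufficient.
# EC key sizes are not judged because the test case gives no threshold for them.
MIN_KEY_BITS = {"RSA": 2048, "AES": 256}

# CommonCrypto key-length constants from CommonCryptor.h, expressed in bits.
CC_KEY_SIZE_BITS = {
    "kCCKeySizeAES128": 128,
    "kCCKeySizeAES192": 192,
    "kCCKeySizeAES256": 256,
}

SEC_KEY_TYPE_RE = re.compile(r"kSecAttrKeyType(RSA|ECSECPrimeRandom|EC)\b")
# Matches "kSecAttrKeySizeInBits as String: 1024" (Swift) or
# "kSecAttrKeySizeInBits: @1024" (Objective-C) and captures the number.
SEC_KEY_SIZE_RE = re.compile(r"kSecAttrKeySizeInBits[^,\n]*?:\s*@?(\d+)")
CC_KEY_SIZE_RE = re.compile(r"\b(kCCKeySizeAES\d{3})\b")


@dataclass
class Finding:
    line: int
    algorithm: str
    bits: int
    minimum: int


def find_insufficient_key_sizes(source: str) -> List[Finding]:
    """Report key generation sites whose key size is below the page's thresholds.

    Security framework: the most recent kSecAttrKeyType* constant names the
    algorithm, and the kSecAttrKeySizeInBits value that follows it sets the
    size (simplification: the type entry is assumed to precede the size entry).
    CommonCrypto: the kCCKeySizeAES* constant passed to CCCrypt fixes the
    AES key length directly.
    """
    findings: List[Finding] = []
    current_type: Optional[str] = None

    for lineno, line in enumerate(source.splitlines(), start=1):
        type_match = SEC_KEY_TYPE_RE.search(line)
        if type_match:
            current_type = "RSA" if type_match.group(1) == "RSA" else "EC"

        size_match = SEC_KEY_SIZE_RE.search(line)
        if size_match and current_type in MIN_KEY_BITS:
            bits = int(size_match.group(1))
            minimum = MIN_KEY_BITS[current_type]
            if bits < minimum:
                findings.append(Finding(lineno, current_type, bits, minimum))

        for const in CC_KEY_SIZE_RE.findall(line):
            bits = CC_KEY_SIZE_BITS.get(const)
            if bits is not None and bits < MIN_KEY_BITS["AES"]:
                findings.append(Finding(lineno, "AES", bits, MIN_KEY_BITS["AES"]))

    return findings


# Constructed sample, not taken from any real app: one weak RSA key, one
# acceptable RSA key, one EC key and one CCCrypt call with a 128-bit AES key.
SAMPLE_SOURCE = """\
let weakRsa: [String: Any] = [
    kSecAttrKeyType as String: kSecAttrKeyTypeRSA,
    kSecAttrKeySizeInBits as String: 1024
]
let weakKey = SecKeyCreateRandomKey(weakRsa as CFDictionary, &error)

let strongRsa: [String: Any] = [
    kSecAttrKeyType as String: kSecAttrKeyTypeRSA,
    kSecAttrKeySizeInBits as String: 4096
]
let strongKey = SecKeyCreateRandomKey(strongRsa as CFDictionary, &error)

let ecAttrs: [String: Any] = [
    kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
    kSecAttrKeySizeInBits as String: 256
]

let status = CCCrypt(CCOperation(kCCEncrypt), CCAlgorithm(kCCAlgorithmAES),
                     CCOptions(kCCOptionPKCS7Padding), keyBytes, kCCKeySizeAES128,
                     iv, plaintext, plaintextLen, out, outLen, &moved)
"""

if __name__ == "__main__":
    for f in find_insufficient_key_sizes(SAMPLE_SOURCE):
        print(f"line {f.line}: {f.algorithm} key of {f.bits} bits "
              f"(minimum {f.minimum}) -> test case fails")
```

Run against the sample, the checker reports the 1024-bit RSA key and the `kCCKeySizeAES128` argument and stays silent on the 4096-bit RSA key; the same function can be pointed at decompiled or exported source from the radare2 or Frida step.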

Demos

MASTG-DEMO-0011: Uses of Insufficient Key Size in SecKeyCreateRandomKey with r2