Adds to OWASP/mastg#2588 [MASWE-0024] Weak Message Authentication Codes (MAC)

weaknesses/MASVS-CRYPTO/MASWE-0024.md

@@ -31,3 +31,33 @@ status: placeholder
 
 ---
 
+## Overview
+
+Improper use of a MAC, e.g., not using proper nonces or timestamps, may allow MAC forgeries, making it possible to compromise the authenticity and integrity of the data.
+Not applying the MAC in the correct order when using CBC mode during encryption, e.g., creating the MAC before encrypting the data instead of after to ensure the authenticity and integrity of the encrypted data.
+Another common issue is using an HMAC with any type of general-purpose hashing algorithm (like MD5, SHA-1, SHA-2, or even SHA-3) on low-entropy input, such as user-supplied passwords, PINs, or other user-controlled predictors. HMACs are not designed for use with low-entropy inputs or low-entropy keys. Using HMACs in this way will result in "weak" message digests that can easily be exploited.
+Deprecated or risky HMAC implementations like HMAC-MD5 or HMAC-SHA1 are vulnerable to collision attacks that would compromise the authenticity and integrity of the data. Collision attacks can also be made possible through truncating the HMAC digest. If truncating is necessary for interoperability, never truncate the digest below 128 bits and use the full HMAC whenever possible. Finally, never create checksums using non-cryptographically secure algorithms like CRC‑32, which are not meant for cryptographic purposes.
+
+## Impact
+
+- **Loss of authenticity**: Improper use of MAC may allow an attacker to compromise the authenticity of the data, making the data appear authentic.
+- **Loss of Integrity**: Improper use of MAC may allow an attacker to alter the data, thereby compromising its integrity.
+- **Loss of Confidentiality**: Using MAC for other purposes than authentication may lead to a complete loss of confidentiality.
+
+## Modes of Introduction
+
+- **Not including a timestamp**: Creating a MAC for message authentication without using a proper timestamp that can be validated to protect against MAC forgery.
+- **Using a MAC with low-entropy keys**: Using low-entropy inputs or low-entropy keys as input to a HMAC.
+- **Using a MAC with a predictor**: Using data controlled by the user to create a HMAC signature.
+- **Using a deprecated or risky MAC implementation**: Using e.g, HMAC-MD5 or HMAC-SHA1, which are known to be vulnerable to collision attacks.
+- **Using a non-cryptographically secure algorithm**: Using CRC‑32, which is not meant to be used for cryptographic purposes.
+- **Truncating the HMAC digest too much**: Truncating the final HMAC digest makes it shorter than 128 bits.
+
+## Mitigations
+
+- **Use MAC with a timestamp**: Generate the MAC over a message with the timestamp included. This should protect the application against replay attacks within a reasonable amount of time. Reasonable, meaning a time frame that is short enough to prevent an attacker from sending an identical message and long enough to allow the message to be sent and digested.
+- **Do not use HMAC together with a low-entropy key**: Ensure the keys used are generated using cryptographically secure PRNGs (CSPRNG) generate random numbers that pass statistical randomness tests, and are resilient against prediction attacks.
+- **Do not use a MAC together with a predictor**: Ensure that all inputs to the MAC are unpredictable and not controlled by the user or attacker. Never use user-controllable or predictable data as input to a MAC, as this can allow attackers to forge valid MACs.
+- **Do not use deprecated HMAC implementations**: Deprecated HMAC implementations could contain errors that allow for collision attacks. Therefore, only use recommended libraries and functions.
+- **Do not use non-cryptographically secure algorithms**: Algorithms like e.g. CRC‑32 are not meant to be used for cryptographic purposes.
+- **Use the complete HMAC digest and avoid truncation**: When possible, always use the complete HMAC digest. When truncating is necessary, never make it shorter than 128 bits.