Verification Bugs (VRF) Class
Definition
We define Verification Bugs (VRF) as [1]:
The software does not properly sign data, check and prove source, or assure data is not altered.
Note that "check" refers to identity authentication, "prove" to origin (signer) non-repudiation, and "not altered" to integrity authentication.
Type
Taxonomy
Fig. 1 depicts VRF causes, attributes and consequences.
Fig. 1. Verification Bugs (VRF) Class
Attributes
Verified Data – Secret, Public.
This is the data that needs verification. It may be confidential (secret) or public. Secret data could be cryptographic hashes, secret keys, or keying material. Public data could be signed contracts, documents, or public keys.
Algorithm – Hash Function + PRN, Message Authentication Code (MAC), Digital Signature.
Hash functions are used for integrity authentication; they may be combined with a pseudo-random number (PRN). A MAC is a symmetric key algorithm (one secret key shared between a source and its verifier), used for integrity authentication and identity authentication. It needs authentication code generation and verification: the source computes a tag over the data with the key, and the verifier recomputes the tag from the same key and the received data and compares it with the received tag. Because the verifier holds the same key as the source, a MAC cannot provide origin non-repudiation. A Digital Signature is an asymmetric key algorithm (a key pair), used for integrity authentication, identity authentication, and origin (signer) non-repudiation. It needs key generation, signature generation, and signature verification. MAC and Digital Signature depend on KMN and, recursively, on VRF.
Security Service – Data Integrity Authentication, Identity Authentication, Origin (Signer) Non-Repudiation.
This is the security service that the failed verification was supposed to provide. Integrity Authentication covers data and keys. Identity Authentication and Origin Non-Repudiation are forms of source authentication.
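As an added example (not part of the original BF page), the following Python, using only the standard library, walks through the Algorithm and Security Service attributes above: an unkeyed hash is recomputable by anyone, so it cannot authenticate data an attacker controls; an HMAC tag gives integrity and identity authentication to whoever holds the shared key; a verifier that skips the comparison when the tag is absent is a VRF bug of the "does not properly check" kind; and a MAC gives no origin non-repudiation because the verifier can forge tags. The key, message and function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample data (not from the page): a MAC key shared by the source and
# the verifier, and a message whose integrity and source must be verified.
# In practice the key comes from key management (KMN), never from a literal.
KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")
MESSAGE = b"transfer 100.00 to account 4242"
TAG_LEN = hashlib.sha256().digest_size


def sha256_digest(data: bytes) -> bytes:
    """Unkeyed hash: integrity against accidental change only."""
    return hashlib.sha256(data).digest()


def verify_hash(data: bytes, digest: bytes) -> bool:
    """Checks an unkeyed hash. An attacker who can alter the data can also
    recompute the digest, so this authenticates neither data nor source."""
    return hmac.compare_digest(sha256_digest(data), digest)


def mac_tag(key: bytes, data: bytes) -> bytes:
    """Authentication code generation: the source tags the data with the shared key."""
    return hmac.new(key, data, hashlib.sha256).digest()


def verify_mac(key: bytes, data: bytes, tag: bytes) -> bool:
    """Proper check: reject a missing or wrong-length tag, recompute the tag over
    the received data, and compare in constant time."""
    if len(tag) != TAG_LEN:
        return False
    expected = mac_tag(key, data)
    return hmac.compare_digest(expected, tag)


def verify_mac_buggy(key: bytes, data: bytes, tag: bytes) -> bool:
    """VRF bug (hypothetical, for contrast): the check is skipped when no tag is
    present, so unauthenticated data is accepted as verified."""
    if not tag:
        return True
    return hmac.compare_digest(mac_tag(key, data), tag)


def forge_as_verifier(key: bytes, data: bytes) -> bytes:
    """The verifier holds the same secret key as the source, so it can produce a
    valid tag for data the source never sent. A MAC therefore cannot prove to a
    third party who created the data: no origin non-repudiation."""
    return mac_tag(key, data)


def demo() -> dict:
    """Run the checks and return the outcomes so they can be inspected or asserted."""
    tag = mac_tag(KEY, MESSAGE)
    tampered = MESSAGE.replace(b"100.00", b"900.00")
    never_sent = b"refund 500.00 to account 9999"
    return {
        "genuine_accepted": verify_mac(KEY, MESSAGE, tag),
        "tampered_rejected": not verify_mac(KEY, tampered, tag),
        "missing_tag_rejected": not verify_mac(KEY, MESSAGE, b""),
        "buggy_accepts_missing_tag": verify_mac_buggy(KEY, MESSAGE, b""),
        # Attacker replaces both data and unkeyed hash; the check still passes.
        "unkeyed_hash_forgeable": verify_hash(tampered, sha256_digest(tampered)),
        # Verifier forges a tag with the shared key; the MAC check passes.
        "verifier_forgery_passes": verify_mac(KEY, never_sent, forge_as_verifier(KEY, never_sent)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The contrast between `verify_mac` and `verify_mac_buggy` is the whole VRF point: both compute the right tag, but only one refuses to treat untagged data as verified. The forgery by the verifier is why the page lists non-repudiation only under Digital Signature.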
Causes
Sites
VRF is a high-level class, so sites do not apply.
Related BF Classes
BF classes related to VRF are: KMN, RND, ENC, ATN, IEX.
Related CWEs and SFPs
BF Descriptions of VRF Related CWEs are provided here.
Application
Application examples are provided here.
References
[1] Bojanova, I., Black, P. E., Yesha, Y., Cryptography Classes in Bugs Framework (BF): Encryption Bugs (ENC), Verification Bugs (VRF), and Key Management Bugs (KMN). IEEE Software Technology Conference (STC 2017), NIST, Gaithersburg, USA, September 25-28, 2017.