rspec/rules/S3329/common/fix/fix.adoc

==== Use unique IVs

To ensure high security, initialization vectors must meet two important
criteria:

* IVs must be unique for each encryption operation.
* For CBC and CFB modes, a secure FIPS-compliant random number generator should be used to generate unpredictable IVs.

The IV does not need be secret, so the IV or information sufficient to determine the
IV may be transmitted along with the ciphertext.

In the previous non-compliant example, the problem is not that the IV is
hard-coded. +
It is that the same IV is used for multiple encryption attempts.
Modify S3329: Learn-As-You-Code migration (#2293) ## Review A dedicated reviewer checked the rule description successfully for: - [x] logical errors and incorrect information - [x] information gaps and missing content - [x] text style and tone - [x] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule) --------- Co-authored-by: hendrik-buchwald-sonarsource <64110887+hendrik-buchwald-sonarsource@users.noreply.github.com> 2023-06-28 17:25:56 +02:00			`==== Use unique IVs`

APPSEC-843 Modify S3329: Mention FIPS-compliant PRNG (#2904) ## Review A dedicated reviewer checked the rule description successfully for: - [ ] logical errors and incorrect information - [ ] information gaps and missing content - [ ] text style and tone - [ ] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule) --------- Co-authored-by: daniel-teuchert-sonarsource <141642369+daniel-teuchert-sonarsource@users.noreply.github.com> 2023-08-21 09:55:20 +02:00			`To ensure high security, initialization vectors must meet two important`
			`criteria:`
Modify S3329: Learn-As-You-Code migration (#2293) ## Review A dedicated reviewer checked the rule description successfully for: - [x] logical errors and incorrect information - [x] information gaps and missing content - [x] text style and tone - [x] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule) --------- Co-authored-by: hendrik-buchwald-sonarsource <64110887+hendrik-buchwald-sonarsource@users.noreply.github.com> 2023-06-28 17:25:56 +02:00
APPSEC-843 Modify S3329: Mention FIPS-compliant PRNG (#2904) ## Review A dedicated reviewer checked the rule description successfully for: - [ ] logical errors and incorrect information - [ ] information gaps and missing content - [ ] text style and tone - [ ] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule) --------- Co-authored-by: daniel-teuchert-sonarsource <141642369+daniel-teuchert-sonarsource@users.noreply.github.com> 2023-08-21 09:55:20 +02:00			`* IVs must be unique for each encryption operation.`
			`* For CBC and CFB modes, a secure FIPS-compliant random number generator should be used to generate unpredictable IVs.`

			`The IV does not need be secret, so the IV or information sufficient to determine the`
			`IV may be transmitted along with the ciphertext.`
Modify S3329: Learn-As-You-Code migration (#2293) ## Review A dedicated reviewer checked the rule description successfully for: - [x] logical errors and incorrect information - [x] information gaps and missing content - [x] text style and tone - [x] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule) --------- Co-authored-by: hendrik-buchwald-sonarsource <64110887+hendrik-buchwald-sonarsource@users.noreply.github.com> 2023-06-28 17:25:56 +02:00
APPSEC-843 Modify S3329: Mention FIPS-compliant PRNG (#2904) ## Review A dedicated reviewer checked the rule description successfully for: - [ ] logical errors and incorrect information - [ ] information gaps and missing content - [ ] text style and tone - [ ] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule) --------- Co-authored-by: daniel-teuchert-sonarsource <141642369+daniel-teuchert-sonarsource@users.noreply.github.com> 2023-08-21 09:55:20 +02:00			`In the previous non-compliant example, the problem is not that the IV is`
			`hard-coded. +`
			`It is that the same IV is used for multiple encryption attempts.`