CybOX 3.0: HashType Refactoring

Ivan Kirillov edited this page Oct 27, 2015 · 26 revisions

Issue Description

There are two main issues with the current structure for characterizing cryptographic hashes in CybOX, the HashType:

  1. The structure is overly verbose and heavyweight for the capture of ubiquitous types of hash values such as MD5, SHA1, and SHA256. Currently, users must first specify the correct value from the default HashNameVocab vocabulary, populate the Type field with this value and set its xsi:type to point to the vocabulary, and then finally populate the Simple_Hash_Value field with the actual hash value:
  <Type xsi:type="HashNameVocab-1.0">MD5</Type>
  <Simple_Hash_Value>3773a88f65a5e780c8dff9cdc3a056f3</Simple_Hash_Value>
  2. The structure has separate fields for capturing simple and fuzzy hash values, both fundamentally string values. This seems an unnecessary distinction, as specifying the type of a hash (e.g., SSDeep) provides the necessary context for identifying it as simple or fuzzy.
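
The second point can be checked directly. The following Python code is an added example, not part of the original page or the CybOX project: it collapses 2.x-style Hash elements into a flat type-to-value mapping and relies only on Type to distinguish simple from fuzzy hashes. The flat dictionary is an assumed illustrative target, not the proposed CybOX 3.0 structure; the sample XML (namespaces omitted as in the snippet above, SSDEEP value made up) is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample input: one simple and one fuzzy hash in the 2.x layout.
# Only the xsi prefix is declared so that the xsi:type attribute parses.
SAMPLE = """
<Hashes xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Hash>
    <Type xsi:type="HashNameVocab-1.0">MD5</Type>
    <Simple_Hash_Value>3773a88f65a5e780c8dff9cdc3a056f3</Simple_Hash_Value>
  </Hash>
  <Hash>
    <Type xsi:type="HashNameVocab-1.0">SSDEEP</Type>
    <Fuzzy_Hash_Value>3:AXGBicFlgVNhBGcL6wCrFQEv:AXGHsNhxLsr2C</Fuzzy_Hash_Value>
  </Hash>
</Hashes>
"""

# The two string-valued fields the current HashType keeps apart.
VALUE_FIELDS = ("Simple_Hash_Value", "Fuzzy_Hash_Value")


def local(tag):
    """Strip a '{namespace}' prefix so namespaced documents also work."""
    return tag.rsplit("}", 1)[-1]


def flatten_hashes(xml_text):
    """Return {hash type: value}, ignoring which value field carried it.

    For untrusted XML, parse with a hardened parser such as defusedxml.
    """
    result = {}
    for hash_el in ET.fromstring(xml_text).iter():
        if local(hash_el.tag) != "Hash":
            continue
        fields = {local(c.tag): (c.text or "").strip() for c in hash_el}
        values = [fields[f] for f in VALUE_FIELDS if fields.get(f)]
        # A Hash with no Type, no value, or both value fields is ambiguous.
        if not fields.get("Type") or len(values) != 1:
            raise ValueError("Hash needs a Type and exactly one value field")
        result[fields["Type"]] = values[0]
    return result


if __name__ == "__main__":
    print(flatten_hashes(SAMPLE))
```

Nothing is lost in the flattened form: the SSDEEP key alone tells a consumer the value is a fuzzy hash.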