-
Couldn't load subscription status.
- Fork 18
CybOX 3.0: HashType Refactoring
Ivan Kirillov edited this page Oct 27, 2015
·
26 revisions
There are two main issues with the current structure for characterizing cryptographic hashes in CybOX, the HashType:
- The structure is overly verbose and heavyweight for the capture of ubiquitous types of hash values such as MD5, SHA1, and SHA256. Currently, users must first specify the correct value from the default
HashNameVocabvocabulary, populate theTypefield with this value and set its xsi:type to point to the vocabulary, and then finally populate theSimple_Hash_Valuefield with the actual hash value:
<Type xsi:type="HashNameVocab-1.0">MD5</Type>
<Simple_Hash_Value>3773a88f65a5e780c8dff9cdc3a056f3</Simple_Hash_Type>- The structure has separate fields for capturing simple and fuzzy hash values, both fundamentally string values. This seems an unnecessary distinction, as simply specifying the type of a hash (e.g., SSDeep) provides the necessary context for identifying it as simple or fuzzy.
For the capture of ubiquitous hash values, we propose the creation of a new CommonHashesType with the following fields:
| Field | Type | Description |
|---|---|---|
| md5_value | string | Specifies an MD5 hash value. |
| sha1_value | string | Specifies a SHA1 hash value. |
| sha256_value | string | Specifies a SHA256 hash value. |
Also, we propose refactoring the existing HashType, so that it has the following fields:
| Field | Type | Description |
|---|---|---|
| type | ControlledVocabularyStringType | Specifies the type of hash used in the hash_value field; the default vocabulary for this field is the HashNameVocab. |
| hash_value | string | Specifies a single cryptographic hash value, of the type defined in the type field. |
| fuzzy_hash_structure | FuzzyHashStructureType | Enables the characterization of the key internal components of a fuzzy hash calculation with a given block size. |