Use secure cryptographic mechanisms
Summary
The system must use the most secure cryptographic mechanism provided by the platform (e.g., java.security.SecureRandom) for random number generation used in critical processes (e.g., ID generation, code mapping, cryptographic keys).
Description
The system's cryptographic keys are essential for maintaining the confidentiality and integrity of transactions and communications. Some of these keys and other critical elements are generated using random numbers. In these cases, the random numbers themselves must be generated using secure mechanisms, which have often already been implemented by the platform.
Supported In
This requirement is verified in following services
| Plan | Supported |
|---|---|
| Essential | 🟢 |
| Advanced | 🟢 |
References
- CAPEC™-20. Encryption brute forcing
- CAPEC™-94. Adversary in the middle (AiTM)
- CAPEC™-117. Interception
- CAPEC™-151. Identity spoofing
- CAPEC™-216. Communication channel manipulation
- CAPEC™-272. Protocol manipulation
- CAPEC™-594. Traffic injection
- CIS-3_10. Encrypt sensitive data in transit
- CWE™-321. Use of hard-coded cryptographic key
- CWE™-326. Inadequate encryption strength
- CWE™-327. Use of a broken or risky cryptographic algorithm
- CWE™-331. Insufficient entropy
- CWE™-340. Generation of predictable numbers or identifiers
- NIST 800-53-IA-7. Cryptographic module authentication
- OWASP TOP 10-A4. Insecure design
- OWASP-M TOP 10-M3. Insecure communication threat agents
- OWASP-M TOP 10-M5. Insufficient cryptography
- BIZEC-APP-APP-05. Directory traversal
- NYDFS-500_15. Encryption of nonpublic information
- MITRE ATT&CK®-M1025. Privileged process integrity
- PA-DSS-2_5_1. Generation of strong cryptographic keys
- PA-DSS-5_2_3. Insecure cryptographic storage
- SANS 25-18. Use of hard-coded credentials
- CMMC-MP_L2-3_8_6. Portable storage encryption
- CMMC-SC_L1-3_13_1. Boundary protection
- CMMC-SC_L2-3_13_8. Data in transit
- HITRUST CSF-01_y. Teleworking
- HITRUST CSF-06_f. Regulation of cryptographic controls
- HITRUST CSF-09_m. Network controls
- HITRUST CSF-09_s. Information exchange policies and procedures
- HITRUST CSF-09_y. On-line transactions
- HITRUST CSF-10_d. Message integrity
- HITRUST CSF-10_f. Policy on the use of cryptographic controls
- FedRAMP-CM-3_6. Baseline configuration - Cryptography management
- FedRAMP-SC-8_1. Cryptographic or alternate physical protection
- FedRAMP-SC-13. Cryptographic protection
- ISO/IEC 27002-8_24. Use of cryptography
- ISA/IEC 62443-SI-3_1. Communication integrity
- OSSTMM3-10_7_2. Telecommunications security (controls verification) - Confidentiality
- OSSTMM3-11_7_2. Data networks security (controls verification) - Confidentiality
- OSSTMM3-11_7_4. Data networks security (controls verification) - Integrity
- NIST SSDF-PS_2_1. Provide a mechanism for verifying software release integrity
- PTES-7_7. Post Exploitation - Persistence
- OWASP Top 10 Privacy Risks-P2. Operator-sided data leakage
- MVSP-2_8. Application design controls - Encryption
- OWASP SCP-6. Cryptographic practices
- BSAFSS-SM_3-2. Supply chain data is protected
- BSAFSS-EN_2-5. Avoid weak encryption
- NIST 800-171-1_13. Employ cryptographic mechanisms to protect the confidentiality of remote access sessions
- SWIFT CSCF-2_1. Internal data flow security
- OWASP ASVS-1_9_1. Communications architecture
- OWASP ASVS-2_6_2. Look-up secret verifier
- OWASP ASVS-2_9_3. Cryptographic verifier
- OWASP ASVS-3_2_4. Session binding
- OWASP ASVS-6_3_3. Random values
- C2M2-9_5_d. Implement data security for cybersecurity architecture
- PCI DSS-3_7_1. Generation of strong cryptographic keys
- PCI DSS-4_2_2. Strong cryptography to protect data
- SIG Lite-SL_30. Are encryption tools managed and maintained for Scoped Data?
- SIG Core-D_6_1. Asset and information management
- SIG Core-D_6_11_1. Asset and information management
- OWASP ASVS-3_2_2. Session binding
- OWASP ASVS-6_2_8. Algorithms
- OWASP ASVS-6_3_2. Random values
- ISO/IEC 27001-8_24. Use of cryptography
- CASA-1_9_1. Communications Architecture
- CASA-2_9_3. Cryptographic Verifier
- CASA-6_2_8. Algorithms
- CASA-6_3_2. Random Values
- CASA-6_3_3. Random Values
- Resolution SB 2021 2126-Art_26_11_h. Information Security
- Resolution SB 2021 2126-Art_27_8. Security in Electronic Channels
- Resolution SB 2021 2126-Art_28_1. Security in Electronic Channels - ATMs
- FISMA-IA-7. Cryptographic module authentication
- OWASP MASVS-CRYPTO-1. The app employs current strong cryptography and uses it according to industry best practices
- OWASP MASVS-NETWORK-1. The app secures all network traffic according to the current best practices
- CWE TOP 25-798. Use of hard-coded credentials
Vulnerabilities
- 034. Insecure generation of random numbers
- 078. Insecurely generated token
- 395. Insecure generation of random numbers - Static IV
- 411. Insecure encryption algorithm - Default encryption
free trial
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.