Use secure cryptographic mechanisms

Summary

The system must use the most secure cryptographic mechanism provided by the platform (e.g., java.security.SecureRandom) for random number generation used in critical processes (e.g., ID generation, code mapping, cryptographic keys).

Description

The system's cryptographic keys are essential for maintaining the confidentiality and integrity of transactions and communications. Some of these keys and other critical elements are generated using random numbers. In these cases, the random numbers themselves must be generated using secure mechanisms, which have often already been implemented by the platform.

Supported In

This requirement is verified in following services

Plan	Supported
Machine	🟢
Squad	🟢

References

• CAPEC™-20. Encryption brute forcing
• CAPEC™-94. Adversary in the middle (AiTM)
• CAPEC™-117. Interception
• CAPEC™-151. Identity spoofing
• CAPEC™-216. Communication channel manipulation
• CAPEC™-272. Protocol manipulation
• CAPEC™-594. Traffic injection
• CIS-3_10. Encrypt sensitive data in transit
• CWE™-321. Use of hard-coded cryptographic key
• CWE™-326. Inadequate encryption strength
• CWE™-327. Use of a broken or risky cryptographic algorithm
• CWE™-331. Insufficient entropy
• CWE™-340. Generation of predictable numbers or identifiers
• NIST 800-53-IA-7. Cryptographic module authentication
• OWASP TOP 10-A4. Insecure design
• OWASP-M TOP 10-M3. Insecure communication threat agents
• OWASP-M TOP 10-M5. Insufficient cryptography
• NIST Framework-PR_PT-4. Communications and control networks are protected
• BIZEC-APP-APP-05. Directory traversal
• NYDFS-500_15. Encryption of nonpublic information
• MITRE ATT&CK®-M1025. Privileged process integrity
• PA-DSS-2_5_1. Generation of strong cryptographic keys
• PA-DSS-5_2_3. Insecure cryptographic storage
• SANS 25-15. Use of Hard-coded Credentials
• CMMC-MP_L2-3_8_6. Portable storage encryption
• CMMC-SC_L1-3_13_1. Boundary protection
• CMMC-SC_L2-3_13_8. Data in transit
• HITRUST CSF-01_y. Teleworking
• HITRUST CSF-06_f. Regulation of cryptographic controls
• HITRUST CSF-09_m. Network controls
• HITRUST CSF-09_s. Information exchange policies and procedures
• HITRUST CSF-09_y. On-line transactions
• HITRUST CSF-10_d. Message integrity
• HITRUST CSF-10_f. Policy on the use of cryptographic controls
• FedRAMP-CM-3_6. Baseline configuration - Cryptography management
• FedRAMP-SC-8_1. Cryptographic or alternate physical protection
• FedRAMP-SC-13. Cryptographic protection
• ISO/IEC 27002-8_24. Use of cryptography
• ISA/IEC 62443-SI-3_1. Communication integrity
• OSSTMM3-10_7_2. Telecommunications security (controls verification) - Confidentiality
• OSSTMM3-11_7_2. Data networks security (controls verification) - Confidentiality
• OSSTMM3-11_7_4. Data networks security (controls verification) - Integrity
• NIST SSDF-PS_2_1. Provide a mechanism for verifying software release integrity
• PTES-7_7. Post Exploitation - Persistence
• OWASP Top 10 Privacy Risks-P2. Operator-sided data leakage
• MVSP-2_8. Application design controls - Encryption
• OWASP SCP-6. Cryptographic practices
• BSAFSS-SM_3-2. Supply chain data is protected
• BSAFSS-EN_2-5. Avoid weak encryption
• OWASP MASVS-V1_8. Architecture, design and threat modeling requirements
• OWASP MASVS-V3_4. Cryptography requirements
• NIST 800-171-1_13. Employ cryptographic mechanisms to protect the confidentiality of remote access sessions
• SWIFT CSCF-2_1. Internal data flow security
• OWASP ASVS-1_9_1. Communications architecture
• OWASP ASVS-2_6_2. Look-up secret verifier
• OWASP ASVS-2_9_3. Cryptographic verifier
• OWASP ASVS-3_2_4. Session binding
• OWASP ASVS-6_3_3. Random values
• C2M2-9_5_d. Implement data security for cybersecurity architecture
• PCI DSS-3_7_1. Generation of strong cryptographic keys
• PCI DSS-4_2_2. Strong cryptography to protect data
• SIG Lite-SL_30. Are encryption tools managed and maintained for Scoped Data?
• SIG Core-D_6_1. Asset and information management
• SIG Core-D_6_11_1. Asset and information management
• OWASP ASVS-3_2_2. Session binding
• OWASP ASVS-6_2_8. Algorithms
• OWASP ASVS-6_3_2. Random values
• ISO/IEC 27001-8_24. Use of cryptography
• CASA-1_9_1. Communications Architecture
• CASA-2_9_3. Cryptographic Verifier
• CASA-6_2_8. Algorithms
• CASA-6_3_2. Random Values
• CASA-6_3_3. Random Values
• Resolution SB 2021 2126-Art_26_11_h. Information Security
• Resolution SB 2021 2126-Art_27_8. Security in Electronic Channels
• Resolution SB 2021 2126-Art_28_1. Security in Electronic Channels - ATMs

Vulnerabilities

• 034. Insecure generation of random numbers
• 078. Insecurely generated token
• 395. Insecure generation of random numbers - Static IV
• 411. Insecure encryption algorithm - Default encryption

free trial

Search for vulnerabilities in your apps for free with our automated security testing! Start your 21-day free trial and discover the benefits of our Continuous Hacking Machine Plan. If you prefer a full service that includes the expertise of our ethical hackers, don't hesitate to contact us for our Continuous Hacking Squad Plan.