Implement perfect forward secrecy
Summary
Critical communications should travel through a secure channel that implements perfect forward secrecy.
Description
All communications between the client and the server should take place over channels that are protected and encrypted. Secure channels often use a single secret to encrypt all communications. Therefore, if that secret is breached, all past communications can be decrypted and compromised. Perfect forward secrecy is attained when each message in a conversation is encrypted using a different secret. Thus, if a secret is breached, only a small portion of a conversation can be compromised, which represents an increase in the overall security of the system.
Supported In
This requirement is verified in following services
| Plan | Supported |
|---|---|
| Machine | 🔴 |
| Squad | 🟢 |
References
- CAPEC™-117. Interception
- CWE™-319. Cleartext transmission of sensitive information
- OWASP TOP 10-A2. Cryptographic failures
- OWASP-M TOP 10-M3. Insecure communication threat agents
- NIST Framework-PR_PT-4. Communications and control networks are protected
- NYDFS-500_15. Encryption of nonpublic information
- PA-DSS-2_5_4. Cryptographic key changes for keys
- CMMC-AC_L2-3_1_13. Remote access confidentiality
- CMMC-SC_L1-3_13_1. Boundary protection
- CMMC-SC_L2-3_13_15. Communications authenticity
- HITRUST CSF-01_y. Teleworking
- HITRUST CSF-09_s. Information exchange policies and procedures
- FedRAMP-SC-8. Transmission confidentiality and integrity
- OSSTMM3-10_7_3. Telecommunications security (controls verification) - Privacy
- OSSTMM3-11_7_3. Data networks security (controls verification) - Privacy
- ISSAF-A_2_7. Assessment - Compromise remote users or sites
- PTES-2_17_1. Pre-engagement interactions - Emergency contact information
- PTES-4_5_3. Threat capability analysis - Communication mechanisms
- MVSP-2_8. Application design controls - Encryption
- OWASP SCP-9. Communication security
- OWASP SCP-14. General coding practices
- BSAFSS-VM_3-2. Vulnerability management
- NIST 800-171-1_13. Employ cryptographic mechanisms to protect the confidentiality of remote access sessions
- OWASP SAMM-OE_1. Enable communications for critical security-relevant data
- OWASP ASVS-2_7_4. Out of band verifier
- C2M2-9_5_c. Implement data security for cybersecurity architecture
- PCI DSS-3_4_2. Use secure remote-access technologies
- PCI DSS-3_7_9. Secure transmission and storage of cryptographic keys
- PCI DSS-4_2_1. Strong cryptography during transmission
- PCI DSS-8_3_2. Strong authentication for users and administrators is established
- SIG Lite-SL_78. Are applications used to transmit, process or store scoped data?
- SIG Lite-SL_160. Do agreements with third parties who have access or potential access to scoped data, address confidentiality, audit, security, and privacy, including but not limited to incident response, monitoring, data sharing and secure disposal of scoped data?
- SIG Core-D_6_1. Asset and information management
- SIG Core-H_4_1. Access control
- SIG Core-N_1_15_4. Network security
- SIG Core-U_1_9_15. Server security
- CASA-2_2_5. General Authenticator Security
- CASA-2_7_4. Out of Band Verifier
Vulnerabilities
Search for vulnerabilities in your apps for free with our automated security testing! Start your 21-day free trial and discover the benefits of our Continuous Hacking Machine Plan. If you prefer a full service that includes the expertise of our ethical hackers, don't hesitate to contact us for our Continuous Hacking Squad Plan.