Skip to content

Cryptographic Vulnerability: Hardcoded Key

Cryptographic Vulnerability: Hardcoded Key

Description

The main purpose of encrypting and decrypting data is to guarantee the confidentiality of the information and prevent the third parties from viewing private data. Pre-shared keys may be used when working with large data sets or to protect the confidentiality of an application’s or a user’s assets. However, the usage of a hardcoded key increases the possibility of an attacker to decrypt and recover the data in case of a stolen device.

Recommendation

To ensure proper encryption of sensitive data:

  • Keys must be unique to the device and may use input from the user to compute the key.
  • When generating a key from password, use salt.
  • When generating a key from password, specify an appropriate hash iteration count.
  • Use a key of length sufficient to guarantee this strength of encryption.

Standards

  • OWASP_MASVS_L1:
    • MSTG_CRYPTO_1
  • OWASP_MASVS_L2:
    • MSTG_CRYPTO_1
  • PCI_STANDARDS:
    • REQ_2_2
    • REQ_3_5
    • REQ_3_6
    • REQ_3_7
    • REQ_4_2
    • REQ_6_2
  • OWASP_MASVS_v2_1:
    • MASVS_CRYPTO_2
  • SOC2_CONTROLS:
    • CC_2_1
    • CC_4_1
    • CC_6_7
    • CC_7_1
    • CC_7_2
    • CC_7_4
    • CC_7_5