Cryptographic Vulnerability: Hardcoded Key

Cryptographic Vulnerability: Hardcoded Key

Risk: medium

Description

The main purpose of encrypting and decrypting data is to guarantee the confidentiality of the information and prevent the third parties from viewing private data. Pre-shared keys may be used when working with large data sets or to protect the confidentiality of an application’s or a user’s assets. However, the usage of a hardcoded key increases the possibility of an attacker to decrypt and recover the data in case of a stolen device.

Recommendation

To ensure proper encryption of sensitive data:

• Keys must be unique to the device and may use input from the user to compute the key.
• When generating a key from password, use salt.
• When generating a key from password, specify an appropriate hash iteration count.
• Use a key of length sufficient to guarantee this strength of encryption.

Links

• Use of Hard-coded Credentials (CWE-798)

Standards

• OWASP_MASVS_L1:
  • MSTG_CRYPTO_1
• OWASP_MASVS_L2:
  • MSTG_CRYPTO_1
• PCI_STANDARDS:
  • REQ_2_2
  • REQ_3_5
  • REQ_3_6
  • REQ_3_7
  • REQ_4_2
  • REQ_6_2