Key Management: Hardcoded Encryption key 密鑰管理：硬編碼加密密鑰

時間 2019-11-17

標籤 key management hardcoded encryption 密鑰管理編碼加密欄目字符編碼简体版

原文原文鏈接

Abstract:

Hardcoded 加密密鑰可能會削弱系統安全性，一旦出現安全問題將沒法輕易修正。

Explanation:

請勿對加密密鑰進行硬編碼，由於這樣全部項目開發人員都能查看該加密密鑰，並且還會大大增長解決問題的難度。一旦代碼被使用，除非對軟件進行修補，不然加密密鑰將不再能更改。若是受加密密鑰保護的賬戶遭受入侵，系統全部者將被迫在安全性和可用性之間作出選擇。

例 1：下列代碼使用了硬編碼加密密鑰：

...

private static final String encryptionKey = "lakdsljkalkjlksdfkl"; byte[] keyBytes = encryptionKey.getBytes(); SecretKeySpec key = new SecretKeySpec(keyBytes, "AES"); Cipher encryptCipher = Cipher.getInstance("AES"); encryptCipher.init(Cipher.ENCRYPT_MODE, key);

...

任何可訪問該代碼的人都能訪問加密密鑰。一旦應用程序發佈，除非對程序進行修補，不然將沒法更改加密密鑰。僱員能夠利用手中掌握的信息訪問權限入侵系統。更糟糕的是，若是攻擊者能夠訪問應用程序的可執行文件，就能夠提取加密密鑰值。

Instance ID: 8769D69879B813A4804A88C0B1B9F349

Priority Metadata Values:

IMPACT: 3.0

LIKELIHOOD: 3.2

Legacy Priority Metadata Values:

SEVERITY: 4.0

CONFIDENCE: 5.0

Remediation Effort: 3.0

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Recommendations:

請勿對加密密鑰進行硬編碼，而應對加密密鑰加以模糊化，並在外部資源文件中進行管理。若是在系統中採用明文的形式存儲加密密鑰，任何有足夠權限的人便可讀取加密密鑰，還可能誤用這些密碼。

References:

[1] MSC03-J. Never hard code sensitive information, CERT, https://www.securecoding.cert.org/confluence/display/java/MSC03-J.+Never+hard+code+sensitive+information

[2] Standards Mapping - Common Weakness Enumeration, CWE ID 321

[3] Standards Mapping - FIPS200, IA

[4] Standards Mapping - NIST Special Publication 800-53 Revision 4, SC-12 Cryptographic Key Establishment and Management (P1)

[5] Standards Mapping - OWASP Mobile Top 10 Risks 2014, M6 Broken Cryptography

[6] Standards Mapping - OWASP Top 10 2004, A8 Insecure Storage

[7] Standards Mapping - OWASP Top 10 2007, A8 Insecure Cryptographic Storage

[8] Standards Mapping - OWASP Top 10 2010, A7 Insecure Cryptographic Storage

[9] Standards Mapping - OWASP Top 10 2013, A6 Sensitive Data Exposure

[10] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1, Requirement 6.5.8, Requirement 8.4

[11] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2, Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4

[12] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0, Requirement 6.3.1, Requirement 6.5.3, Requirement 8.4

[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0, Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1

[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1, Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1

[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2, Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1

[16] Standards Mapping - SANS Top 25 2009, Porous Defenses - CWE ID 259

[17] Standards Mapping - SANS Top 25 2010, Porous Defenses - CWE ID 798

[18] Standards Mapping - SANS Top 25 2011, Porous Defenses - CWE ID 798

[19] Standards Mapping - Security Technical Implementation Guide Version 3.1, APP3210.1 CAT II, APP3350 CAT I

[20] Standards Mapping - Security Technical Implementation Guide Version 3.10, APP3210.1 CAT II, APP3350 CAT I

[21] Standards Mapping - Security Technical Implementation Guide Version 3.4, APP3210.1 CAT II, APP3350 CAT I

[22] Standards Mapping - Security Technical Implementation Guide Version 3.5, APP3210.1 CAT II, APP3350 CAT I

[23] Standards Mapping - Security Technical Implementation Guide Version 3.6, APP3210.1 CAT II, APP3350 CAT I

[24] Standards Mapping - Security Technical Implementation Guide Version 3.7, APP3210.1 CAT II, APP3350 CAT I

[25] Standards Mapping - Security Technical Implementation Guide Version 3.9, APP3210.1 CAT II, APP3350 CAT I

[26] Standards Mapping - Security Technical Implementation Guide Version 4.1, APSC-DV-002010 CAT II

[27] Standards Mapping - Web Application Security Consortium Version 2.00, Information Leakage (WASC-13)

相關標籤/搜索

每日一句

每一个你不满意的现在，都有一个你没有努力的曾经。