Key Management: Hardcoded Encryption key 密钥管理：硬编码加密密钥

 

 

Abstract:

 

Hardcoded 加密密钥可能会削弱系统安全性，一旦出现安全问题将无法轻易修正。

 

 

Explanation:

 

请勿对加密密钥进行硬编码，因为这样所有项目开发人员都能查看该加密密钥，而且还会大大增加解决问题的难度。一旦代码被使用，除非对软件进行修补，否则加密密钥将再也不能更改。如果受加密密钥保护的帐户遭受入侵，系统所有者将被迫在安全性和可用性之间做出选择。

 

 

例 1：下列代码使用了硬编码加密密钥：

 

 

...

private static final String encryptionKey = "lakdsljkalkjlksdfkl"; byte[] keyBytes = encryptionKey.getBytes(); SecretKeySpec key = new SecretKeySpec(keyBytes, "AES"); Cipher encryptCipher = Cipher.getInstance("AES"); encryptCipher.init(Cipher.ENCRYPT_MODE, key);

...

 

 

任何可访问该代码的人都能访问加密密钥。一旦应用程序发布，除非对程序进行修补，否则将无法更改加密密钥。雇员可以利用手中掌握的信息访问权限入侵系统。更糟糕的是，如果攻击者可以访问应用程序的可执行文件，就可以提取加密密钥值。

 

 

 

Instance ID: 8769D69879B813A4804A88C0B1B9F349

 

Priority Metadata Values:

 

            IMPACT: 3.0

 

            LIKELIHOOD: 3.2

 

Legacy Priority Metadata Values:

 

            SEVERITY: 4.0

 

            CONFIDENCE: 5.0

 

 

Remediation Effort: 3.0

 

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

 

Recommendations:

 

请勿对加密密钥进行硬编码，而应对加密密钥加以模糊化，并在外部资源文件中进行管理。如果在系统中采用明文的形式存储加密密钥，任何有足够权限的人即可读取加密密钥，还可能误用这些密码。

 

 

References:

 

[1] MSC03-J. Never hard code sensitive information, CERT, https://www.securecoding.cert.org/confluence/display/java/MSC03-J.+Never+hard+code+sensitive+information

 

[2] Standards Mapping - Common Weakness Enumeration, CWE ID 321

 

[3] Standards Mapping - FIPS200, IA

 

[4] Standards Mapping - NIST Special Publication 800-53 Revision 4, SC-12 Cryptographic Key Establishment and Management (P1)

 

[5] Standards Mapping - OWASP Mobile Top 10 Risks 2014, M6 Broken Cryptography

 

[6] Standards Mapping - OWASP Top 10 2004, A8 Insecure Storage

 

[7] Standards Mapping - OWASP Top 10 2007, A8 Insecure Cryptographic Storage

 

[8] Standards Mapping - OWASP Top 10 2010, A7 Insecure Cryptographic Storage

 

[9] Standards Mapping - OWASP Top 10 2013, A6 Sensitive Data Exposure

 

[10] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1, Requirement 6.5.8, Requirement 8.4

 

[11] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2, Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4

 

[12] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0, Requirement 6.3.1, Requirement 6.5.3, Requirement 8.4

 

[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0, Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1

 

[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1, Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1

 

[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2, Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1

 

[16] Standards Mapping - SANS Top 25 2009, Porous Defenses - CWE ID 259

 

[17] Standards Mapping - SANS Top 25 2010, Porous Defenses - CWE ID 798

 

[18] Standards Mapping - SANS Top 25 2011, Porous Defenses - CWE ID 798

 

[19] Standards Mapping - Security Technical Implementation Guide Version 3.1, APP3210.1 CAT II, APP3350 CAT I

 

[20] Standards Mapping - Security Technical Implementation Guide Version 3.10, APP3210.1 CAT II, APP3350 CAT I

 

[21] Standards Mapping - Security Technical Implementation Guide Version 3.4, APP3210.1 CAT II, APP3350 CAT I

 

[22] Standards Mapping - Security Technical Implementation Guide Version 3.5, APP3210.1 CAT II, APP3350 CAT I

 

[23] Standards Mapping - Security Technical Implementation Guide Version 3.6, APP3210.1 CAT II, APP3350 CAT I

 

[24] Standards Mapping - Security Technical Implementation Guide Version 3.7, APP3210.1 CAT II, APP3350 CAT I

 

[25] Standards Mapping - Security Technical Implementation Guide Version 3.9, APP3210.1 CAT II, APP3350 CAT I

 

[26] Standards Mapping - Security Technical Implementation Guide Version 4.1, APSC-DV-002010 CAT II

 

[27] Standards Mapping - Web Application Security Consortium Version 2.00, Information Leakage (WASC-13)