Abstract:
Hardcoded 加密密鑰可能會削弱系統安全性,一旦出現安全問題將無法輕易修正。
Explanation:
請勿對加密密鑰進行硬編碼,因爲這樣所有項目開發人員都能查看該加密密鑰,而且還會大大增加解決問題的難度。一旦代碼被使用,除非對軟件進行修補,否則加密密鑰將再也不能更改。如果受加密密鑰保護的帳戶遭受入侵,系統所有者將被迫在安全性和可用性之間做出選擇。
例 1:下列代碼使用了硬編碼加密密鑰:
private static final String encryptionKey = "lakdsljkalkjlksdfkl";
byte[] keyBytes = encryptionKey.getBytes();
SecretKeySpec key = new SecretKeySpec(keyBytes, "AES");
Cipher encryptCipher = Cipher.getInstance("AES"); encryptCipher.init(Cipher.ENCRYPT_MODE, key);
任何可訪問該代碼的人都能訪問加密密鑰。一旦應用程序發佈,除非對程序進行修補,否則將無法更改加密密鑰。僱員可以利用手中掌握的信息訪問權限入侵系統。更糟糕的是,如果攻擊者可以訪問應用程序的可執行文件,就可以提取加密密鑰值。
Instance ID: 8769D69879B813A4804A88C0B1B9F349
Priority Metadata Values:
IMPACT: 3.0
LIKELIHOOD: 3.2
Legacy Priority Metadata Values:
SEVERITY: 4.0
CONFIDENCE: 5.0
Remediation Effort: 3.0
Recommendations:
請勿對加密密鑰進行硬編碼,而應對加密密鑰加以模糊化,並在外部資源文件中進行管理。如果在系統中採用明文的形式存儲加密密鑰,任何有足夠權限的人即可讀取加密密鑰,還可能誤用這些密碼。
References:
[1] MSC03-J. Never hard code sensitive information, CERT, https://www.securecoding.cert.org/confluence/display/java/MSC03-J.+Never+hard+code+sensitive+information
[2] Standards Mapping - Common Weakness Enumeration, CWE ID 321
[3] Standards Mapping - FIPS200, IA
[4] Standards Mapping - NIST Special Publication 800-53 Revision 4, SC-12 Cryptographic Key Establishment and Management (P1)
[5] Standards Mapping - OWASP Mobile Top 10 Risks 2014, M6 Broken Cryptography
[6] Standards Mapping - OWASP Top 10 2004, A8 Insecure Storage
[7] Standards Mapping - OWASP Top 10 2007, A8 Insecure Cryptographic Storage
[8] Standards Mapping - OWASP Top 10 2010, A7 Insecure Cryptographic Storage
[9] Standards Mapping - OWASP Top 10 2013, A6 Sensitive Data Exposure
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1, Requirement 6.5.8, Requirement 8.4
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2, Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0, Requirement 6.3.1, Requirement 6.5.3, Requirement 8.4
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0, Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1, Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2, Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[16] Standards Mapping - SANS Top 25 2009, Porous Defenses - CWE ID 259
[17] Standards Mapping - SANS Top 25 2010, Porous Defenses - CWE ID 798
[18] Standards Mapping - SANS Top 25 2011, Porous Defenses - CWE ID 798
[19] Standards Mapping - Security Technical Implementation Guide Version 3.1, APP3210.1 CAT II, APP3350 CAT I
[20] Standards Mapping - Security Technical Implementation Guide Version 3.10, APP3210.1 CAT II, APP3350 CAT I
[21] Standards Mapping - Security Technical Implementation Guide Version 3.4, APP3210.1 CAT II, APP3350 CAT I
[22] Standards Mapping - Security Technical Implementation Guide Version 3.5, APP3210.1 CAT II, APP3350 CAT I
[23] Standards Mapping - Security Technical Implementation Guide Version 3.6, APP3210.1 CAT II, APP3350 CAT I
[24] Standards Mapping - Security Technical Implementation Guide Version 3.7, APP3210.1 CAT II, APP3350 CAT I
[25] Standards Mapping - Security Technical Implementation Guide Version 3.9, APP3210.1 CAT II, APP3350 CAT I
[26] Standards Mapping - Security Technical Implementation Guide Version 4.1, APSC-DV-002010 CAT II
[27] Standards Mapping - Web Application Security Consortium Version 2.00, Information Leakage (WASC-13)