R147. Use pre-existent mechanisms

Requirement

The system’s cryptographic functions must be implemented with pre-existing and up-to-date cryptographic mechanisms.

Description

The system’s cryptographic functions are essential for maintaining the confidentiality and integrity of transactions and communications. Therefore, these functions must be based on pre-existent, tested, approved and secure mechanisms.
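As an added illustration, not part of the original requirement text: one way to enforce this requirement in code is to rely only on the platform's vetted primitives (here Python's `hashlib`, `hmac` and `secrets`) and to gate algorithm names through an allowlist, so that a legacy or home-grown choice such as `md5` fails closed instead of silently weakening the system (compare CWE-327 and ASVS 6.2.2). The allowlist contents and the iteration count are assumptions for the example; an organisation takes them from its own approved-algorithm policy.

```python
import hashlib
import hmac
import secrets

# Allowlist of currently accepted digests (assumption for this example; the real
# list comes from the organisation's approved-cryptography policy).
APPROVED_DIGESTS = frozenset({"sha256", "sha384", "sha512"})
PBKDF2_ITERATIONS = 600_000  # illustrative work factor; set from current guidance


def require_approved(digest: str) -> str:
    """Fail closed on anything not approved and provided by the library itself."""
    if digest not in APPROVED_DIGESTS or digest not in hashlib.algorithms_guaranteed:
        raise ValueError(f"digest {digest!r} is not an approved, library-provided mechanism")
    return digest


def hash_password(password: str, digest: str = "sha256") -> dict:
    """Derive a stored verifier with the library's PBKDF2, never a hand-rolled loop."""
    salt = secrets.token_bytes(16)  # platform CSPRNG, not the random module
    dk = hashlib.pbkdf2_hmac(
        require_approved(digest), password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    # Store the parameters next to the verifier so they can be raised later (ASVS 1.6.3).
    return {"alg": digest, "iter": PBKDF2_ITERATIONS, "salt": salt, "dk": dk}


def verify_password(password: str, record: dict) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    dk = hashlib.pbkdf2_hmac(
        require_approved(record["alg"]), password.encode("utf-8"), record["salt"], record["iter"]
    )
    return hmac.compare_digest(dk, record["dk"])


def is_mechanism_approved(digest: str) -> bool:
    """Non-raising check for configuration audits of an existing deployment."""
    try:
        require_approved(digest)
        return True
    except ValueError:
        return False
```

Running a configuration audit with `is_mechanism_approved` over the algorithm names a deployment actually uses is a cheap way to verify the requirement before a release.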

References

  1. CAPEC-20: Encryption Brute Forcing. An attacker, armed with the cipher text and the encryption algorithm used, performs an exhaustive (brute force) search on the key space to determine the key that decrypts the cipher text to obtain the plaintext.

  2. CIS Controls. 13.6 Encrypt Mobile Device Data. Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.

  3. CIS Controls. 18.5 Use only Standardized and Extensively Reviewed Encryption Algorithms. Use only standardized, currently accepted, and extensively reviewed encryption algorithms.

  4. CWE-326: Inadequate Encryption Strength. The software stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.

  5. CWE-327: Use of a Broken or Risky Cryptographic Algorithm. The use of a broken or risky cryptographic algorithm is an unnecessary risk that may result in the exposure of sensitive information.

  6. HIPAA Security Rules 164.312(a)(2)(iv): Encryption and Decryption: Implement a mechanism to encrypt and decrypt electronic protected health information.

  7. NIST 800-53 IA-7 Cryptographic module authentication: The information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.

  8. OWASP-ASVS v4.0.1 Appendix C: Internet of Things Verification Requirements. (C.23) Verify usage of cryptographically secure pseudo-random number generator on embedded device (e.g., using chip-provided random number generators).

  9. OWASP-ASVS v4.0.1 V1.6 Cryptographic Architectural Requirements. (1.6.1) Verify that there is an explicit policy for management of cryptographic keys and that a cryptographic key lifecycle follows a key management standard such as NIST SP 800-57.

  10. OWASP-ASVS v4.0.1 V1.6 Cryptographic Architectural Requirements. (1.6.2) Verify that consumers of cryptographic services protect key material and other secrets by using key vaults or API based alternatives.

  11. OWASP-ASVS v4.0.1 V1.6 Cryptographic Architectural Requirements. (1.6.3) Verify that all keys and passwords are replaceable and are part of a well-defined process to re-encrypt sensitive data.

  12. OWASP-ASVS v4.0.1 V2.8 Single or Multi Factor One Time Verifier Requirements. (2.8.3) Verify that approved cryptographic algorithms are used in the generation, seeding, and verification.

  13. OWASP-ASVS v4.0.1 V2.9 Cryptographic Software and Devices Verifier Requirements. (2.9.3) Verify that approved cryptographic algorithms are used in the generation, seeding, and verification.

  14. OWASP-ASVS v4.0.1 V6.2 Algorithms. (6.2.2) Verify that industry proven or government approved cryptographic algorithms, modes, and libraries are used, instead of custom coded cryptography.

  15. OWASP-ASVS v4.0.1 V6.2 Algorithms. (6.2.3) Verify that encryption initialization vector, cipher configuration, and block modes are configured securely using the latest advice.

  16. PCI DSS v3.2.1 - Requirement 4.1.1: Ensure wireless networks transmitting cardholder data or connected to the cardholder data environment use industry best practices to implement strong encryption for authentication and transmission.

Copyright © 2021 Fluid Attacks, We hack your software. All rights reserved.