R145. Protect system cryptographic keys


System private asymmetric or symmetric keys must be protected and must not be exposed.


System cryptographic keys are essential for maintaining the confidentiality and integrity of transactions and communications. Their exposure may cause business information leakages, loss of data integrity and loss of trust due to the inability to differentiate server traffic from malicious traffic. Therefore, these keys must be protected and managed following industry-verified standards.


  1. CWE-321: Use of Hard-coded Cryptographic Key The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered.

  2. CWE-322: Key Exchange without Entity Authentication The software performs a key exchange with an actor without verifying the identity of that actor.

  3. CWE-323: Reusing a Nonce, Key Pair in Encryption Nonces should be used for the present occasion and only once.

  4. CWE-522: Insufficiently Protected Credentials The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

  5. OWASP-ASVS v4.0.1 V1.6 Cryptographic Architectural Requirements.(1.6.1) Verify that there is an explicit policy for management of cryptographic keys and that a cryptographic key lifecycle follows a key management standard such as NIST SP 800-57.

  6. OWASP-ASVS v4.0.1 V1.6 Cryptographic Architectural Requirements.(1.6.2) Verify that consumers of cryptographic services protect key material and other secrets by using key vaults or API based alternatives.

  7. OWASP-ASVS v4.0.1 V1.6 Cryptographic Architectural Requirements.(1.6.3) Verify that all keys and passwords are replaceable and are part of a well-defined process to re-encrypt sensitive data.

  8. OWASP-ASVS v4.0.1 V1.6 Cryptographic Architectural Requirements.(1.6.4) Verify that symmetric keys, passwords, or API secrets generated by or shared with clients are used only in protecting low risk secrets, such as encrypting local storage, or temporary ephemeral uses such as parameter obfuscation.

  9. OWASP-ASVS v4.0.1 V2.8 Single or Multi Factor One Time Verifier Requirements.(2.8.2) Verify that symmetric keys used to verify submitted OTPs are highly protected, such as by using a hardware security module or secure operating system based key storage.

  10. OWASP-ASVS v4.0.1 V2.9 Cryptographic Software and Devices Verifier Requirements.(2.9.1) Verify that cryptographic keys used in verification are stored securely and protected against disclosure, such as using a TPM or HSM, or an OS service that can use this secure storage.

  11. OWASP-ASVS v4.0.1 V6.4 Secret Management.(6.4.1) Verify that a secrets management solution such as a key vault is used to securely create, store, control access to and destroy secrets.

  12. OWASP-ASVS v4.0.1 V6.4 Secret Management.(6.4.2) Verify that key material is not exposed to the application but instead uses an isolated security module like a vault for cryptographic operations.

Copyright © 2020 Fluid Attacks, We hack your software. All rights reserved.

Service status - Terms of Use - Privacy Policy - Cookie Policy