R146. Remove cryptographic keys from RAM

Requirement

Cryptographic keys should not remain in RAM for more than 5 seconds.

References

  1. CWE-226: Sensitive Information Uncleared in Resource Before Release for Reuse. The product prepares to release a resource such as memory or a file so that the resource can be reused by other entities, but the product does not fully clear previously-used sensitive information from that resource before the resource is released.

  2. CWE-459: Incomplete Cleanup. The software does not properly "clean up" and remove temporary or supporting resources after they have been used.

  3. OWASP-ASVS v4.0.1 Appendix C: Internet of Things Verification Requirements.(C.31) Verify that sensitive information maintained in memory is overwritten with zeros as soon as it is no longer required.

  4. OWASP-ASVS v4.0.1 V1.6 Cryptographic Architectural Requirements.(1.6.1) Verify that there is an explicit policy for management of cryptographic keys and that a cryptographic key lifecycle follows a key management standard such as NIST SP 800-57.

  5. OWASP-ASVS v4.0.1 V8.2 Client-side Data Protection.(8.2.3) Verify that authenticated data is cleared from client storage, such as the browser DOM, after the client or session is terminated.

  6. OWASP-ASVS v4.0.1 V8.3 Sensitive Private Data.(8.3.6) Verify that sensitive information contained in memory is overwritten as soon as it is no longer required to mitigate memory dumping attacks, using zeros or random data.

  7. PCI DSS v3.2.1 - Requirement 3.5.4 Store cryptographic keys in the fewest possible locations.

  8. PCI DSS v3.2.1 - Requirement 3.6.3 Fully document and implement all key-management processes and procedures for cryptographic keys including secure cryptographic key storage.

Copyright © 2020 Fluid Attacks, We hack your software. All rights reserved.

Service status - Terms of Use - Privacy Policy - Cookie Policy