Fluid Attacks logo
Contact Us
Young hacker smiling
Zero false positives

Expert intelligence + effective automation

Contact logo Contact Us

R146. Set timeout to cryptographic keys

This document contains the details of the security requirements related to definition and management of cryptographic systems. This requirement establishes the importance of protecting system cryptographic keys by limiting the time they remain in system RAM.


Cryptographic keys must remain in RAM for maximum 5 seconds.


  1. OWASP-ASVS v3.1-7.9 Verify that there is an explicit policy for how cryptographic keys are managed (e.g., generated, distributed, revoked, and expired). Verify that this key lifecycle is properly enforced.

  2. OWASP-ASVS v3.1-7.13 Verify that sensitive passwords or key material maintained in memory is overwritten with zeros as soon as it no longer required, to mitigate memory dumping attacks.

  3. OWASP-ASVS v3.1-9.11 Verify that authenticated data is cleared from client storage, such as the browser DOM, after the client or session is terminated.

  4. OWASP-ASVS v4.0.1 V1.6 Cryptographic Architectural Requirements.(1.6.1) Verify that there is an explicit policy for management of cryptographic keys and that a cryptographic key lifecycle follows a key management standard such as NIST SP 800-57.

Service status - Terms of Use