R147. Use pre-existent mechanisms

Requirement

The cryptographic functions of the system must be implemented with pre-existing and up-to-date cryptographic mechanisms.

Description

System cryptographic functions are essential for maintaining the confidentiality and integrity of transactions and communications. Therefore, these functions must be based on pre-existing, tested, approved and secure mechanisms rather than on custom-coded cryptography.

References

  1. CWE-326: Inadequate Encryption Strength. The software stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.

  2. CWE-327: Use of a Broken or Risky Cryptographic Algorithm. The use of a broken or risky cryptographic algorithm is an unnecessary risk that may result in the exposure of sensitive information.

  3. HIPAA Security Rules 164.312(a)(2)(iv): Encryption and Decryption. Implement a mechanism to encrypt and decrypt electronic protected health information.

  4. NIST 800-53 IA-7 Cryptographic Module Authentication: The information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.

  5. OWASP-ASVS v4.0.1 Appendix C: Internet of Things Verification Requirements (C.23). Verify usage of a cryptographically secure pseudo-random number generator on the embedded device (e.g., using chip-provided random number generators).

  6. OWASP-ASVS v4.0.1 V1.6 Cryptographic Architectural Requirements (1.6.1). Verify that there is an explicit policy for management of cryptographic keys and that a cryptographic key lifecycle follows a key management standard such as NIST SP 800-57.

  7. OWASP-ASVS v4.0.1 V1.6 Cryptographic Architectural Requirements (1.6.2). Verify that consumers of cryptographic services protect key material and other secrets by using key vaults or API-based alternatives.

  8. OWASP-ASVS v4.0.1 V1.6 Cryptographic Architectural Requirements (1.6.3). Verify that all keys and passwords are replaceable and are part of a well-defined process to re-encrypt sensitive data.

  9. OWASP-ASVS v4.0.1 V2.8 Single or Multi Factor One Time Verifier Requirements (2.8.3). Verify that approved cryptographic algorithms are used in the generation, seeding, and verification.

  10. OWASP-ASVS v4.0.1 V2.9 Cryptographic Software and Devices Verifier Requirements (2.9.3). Verify that approved cryptographic algorithms are used in the generation, seeding, and verification.

  11. OWASP-ASVS v4.0.1 V6.2 Algorithms (6.2.2). Verify that industry-proven or government-approved cryptographic algorithms, modes, and libraries are used, instead of custom-coded cryptography.

  12. OWASP-ASVS v4.0.1 V6.2 Algorithms (6.2.3). Verify that encryption initialization vector, cipher configuration, and block modes are configured securely using the latest advice.

  13. PCI DSS v3.2.1 - Requirement 4.1.1: Ensure wireless networks transmitting cardholder data or connected to the cardholder data environment use industry best practices to implement strong encryption for authentication and transmission.

Copyright © 2020 Fluid Attacks, We hack your software. All rights reserved.
