Use of Hard Coded Cryptographic Key

From Guidance Share

Description

The use of a hard-coded cryptographic key greatly increases the likelihood that encrypted data can be recovered, because the key is exposed to anyone who can read the source code or the compiled binary.

Applies To

Languages: All
Operating platforms: All

Example

The following example shows the use of a hard-coded cryptographic key for the computation of an HMAC:

using System.IO;
using System.Security.Cryptography;

const int DATA_SIZE = 1024;

// The key is embedded in the source: anyone who can read the code or the
// compiled assembly can recover it and forge or verify HMACs at will.
byte[] key = new byte[] { 5, 15, 245, 134, 96 };
byte[] data = new byte[DATA_SIZE];

HMACSHA1 hmac = new HMACSHA1(key);
CryptoStream cs = new CryptoStream(Stream.Null, hmac, CryptoStreamMode.Write);
cs.Write(data, 0, data.Length);
cs.Close();                 // closing the stream finalizes the hash
byte[] result = hmac.Hash;  // the HMAC tag over data

Impact

Confidentiality: A user's or system's cryptographic key may be revealed. Once the key is revealed, any data encrypted under it is revealed to the attacker as well.

Authentication: Passwords are often encrypted for protection; if the encryption key is revealed, an attacker can recover the passwords and impersonate the users in question.

Vulnerabilities

  • Failure to properly secure encryption keys: hard-coding them in source code or storing them in unprotected configuration files.

Countermeasures

  • Design: Use platform supported key providers, such as those offered by the .NET framework in System.Security.Cryptography.
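The following is an added example, not code from the Guidance Share page, showing the HMAC computation from the Example section with the key taken from a platform key provider instead of the source code. It assumes .NET 6 or later on Windows with the System.Security.Cryptography.ProtectedData package, which wraps the Windows Data Protection API (DPAPI); the key file path, the application name and the sample message are placeholders constructed for the example.

```csharp
// Added example (not from the original page). Assumes .NET 6+ on Windows with the
// System.Security.Cryptography.ProtectedData package (DPAPI). Paths are placeholders.
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

static class HmacKeyStore
{
    // Placeholder location of the DPAPI-protected key blob. The file holds the
    // encrypted blob only; the plaintext key never appears in source or on disk.
    const string KeyBlobPath = @"C:\ProgramData\ExampleApp\hmac.key.dpapi";
    const int KeySizeBytes = 32; // 256-bit key for HMAC-SHA256

    // Provisioning step, run once (for example by an installer): generate a random
    // key and persist it encrypted under the current user's DPAPI master key.
    public static void ProvisionKey()
    {
        byte[] key = RandomNumberGenerator.GetBytes(KeySizeBytes);
        byte[] protectedBlob = ProtectedData.Protect(key, null, DataProtectionScope.CurrentUser);
        Directory.CreateDirectory(Path.GetDirectoryName(KeyBlobPath)!);
        File.WriteAllBytes(KeyBlobPath, protectedBlob);
        CryptographicOperations.ZeroMemory(key);
    }

    // Run-time key load: only the Windows account that protected the blob (on the
    // machine that holds its master key) can unprotect it.
    static byte[] LoadKey()
    {
        byte[] protectedBlob = File.ReadAllBytes(KeyBlobPath);
        return ProtectedData.Unprotect(protectedBlob, null, DataProtectionScope.CurrentUser);
    }

    // Compute the HMAC tag, wiping the key from memory as soon as it is used.
    public static byte[] ComputeTag(byte[] data)
    {
        byte[] key = LoadKey();
        try
        {
            return HMACSHA256.HashData(key, data);
        }
        finally
        {
            CryptographicOperations.ZeroMemory(key);
        }
    }

    // Verification uses a constant-time comparison so the check does not leak
    // information about the expected tag through timing.
    public static bool VerifyTag(byte[] data, byte[] tag)
    {
        byte[] expected = ComputeTag(data);
        return CryptographicOperations.FixedTimeEquals(expected, tag);
    }

    static void Main()
    {
        if (!File.Exists(KeyBlobPath))
            ProvisionKey();

        // Constructed sample input for the example.
        byte[] message = Encoding.UTF8.GetBytes("constructed sample message");
        byte[] tag = ComputeTag(message);
        Console.WriteLine(Convert.ToHexString(tag));
        Console.WriteLine(VerifyTag(message, tag));
    }
}
```

Compared with the Example section, the key no longer exists in the source or the compiled assembly, so recovering the binary does not recover the key; an attacker would additionally need to run code under the protecting account on the protecting machine. The same pattern applies to any other key store (an HSM, a cloud key vault, or a certificate store) by replacing the body of ProvisionKey and LoadKey.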

Vulnerability Patterns

How Tos