Summary

Each individual device must have unique cryptographic keys and certificates.

Description

A system that is using unique cryptographic keys applied to devices can prevent unauthorized devices from gaining access to a network or system. Without the proper keys and certificates, a device should not be able to establish a secure connection or participate in transactions.

Supported In

This requirement is verified in following services

References

• CWE™-693. Protection mechanism failure
• CWE™-1233. Improper hardware lock protection for security sensitive controls
• OWASP TOP 10-A5. Security misconfiguration
• SANS 25-18. Use of hard-coded credentials
• PDPO-9A_66G. Powers exercisable in relation to premises and electronic devices
• CMMC-MP_L2-3_8_1. Media protection
• CMMC-MP_L2-3_8_2. Media access
• CMMC-SC_L2-3_13_10. Key management
• HITRUST CSF-01_k. Equipment identification in networks
• HITRUST CSF-01_x. Mobile computing and communications
• FedRAMP-MP-2. Media access
• PTES-7_7. Post Exploitation - Persistence
• MVSP-2_8. Application design controls - Encryption
• OWASP SCP-6. Cryptographic practices
• NIST 800-171-5_1. Identify system users, processes acting on behalf of users, and devices
• C2M2-9_5_e. Implement data security for cybersecurity architecture
• PCI DSS-3_6_1_1. Protect cryptographic keys used to protect stored account data
• SIG Lite-SL_31. Are clients provided with the ability to generate a unique encryption key?
• OWASP MASVS-CRYPTO-2. The app performs key management according to industry best practices
• CWE TOP 25-798. Use of hard-coded credentials

Vulnerabilities

Free trial

Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.