Cryptography
Proper Use of Initialization Vector (IV)
Summary Symmetric encryption should use a random IV (Initialization Vector) which should have the same length as the encryption key. Description The requirement emphasizes that the IV should be random. A random IV adds unpredictability to the ...
Use GCM Padding with AES
Summary AES symmetric encryption should be used only with GCM padding. Description This GCM padding mechanism is a secure option when working with symmetric encryption. GCM is well-suited for modern cryptographic requirements and is widely adopted in ...
Use OAEP padding with RSA
Summary RSA asymmetric encryption should be used only with OAEP padding (Optimal Asymmetric Encryption Padding). Description This means that any encryption or decryption processes involving RSA should adhere to the OAEP padding scheme. OAEP is ...
Replace cryptographic keys
Summary The system's cryptographic keys must be replaced after a defined period of time, after having produced a certain amount of cipher-text or after its integrity has been weakened, e.g., when an employee with knowledge of a key leaves or when it ...
Assign unique keys to each device
Summary Each individual device must have unique cryptographic keys and certificates. Description A system that is using unique cryptographic keys applied to devices can prevent unauthorized devices from gaining access to a network or system. Without ...
Use initialization vectors once
Summary The system should use initialization vectors, nonces and other single-use numbers only once with a given encryption key. Description The system's cryptographic keys are essential for maintaining the confidentiality and integrity of ...
Implement perfect forward secrecy
Summary Critical communications should travel through a secure channel that implements perfect forward secrecy. Description All communications between the client and the server should take place over channels that are protected and encrypted. Secure ...
Disable insecure TLS versions
Summary The system must disable out-of-date or insecure versions of SSL and TLS protocols, algorithms and ciphers. Description All communications between the client and the server should take place over channels that are protected and encrypted. In ...
Use secure cryptographic mechanisms
Summary The system must use the most secure cryptographic mechanism provided by the platform (e.g., java.security.SecureRandom) for random number generation used in critical processes (e.g., ID generation, code mapping, cryptographic keys). ...
Uniform distribution in random numbers
Summary The system's random numbers must be generated using a uniform distribution. Description The system's cryptographic keys are essential for maintaining the confidentiality and integrity of transactions and communications. Some of these keys and ...
Separate keys for encryption and signatures
Summary The system must use asymmetric cryptography with separate keys for encryption and signatures. Description The key used for encryption is responsible for ensuring the confidentiality of data. By keeping the encryption key separate from the ...
Set minimum size for hash functions
Summary Use hash functions with a minimum size of 256 bits. Description Systems must use hash functions with a minimum size of 256 bits because it is important for achieving a high level of security and resistance against various cryptographic ...
Set minimum size of symmetric encryption
Summary The symmetric encryption mechanism must use a minimum key size of 128 bits. Description As the key size increases, the number of possible key combinations grows significantly. Each additional bit in the key size doubles the number of possible ...
Set minimum size of asymmetric encryption
Summary The asymmetric encryption mechanism must use a minimum key size of 2048 bits. Description The key size in asymmetric encryption is directly correlated with the strength of the encryption. Larger key sizes provide a higher level of security ...
Use pre-existent mechanisms
Summary The system's cryptographic functions must be implemented with pre-existing and up-to-date cryptographic mechanisms. Description The system's cryptographic functions are essential for maintaining the confidentiality and integrity of transactions ...
Remove cryptographic keys from RAM
Summary Cryptographic keys should not remain in RAM for more than 5 seconds. Description When cryptographic keys are used for encryption or decryption operations, they are loaded into the computer's or device's RAM. Even after the cryptographic ...
Protect system cryptographic keys
Summary The system's private asymmetric or symmetric keys must be protected and should not be exposed. Description The system's cryptographic keys are essential for maintaining the confidentiality and integrity of transactions and communications. Their ...