界: Security Features

ソフトウェアのセキュリティは、セキュリティ ソフトウェアではありません。ここでは、認証、アクセス制御、機密性、暗号化、権限管理などのトピックについて説明します。

314 見つかった項目
脆弱性

Weak Cryptographic Signature: Insufficient Key Size

Abstract
強力な暗号化署名アルゴリズムでも、不十分な鍵サイズを使用する場合は、Brute-Force 攻撃に対してさらに脆弱性が増す可能性があります。
Explanation
現在の暗号化ガイドラインでは、RSA と DSA アルゴリズムでは最小でも 2048 ビットの鍵の長さを使用する必要があるとされています。しかし、演算処理能力とファクタリング技術が進歩し続ける限り [1]、将来的に推奨される鍵のサイズが増大するのは避けられません。

例 1: 次のコードは、1024 ビットの DSA 署名鍵を生成します。

...
DSA dsa = new DSACryptoServiceProvider(1024);
...
References
[1] J. Cheng 307-digit key crack endangers 1024-bit RSA
[2] Elaine Barker and Allen Roginsky NIST Special Publication 800-131A: Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths. NIST
[3] B. Chess and J. West, Secure Programming with Static Analysis. Boston, MA: Addison-Wesley, 2007.
[4] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.5
[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0
[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[8] Standards Mapping - CIS Kubernetes Benchmark complete
[9] Standards Mapping - Common Weakness Enumeration CWE ID 326
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[11] Standards Mapping - FIPS200 MP
[12] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[13] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-12 Cryptographic Key Establishment and Management (P1)
[14] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-12 Cryptographic Key Establishment and Management
[15] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[16] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[17] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[18] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[19] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[20] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[21] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.8.3 Single or Multi Factor One Time Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.3 Algorithms (L2 L3), 6.2.4 Algorithms (L2 L3), 6.2.5 Algorithms (L2 L3), 6.2.6 Algorithms (L2 L3), 6.2.7 Algorithms (L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3)
[22] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[23] Standards Mapping - OWASP Mobile 2023 M10 Insufficient Cryptography
[24] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[25] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 3.6.1, Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 3.6.1, Requirement 6.3.1.3, Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 3.6.1, Requirement 6.5.3
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 3.6.1, Requirement 6.5.3
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 3.6.1, Requirement 6.5.3
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 3.6.1, Requirement 6.5.3
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 3.6.1, Requirement 6.5.3
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.6.1, Requirement 6.2.4
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.2 - Use of Cryptography
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[36] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002290 CAT II
desc.structural.dotnet.weak_cryptographic_signature_insufficient_key_size
Abstract
強力な暗号化署名アルゴリズムでも、不十分な鍵サイズを使用する場合は、Brute-Force 攻撃に対してさらに脆弱性が増す可能性があります。
Explanation
現在の暗号化ガイドラインでは、RSA と DSA アルゴリズムでは最小でも 2048 ビットの鍵の長さを使用する必要があるとされています。しかし、演算処理能力とファクタリング技術が進歩し続ける限り [1]、将来的に推奨される鍵のサイズが増大するのは避けられません。

例 1: 次のコードは、1024 ビットの DSA 署名鍵を生成します。

...
DSA_generate_parameters_ex(dsa, 1024, NULL, 0, NULL, NULL, NULL);
...
References
[1] J. Cheng 307-digit key crack endangers 1024-bit RSA
[2] Elaine Barker and Allen Roginsky NIST Special Publication 800-131A: Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths. NIST
[3] B. Chess and J. West, Secure Programming with Static Analysis. Boston, MA: Addison-Wesley, 2007.
[4] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.5
[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0
[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[8] Standards Mapping - CIS Kubernetes Benchmark complete
[9] Standards Mapping - Common Weakness Enumeration CWE ID 326
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[11] Standards Mapping - FIPS200 MP
[12] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[13] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-12 Cryptographic Key Establishment and Management (P1)
[14] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-12 Cryptographic Key Establishment and Management
[15] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[16] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[17] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[18] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[19] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[20] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[21] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.8.3 Single or Multi Factor One Time Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.3 Algorithms (L2 L3), 6.2.4 Algorithms (L2 L3), 6.2.5 Algorithms (L2 L3), 6.2.6 Algorithms (L2 L3), 6.2.7 Algorithms (L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3)
[22] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[23] Standards Mapping - OWASP Mobile 2023 M10 Insufficient Cryptography
[24] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[25] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 3.6.1, Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 3.6.1, Requirement 6.3.1.3, Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 3.6.1, Requirement 6.5.3
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 3.6.1, Requirement 6.5.3
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 3.6.1, Requirement 6.5.3
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 3.6.1, Requirement 6.5.3
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 3.6.1, Requirement 6.5.3
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.6.1, Requirement 6.2.4
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.2 - Use of Cryptography
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[36] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002290 CAT II
desc.structural.cpp.weak_cryptographic_signature_insufficient_key_size
Abstract
強力な暗号化署名アルゴリズムでも、不十分な鍵サイズを使用する場合は、Brute-Force 攻撃に対してさらに脆弱性が増します。
Explanation
現在の暗号化ガイドラインでは、RSA と DSA アルゴリズムでは最小でも 2048 ビットの鍵の長さを使用するように推奨されています。しかし、演算処理能力とファクタリング技術が進歩し続ける限り [1]、将来的に推奨される鍵のサイズが増大するのは避けられません。

例 1: 次のコードは、1024 ビットの DSA 署名鍵を生成します。

...
dsa.GenerateParameters(params, rand.Reader, dsa.L1024N160)
privatekey := new(dsa.PrivateKey)
privatekey.PublicKey.Parameters = *params
dsa.GenerateKey(privatekey, rand.Reader)
...
References
[1] J. Cheng 307-digit key crack endangers 1024-bit RSA
[2] Elaine Barker and Allen Roginsky NIST Special Publication 800-131A: Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths. NIST
[3] B. Chess and J. West, Secure Programming with Static Analysis. Boston, MA: Addison-Wesley, 2007.
[4] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.5
[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0
[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[8] Standards Mapping - CIS Kubernetes Benchmark complete
[9] Standards Mapping - Common Weakness Enumeration CWE ID 326
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[11] Standards Mapping - FIPS200 MP
[12] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[13] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-12 Cryptographic Key Establishment and Management (P1)
[14] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-12 Cryptographic Key Establishment and Management
[15] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[16] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[17] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[18] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[19] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[20] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[21] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.8.3 Single or Multi Factor One Time Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.3 Algorithms (L2 L3), 6.2.4 Algorithms (L2 L3), 6.2.5 Algorithms (L2 L3), 6.2.6 Algorithms (L2 L3), 6.2.7 Algorithms (L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3)
[22] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[23] Standards Mapping - OWASP Mobile 2023 M10 Insufficient Cryptography
[24] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[25] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 3.6.1, Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 3.6.1, Requirement 6.3.1.3, Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 3.6.1, Requirement 6.5.3
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 3.6.1, Requirement 6.5.3
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 3.6.1, Requirement 6.5.3
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 3.6.1, Requirement 6.5.3
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 3.6.1, Requirement 6.5.3
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.6.1, Requirement 6.2.4
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.2 - Use of Cryptography
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[36] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002290 CAT II
desc.structural.golang.weak_cryptographic_signature_insufficient_key_size
Abstract
暗号化署名アルゴリズムでも、鍵のサイズが不十分であると、ブルートフォース攻撃に対して脆弱になります。
Explanation
現在の暗号化ガイドラインでは、RSA と DSA アルゴリズムでは最小でも 2048 ビットの鍵の長さを使用するように推奨されています。しかし、演算処理能力とファクタリング技術が進歩し続ける限り [1]、将来的に推奨される鍵のサイズが増大するのは避けられません。

例 1: 次のコードは、1024 ビットの DSA 署名鍵を生成します。

...
KeyPairGenerator keyGen = KeyPairGenerator.getInstance("DSA", "SUN");
SecureRandom random = SecureRandom.getInstance("SHA256PRNG", "SUN");
keyGen.initialize(1024, random);
...
References
[1] J. Cheng 307-digit key crack endangers 1024-bit RSA
[2] Elaine Barker and Allen Roginsky NIST Special Publication 800-131A: Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths. NIST
[3] B. Chess and J. West, Secure Programming with Static Analysis. Boston, MA: Addison-Wesley, 2007.
[4] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.5
[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0
[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[8] Standards Mapping - CIS Kubernetes Benchmark complete
[9] Standards Mapping - Common Weakness Enumeration CWE ID 326
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[11] Standards Mapping - FIPS200 MP
[12] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[13] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-12 Cryptographic Key Establishment and Management (P1)
[14] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-12 Cryptographic Key Establishment and Management
[15] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[16] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[17] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[18] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[19] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[20] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[21] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.8.3 Single or Multi Factor One Time Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.3 Algorithms (L2 L3), 6.2.4 Algorithms (L2 L3), 6.2.5 Algorithms (L2 L3), 6.2.6 Algorithms (L2 L3), 6.2.7 Algorithms (L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3)
[22] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[23] Standards Mapping - OWASP Mobile 2023 M10 Insufficient Cryptography
[24] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[25] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 3.6.1, Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 3.6.1, Requirement 6.3.1.3, Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 3.6.1, Requirement 6.5.3
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 3.6.1, Requirement 6.5.3
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 3.6.1, Requirement 6.5.3
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 3.6.1, Requirement 6.5.3
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 3.6.1, Requirement 6.5.3
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.6.1, Requirement 6.2.4
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.2 - Use of Cryptography
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[36] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002290 CAT II
desc.structural.java.weak_cryptographic_signature_insufficient_key_size
Abstract
強力な暗号化署名アルゴリズムでも、不十分な鍵サイズを使用する場合は、Brute-Force 攻撃に対してさらに脆弱性が増す可能性があります。
Explanation
現在の暗号化ガイドラインでは、RSA と DSA アルゴリズムでは最小でも 2048 ビットの鍵の長さを使用する必要があるとされています。しかし、演算処理能力とファクタリング技術が進歩し続ける限り [1]、将来的に推奨される鍵のサイズが増大するのは避けられません。

例 1: 次のコードは、1024 ビットの DSA 署名鍵を生成します。

...
from Crypto.PublicKey import DSA
key = DSA.generate(1024)
...
References
[1] J. Cheng 307-digit key crack endangers 1024-bit RSA
[2] Elaine Barker and Allen Roginsky NIST Special Publication 800-131A: Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths. NIST
[3] B. Chess and J. West, Secure Programming with Static Analysis. Boston, MA: Addison-Wesley, 2007.
[4] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.5
[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0
[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[8] Standards Mapping - CIS Kubernetes Benchmark complete
[9] Standards Mapping - Common Weakness Enumeration CWE ID 326
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[11] Standards Mapping - FIPS200 MP
[12] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[13] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-12 Cryptographic Key Establishment and Management (P1)
[14] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-12 Cryptographic Key Establishment and Management
[15] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[16] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[17] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[18] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[19] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[20] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[21] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.8.3 Single or Multi Factor One Time Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.3 Algorithms (L2 L3), 6.2.4 Algorithms (L2 L3), 6.2.5 Algorithms (L2 L3), 6.2.6 Algorithms (L2 L3), 6.2.7 Algorithms (L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3)
[22] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[23] Standards Mapping - OWASP Mobile 2023 M10 Insufficient Cryptography
[24] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[25] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 3.6.1, Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 3.6.1, Requirement 6.3.1.3, Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 3.6.1, Requirement 6.5.3
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 3.6.1, Requirement 6.5.3
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 3.6.1, Requirement 6.5.3
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 3.6.1, Requirement 6.5.3
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 3.6.1, Requirement 6.5.3
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.6.1, Requirement 6.2.4
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.2 - Use of Cryptography
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[36] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002290 CAT II
desc.structural.python.weak_cryptographic_signature_insufficient_key_size
Abstract
強力な暗号化署名アルゴリズムでも、不十分な鍵サイズを使用する場合は、Brute-Force 攻撃に対してさらに脆弱性が増す可能性があります。
Explanation
現在の暗号化ガイドラインでは、RSA と DSA アルゴリズムでは最小でも 2048 ビットの鍵の長さを使用する必要があるとされています。しかし、演算処理能力とファクタリング技術が進歩し続ける限り [1]、将来的に推奨される鍵のサイズが増大するのは避けられません。

例 1: 次のコードは、1024 ビットの DSA 署名鍵を生成します。

require 'openssl'
...
key = OpenSSL::PKey::DSA.new(1024)
...

References
[1] J. Cheng 307-digit key crack endangers 1024-bit RSA
[2] Elaine Barker and Allen Roginsky NIST Special Publication 800-131A: Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths. NIST
[3] B. Chess and J. West, Secure Programming with Static Analysis. Boston, MA: Addison-Wesley, 2007.
[4] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.5
[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0
[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[8] Standards Mapping - CIS Kubernetes Benchmark complete
[9] Standards Mapping - Common Weakness Enumeration CWE ID 326
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[11] Standards Mapping - FIPS200 MP
[12] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[13] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-12 Cryptographic Key Establishment and Management (P1)
[14] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-12 Cryptographic Key Establishment and Management
[15] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[16] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[17] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[18] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[19] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[20] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[21] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.8.3 Single or Multi Factor One Time Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.3 Algorithms (L2 L3), 6.2.4 Algorithms (L2 L3), 6.2.5 Algorithms (L2 L3), 6.2.6 Algorithms (L2 L3), 6.2.7 Algorithms (L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3)
[22] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[23] Standards Mapping - OWASP Mobile 2023 M10 Insufficient Cryptography
[24] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[25] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 3.6.1, Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 3.6.1, Requirement 6.3.1.3, Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 3.6.1, Requirement 6.5.3
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 3.6.1, Requirement 6.5.3
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 3.6.1, Requirement 6.5.3
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 3.6.1, Requirement 6.5.3
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 3.6.1, Requirement 6.5.3
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.6.1, Requirement 6.2.4
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.2 - Use of Cryptography
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[36] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002290 CAT II
desc.structural.ruby.weak_cryptographic_signature_insufficient_key_size

Weak Cryptographic Signature: Missing Required Step

Abstract
暗号化署名の生成プロセスの間に、コードは必須ステップの呼び出しに失敗します。
Explanation
暗号化署名の生成には複数のステップが伴います。必須ステップのいずれか 1 つでも欠落すると、生成される署名の強度が弱まります。

例 1: 次のコードはメソッド EVP_SignUpdate へのコールをスキップするため、データに基づかずに署名が作成されます。


...
rv = EVP_SignInit(ctx, EVP_sha512());
...
rv = EVP_SignFinal(ctx, sig, &sig_len,  key);
...
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.5
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[5] Standards Mapping - CIS Kubernetes Benchmark complete
[6] Standards Mapping - Common Weakness Enumeration CWE ID 325
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[8] Standards Mapping - FIPS200 MP
[9] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-13 Cryptographic Protection (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-13 Cryptographic Protection
[12] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[13] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[14] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[15] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[16] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[17] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[18] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3)
[19] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[20] Standards Mapping - OWASP Mobile 2023 M10 Insufficient Cryptography
[21] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[22] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.3
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.2 - Use of Cryptography
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[34] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002290 CAT II
desc.controlflow.cpp.weak_cryptographic_signature_missing_required_step
Abstract
暗号化署名の生成プロセスの間に、コードは必須ステップの呼び出しに失敗します。
Explanation
暗号化署名の生成には複数のステップが伴います。必須ステップのいずれか 1 つでも欠落すると、生成される署名の強度が弱まります。

例 1: 次のコードはメソッド update へのコールをスキップするため、データに基づかずに署名が作成されます。

...
Signature sig = Signature.getInstance("SHA256withRSA");
sig.initSign(keyPair.getPrivate());
...
byte[] signatureBytes = sig.sign();
...
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.5
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[5] Standards Mapping - CIS Kubernetes Benchmark complete
[6] Standards Mapping - Common Weakness Enumeration CWE ID 325
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[8] Standards Mapping - FIPS200 MP
[9] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-13 Cryptographic Protection (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-13 Cryptographic Protection
[12] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[13] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[14] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[15] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[16] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[17] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[18] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3)
[19] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[20] Standards Mapping - OWASP Mobile 2023 M10 Insufficient Cryptography
[21] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[22] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.3
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.2 - Use of Cryptography
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[34] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002290 CAT II
desc.controlflow.java.weak_cryptographic_signature_missing_required_step

Weak Cryptographic Signature: User-Controlled Key Size

Abstract
鍵サイズ パラメーターを受け取る暗号署名関数には汚染された鍵サイズ値を渡さないでください。
Explanation
鍵サイズの決定をユーザー制御値に許可すると、攻撃者は空の鍵を指定できます。その結果、暗号化データの整合性を維持する暗号署名の改ざんを許します。ゼロ以外の値を必須としても、攻撃者は可能な限り低い鍵サイズ値を指定し、暗号化データの整合性を下げることができます。

Weak Cryptographic Hash: User-Controlled Key Size の問題は、次の場合に発生します。

1. 信頼できないソースからデータがプログラムに入り込んだ場合。

2. ユーザー制御データが暗号署名関数内の鍵サイズ パラメーターの全部または一部として使用される場合。

多くのソフトウェア セキュリティの脆弱性と同様、Weak Cryptographic Hash: User-Controlled Key Size は目的を達成するための手段であって、目的そのものではありません。基本的には、この脆弱性は単純なものです。攻撃者は悪意のあるデータをアプリケーションに渡し、暗号化の実行中にそのデータが鍵サイズ値の全体または一部として使用されます。

現在の暗号化ガイドラインでは、RSA と DSA アルゴリズムでは最小でも 2048 ビットの鍵の長さを使用する必要があるとされています。しかし、演算処理能力とファクタリング技術が進歩し続ける限り [1]、将来的に推奨される鍵のサイズが増大するのは避けられません。ユーザー入力が鍵サイズの一部として使用される場合でも、署名のセキュリティを大幅に弱体化し、結果的に暗号化データの整合性が下がります。

例 1: 次のコードは、ユーザー制御の鍵サイズ パラメーターを使用して DSA 署名鍵を生成します。

...
DSA dsa1 = new DSACryptoServiceProvider(Convert.ToInt32(TextBox1.Text));
...


ユーザーが key_len を決定できる使用例もわずかにありますが、その場合でも、それが数値であり、鍵サイズとして適切な値の範囲に収まっていることを確認するだけの防御が求められます。ほとんどの使用例において、十分に大きな数字をハードコーディングすることが求められます。
References
[1] J. Cheng 307-digit key crack endangers 1024-bit RSA
[2] Elaine Barker and Allen Roginsky NIST Special Publication 800-131A: Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths. NIST
[3] B. Chess and J. West, Secure Programming with Static Analysis. Boston, MA: Addison-Wesley, 2007.
[4] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.5
[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4.0
[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[8] Standards Mapping - CIS Kubernetes Benchmark complete
[9] Standards Mapping - Common Weakness Enumeration CWE ID 326
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[11] Standards Mapping - FIPS200 MP
[12] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[13] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-12 Cryptographic Key Establishment and Management (P1)
[14] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-12 Cryptographic Key Establishment and Management
[15] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[16] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[17] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[18] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[19] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[20] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[21] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.8.3 Single or Multi Factor One Time Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.3 Algorithms (L2 L3), 6.2.4 Algorithms (L2 L3), 6.2.5 Algorithms (L2 L3), 6.2.6 Algorithms (L2 L3), 6.2.7 Algorithms (L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3)
[22] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[23] Standards Mapping - OWASP Mobile 2023 M10 Insufficient Cryptography
[24] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[25] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 3.6.1, Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 3.6.1, Requirement 6.3.1.3, Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 3.6.1, Requirement 6.5.3
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 3.6.1, Requirement 6.5.3
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 3.6.1, Requirement 6.5.3
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 3.6.1, Requirement 6.5.3
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 3.6.1, Requirement 6.5.3
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.6.1, Requirement 6.2.4
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.2 - Use of Cryptography
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[36] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002290 CAT II
desc.dataflow.dotnet.weak_cryptographic_signature_user_controlled_key_size
Abstract
鍵サイズを受け取る暗号署名関数は、汚染された鍵サイズ値を受け取る可能性があります。
Explanation
鍵サイズの決定をユーザー制御値に許可すると、攻撃者は空の鍵を指定できます。その結果、暗号化データの整合性を維持する暗号署名の改ざんを許します。ゼロ以外の値を必須としても、攻撃者は可能な限り低い鍵サイズ値を指定し、暗号化データの整合性を下げることができます。

脆弱な暗号署名: ユーザー制御による鍵サイズの問題は、次の場合に発生します。

1.信頼できないソースを経由してデータがプログラムに入り込んだ場合。

2.ユーザー制御データが暗号署名関数内の鍵サイズ パラメーターの全部または一部として使用される場合。

多くのソフトウェアのセキュリティ脆弱性と同様に、脆弱な暗号化署名: ユーザー制御による鍵サイズは、それ自体が目的ではなく目標を達成するための手段です。基本的には、この脆弱性は単純なものです。攻撃者は悪意のあるデータをアプリケーションに渡し、暗号化を実行するためにそのデータが鍵サイズ値の全体または一部として使用されます。

現在の暗号化ガイドラインでは、RSA と DSA アルゴリズムでは最小でも 2048 ビットの鍵の長さを使用するように推奨されています。しかし、演算処理能力とファクタリング技術が進歩し続ける限り [1]、将来的に推奨される鍵のサイズが増大するのは避けられません。ユーザー入力が鍵サイズの一部として使用される場合でも、署名のセキュリティを弱体化し、結果的に暗号化データの整合性が下がります。

例 1: 次のコードはユーザー制御の鍵サイズ パラメーターを使用して DSA 署名鍵を生成します。

...
dsa.GenerateParameters(params, rand.Reader, key_len)
privatekey := new(dsa.PrivateKey)
privatekey.PublicKey.Parameters = *params
dsa.GenerateKey(privatekey, rand.Reader)
...


ユーザーが key_len を指定できなくてはいけない場合がまれにあります。その場合、それが数値であり、鍵サイズとして適切な値の範囲に収まっていることを確認する必要があります。ほとんどの使用例において、ハードコーディングされた十分に大きな鍵サイズを選択してください。
References
[1] J. Cheng 307-digit key crack endangers 1024-bit RSA
[2] Elaine Barker and Allen Roginsky NIST Special Publication 800-131A: Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths. NIST
[3] B. Chess and J. West, Secure Programming with Static Analysis. Boston, MA: Addison-Wesley, 2007.
[4] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.5
[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4.0
[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[8] Standards Mapping - CIS Kubernetes Benchmark complete
[9] Standards Mapping - Common Weakness Enumeration CWE ID 326
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[11] Standards Mapping - FIPS200 MP
[12] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[13] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-12 Cryptographic Key Establishment and Management (P1)
[14] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-12 Cryptographic Key Establishment and Management
[15] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[16] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[17] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[18] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[19] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[20] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[21] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.8.3 Single or Multi Factor One Time Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.3 Algorithms (L2 L3), 6.2.4 Algorithms (L2 L3), 6.2.5 Algorithms (L2 L3), 6.2.6 Algorithms (L2 L3), 6.2.7 Algorithms (L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3)
[22] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[23] Standards Mapping - OWASP Mobile 2023 M10 Insufficient Cryptography
[24] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[25] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 3.6.1, Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 3.6.1, Requirement 6.3.1.3, Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 3.6.1, Requirement 6.5.3
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 3.6.1, Requirement 6.5.3
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 3.6.1, Requirement 6.5.3
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 3.6.1, Requirement 6.5.3
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 3.6.1, Requirement 6.5.3
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.6.1, Requirement 6.2.4
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.2 - Use of Cryptography
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[36] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002290 CAT II
desc.dataflow.golang.weak_cryptographic_signature_user_controlled_key_size
Abstract
鍵サイズ パラメーターを受け取る暗号署名関数には汚染された鍵サイズ値を渡さないでください。
Explanation
鍵サイズの決定をユーザー制御値に許可すると、攻撃者は空の鍵を指定できます。その結果、暗号化データの整合性を維持する暗号署名の改ざんを許します。ゼロ以外の値を必須としても、攻撃者は可能な限り低い鍵サイズ値を指定し、暗号化データの整合性を下げることができます。

脆弱な暗号化ハッシュ:ユーザー制御による鍵サイズの問題は、次の場合に発生します。

1. 信頼できないソースからデータがプログラムに入り込んだ場合。

2. ユーザー制御データが暗号署名関数内の鍵サイズ パラメーターの全部または一部として使用される場合。

多くのソフトウェアのセキュリティ脆弱性と同様に、脆弱な暗号化ハッシュ:ユーザー制御による鍵サイズは、それ自体が目的ではなく目標を達成するための手段です。基本的には、この脆弱性は単純なものです。攻撃者は悪意のあるデータをアプリケーションに渡します。暗号化の実行中にそのデータが鍵サイズ値の全部または一部として使用されます。

現在の暗号化ガイドラインでは、RSA と DSA アルゴリズムでは最小でも 2048 ビットの鍵の長さを使用する必要があるとされています。しかし、演算処理能力とファクタリング技術が進歩し続ける限り [1]、将来的に推奨される鍵のサイズが増大するのは避けられません。ユーザー入力が鍵サイズの一部として使用される場合でも、署名のセキュリティを大幅に弱体化し、結果的に暗号化データの整合性が下がります。

例 1: 次のコードはユーザー制御の鍵サイズ パラメーターを使用して DSA 署名鍵を生成します。

require 'openssl'
...
key_len = io.read.to_i
key = OpenSSL::PKey::DSA.new(key_len)
...


ユーザーが key_len を決定できる使用例もわずかにありますが、その場合でも、それが数値であり、鍵サイズとして適切な値の範囲に収まっていることを確認するだけの防御が求められます。ほとんどの使用例において、十分に大きな数字をハードコーディングすることが求められます。
References
[1] J. Cheng 307-digit key crack endangers 1024-bit RSA
[2] Elaine Barker and Allen Roginsky NIST Special Publication 800-131A: Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths. NIST
[3] B. Chess and J. West, Secure Programming with Static Analysis. Boston, MA: Addison-Wesley, 2007.
[4] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.5
[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4.0
[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[8] Standards Mapping - CIS Kubernetes Benchmark complete
[9] Standards Mapping - Common Weakness Enumeration CWE ID 326
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[11] Standards Mapping - FIPS200 MP
[12] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[13] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-12 Cryptographic Key Establishment and Management (P1)
[14] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-12 Cryptographic Key Establishment and Management
[15] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[16] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[17] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[18] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[19] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[20] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[21] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.8.3 Single or Multi Factor One Time Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.3 Algorithms (L2 L3), 6.2.4 Algorithms (L2 L3), 6.2.5 Algorithms (L2 L3), 6.2.6 Algorithms (L2 L3), 6.2.7 Algorithms (L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3)
[22] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[23] Standards Mapping - OWASP Mobile 2023 M10 Insufficient Cryptography
[24] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[25] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 3.6.1, Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 3.6.1, Requirement 6.3.1.3, Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 3.6.1, Requirement 6.5.3
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 3.6.1, Requirement 6.5.3
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 3.6.1, Requirement 6.5.3
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 3.6.1, Requirement 6.5.3
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 3.6.1, Requirement 6.5.3
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.6.1, Requirement 6.2.4
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.2 - Use of Cryptography
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[36] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002290 CAT II
desc.dataflow.ruby.weak_cryptographic_signature_user_controlled_key_size

Weak Encryption

Abstract
この特定のコールでは、重要なデータの機密性を保証できない貧弱な暗号化アルゴリズムが使用されています。
Explanation
DES などの旧式の暗号化アルゴリズムには、機密データに使用するのに十分な保護機能がありません。暗号化アルゴリズムは、暗号化機能の堅牢さを保証する主要メカニズムの 1 つとして、鍵のサイズを使用しています。暗号化機能の堅牢さは通常、有効な鍵を生成するのに要する時間とコンピュータの処理能力によって測られます。コンピュータの処理能力が向上したことによって、適当な時間内に小規模な暗号鍵を取得できるようになりました。たとえば、このアルゴリズムが初めて開発された 1970 年代、DES で使用される 56 ビット鍵はコンピュータの処理性能の面で大きな障害となっていました。しかし今日、一般的なツールを使用して 1 日も経たないうちに DES を解読できるようになりました。
References
[1] distributed.net DES
[2] FAQ About the Electronic Frontier Foundation's "DES Cracker" Machine Electronic Frontier Foundation
[3] SDL Development Practices Microsoft
[4] Microsoft Security Fundamentals Microsoft
[5] NIST Special Publication 800-132 NIST
[6] John Kelsey, Bruce Schneier, and David Wagner Related-key cryptanalysis of 3-WAY, Biham-DES, CAST, DES-X, NewDES, RC2, and TEA
[7] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[8] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[9] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[10] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[11] Standards Mapping - CIS Kubernetes Benchmark complete
[12] Standards Mapping - Common Weakness Enumeration CWE ID 327
[13] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[14] Standards Mapping - FIPS200 MP
[15] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[16] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-13 Cryptographic Protection (P1)
[17] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-13 Cryptographic Protection
[18] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[19] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[20] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[21] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[22] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[23] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[24] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.6.2 Cryptographic Architectural Requirements (L2 L3), 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.8.2 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.3 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.9.1 Cryptographic Software and Devices Verifier Requirements (L2 L3), 2.9.3 Cryptographic Software and Devices Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.2 Algorithms (L2 L3), 6.2.3 Algorithms (L2 L3), 6.2.4 Algorithms (L2 L3), 6.2.5 Algorithms (L2 L3), 6.2.6 Algorithms (L2 L3), 6.4.2 Secret Management (L2 L3), 8.3.7 Sensitive Private Data (L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3)
[25] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[26] Standards Mapping - OWASP Mobile 2023 M10 Insufficient Cryptography
[27] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[28] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.3
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[37] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography
[38] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[40] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 327
[41] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 327
[42] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 327
[43] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[59] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[60] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[61] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[62] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[63] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II, APSC-DV-003100 CAT II, APSC-DV-003310 CAT II
desc.semantic.abap.weak_encryption
Abstract
この特定のコールでは、重要なデータの機密性を保証できない貧弱な暗号化アルゴリズムが使用されています。
Explanation
DES などの旧式の暗号化アルゴリズムには、機密データに使用するのに十分な保護機能がありません。暗号化アルゴリズムは、暗号化機能の堅牢さを保証する主要メカニズムの 1 つとして、鍵のサイズを使用しています。暗号化機能の堅牢さは通常、有効な鍵を生成するのに要する時間とコンピュータの処理能力によって測られます。コンピュータの処理能力が向上したことによって、適当な時間内に小規模な暗号鍵を取得できるようになりました。たとえば、このアルゴリズムが初めて開発された 1970 年代、DES で使用される 56 ビット鍵はコンピュータの処理性能の面で大きな障害となっていました。しかし今日、一般的なツールを使用して 1 日も経たないうちに DES を解読できるようになりました。
References
[1] distributed.net DES
[2] FAQ About the Electronic Frontier Foundation's "DES Cracker" Machine Electronic Frontier Foundation
[3] SDL Development Practices Microsoft
[4] Microsoft Security Fundamentals Microsoft
[5] John Kelsey, Bruce Schneier, and David Wagner Related-key cryptanalysis of 3-WAY, Biham-DES, CAST, DES-X, NewDES, RC2, and TEA
[6] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[7] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[8] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[9] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[10] Standards Mapping - CIS Kubernetes Benchmark complete
[11] Standards Mapping - Common Weakness Enumeration CWE ID 327
[12] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[13] Standards Mapping - FIPS200 MP
[14] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[15] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-13 Cryptographic Protection (P1)
[16] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-13 Cryptographic Protection
[17] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[18] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[19] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[20] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[21] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[22] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[23] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.6.2 Cryptographic Architectural Requirements (L2 L3), 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.8.2 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.3 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.9.1 Cryptographic Software and Devices Verifier Requirements (L2 L3), 2.9.3 Cryptographic Software and Devices Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.2 Algorithms (L2 L3), 6.2.3 Algorithms (L2 L3), 6.2.4 Algorithms (L2 L3), 6.2.5 Algorithms (L2 L3), 6.2.6 Algorithms (L2 L3), 6.4.2 Secret Management (L2 L3), 8.3.7 Sensitive Private Data (L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3)
[24] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[25] Standards Mapping - OWASP Mobile 2023 M10 Insufficient Cryptography
[26] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[27] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.3
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[36] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography
[37] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[38] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[39] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 327
[40] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 327
[41] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 327
[42] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[59] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[60] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[61] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[62] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II, APSC-DV-003100 CAT II, APSC-DV-003310 CAT II
desc.semantic.dotnet.weak_encryption
Abstract
この特定のコールでは、重要なデータの機密性を保証できない貧弱な暗号化アルゴリズムが使用されています。
Explanation
DES などの旧式の暗号化アルゴリズムには、機密データに使用するのに十分な保護機能がありません。暗号化アルゴリズムは、暗号化機能の堅牢さを保証する主要メカニズムの 1 つとして、鍵のサイズを使用しています。暗号化機能の堅牢さは通常、有効な鍵を生成するのに要する時間とコンピュータの処理能力によって測られます。コンピュータの処理能力が向上したことによって、適当な時間内に小規模な暗号鍵を取得できるようになりました。たとえば、このアルゴリズムが初めて開発された 1970 年代、DES で使用される 56 ビット鍵はコンピュータの処理性能の面で大きな障害となっていました。しかし今日、一般的なツールを使用して 1 日も経たないうちに DES を解読できるようになりました。
References
[1] EVP_EncryptInit(3) The OpenSSL Project
[2] distributed.net DES
[3] FAQ About the Electronic Frontier Foundation's "DES Cracker" Machine Electronic Frontier Foundation
[4] SDL Development Practices Microsoft
[5] Microsoft Security Fundamentals Microsoft
[6] John Kelsey, Bruce Schneier, and David Wagner Related-key cryptanalysis of 3-WAY, Biham-DES, CAST, DES-X, NewDES, RC2, and TEA
[7] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[8] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[9] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[10] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[11] Standards Mapping - CIS Kubernetes Benchmark complete
[12] Standards Mapping - Common Weakness Enumeration CWE ID 327
[13] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[14] Standards Mapping - FIPS200 MP
[15] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[16] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-13 Cryptographic Protection (P1)
[17] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-13 Cryptographic Protection
[18] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[19] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[20] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[21] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[22] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[23] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[24] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.6.2 Cryptographic Architectural Requirements (L2 L3), 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.8.2 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.3 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.9.1 Cryptographic Software and Devices Verifier Requirements (L2 L3), 2.9.3 Cryptographic Software and Devices Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.2 Algorithms (L2 L3), 6.2.3 Algorithms (L2 L3), 6.2.4 Algorithms (L2 L3), 6.2.5 Algorithms (L2 L3), 6.2.6 Algorithms (L2 L3), 6.4.2 Secret Management (L2 L3), 8.3.7 Sensitive Private Data (L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3)
[25] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[26] Standards Mapping - OWASP Mobile 2023 M10 Insufficient Cryptography
[27] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[28] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.3
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[37] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography
[38] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[40] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 327
[41] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 327
[42] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 327
[43] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[59] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[60] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[61] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[62] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[63] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II, APSC-DV-003100 CAT II, APSC-DV-003310 CAT II
desc.semantic.cpp.weak_encryption
Abstract
この特定のコールでは、重要なデータの機密性を保証できない貧弱な暗号化アルゴリズムが使用されています。
Explanation
DES などの旧式の暗号化アルゴリズムには、機密データに使用するのに十分な保護機能がありません。暗号化アルゴリズムは、暗号化機能の堅牢さを保証する主要メカニズムの 1 つとして、鍵のサイズを使用しています。暗号化機能の堅牢さは通常、有効な鍵を生成するのに要する時間とコンピュータの処理能力によって測られます。コンピュータの処理能力が向上したことによって、適当な時間内に小規模な暗号鍵を取得できるようになりました。たとえば、このアルゴリズムが初めて開発された 1970 年代、DES で使用される 56 ビット鍵はコンピュータの処理性能の面で大きな障害となっていました。しかし今日、一般的なツールを使用して 1 日も経たないうちに DES を解読できるようになりました。
References
[1] Java Cryptography Architecture Standard Algorithm Name Documentation Sun Microsystems
[2] distributed.net DES
[3] FAQ About the Electronic Frontier Foundation's "DES Cracker" Machine Electronic Frontier Foundation
[4] SDL Development Practices Microsoft
[5] Microsoft Security Fundamentals Microsoft
[6] John Kelsey, Bruce Schneier, and David Wagner Related-key cryptanalysis of 3-WAY, Biham-DES, CAST, DES-X, NewDES, RC2, and TEA
[7] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[8] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[9] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[10] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[11] Standards Mapping - CIS Kubernetes Benchmark complete
[12] Standards Mapping - Common Weakness Enumeration CWE ID 327
[13] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[14] Standards Mapping - FIPS200 MP
[15] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[16] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-13 Cryptographic Protection (P1)
[17] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-13 Cryptographic Protection
[18] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[19] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[20] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[21] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[22] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[23] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[24] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.6.2 Cryptographic Architectural Requirements (L2 L3), 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.8.2 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.3 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.9.1 Cryptographic Software and Devices Verifier Requirements (L2 L3), 2.9.3 Cryptographic Software and Devices Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.2 Algorithms (L2 L3), 6.2.3 Algorithms (L2 L3), 6.2.4 Algorithms (L2 L3), 6.2.5 Algorithms (L2 L3), 6.2.6 Algorithms (L2 L3), 6.4.2 Secret Management (L2 L3), 8.3.7 Sensitive Private Data (L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3)
[25] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[26] Standards Mapping - OWASP Mobile 2023 M10 Insufficient Cryptography
[27] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[28] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.3
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[37] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography
[38] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[40] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 327
[41] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 327
[42] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 327
[43] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[59] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[60] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[61] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[62] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[63] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II, APSC-DV-003100 CAT II, APSC-DV-003310 CAT II
desc.semantic.cfml.weak_encryption
Abstract
この特定のコールでは、重要なデータの機密性を保証できない貧弱な暗号化アルゴリズムが使用されています。
Explanation
DES などの旧式の暗号化アルゴリズムには、機密データに使用するのに十分な保護機能がありません。暗号化アルゴリズムは、暗号化機能の堅牢さを保証する主要メカニズムの 1 つとして、鍵のサイズを使用しています。暗号化機能の堅牢さは通常、有効な鍵を生成するのに要する時間とコンピュータの処理能力によって測られます。コンピュータの処理能力が向上したことによって、適当な時間内に小規模な暗号鍵を取得できるようになりました。たとえば、このアルゴリズムが初めて開発された 1970 年代、DES で使用される 56 ビット鍵はコンピュータの処理性能の面で大きな障害となっていました。しかし今日、攻撃者は一般的なツールを使用して 1 日も経たないうちに DES を解読できるようになりました。
References
[1] Java Cryptography Architecture Standard Algorithm Name Documentation Sun Microsystems
[2] distributed.net DES
[3] FAQ About the Electronic Frontier Foundation's "DES Cracker" Machine Electronic Frontier Foundation
[4] SDL Development Practices Microsoft
[5] Microsoft Security Fundamentals Microsoft
[6] NIST Special Publication 800-132 NIST
[7] John Kelsey, Bruce Schneier, and David Wagner Related-key cryptanalysis of 3-WAY, Biham-DES, CAST, DES-X, NewDES, RC2, and TEA
[8] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[9] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[10] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[11] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[12] Standards Mapping - CIS Kubernetes Benchmark complete
[13] Standards Mapping - Common Weakness Enumeration CWE ID 327
[14] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[15] Standards Mapping - FIPS200 MP
[16] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[17] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-13 Cryptographic Protection (P1)
[18] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-13 Cryptographic Protection
[19] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[20] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[21] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[22] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[23] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[24] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[25] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.6.2 Cryptographic Architectural Requirements (L2 L3), 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.8.2 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.3 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.9.1 Cryptographic Software and Devices Verifier Requirements (L2 L3), 2.9.3 Cryptographic Software and Devices Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.2 Algorithms (L2 L3), 6.2.3 Algorithms (L2 L3), 6.2.4 Algorithms (L2 L3), 6.2.5 Algorithms (L2 L3), 6.2.6 Algorithms (L2 L3), 6.4.2 Secret Management (L2 L3), 8.3.7 Sensitive Private Data (L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3)
[26] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[27] Standards Mapping - OWASP Mobile 2023 M10 Insufficient Cryptography
[28] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[29] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.3
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[37] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[38] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[40] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[41] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 327
[42] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 327
[43] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 327
[44] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[59] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[60] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[61] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[62] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[63] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[64] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II, APSC-DV-003100 CAT II, APSC-DV-003310 CAT II
desc.semantic.golang.weak_encryption
Abstract
この特定のコールでは、重要なデータの機密性を保証できない貧弱な暗号化アルゴリズムが使用されています。
Explanation
DES などの旧式の暗号化アルゴリズムには、機密データに使用するのに十分な保護機能がありません。暗号化アルゴリズムは、暗号化機能の堅牢さを保証する主要メカニズムの 1 つとして、鍵のサイズを使用しています。暗号化機能の堅牢さは通常、有効な鍵を生成するのに要する時間とコンピュータの処理能力によって測られます。コンピュータの処理能力が向上したことによって、適当な時間内に小規模な暗号鍵を取得できるようになりました。たとえば、このアルゴリズムが初めて開発された 1970 年代、DES で使用される 56 ビット鍵はコンピュータの処理性能の面で大きな障害となっていました。しかし今日、一般的なツールを使用して 1 日も経たないうちに DES を解読できるようになりました。
References
[1] Java Cryptography Architecture Standard Algorithm Name Documentation Sun Microsystems
[2] distributed.net DES
[3] FAQ About the Electronic Frontier Foundation's "DES Cracker" Machine Electronic Frontier Foundation
[4] SDL Development Practices Microsoft
[5] Microsoft Security Fundamentals Microsoft
[6] NIST Special Publication 800-132 NIST
[7] John Kelsey, Bruce Schneier, and David Wagner Related-key cryptanalysis of 3-WAY, Biham-DES, CAST, DES-X, NewDES, RC2, and TEA
[8] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[9] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[10] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[11] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[12] Standards Mapping - CIS Kubernetes Benchmark complete
[13] Standards Mapping - Common Weakness Enumeration CWE ID 327
[14] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[15] Standards Mapping - FIPS200 MP
[16] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[17] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-13 Cryptographic Protection (P1)
[18] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-13 Cryptographic Protection
[19] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[20] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[21] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[22] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[23] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[24] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[25] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.6.2 Cryptographic Architectural Requirements (L2 L3), 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.8.2 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.3 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.9.1 Cryptographic Software and Devices Verifier Requirements (L2 L3), 2.9.3 Cryptographic Software and Devices Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.2 Algorithms (L2 L3), 6.2.3 Algorithms (L2 L3), 6.2.4 Algorithms (L2 L3), 6.2.5 Algorithms (L2 L3), 6.2.6 Algorithms (L2 L3), 6.4.2 Secret Management (L2 L3), 8.3.7 Sensitive Private Data (L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3)
[26] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[27] Standards Mapping - OWASP Mobile 2023 M10 Insufficient Cryptography
[28] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[29] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.3
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[37] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[38] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[40] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[41] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 327
[42] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 327
[43] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 327
[44] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[59] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[60] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[61] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[62] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[63] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[64] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II, APSC-DV-003100 CAT II, APSC-DV-003310 CAT II
desc.semantic.java.weak_encryption
Abstract
この特定のコールでは、重要なデータの機密性を保証できない貧弱な暗号化アルゴリズムが使用されています。
Explanation
DES などの旧式の暗号化アルゴリズムには、機密データに使用するのに十分な保護機能がありません。暗号化アルゴリズムは、暗号化機能の堅牢さを保証する主要メカニズムの 1 つとして、鍵のサイズを使用しています。暗号化機能の堅牢さは通常、有効な鍵を生成するのに要する時間とコンピュータの処理能力によって測られます。コンピュータの処理能力が向上したことによって、適当な時間内に小規模な暗号鍵を取得できるようになりました。たとえば、このアルゴリズムが初めて開発された 1970 年代、DES で使用される 56 ビット鍵はコンピュータの処理性能の面で大きな障害となっていました。しかし今日、一般的なツールを使用して 1 日も経たないうちに DES を解読できるようになりました。
References
[1] Java Cryptography Architecture Standard Algorithm Name Documentation Sun Microsystems
[2] distributed.net DES
[3] FAQ About the Electronic Frontier Foundation's "DES Cracker" Machine Electronic Frontier Foundation
[4] SDL Development Practices Microsoft
[5] Microsoft Security Fundamentals Microsoft
[6] John Kelsey, Bruce Schneier, and David Wagner Related-key cryptanalysis of 3-WAY, Biham-DES, CAST, DES-X, NewDES, RC2, and TEA
[7] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[8] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[9] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[10] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[11] Standards Mapping - CIS Kubernetes Benchmark complete
[12] Standards Mapping - Common Weakness Enumeration CWE ID 327
[13] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[14] Standards Mapping - FIPS200 MP
[15] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[16] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-13 Cryptographic Protection (P1)
[17] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-13 Cryptographic Protection
[18] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[19] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[20] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[21] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[22] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[23] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[24] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.6.2 Cryptographic Architectural Requirements (L2 L3), 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.8.2 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.3 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.9.1 Cryptographic Software and Devices Verifier Requirements (L2 L3), 2.9.3 Cryptographic Software and Devices Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.2 Algorithms (L2 L3), 6.2.3 Algorithms (L2 L3), 6.2.4 Algorithms (L2 L3), 6.2.5 Algorithms (L2 L3), 6.2.6 Algorithms (L2 L3), 6.4.2 Secret Management (L2 L3), 8.3.7 Sensitive Private Data (L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3)
[25] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[26] Standards Mapping - OWASP Mobile 2023 M10 Insufficient Cryptography
[27] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[28] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.3
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[37] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography
[38] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[40] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 327
[41] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 327
[42] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 327
[43] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[59] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[60] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[61] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[62] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[63] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II, APSC-DV-003100 CAT II, APSC-DV-003310 CAT II
desc.structural.javascript.weak_encryption
Abstract
この特定のコールでは、重要なデータの機密性を保証できない貧弱な暗号化アルゴリズムが使用されています。
Explanation
旧式の暗号化アルゴリズム、特に不十分なサイズの鍵を使用するアルゴリズムは、機密データの保護機能が十分ではありません。技術的な進歩によって、現在のコンピュータの処理能力では、ある程度の時間をかければ力づくで小サイズの暗号化鍵の取得が可能です。たとえば、このアルゴリズムが初めて開発された 1970 年代、DES で使用される 64 ビット鍵はコンピュータの処理性能の面で大きな障害となっていました。しかし今日、一般的なツールを使用して 1 日も経たないうちに DES を解読できるようになりました。

例 1: 次のコードは、安全でないアルゴリズム (DES) によって暗号化を実行します。

...
CCCrypt(kCCEncrypt,
        kCCAlgorithmDES,
        kCCOptionPKCS7Padding,
        key,
        kCCKeySizeDES, // 64-bit key size
        iv,
        plaintext,
        sizeof(plaintext),
        ciphertext,
        sizeof(ciphertext),
        &numBytesEncrypted);
...
References
[1] EVP_EncryptInit(3) The OpenSSL Project
[2] distributed.net DES
[3] FAQ About the Electronic Frontier Foundation's "DES Cracker" Machine Electronic Frontier Foundation
[4] John Kelsey, Bruce Schneier, and David Wagner Related-key cryptanalysis of 3-WAY, Biham-DES, CAST, DES-X, NewDES, RC2, and TEA
[5] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[6] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[7] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[8] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[9] Standards Mapping - CIS Kubernetes Benchmark complete
[10] Standards Mapping - Common Weakness Enumeration CWE ID 327
[11] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[12] Standards Mapping - FIPS200 MP
[13] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[14] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-13 Cryptographic Protection (P1)
[15] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-13 Cryptographic Protection
[16] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[17] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[18] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[19] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[20] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[21] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[22] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.6.2 Cryptographic Architectural Requirements (L2 L3), 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.8.2 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.3 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.9.1 Cryptographic Software and Devices Verifier Requirements (L2 L3), 2.9.3 Cryptographic Software and Devices Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.2 Algorithms (L2 L3), 6.2.3 Algorithms (L2 L3), 6.2.4 Algorithms (L2 L3), 6.2.5 Algorithms (L2 L3), 6.2.6 Algorithms (L2 L3), 6.4.2 Secret Management (L2 L3), 8.3.7 Sensitive Private Data (L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3)
[23] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[24] Standards Mapping - OWASP Mobile 2023 M10 Insufficient Cryptography
[25] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[26] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.3
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography
[36] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[37] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[38] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 327
[39] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 327
[40] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 327
[41] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[59] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[60] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[61] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II, APSC-DV-003100 CAT II, APSC-DV-003310 CAT II
desc.structural.objc.weak_encryption
Abstract
この特定のコールでは、重要なデータの機密性を保証できない貧弱な暗号化アルゴリズムが使用されています。
Explanation
DES などの旧式の暗号化アルゴリズムには、機密データに使用するのに十分な保護機能がありません。暗号化アルゴリズムは、暗号化機能の堅牢さを保証する主要メカニズムの 1 つとして、鍵のサイズを使用しています。暗号化機能の堅牢さは通常、有効な鍵を生成するのに要する時間とコンピュータの処理能力によって測られます。コンピュータの処理能力が向上したことによって、適当な時間内に小規模な暗号鍵を取得できるようになりました。たとえば、このアルゴリズムが初めて開発された 1970 年代、DES で使用される 56 ビット鍵はコンピュータの処理性能の面で大きな障害となっていました。しかし今日、一般的なツールを使用して 1 日も経たないうちに DES を解読できるようになりました。
References
[1] Mcrypt ciphers The PHP Group
[2] mcrypt_encrypt The PHP Group
[3] distributed.net DES
[4] FAQ About the Electronic Frontier Foundation's "DES Cracker" Machine Electronic Frontier Foundation
[5] SDL Development Practices Microsoft
[6] Microsoft Security Fundamentals Microsoft
[7] John Kelsey, Bruce Schneier, and David Wagner Related-key cryptanalysis of 3-WAY, Biham-DES, CAST, DES-X, NewDES, RC2, and TEA
[8] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[9] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[10] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[11] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[12] Standards Mapping - CIS Kubernetes Benchmark complete
[13] Standards Mapping - Common Weakness Enumeration CWE ID 327
[14] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[15] Standards Mapping - FIPS200 MP
[16] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[17] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-13 Cryptographic Protection (P1)
[18] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-13 Cryptographic Protection
[19] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[20] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[21] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[22] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[23] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[24] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[25] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.6.2 Cryptographic Architectural Requirements (L2 L3), 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.8.2 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.3 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.9.1 Cryptographic Software and Devices Verifier Requirements (L2 L3), 2.9.3 Cryptographic Software and Devices Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.2 Algorithms (L2 L3), 6.2.3 Algorithms (L2 L3), 6.2.4 Algorithms (L2 L3), 6.2.5 Algorithms (L2 L3), 6.2.6 Algorithms (L2 L3), 6.4.2 Secret Management (L2 L3), 8.3.7 Sensitive Private Data (L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3)
[26] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[27] Standards Mapping - OWASP Mobile 2023 M10 Insufficient Cryptography
[28] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[29] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.3
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[37] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[38] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[40] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[41] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 327
[42] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 327
[43] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 327
[44] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[59] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[60] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[61] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[62] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[63] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[64] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II, APSC-DV-003100 CAT II, APSC-DV-003310 CAT II
desc.structural.php.weak_encryption
Abstract
機密データの機密性を保証できない貧弱な暗号化アルゴリズムがプログラムで使用されています。
Explanation
DES などの旧式の暗号化アルゴリズムには、機密データに使用するのに十分な保護機能がありません。暗号化アルゴリズムは、暗号化機能の堅牢さを保証する主要メカニズムの 1 つとして、鍵のサイズを使用しています。暗号化機能の堅牢さは通常、有効な鍵を生成するのに要する時間とコンピュータの処理能力によって測られます。コンピュータの処理能力が向上したことによって、適当な時間内に小規模な暗号鍵を取得できるようになりました。たとえば、このアルゴリズムが初めて開発された 1970 年代、DES で使用される 56 ビット鍵はコンピュータの処理性能の面で大きな障害となっていました。しかし今日、一般的なツールを使用して 1 日も経たないうちに DES を解読できるようになりました。
References
[1] distributed.net DES
[2] FAQ About the Electronic Frontier Foundation's "DES Cracker" Machine Electronic Frontier Foundation
[3] SDL Development Practices Microsoft
[4] Microsoft Security Fundamentals Microsoft
[5] John Kelsey, Bruce Schneier, and David Wagner Related-key cryptanalysis of 3-WAY, Biham-DES, CAST, DES-X, NewDES, RC2, and TEA
[6] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[7] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[8] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[9] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[10] Standards Mapping - CIS Kubernetes Benchmark complete
[11] Standards Mapping - Common Weakness Enumeration CWE ID 327
[12] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[13] Standards Mapping - FIPS200 MP
[14] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[15] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-13 Cryptographic Protection (P1)
[16] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-13 Cryptographic Protection
[17] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[18] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[19] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[20] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[21] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[22] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[23] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.6.2 Cryptographic Architectural Requirements (L2 L3), 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.8.2 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.3 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.9.1 Cryptographic Software and Devices Verifier Requirements (L2 L3), 2.9.3 Cryptographic Software and Devices Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.2 Algorithms (L2 L3), 6.2.3 Algorithms (L2 L3), 6.2.4 Algorithms (L2 L3), 6.2.5 Algorithms (L2 L3), 6.2.6 Algorithms (L2 L3), 6.4.2 Secret Management (L2 L3), 8.3.7 Sensitive Private Data (L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3)
[24] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[25] Standards Mapping - OWASP Mobile 2023 M10 Insufficient Cryptography
[26] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[27] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.3
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[36] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography
[37] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[38] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[39] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 327
[40] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 327
[41] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 327
[42] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[59] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[60] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[61] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[62] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II, APSC-DV-003100 CAT II, APSC-DV-003310 CAT II
desc.semantic.python.weak_encryption
Abstract
この特定のコールでは、重要なデータの機密性を保証できない貧弱な暗号化アルゴリズムが使用されています。
Explanation
DES などの旧式の暗号化アルゴリズムには、機密データに使用するのに十分な保護機能がありません。暗号化アルゴリズムは、暗号化機能の堅牢さを保証する主要メカニズムの 1 つとして、鍵のサイズを使用しています。暗号化機能の堅牢さは通常、有効な鍵を生成するのに要する時間とコンピュータの処理能力によって測られます。コンピュータの処理能力が向上したことによって、適当な時間内に小規模な暗号鍵を取得できるようになりました。たとえば、このアルゴリズムが初めて開発された 1970 年代、DES で使用される 56 ビット鍵はコンピュータの処理性能の面で大きな障害となっていました。しかし今日、一般的なツールを使用して 1 日も経たないうちに DES を解読できるようになりました。
References
[1] distributed.net DES
[2] FAQ About the Electronic Frontier Foundation's "DES Cracker" Machine Electronic Frontier Foundation
[3] SDL Development Practices Microsoft
[4] Microsoft Security Fundamentals Microsoft
[5] NIST Special Publication 800-132 NIST
[6] John Kelsey, Bruce Schneier, and David Wagner Related-key cryptanalysis of 3-WAY, Biham-DES, CAST, DES-X, NewDES, RC2, and TEA
[7] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[8] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[9] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[10] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[11] Standards Mapping - CIS Kubernetes Benchmark complete
[12] Standards Mapping - Common Weakness Enumeration CWE ID 327
[13] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[14] Standards Mapping - FIPS200 MP
[15] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[16] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-13 Cryptographic Protection (P1)
[17] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-13 Cryptographic Protection
[18] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[19] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[20] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[21] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[22] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[23] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[24] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.6.2 Cryptographic Architectural Requirements (L2 L3), 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.8.2 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.3 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.9.1 Cryptographic Software and Devices Verifier Requirements (L2 L3), 2.9.3 Cryptographic Software and Devices Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.2 Algorithms (L2 L3), 6.2.3 Algorithms (L2 L3), 6.2.4 Algorithms (L2 L3), 6.2.5 Algorithms (L2 L3), 6.2.6 Algorithms (L2 L3), 6.4.2 Secret Management (L2 L3), 8.3.7 Sensitive Private Data (L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3)
[25] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[26] Standards Mapping - OWASP Mobile 2023 M10 Insufficient Cryptography
[27] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[28] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.3
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[37] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography
[38] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[40] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 327
[41] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 327
[42] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 327
[43] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[59] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[60] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[61] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[62] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[63] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II, APSC-DV-003100 CAT II, APSC-DV-003310 CAT II
desc.structural.ruby.weak_encryption
Abstract
この特定のコールでは、重要なデータの機密性を保証できない貧弱な暗号化アルゴリズムが使用されています。
Explanation
旧式の暗号化アルゴリズム、特に不十分なサイズの鍵を使用するアルゴリズムは、機密データの保護機能が十分ではありません。技術的な進歩によって、現在のコンピュータの処理能力では、ある程度の時間をかければ力づくで小サイズの暗号化鍵の取得が可能です。たとえば、このアルゴリズムが初めて開発された 1970 年代、DES で使用される 64 ビット鍵はコンピュータの処理性能の面で大きな障害となっていました。しかし今日、一般的なツールを使用して 1 日も経たないうちに DES を解読できるようになりました。

例 1: 次のコードは、安全でないアルゴリズム (DES) によって暗号化を実行します。

...
let iv = getTrueRandomIV()
...
let cStatus = CCCrypt(UInt32(kCCEncrypt),
UInt32(kCCAlgorithmDES),
UInt32(kCCOptionPKCS7Padding),
key,
keyLength,
iv, 
plaintext, 
plaintextLength,
ciphertext, 
ciphertextLength,
&numBytesEncrypted)
...
References
[1] EVP_EncryptInit(3) The OpenSSL Project
[2] distributed.net DES
[3] FAQ About the Electronic Frontier Foundation's "DES Cracker" Machine Electronic Frontier Foundation
[4] John Kelsey, Bruce Schneier, and David Wagner Related-key cryptanalysis of 3-WAY, Biham-DES, CAST, DES-X, NewDES, RC2, and TEA
[5] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[6] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[7] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[8] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[9] Standards Mapping - CIS Kubernetes Benchmark complete
[10] Standards Mapping - Common Weakness Enumeration CWE ID 327
[11] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[12] Standards Mapping - FIPS200 MP
[13] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[14] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-13 Cryptographic Protection (P1)
[15] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-13 Cryptographic Protection
[16] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[17] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[18] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[19] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[20] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[21] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[22] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.6.2 Cryptographic Architectural Requirements (L2 L3), 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.8.2 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.3 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.9.1 Cryptographic Software and Devices Verifier Requirements (L2 L3), 2.9.3 Cryptographic Software and Devices Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.2 Algorithms (L2 L3), 6.2.3 Algorithms (L2 L3), 6.2.4 Algorithms (L2 L3), 6.2.5 Algorithms (L2 L3), 6.2.6 Algorithms (L2 L3), 6.4.2 Secret Management (L2 L3), 8.3.7 Sensitive Private Data (L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3)
[23] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[24] Standards Mapping - OWASP Mobile 2023 M10 Insufficient Cryptography
[25] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[26] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.3
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography
[36] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[37] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[38] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 327
[39] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 327
[40] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 327
[41] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[59] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[60] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[61] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II, APSC-DV-003100 CAT II, APSC-DV-003310 CAT II
desc.structural.swift.weak_encryption
Abstract
機密データの機密性を保証できない貧弱な暗号化アルゴリズムが構成されています。
Explanation
DES などの旧式の暗号化アルゴリズムには、機密データに使用するのに十分な保護機能がありません。暗号化アルゴリズムは、暗号化機能の堅牢さを保証する主要メカニズムの 1 つとして、鍵のサイズを使用しています。暗号化機能の堅牢さは通常、有効な鍵を生成するのに要する時間とコンピュータの処理能力によって測られます。コンピュータの処理能力が向上したことによって、適当な時間内に小規模な暗号鍵を取得できるようになりました。たとえば、このアルゴリズムが初めて開発された 1970 年代、DES で使用される 56 ビット鍵はコンピュータの処理性能の面で大きな障害となっていました。しかし今日、一般的なツールを使用して 1 日も経たないうちに DES を解読できるようになりました。
References
[1] Java Cryptography Architecture Standard Algorithm Name Documentation Sun Microsystems
[2] distributed.net DES
[3] FAQ About the Electronic Frontier Foundation's "DES Cracker" Machine Electronic Frontier Foundation
[4] SDL Development Practices Microsoft
[5] Microsoft Security Fundamentals Microsoft
[6] NIST Special Publication 800-132 NIST
[7] John Kelsey, Bruce Schneier, and David Wagner Related-key cryptanalysis of 3-WAY, Biham-DES, CAST, DES-X, NewDES, RC2, and TEA
[8] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[9] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[10] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[11] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[12] Standards Mapping - CIS Kubernetes Benchmark complete
[13] Standards Mapping - Common Weakness Enumeration CWE ID 327
[14] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[15] Standards Mapping - FIPS200 MP
[16] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[17] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-13 Cryptographic Protection (P1)
[18] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-13 Cryptographic Protection
[19] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[20] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[21] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[22] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[23] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[24] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[25] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.6.2 Cryptographic Architectural Requirements (L2 L3), 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.8.2 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.3 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.9.1 Cryptographic Software and Devices Verifier Requirements (L2 L3), 2.9.3 Cryptographic Software and Devices Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.2 Algorithms (L2 L3), 6.2.3 Algorithms (L2 L3), 6.2.4 Algorithms (L2 L3), 6.2.5 Algorithms (L2 L3), 6.2.6 Algorithms (L2 L3), 6.4.2 Secret Management (L2 L3), 8.3.7 Sensitive Private Data (L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3)
[26] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[27] Standards Mapping - OWASP Mobile 2023 M10 Insufficient Cryptography
[28] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[29] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.3
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[37] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[38] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[40] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[41] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 327
[42] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 327
[43] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 327
[44] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[59] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[60] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[61] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[62] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[63] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[64] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II, APSC-DV-003100 CAT II, APSC-DV-003310 CAT II
desc.config.xml.weak_encryption
Abstract
この特定のコールでは、重要なデータの機密性を保証できない貧弱な暗号化アルゴリズムが使用されています。
Explanation
DES などの旧式の暗号化アルゴリズムには、機密データに使用するのに十分な保護機能がありません。暗号化アルゴリズムは、暗号化機能の堅牢さを保証する主要メカニズムの 1 つとして、鍵のサイズを使用しています。暗号化機能の堅牢さは通常、有効な鍵を生成するのに要する時間とコンピュータの処理能力によって測られます。コンピュータの処理能力が向上したことによって、適当な時間内に小規模な暗号鍵を取得できるようになりました。たとえば、このアルゴリズムが初めて開発された 1970 年代、DES で使用される 56 ビット鍵はコンピュータの処理性能の面で大きな障害となっていました。しかし今日、一般的なツールを使用して 1 日も経たないうちに DES を解読できるようになりました。
References
[1] Java Cryptography Architecture Standard Algorithm Name Documentation Sun Microsystems
[2] distributed.net DES
[3] FAQ About the Electronic Frontier Foundation's "DES Cracker" Machine Electronic Frontier Foundation
[4] SDL Development Practices Microsoft
[5] Microsoft Security Fundamentals Microsoft
[6] John Kelsey, Bruce Schneier, and David Wagner Related-key cryptanalysis of 3-WAY, Biham-DES, CAST, DES-X, NewDES, RC2, and TEA
[7] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[8] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[9] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[10] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[11] Standards Mapping - CIS Kubernetes Benchmark complete
[12] Standards Mapping - Common Weakness Enumeration CWE ID 327
[13] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[14] Standards Mapping - FIPS200 MP
[15] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[16] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-13 Cryptographic Protection (P1)
[17] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-13 Cryptographic Protection
[18] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[19] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[20] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[21] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[22] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[23] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[24] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.6.2 Cryptographic Architectural Requirements (L2 L3), 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.8.2 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.3 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.9.1 Cryptographic Software and Devices Verifier Requirements (L2 L3), 2.9.3 Cryptographic Software and Devices Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.2 Algorithms (L2 L3), 6.2.3 Algorithms (L2 L3), 6.2.4 Algorithms (L2 L3), 6.2.5 Algorithms (L2 L3), 6.2.6 Algorithms (L2 L3), 6.4.2 Secret Management (L2 L3), 8.3.7 Sensitive Private Data (L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3)
[25] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[26] Standards Mapping - OWASP Mobile 2023 M10 Insufficient Cryptography
[27] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[28] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.3
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[37] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography
[38] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[40] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 327
[41] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 327
[42] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 327
[43] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[59] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[60] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[61] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[62] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[63] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II, APSC-DV-003100 CAT II, APSC-DV-003310 CAT II
desc.structural.vb.weak_encryption

Weak Encryption: Byte Array to String Conversion

Abstract
暗号鍵を String に変換するとエントロピを大幅に失います。
Explanation
Weak Encryption: Byte Array to String Conversion の問題は、次の場合に発生します。

1. 暗号鍵がバイト配列で作成されている


2. データが String に変換されている

例 1: 次の例では、暗号鍵を作成して String に変換しています。


import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
  ...
  KeyGenerator keygen = KeyGenerator.newInstance("AES");
  ...
  SecretKey cryptoKey = keygen.generateKey();
  byte[] rawCryptoKey = cryptoKey.getEncoded();
  ...
  String key = new String(rawCryptoKey);
  ...


暗号鍵をデフォルトのシステム文字セットを使って String に変換していますが、コンストラクターに文字セットの有効な範囲外のバイトを加えた場合、何が起こるかは不明です。そのままでは、key は元の暗号鍵 rawCryptoKey と比べて大幅にエントロピを失う可能性があります。
References
[1] STR03-J. Do not encode noncharacter data as a string CERT
[2] When 'EFBFBD' and Friends Come Knocking: Observations of Byte Array to String Conversions GDS Security
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 4.0
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[7] Standards Mapping - CIS Kubernetes Benchmark complete
[8] Standards Mapping - Common Weakness Enumeration CWE ID 320
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[10] Standards Mapping - FIPS200 MP
[11] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-12 Cryptographic Key Establishment and Management (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-12 Cryptographic Key Establishment and Management
[14] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[15] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[16] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[17] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[18] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[19] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[20] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.6.2 Cryptographic Architectural Requirements (L2 L3), 2.8.2 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.9.1 Cryptographic Software and Devices Verifier Requirements (L2 L3), 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.4.2 Secret Management (L2 L3), 6.2.1 Algorithms (L1 L2 L3)
[21] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[22] Standards Mapping - OWASP Mobile 2023 M10 Insufficient Cryptography
[23] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[24] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 3.6.1, Requirement 6.5.8
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 3.6.1, Requirement 6.3.1.3, Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 3.6.1, Requirement 6.5.3
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 3.6.1, Requirement 6.5.3
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 3.6.1, Requirement 6.5.3
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 3.6.1, Requirement 6.5.3
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 3.6.1, Requirement 6.5.3
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.6.1, Requirement 6.2.4
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography, Control Objective 7.4 - Use of Cryptography
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography, Control Objective 7.4 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.1 - Use of Cryptography, Control Objective 7.4 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
desc.dataflow.java.weak_encryption_byte_array_to_string_conversion

Weak Encryption: Inadequate RSA Padding

Abstract
公開鍵 RSA 暗号化が OAEP パディングなしで実行されるので、暗号化が脆弱になっています。
Explanation
実際には、RSA 公開鍵を使用した暗号化は、通常、パディング スキームと組み合わされます。パディング スキームは RSA への攻撃を防止でき、それは暗号化をパディングなしで実行する場合にのみ機能します。

例 1: 次のコードは、RSA 公開鍵を使用し、パディング スキームは使用しないで暗号化を実行します。

  static public byte[] EncryptWithRSA(byte[] plaintext, RSAParameters key) {
    try {
      RSACryptoServiceProvider rsa = new RSACryptoServiceProvider();
      rsa.ImportParameters(key);
      return rsa.Encrypt(plaintext, false);
    }
    catch(CryptographicException e) {
      Console.WriteLine(e.Message);
      return null;
    }
  }
References
[1] Wikipedia
[2] OPENSSL Documentation
[3] PKCS #1 v2.1: RSA Cryptography Standard
[4] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1.0
[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[8] Standards Mapping - CIS Kubernetes Benchmark complete
[9] Standards Mapping - Common Weakness Enumeration CWE ID 780
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[11] Standards Mapping - FIPS200 MP
[12] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[13] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-13 Cryptographic Protection (P1)
[14] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-13 Cryptographic Protection
[15] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[16] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[17] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[18] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[19] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[20] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[21] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.9.3 Cryptographic Software and Devices Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.2 Algorithms (L2 L3), 8.3.7 Sensitive Private Data (L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3)
[22] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[23] Standards Mapping - OWASP Mobile 2023 M10 Insufficient Cryptography
[24] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[25] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.3
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography, Control Objective 7.4 - Use of Cryptography
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography, Control Objective 7.4 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[36] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.1 - Use of Cryptography, Control Objective 7.4 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
desc.semantic.dotnet.weak_encryption_inadequate_rsa_padding
Abstract
公開鍵 RSA 暗号化が OAEP パディングなしで実行されるので、暗号化が脆弱になっています。
Explanation
実際には、RSA 公開鍵を使用した暗号化は、通常、パディング スキームと組み合わされます。パディング スキームは RSA への攻撃を防止でき、それは暗号化をパディングなしで実行する場合にのみ機能します。

例 1: 次のコードは、RSA 公開鍵を使用し、パディング スキームは使用しないで暗号化を実行します。

  void encrypt_with_rsa(BIGNUM *out, BIGNUM *in, RSA *key) {
    u_char *inbuf, *outbuf;
    int ilen;
    ...
    ilen = BN_num_bytes(in);
    inbuf = xmalloc(ilen);
    BN_bn2bin(in, inbuf);
    if ((len = RSA_public_encrypt(ilen, inbuf, outbuf, key, RSA_NO_PADDING)) <= 0) {
      fatal("encrypt_with_rsa() failed");
    }
    ...
  }
References
[1] Wikipedia
[2] OPENSSL Documentation
[3] PKCS #1 v2.1: RSA Cryptography Standard
[4] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1.0
[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[8] Standards Mapping - CIS Kubernetes Benchmark complete
[9] Standards Mapping - Common Weakness Enumeration CWE ID 780
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[11] Standards Mapping - FIPS200 MP
[12] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[13] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-13 Cryptographic Protection (P1)
[14] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-13 Cryptographic Protection
[15] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[16] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[17] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[18] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[19] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[20] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[21] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.9.3 Cryptographic Software and Devices Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.2 Algorithms (L2 L3), 8.3.7 Sensitive Private Data (L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3)
[22] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[23] Standards Mapping - OWASP Mobile 2023 M10 Insufficient Cryptography
[24] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[25] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.3
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography, Control Objective 7.4 - Use of Cryptography
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography, Control Objective 7.4 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[36] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.1 - Use of Cryptography, Control Objective 7.4 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
desc.semantic.cpp.weak_encryption_inadequate_rsa_padding
Abstract
公開鍵 RSA 暗号化が OAEP パディングなしで実行されるので、暗号化が脆弱になっています。
Explanation
実際には、RSA 公開鍵を使用した暗号化は、通常、パディング スキームと組み合わされます。パディング スキームは RSA への攻撃を防止でき、それは暗号化をパディングなしで実行する場合にのみ機能します。

例 1: 次のコードは、RSA 公開鍵を使用し PKCS#1 v1.5 パディング スキームを使って暗号化を実行します。

...
import "crypto/rsa"
...
plaintext := []byte("Attack at dawn")
cipherText, err := rsa.EncryptPKCS1v15(rand.Reader, &k.PublicKey, plaintext)
...
References
[1] Wikipedia
[2] OPENSSL Documentation
[3] PKCS #1 v2.1: RSA Cryptography Standard
[4] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1.0
[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[8] Standards Mapping - CIS Kubernetes Benchmark complete
[9] Standards Mapping - Common Weakness Enumeration CWE ID 780
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[11] Standards Mapping - FIPS200 MP
[12] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[13] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-13 Cryptographic Protection (P1)
[14] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-13 Cryptographic Protection
[15] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[16] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[17] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[18] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[19] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[20] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[21] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.9.3 Cryptographic Software and Devices Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.2 Algorithms (L2 L3), 8.3.7 Sensitive Private Data (L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3)
[22] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[23] Standards Mapping - OWASP Mobile 2023 M10 Insufficient Cryptography
[24] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[25] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.3
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography, Control Objective 7.4 - Use of Cryptography
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography, Control Objective 7.4 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[36] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.1 - Use of Cryptography, Control Objective 7.4 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
desc.structural.golang.weak_encryption_inadequate_rsa_padding
Abstract
公開鍵 RSA 暗号化が OAEP パディングなしで実行されるので、暗号化が脆弱になっています。
Explanation
実際には、RSA 公開鍵を使用した暗号化は、通常、パディング スキームと組み合わされます。パディング スキームは RSA への攻撃を防止でき、それは暗号化をパディングなしで実行する場合にのみ機能します。

例 1: 次のコードは、RSA 公開鍵を使用し、パディング スキームは使用しないで暗号化を実行します。

  public Cipher getRSACipher() {
    Cipher rsa = null;
    try {
      rsa = javax.crypto.Cipher.getInstance("RSA/NONE/NoPadding");
    }
    catch (java.security.NoSuchAlgorithmException e) {
      log("this should never happen", e);
    }
    catch (javax.crypto.NoSuchPaddingException e) {
      log("this should never happen", e);
    }
    return rsa;
  }
References
[1] Wikipedia
[2] OPENSSL Documentation
[3] PKCS #1 v2.1: RSA Cryptography Standard
[4] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1.0
[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[8] Standards Mapping - CIS Kubernetes Benchmark complete
[9] Standards Mapping - Common Weakness Enumeration CWE ID 780
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[11] Standards Mapping - FIPS200 MP
[12] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[13] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-13 Cryptographic Protection (P1)
[14] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-13 Cryptographic Protection
[15] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[16] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[17] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[18] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[19] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[20] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[21] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.9.3 Cryptographic Software and Devices Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.2 Algorithms (L2 L3), 8.3.7 Sensitive Private Data (L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3)
[22] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[23] Standards Mapping - OWASP Mobile 2023 M10 Insufficient Cryptography
[24] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[25] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.3
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography, Control Objective 7.4 - Use of Cryptography
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography, Control Objective 7.4 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[36] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.1 - Use of Cryptography, Control Objective 7.4 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
desc.semantic.java.weak_encryption_inadequate_rsa_padding
Abstract
公開鍵 RSA 暗号化が OAEP パディングなしで実行されるので、暗号化が脆弱になっています。
Explanation
実際には、RSA 公開鍵を使用した暗号化は、通常、パディング スキームと組み合わされます。パディング スキームは RSA への攻撃を防止でき、それは暗号化をパディングなしで実行する場合にのみ機能します。

例 1: 次のコードは、RSA 公開鍵を使用し、パディング スキームは使用しないで暗号化を実行します。

+ (NSData *) encryptData:(NSData *) plaintextData withKey:(SecKeyRef *) publicKey {
    CFErrorRef error = nil;
    
    NSData *ciphertextData = (NSData*) CFBridgingRelease(
        SecKeyCreateEncryptedData(*publicKey,
                                  kSecKeyAlgorithmRSAEncryptionPKCS1,
                                  (__bridge CFDataRef) plaintextData,
                                  &error));
    
    if (error) {
        // handle error ...
    }
    
    return ciphertextData;
}
References
[1] Wikipedia
[2] PKCS #1 v2.1: RSA Cryptography Standard
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1.0
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[7] Standards Mapping - CIS Kubernetes Benchmark complete
[8] Standards Mapping - Common Weakness Enumeration CWE ID 780
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[10] Standards Mapping - FIPS200 MP
[11] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-13 Cryptographic Protection (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-13 Cryptographic Protection
[14] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[15] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[16] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[17] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[18] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[19] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[20] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.9.3 Cryptographic Software and Devices Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.2 Algorithms (L2 L3), 8.3.7 Sensitive Private Data (L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3)
[21] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[22] Standards Mapping - OWASP Mobile 2023 M10 Insufficient Cryptography
[23] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[24] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.3
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography, Control Objective 7.4 - Use of Cryptography
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography, Control Objective 7.4 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.1 - Use of Cryptography, Control Objective 7.4 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
desc.dataflow.objc.weak_encryption_inadequate_rsa_padding
Abstract
公開鍵 RSA 暗号化が OAEP パディングなしで実行されるので、暗号化が脆弱になっています。
Explanation
実際には、RSA 公開鍵を使用した暗号化は、通常、パディング スキームと組み合わされます。パディング スキームは RSA への攻撃を防止でき、それは暗号化をパディングなしで実行する場合にのみ機能します。

例 1: 次のコードは、RSA 公開鍵を使用し、パディング スキームは使用しないで暗号化を実行します。

  function encrypt($input, $key) {
    $output='';
    openssl_public_encrypt($input, $output, $key, OPENSSL_NO_PADDING);
    return $output;
  }
References
[1] Wikipedia
[2] OPENSSL Documentation
[3] PKCS #1 v2.1: RSA Cryptography Standard
[4] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1.0
[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[8] Standards Mapping - CIS Kubernetes Benchmark complete
[9] Standards Mapping - Common Weakness Enumeration CWE ID 780
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[11] Standards Mapping - FIPS200 MP
[12] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[13] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-13 Cryptographic Protection (P1)
[14] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-13 Cryptographic Protection
[15] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[16] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[17] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[18] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[19] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[20] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[21] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.9.3 Cryptographic Software and Devices Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.2 Algorithms (L2 L3), 8.3.7 Sensitive Private Data (L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3)
[22] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[23] Standards Mapping - OWASP Mobile 2023 M10 Insufficient Cryptography
[24] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[25] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.3
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography, Control Objective 7.4 - Use of Cryptography
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography, Control Objective 7.4 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[36] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.1 - Use of Cryptography, Control Objective 7.4 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
desc.structural.php.weak_encryption_inadequate_rsa_padding
Abstract
公開鍵 RSA 暗号化が OAEP パディングなしで実行されるので、暗号化が脆弱になっています。
Explanation
実際には、RSA 公開鍵を使用した暗号化は、通常、パディング スキームと組み合わされます。パディング スキームは RSA への攻撃を防止でき、それは暗号化をパディングなしで実行する場合にのみ機能します。

例 1: 次のコードは、RSA 公開鍵を使用し、パディング スキームは使用しないで暗号化を実行します。

...
from Crypto.PublicKey import RSA

message = 'Attack at dawn'
key = RSA.importKey(open('pubkey.der').read())
ciphertext = key.encrypt(message)
...
References
[1] Wikipedia
[2] OPENSSL Documentation
[3] PKCS #1 v2.1: RSA Cryptography Standard
[4] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1.0
[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[8] Standards Mapping - CIS Kubernetes Benchmark complete
[9] Standards Mapping - Common Weakness Enumeration CWE ID 780
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[11] Standards Mapping - FIPS200 MP
[12] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[13] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-13 Cryptographic Protection (P1)
[14] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-13 Cryptographic Protection
[15] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[16] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[17] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[18] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[19] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[20] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[21] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.9.3 Cryptographic Software and Devices Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.2 Algorithms (L2 L3), 8.3.7 Sensitive Private Data (L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3)
[22] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[23] Standards Mapping - OWASP Mobile 2023 M10 Insufficient Cryptography
[24] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[25] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.3
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography, Control Objective 7.4 - Use of Cryptography
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography, Control Objective 7.4 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[36] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.1 - Use of Cryptography, Control Objective 7.4 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
desc.structural.python.weak_encryption_inadequate_rsa_padding
Abstract
公開鍵 RSA 暗号化が OAEP パディングなしで実行されるので、暗号化が脆弱になっています。
Explanation
実際には、RSA 公開鍵を使用した暗号化は、通常、パディング スキームと組み合わされます。パディング スキームは RSA への攻撃を防止でき、それは暗号化をパディングなしで実行する場合にのみ機能します。

例 1: 次のコードは、RSA 公開鍵を使用し、パディング スキームは使用しないで暗号化を実行します。

require 'openssl'
...
key = OpenSSL::PKey::RSA.new 2048
public_encrypted = key.public_encrypt(data) #padding type not specified
...
Example 1 では、OpenSSL::PKey::RSA#public_encrypt は文字列でのみ呼び出され、使用するパディングの種類を指定しません。パディングの初期設定は OpenSSL::PKey::RSA::PKCS1_PADDING です。
References
[1] Wikipedia
[2] OPENSSL Documentation
[3] PKCS #1 v2.1: RSA Cryptography Standard
[4] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1.0
[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[8] Standards Mapping - CIS Kubernetes Benchmark complete
[9] Standards Mapping - Common Weakness Enumeration CWE ID 780
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[11] Standards Mapping - FIPS200 MP
[12] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[13] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-13 Cryptographic Protection (P1)
[14] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-13 Cryptographic Protection
[15] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[16] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[17] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[18] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[19] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[20] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[21] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.9.3 Cryptographic Software and Devices Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.2 Algorithms (L2 L3), 8.3.7 Sensitive Private Data (L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3)
[22] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[23] Standards Mapping - OWASP Mobile 2023 M10 Insufficient Cryptography
[24] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[25] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.3
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography, Control Objective 7.4 - Use of Cryptography
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography, Control Objective 7.4 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[36] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.1 - Use of Cryptography, Control Objective 7.4 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
desc.structural.ruby.weak_encryption_inadequate_rsa_padding
Abstract
公開鍵 RSA 暗号化が OAEP パディングなしで実行されるので、暗号化が脆弱になっています。
Explanation
実際には、RSA 公開鍵を使用した暗号化は、通常、パディング スキームと組み合わされます。パディング スキームは RSA への攻撃を防止でき、それは暗号化をパディングなしで実行する場合にのみ機能します。
例 1: 次のコードは、RSA 公開鍵を使用し、パディング スキームは使用しないで暗号化を実行します。

func encrypt(data plaintextData:Data, publicKey:SecKey) throws -> Data {
    var error: Unmanaged<CFError>?
    guard let ciphertextData = SecKeyCreateEncryptedData(publicKey,
                                                         .rsaEncryptionPKCS1,
                                                         plaintextData as CFData,
                                                         &error) else {
        throw error!.takeRetainedValue() as Error
    }
    return ciphertextData as Data;
}
References
[1] Wikipedia
[2] PKCS #1 v2.1: RSA Cryptography Standard
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1.0
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[7] Standards Mapping - CIS Kubernetes Benchmark complete
[8] Standards Mapping - Common Weakness Enumeration CWE ID 780
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[10] Standards Mapping - FIPS200 MP
[11] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-13 Cryptographic Protection (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-13 Cryptographic Protection
[14] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[15] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[16] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[17] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[18] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[19] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[20] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.9.3 Cryptographic Software and Devices Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.2 Algorithms (L2 L3), 8.3.7 Sensitive Private Data (L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3)
[21] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[22] Standards Mapping - OWASP Mobile 2023 M10 Insufficient Cryptography
[23] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[24] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.3
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography, Control Objective 7.4 - Use of Cryptography
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography, Control Objective 7.4 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.1 - Use of Cryptography, Control Objective 7.4 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
desc.dataflow.swift.weak_encryption_inadequate_rsa_padding

Weak Encryption: Insecure Initialization Vector

Abstract
暗号化の疑似ランダム数値の生成機能を使用して、初期化ベクトルを作成する必要があります。
Explanation
暗号化の疑似ランダム数値の生成機能 (IV) を使用して、初期化ベクトルを作成する必要があります。ランダムな IV を使用しないと、暗号文の推測が容易になり、dictionary 攻撃による危険が高まります。

例 1: 次のコードは、ランダムでない IV を使用して AES 暗号を実行します。


...
Blob iv = Blob.valueOf('1234567890123456');
Blob encrypted = Crypto.encrypt('AES128', encKey, iv, input);
...
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.5
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.1
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[5] Standards Mapping - CIS Kubernetes Benchmark complete
[6] Standards Mapping - Common Weakness Enumeration CWE ID 329
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[8] Standards Mapping - FIPS200 MP
[9] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-12 Cryptographic Key Establishment and Management (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-12 Cryptographic Key Establishment and Management
[12] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[13] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[14] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[15] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[16] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[17] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[18] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3)
[19] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[20] Standards Mapping - OWASP Mobile 2023 M10 Insufficient Cryptography
[21] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[22] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 3.6.1, Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 3.6.1, Requirement 6.3.1.3, Requirement 6.5.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 3.6.1, Requirement 6.5.3
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 3.6.1, Requirement 6.5.3
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 3.6.1, Requirement 6.5.3
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 3.6.1, Requirement 6.5.3
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 3.6.1, Requirement 6.5.3
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.6.1, Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.4 - Use of Cryptography
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.4 - Use of Cryptography
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.4 - Use of Cryptography
[34] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
desc.structural.apex.weak_encryption_insecure_initialization_vector
Abstract
初期化ベクトルは、暗号化の疑似ランダム数値の生成機能を使用して作成する必要があります。
Explanation
初期化ベクトル (IV) は、暗号化の疑似ランダム数値の生成機能を使用して作成する必要があります。ランダム IV を使用しないと、暗号文の推測が非常に容易になり、辞書攻撃による危険が高まります。

例 1: 次のコードは、ハードコーディングされたバイトを使用してランダムでない IV を作成します。


byte[] iv = { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
using (SymmetricAlgorithm aesAlgo = SymmetricAlgorithm.Create("AES"))
{
    ...
    aesAlgo.IV = iv;
    ...
}
References
[1] .NET Framework Cryptography Model Microsoft
[2] J. Viega, G. McGraw Building Secure Software Addison-Wesley
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.5
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.1
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[7] Standards Mapping - CIS Kubernetes Benchmark complete
[8] Standards Mapping - Common Weakness Enumeration CWE ID 329
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[10] Standards Mapping - FIPS200 MP
[11] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-12 Cryptographic Key Establishment and Management (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-12 Cryptographic Key Establishment and Management
[14] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[15] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[16] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[17] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[18] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[19] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[20] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3)
[21] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[22] Standards Mapping - OWASP Mobile 2023 M10 Insufficient Cryptography
[23] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[24] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 3.6.1, Requirement 6.5.8
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 3.6.1, Requirement 6.3.1.3, Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 3.6.1, Requirement 6.5.3
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 3.6.1, Requirement 6.5.3
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 3.6.1, Requirement 6.5.3
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 3.6.1, Requirement 6.5.3
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 3.6.1, Requirement 6.5.3
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.6.1, Requirement 6.2.4
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.4 - Use of Cryptography
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.4 - Use of Cryptography
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.4 - Use of Cryptography
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
desc.semantic.dotnet.weak_encryption_insecure_initialization_vector
Abstract
初期化ベクトルは、暗号化の疑似ランダム数値の生成機能を使用して作成する必要があります。
Explanation
初期化ベクトル (IV) は、暗号化の疑似ランダム数値の生成機能を使用して作成する必要があります。ランダム IV を使用しないと、暗号文の推測が非常に容易になり、辞書攻撃による危険が高まります。

例 1: 次のコードは、ハードコーディングされた文字列を使用して非ランダム IV を作成します。


unsigned char * iv = "12345678";
EVP_EncryptInit_ex(&ctx, EVP_idea_gcm(), NULL, key, iv);
References
[1] J. Viega, G. McGraw Building Secure Software Addison-Wesley
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.5
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.1
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[6] Standards Mapping - CIS Kubernetes Benchmark complete
[7] Standards Mapping - Common Weakness Enumeration CWE ID 329
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[9] Standards Mapping - FIPS200 MP
[10] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-12 Cryptographic Key Establishment and Management (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-12 Cryptographic Key Establishment and Management
[13] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[14] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[15] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[16] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[17] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[18] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[19] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3)
[20] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[21] Standards Mapping - OWASP Mobile 2023 M10 Insufficient Cryptography
[22] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[23] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 3.6.1, Requirement 6.5.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 3.6.1, Requirement 6.3.1.3, Requirement 6.5.8
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 3.6.1, Requirement 6.5.3
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 3.6.1, Requirement 6.5.3
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 3.6.1, Requirement 6.5.3
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 3.6.1, Requirement 6.5.3
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 3.6.1, Requirement 6.5.3
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.6.1, Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.4 - Use of Cryptography
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.4 - Use of Cryptography
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.4 - Use of Cryptography
[35] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
desc.semantic.cpp.weak_encryption_insecure_initialization_vector
Abstract
初期化ベクトルを作成するには、暗号化の疑似ランダム数値の生成機能を使用します。
Explanation
初期化ベクトル (IV) を作成するには、暗号化の疑似ランダム数値の生成機能を使用します。使用しないと、暗号文の推測が容易になり、dictionary 攻撃による危険が高まります。

例 1: 次のコードは IV として鍵を再利用します。


import (
    "crypto/aes"
    "crypto/cipher"
    "crypto/rand"
)
...
block, err := aes.NewCipher(key)
...
mode := cipher.NewCBCEncrypter(block, key)
mode.CryptBlocks(ciphertext[aes.BlockSize:], plaintext)


鍵を IV として使用すると、攻撃者は鍵を復元し、データを復号できます。
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.5
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.1
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[5] Standards Mapping - CIS Kubernetes Benchmark complete
[6] Standards Mapping - Common Weakness Enumeration CWE ID 329
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[8] Standards Mapping - FIPS200 MP
[9] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-12 Cryptographic Key Establishment and Management (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-12 Cryptographic Key Establishment and Management
[12] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[13] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[14] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[15] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[16] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[17] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[18] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3)
[19] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[20] Standards Mapping - OWASP Mobile 2023 M10 Insufficient Cryptography
[21] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[22] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 3.6.1, Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 3.6.1, Requirement 6.3.1.3, Requirement 6.5.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 3.6.1, Requirement 6.5.3
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 3.6.1, Requirement 6.5.3
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 3.6.1, Requirement 6.5.3
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 3.6.1, Requirement 6.5.3
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 3.6.1, Requirement 6.5.3
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.6.1, Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.4 - Use of Cryptography
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.4 - Use of Cryptography
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.4 - Use of Cryptography
[34] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
desc.semantic.golang.weak_encryption_insecure_initialization_vector
Abstract
初期化ベクトルは、暗号化の疑似ランダム数値の生成機能を使用して作成する必要があります。
Explanation
初期化ベクトル (IV) は、暗号化の疑似ランダム数値の生成機能を使用して作成する必要があります。ランダム IV を使用しないと、暗号文の推測が非常に容易になり、辞書攻撃による危険が高まります。

例 1: 次のコードは、ハードコーディングされたバイトを使用してランダムでない IV を作成します。


byte[] iv = { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
IvParameterSpec ips = new IvParameterSpec(iv);
References
[1] Java Cryptography Architecture Oracle
[2] J. Viega, G. McGraw Building Secure Software Addison-Wesley
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.5
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.1
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[7] Standards Mapping - CIS Kubernetes Benchmark complete
[8] Standards Mapping - Common Weakness Enumeration CWE ID 329
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[10] Standards Mapping - FIPS200 MP
[11] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-12 Cryptographic Key Establishment and Management (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-12 Cryptographic Key Establishment and Management
[14] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[15] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[16] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[17] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[18] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[19] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[20] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3)
[21] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[22] Standards Mapping - OWASP Mobile 2023 M10 Insufficient Cryptography
[23] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[24] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 3.6.1, Requirement 6.5.8
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 3.6.1, Requirement 6.3.1.3, Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 3.6.1, Requirement 6.5.3
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 3.6.1, Requirement 6.5.3
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 3.6.1, Requirement 6.5.3
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 3.6.1, Requirement 6.5.3
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 3.6.1, Requirement 6.5.3
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.6.1, Requirement 6.2.4
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.4 - Use of Cryptography
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.4 - Use of Cryptography
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.4 - Use of Cryptography
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
desc.semantic.java.weak_encryption_insecure_initialization_vector
Abstract
初期化ベクトルは、暗号化の疑似ランダム数値の生成機能を使用して作成する必要があります。
Explanation
初期化ベクトル (IV) は、暗号化の疑似ランダム数値の生成機能を使用して作成する必要があります。ランダム IV を使用しないと、暗号文の推測が非常に容易になり、辞書攻撃による危険が高まります。

例 1: 次のコードは、ハードコーディングされたバイトを使用してランダムでない IV を作成します。


...
NSString *iv = @"1234567812345678";  //Bad idea to hard code IV
char ivPtr[kCCBlockSizeAES128];

[iv getCString:ivPtr maxLength:sizeof(ivPtr) encoding:NSASCIIStringEncoding];
...
ccStatus = CCCrypt(   kCCEncrypt,
                      kCCAlgorithmAES128,
                      kCCOptionPKCS7Padding,
                      [key cStringUsingEncoding:NSASCIIStringEncoding],
                      kCCKeySizeAES128,
                      [ivPtr], /*IV should be something random (not null and not constant)*/
                      [self bytes], dataLength, /* input */
                      buffer, bufferSize, /* output */
                      &numBytesEncrypted
                  );


また、CCCrypt のコール時に CBC モードが選択されており、IV が指定されていない (nil) 場合は、すべてがゼロの IVが使用されます。
References
[1] J. Viega, G. McGraw Building Secure Software Addison-Wesley
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.5
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.1
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[6] Standards Mapping - CIS Kubernetes Benchmark complete
[7] Standards Mapping - Common Weakness Enumeration CWE ID 329
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[9] Standards Mapping - FIPS200 MP
[10] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-12 Cryptographic Key Establishment and Management (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-12 Cryptographic Key Establishment and Management
[13] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[14] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[15] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[16] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[17] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[18] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[19] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3)
[20] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[21] Standards Mapping - OWASP Mobile 2023 M10 Insufficient Cryptography
[22] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[23] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 3.6.1, Requirement 6.5.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 3.6.1, Requirement 6.3.1.3, Requirement 6.5.8
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 3.6.1, Requirement 6.5.3
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 3.6.1, Requirement 6.5.3
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 3.6.1, Requirement 6.5.3
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 3.6.1, Requirement 6.5.3
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 3.6.1, Requirement 6.5.3
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.6.1, Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.4 - Use of Cryptography
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.4 - Use of Cryptography
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.4 - Use of Cryptography
[35] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
desc.structural.objc.weak_encryption_insecure_initialization_vector
Abstract
初期化ベクトルは、暗号化の疑似ランダム数値の生成機能を使用して作成する必要があります。
Explanation
初期化ベクトル (IV) は、暗号化の疑似ランダム数値の生成機能を使用して作成する必要があります。ランダム IV を使用しないと、暗号文の推測が非常に容易になり、辞書攻撃による危険が高まります。

例 1: 次のコードは IV として鍵を再利用します。


from Crypto.Cipher import AES
from Crypto import Random
...
key = Random.new().read(AES.block_size)
cipher = AES.new(key, AES.MODE_CTR, IV=key)


鍵を IV として使用すると、攻撃者は鍵を復元し、データを復号できます。
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.5
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.1
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[5] Standards Mapping - CIS Kubernetes Benchmark complete
[6] Standards Mapping - Common Weakness Enumeration CWE ID 329
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[8] Standards Mapping - FIPS200 MP
[9] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-12 Cryptographic Key Establishment and Management (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-12 Cryptographic Key Establishment and Management
[12] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[13] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[14] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[15] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[16] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[17] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[18] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3)
[19] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[20] Standards Mapping - OWASP Mobile 2023 M10 Insufficient Cryptography
[21] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[22] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 3.6.1, Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 3.6.1, Requirement 6.3.1.3, Requirement 6.5.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 3.6.1, Requirement 6.5.3
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 3.6.1, Requirement 6.5.3
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 3.6.1, Requirement 6.5.3
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 3.6.1, Requirement 6.5.3
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 3.6.1, Requirement 6.5.3
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.6.1, Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.4 - Use of Cryptography
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.4 - Use of Cryptography
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.4 - Use of Cryptography
[34] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
desc.semantic.python.weak_encryption_insecure_initialization_vector
Abstract
初期化ベクトルは、暗号化の疑似ランダム数値の生成機能を使用して作成する必要があります。
Explanation
初期化ベクトル (IV) は、暗号化の疑似ランダム数値の生成機能を使用して作成する必要があります。ランダム IV を使用しないと、暗号文の推測が非常に容易になり、辞書攻撃による危険が高まります。

例 1: 次のコードは IV として鍵を再利用します。


require 'openssl'
...
cipher = OpenSSL::Cipher::AES.new('256-GCM')
cipher.encrypt
@key = cipher.random_key
cipher.iv=@key

encrypted = cipher.update(data) + cipher.final # encrypts data without hardcoded IV
...


鍵を IV として使用すると、攻撃者は鍵を復元し、データを復号できます。
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.5
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.1
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[5] Standards Mapping - CIS Kubernetes Benchmark complete
[6] Standards Mapping - Common Weakness Enumeration CWE ID 329
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[8] Standards Mapping - FIPS200 MP
[9] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-12 Cryptographic Key Establishment and Management (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-12 Cryptographic Key Establishment and Management
[12] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[13] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[14] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[15] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[16] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[17] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[18] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3)
[19] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[20] Standards Mapping - OWASP Mobile 2023 M10 Insufficient Cryptography
[21] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[22] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 3.6.1, Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 3.6.1, Requirement 6.3.1.3, Requirement 6.5.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 3.6.1, Requirement 6.5.3
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 3.6.1, Requirement 6.5.3
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 3.6.1, Requirement 6.5.3
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 3.6.1, Requirement 6.5.3
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 3.6.1, Requirement 6.5.3
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.6.1, Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.4 - Use of Cryptography
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.4 - Use of Cryptography
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.4 - Use of Cryptography
[34] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
desc.structural.ruby.weak_encryption_insecure_initialization_vector
Abstract
初期化ベクトルは、暗号化の疑似ランダム数値の生成機能を使用して作成する必要があります。
Explanation
初期化ベクトル (IV) は、暗号化の疑似ランダム数値の生成機能を使用して作成する必要があります。ランダム IV を使用しないと、暗号文の推測が非常に容易になり、辞書攻撃による危険が高まります。

例 1: 次のコードは、ハードコーディングされたバイトを使用してランダムでない IV を作成します。


...
let cStatus = CCCrypt(UInt32(kCCEncrypt),
UInt32(kCCAlgorithmAES128),
UInt32(kCCOptionPKCS7Padding),
key,
keyLength,
"0123456789012345", 
plaintext, 
plaintextLength,
ciphertext, 
ciphertextLength,
&numBytesEncrypted)


また、CCCrypt のコール時に CBC モードが選択されており、IV が指定されていない (nil) 場合は、すべてがゼロの IVが使用されます。
References
[1] J. Viega, G. McGraw Building Secure Software Addison-Wesley
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.5
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.1
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[6] Standards Mapping - CIS Kubernetes Benchmark complete
[7] Standards Mapping - Common Weakness Enumeration CWE ID 329
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[9] Standards Mapping - FIPS200 MP
[10] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-12 Cryptographic Key Establishment and Management (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-12 Cryptographic Key Establishment and Management
[13] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[14] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[15] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[16] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[17] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[18] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[19] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3)
[20] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[21] Standards Mapping - OWASP Mobile 2023 M10 Insufficient Cryptography
[22] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[23] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 3.6.1, Requirement 6.5.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 3.6.1, Requirement 6.3.1.3, Requirement 6.5.8
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 3.6.1, Requirement 6.5.3
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 3.6.1, Requirement 6.5.3
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 3.6.1, Requirement 6.5.3
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 3.6.1, Requirement 6.5.3
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 3.6.1, Requirement 6.5.3
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.6.1, Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.4 - Use of Cryptography
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.4 - Use of Cryptography
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.4 - Use of Cryptography
[35] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
desc.structural.swift.weak_encryption_insecure_initialization_vector

Weak Encryption: Insecure Mode of Operation

Abstract
安全でない利用モードによって暗号化アルゴリズムを使用しないでください。
Explanation
ブロック暗号化利用モードはアルゴリズムの一種で、暗号化の単一ブロックの利用をブロック長より大きなデータ量の安全な転送に繰り返し適用する方法を表すものです。利用モードには、Electronic Codebook (ECB)、Cipher Block Chaining (CBC)、Cipher Feedback (CFB)、Counter (CTR) などがあります。

ECB モードでは、同一の平文ブロックに同じ暗号文を生成するため、本質的に脆弱です。CBC モードは Padding Oracle 攻撃に対して脆弱です。CTR モードにはこのような脆弱性はないため、より推奨されます。

例 1: 次のコードでは、ECB モードで AES 暗号を使用しています。


  ...
  var objAesCryptoService = new AesCryptoServiceProvider();
  objAesCryptoService.Mode = CipherMode.ECB;
  objAesCryptoService.Padding = PaddingMode.PKCS7;
  objAesCryptoService.Key = securityKeyArray;
  var objCrytpoTransform = objAesCryptoService.CreateEncryptor();
  ...
References
[1] CVE 2014-3566
[2] Timing vulnerabilities with CBC-mode symmetric decryption using padding
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.0
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[7] Standards Mapping - CIS Kubernetes Benchmark complete
[8] Standards Mapping - Common Weakness Enumeration CWE ID 327
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[10] Standards Mapping - FIPS200 MP
[11] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-13 Cryptographic Protection (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-13 Cryptographic Protection
[14] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[15] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[16] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[17] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[18] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[19] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[20] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.9.3 Cryptographic Software and Devices Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.2 Algorithms (L2 L3), 8.3.7 Sensitive Private Data (L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3)
[21] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[22] Standards Mapping - OWASP Mobile 2023 M10 Insufficient Cryptography
[23] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[24] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.3
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.4 - Use of Cryptography
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.4 - Use of Cryptography
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.4 - Use of Cryptography
[36] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 327
[37] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 327
[38] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 327
[39] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[59] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
desc.semantic.dotnet.weak_encryption_insecure_mode_of_operation
Abstract
安全でない利用モードによって暗号化アルゴリズムを使用しないでください。
Explanation
ブロック暗号化利用モードはアルゴリズムの一種で、暗号化の単一ブロックの利用をブロック長より大きなデータ量の安全な転送に繰り返し適用する方法を表すものです。利用モードには、Electronic Codebook (ECB)、Cipher Block Chaining (CBC)、Cipher Feedback (CFB)、Counter (CTR) などがあります。

ECB モードでは、同一の平文ブロックに同じ暗号文を生成するため、本質的に脆弱です。CBC モードは Padding Oracle 攻撃に対して脆弱です。CTR モードにはこのような脆弱性はないため、より推奨されます。

例 1: 次のコードでは、ECB モードで AES 暗号を使用しています。


EVP_EncryptInit_ex(&ctx, EVP_aes_256_ecb(), NULL, key, iv);
References
[1] CVE 2014-3566
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.0
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[6] Standards Mapping - CIS Kubernetes Benchmark complete
[7] Standards Mapping - Common Weakness Enumeration CWE ID 327
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[9] Standards Mapping - FIPS200 MP
[10] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-13 Cryptographic Protection (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-13 Cryptographic Protection
[13] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[14] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[15] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[16] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[17] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[18] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[19] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.9.3 Cryptographic Software and Devices Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.2 Algorithms (L2 L3), 8.3.7 Sensitive Private Data (L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3)
[20] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[21] Standards Mapping - OWASP Mobile 2023 M10 Insufficient Cryptography
[22] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[23] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.3
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.4 - Use of Cryptography
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.4 - Use of Cryptography
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.4 - Use of Cryptography
[35] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 327
[36] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 327
[37] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 327
[38] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
desc.semantic.cpp.weak_encryption_insecure_mode_of_operation
Abstract
安全でない利用モードによって暗号化アルゴリズムを使用しないでください。
Explanation
ブロック暗号化利用モードはアルゴリズムの一種で、暗号化の単一ブロックの利用をブロック長より大きなデータ量の安全な転送に繰り返し適用する方法を表すものです。利用モードには、Electronic Codebook (ECB)、Cipher Block Chaining (CBC)、Cipher Feedback (CFB)、Counter (CTR) などがあります。

ECB モードでは、同一の平文ブロックに同じ暗号文を生成するため、本質的に脆弱です。CBC モードは Padding Oracle 攻撃に対して脆弱です。CTR モードにはこのような脆弱性はないため、より推奨されます。

例 1: 次のコードでは、CBC モードで AES 暗号を使用しています。


...
    block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}

	ciphertext := make([]byte, aes.BlockSize+len(plaintext))
	iv := ciphertext[:aes.BlockSize]
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		panic(err)
	}

	mode := cipher.NewCBCEncrypter(block, iv)
	mode.CryptBlocks(ciphertext[aes.BlockSize:], plaintext)
...
References
[1] CVE 2014-3566
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.0
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[6] Standards Mapping - CIS Kubernetes Benchmark complete
[7] Standards Mapping - Common Weakness Enumeration CWE ID 327
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[9] Standards Mapping - FIPS200 MP
[10] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-13 Cryptographic Protection (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-13 Cryptographic Protection
[13] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[14] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[15] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[16] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[17] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[18] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[19] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.9.3 Cryptographic Software and Devices Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.2 Algorithms (L2 L3), 8.3.7 Sensitive Private Data (L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3)
[20] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[21] Standards Mapping - OWASP Mobile 2023 M10 Insufficient Cryptography
[22] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[23] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.3
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.4 - Use of Cryptography
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.4 - Use of Cryptography
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.4 - Use of Cryptography
[35] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 327
[36] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 327
[37] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 327
[38] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
desc.semantic.golang.weak_encryption_insecure_mode_of_operation
Abstract
安全でない利用モードによって暗号化アルゴリズムを使用しないでください。
Explanation
ブロック暗号化利用モードはアルゴリズムの一種で、暗号化の単一ブロックの利用をブロック長より大きなデータ量の安全な転送に繰り返し適用する方法を表すものです。利用モードには、Electronic Codebook (ECB)、Cipher Block Chaining (CBC)、Cipher Feedback (CFB)、Counter (CTR) などがあります。

ECB モードでは、同一の平文ブロックに同じ暗号文を生成するため、本質的に脆弱です。CBC モードは Padding Oracle 攻撃に対して脆弱です。CTR モードにはこのような脆弱性はないため、より推奨されます。

例 1: 次のコードでは、ECB モードで AES 暗号を使用しています。


...
SecretKeySpec key = new SecretKeySpec(keyBytes, "AES");
Cipher cipher = Cipher.getInstance("AES/ECB/PKCS7Padding", "BC");
cipher.init(Cipher.ENCRYPT_MODE, key);
...
References
[1] CVE 2014-3566
[2] Manuel Egele, David Brumley, Yanick Fratantonio, Christopher Kruegel An Empirical Study of Cryptographic Misuse in Android Applications
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.0
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[7] Standards Mapping - CIS Kubernetes Benchmark complete
[8] Standards Mapping - Common Weakness Enumeration CWE ID 327
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[10] Standards Mapping - FIPS200 MP
[11] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-13 Cryptographic Protection (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-13 Cryptographic Protection
[14] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[15] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[16] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[17] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[18] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[19] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[20] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.9.3 Cryptographic Software and Devices Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.2 Algorithms (L2 L3), 8.3.7 Sensitive Private Data (L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3)
[21] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[22] Standards Mapping - OWASP Mobile 2023 M10 Insufficient Cryptography
[23] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[24] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.3
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.4 - Use of Cryptography
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.4 - Use of Cryptography
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.4 - Use of Cryptography
[36] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 327
[37] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 327
[38] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 327
[39] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[59] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
desc.semantic.java.weak_encryption_insecure_mode_of_operation
Abstract
安全でない利用モードによって暗号化アルゴリズムを使用しないでください。
Explanation
ブロック暗号化利用モードはアルゴリズムの一種で、暗号化の単一ブロックの利用をブロック長より大きなデータ量の安全な転送に繰り返し適用する方法を表すものです。利用モードには、Electronic Codebook (ECB)、Cipher Block Chaining (CBC)、Cipher Feedback (CFB)、Counter (CTR) などがあります。

ECB モードでは、同一の平文ブロックに同じ暗号文を生成するため、本質的に脆弱です。CBC モードは Padding Oracle 攻撃に対して脆弱です。CTR モードにはこのような脆弱性はないため、より推奨されます。

例 1: 次のコードでは、ECB モードで AES 暗号を使用しています。


...
ccStatus = CCCrypt( kCCEncrypt,
                    kCCAlgorithmAES,
                    kCCOptionECBMode, // Uses ECB mode
                    key,
                    kCCKeySizeAES128,
                    iv,
                    plaintext,
                    sizeof(plaintext),
                    ciphertext,
                    sizeof(ciphertext),
                    &numBytesEncrypted);
...
References
[1] CVE 2014-3566
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.0
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[6] Standards Mapping - CIS Kubernetes Benchmark complete
[7] Standards Mapping - Common Weakness Enumeration CWE ID 327
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[9] Standards Mapping - FIPS200 MP
[10] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-13 Cryptographic Protection (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-13 Cryptographic Protection
[13] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[14] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[15] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[16] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[17] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[18] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[19] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.9.3 Cryptographic Software and Devices Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.2 Algorithms (L2 L3), 8.3.7 Sensitive Private Data (L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3)
[20] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[21] Standards Mapping - OWASP Mobile 2023 M10 Insufficient Cryptography
[22] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[23] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.3
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.4 - Use of Cryptography
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.4 - Use of Cryptography
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.4 - Use of Cryptography
[35] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 327
[36] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 327
[37] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 327
[38] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
desc.semantic.objc.weak_encryption_insecure_mode_of_operation
Abstract
安全でない利用モードによって暗号化アルゴリズムを使用しないでください。
Explanation
ブロック暗号化利用モードはアルゴリズムの一種で、暗号化の単一ブロックの利用をブロック長より大きなデータ量の安全な転送に繰り返し適用する方法を表すものです。利用モードには、Electronic Codebook (ECB)、Cipher Block Chaining (CBC)、Cipher Feedback (CFB)、Counter (CTR) などがあります。

ECB モードでは、同一の平文ブロックに同じ暗号文を生成するため、本質的に脆弱です。CBC モードは Padding Oracle 攻撃に対して脆弱です。CTR モードにはこのような脆弱性はないため、より推奨されます。

例 1: 次のコードでは、ECB モードで AES 暗号を使用しています。


from Crypto.Cipher import AES
from Crypto import Random
...
key = Random.new().read(AES.block_size)
random_iv = Random.new().read(AES.block_size)
cipher = AES.new(key, AES.MODE_ECB, random_iv)
References
[1] CVE 2014-3566
[2] Friends Don't Let Friends Use ECB-Mode Encryption
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.0
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[7] Standards Mapping - CIS Kubernetes Benchmark complete
[8] Standards Mapping - Common Weakness Enumeration CWE ID 327
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[10] Standards Mapping - FIPS200 MP
[11] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-13 Cryptographic Protection (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-13 Cryptographic Protection
[14] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[15] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[16] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[17] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[18] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[19] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[20] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.9.3 Cryptographic Software and Devices Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.2 Algorithms (L2 L3), 8.3.7 Sensitive Private Data (L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3)
[21] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[22] Standards Mapping - OWASP Mobile 2023 M10 Insufficient Cryptography
[23] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[24] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.3
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.4 - Use of Cryptography
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.4 - Use of Cryptography
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.4 - Use of Cryptography
[36] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 327
[37] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 327
[38] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 327
[39] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[59] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
desc.semantic.python.weak_encryption_insecure_mode_of_operation
Abstract
安全でない利用モードによって暗号化アルゴリズムを使用しないでください。
Explanation
ブロック暗号化利用モードはアルゴリズムの一種で、暗号化の単一ブロックの利用をブロック長より大きなデータ量の安全な転送に繰り返し適用する方法を表すものです。利用モードには、Electronic Codebook (ECB)、Cipher Block Chaining (CBC)、Cipher Feedback (CFB)、Counter (CTR) などがあります。

ECB モードでは、同一の平文ブロックに同じ暗号文を生成するため、本質的に脆弱です。CBC モードは Padding Oracle 攻撃に対して脆弱です。CTR モードにはこのような脆弱性はないため、より推奨されます。

例 1: 次のコードでは、ECB モードで AES 暗号を使用しています。


require 'openssl'
...
cipher = OpenSSL::Cipher::AES.new('256-ECB')
References
[1] CVE 2014-3566
[2] Friends Don't Let Friends Use ECB-Mode Encryption
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.0
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[7] Standards Mapping - CIS Kubernetes Benchmark complete
[8] Standards Mapping - Common Weakness Enumeration CWE ID 327
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[10] Standards Mapping - FIPS200 MP
[11] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-13 Cryptographic Protection (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-13 Cryptographic Protection
[14] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[15] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[16] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[17] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[18] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[19] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[20] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.9.3 Cryptographic Software and Devices Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.2 Algorithms (L2 L3), 8.3.7 Sensitive Private Data (L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3)
[21] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[22] Standards Mapping - OWASP Mobile 2023 M10 Insufficient Cryptography
[23] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[24] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.3
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.4 - Use of Cryptography
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.4 - Use of Cryptography
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.4 - Use of Cryptography
[36] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 327
[37] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 327
[38] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 327
[39] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[59] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
desc.structural.ruby.weak_encryption_insecure_mode_of_operation
Abstract
安全でない利用モードによって暗号化アルゴリズムを使用しないでください。
Explanation
ブロック暗号化利用モードはアルゴリズムの一種で、暗号化の単一ブロックの利用をブロック長より大きなデータ量の安全な転送に繰り返し適用する方法を表すものです。利用モードには、Electronic Codebook (ECB)、Cipher Block Chaining (CBC)、Cipher Feedback (CFB)、Counter (CTR) などがあります。

ECB モードでは、同一の平文ブロックに同じ暗号文を生成するため、本質的に脆弱です。CBC モードは Padding Oracle 攻撃に対して脆弱です。CTR モードにはこのような脆弱性はないため、より推奨されます。

例 1: 次のコードでは、ECB モードで AES 暗号を使用しています。


...
ccStatus = CCCrypt(UInt32(kCCEncrypt),
                UInt32(kCCAlgorithmAES128),
                UInt32(kCCOptionECBMode),
                keyData.bytes,
                keyLength,
                keyData.bytes,
                data.bytes,
                data.length,
                cryptData.mutableBytes,
                cryptData.length,
                &numBytesEncrypted)
...
References
[1] CVE 2014-3566
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.0
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[6] Standards Mapping - CIS Kubernetes Benchmark complete
[7] Standards Mapping - Common Weakness Enumeration CWE ID 327
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[9] Standards Mapping - FIPS200 MP
[10] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-13 Cryptographic Protection (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-13 Cryptographic Protection
[13] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[14] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[15] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[16] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[17] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[18] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[19] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.9.3 Cryptographic Software and Devices Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.2 Algorithms (L2 L3), 8.3.7 Sensitive Private Data (L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3)
[20] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[21] Standards Mapping - OWASP Mobile 2023 M10 Insufficient Cryptography
[22] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[23] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.3
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.4 - Use of Cryptography
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.4 - Use of Cryptography
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.4 - Use of Cryptography
[35] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 327
[36] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 327
[37] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 327
[38] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
desc.structural.swift.weak_encryption_insecure_mode_of_operation

Weak Encryption: Insufficient Key Size

Abstract
強力な暗号化アルゴリズムでも、鍵のサイズが不十分だと、Brute-Force 攻撃に対して脆弱となる可能性があります。
Explanation
現在の暗号化ガイドラインでは、RSA アルゴリズムでは最小でも 2048 ビットの鍵の長さを使用する必要があるとされています。しかし、演算処理能力とファクタリング技術が進歩し続ける限り [1]、将来的に推奨される鍵のサイズが増大するのは避けられません。

例 1: 次のコードは、512 ビットの暗号鍵の RSA アルゴリズムを使用しています。

  static public byte[] EncryptWithRSA(byte[] plaintext, RSAParameters key) {
    try {
      RSACryptoServiceProvider rsa = new RSACryptoServiceProvider(512);
      rsa.ImportParameters(key);
      return rsa.Encrypt(plaintext, true);
    }
    catch(CryptographicException e) {
      Console.WriteLine(e.Message);
      return null;
    }
  }


対称鍵暗号の場合、鍵の長さは最低でも 128 ビットである必要があります。
References
[1] J. Cheng 307-digit key crack endangers 1024-bit RSA
[2] Cryptographic Algorithms and Key Sizes for Personal Identity Verification NIST
[3] B. Chess and J. West, Secure Programming with Static Analysis. Boston, MA: Addison-Wesley, 2007.
[4] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2.0
[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[8] Standards Mapping - CIS Kubernetes Benchmark complete
[9] Standards Mapping - Common Weakness Enumeration CWE ID 326
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[11] Standards Mapping - FIPS200 MP
[12] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[13] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-12 Cryptographic Key Establishment and Management (P1)
[14] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-12 Cryptographic Key Establishment and Management
[15] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[16] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[17] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[18] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[19] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[20] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[21] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.8.3 Single or Multi Factor One Time Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.3 Algorithms (L2 L3), 6.2.4 Algorithms (L2 L3), 6.2.5 Algorithms (L2 L3), 6.2.6 Algorithms (L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3)
[22] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[23] Standards Mapping - OWASP Mobile 2023 M10 Insufficient Cryptography
[24] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[25] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 3.6.1, Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 3.6.1, Requirement 6.3.1.3, Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 3.6.1, Requirement 6.5.3
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 3.6.1, Requirement 6.5.3
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 3.6.1, Requirement 6.5.3
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 3.6.1, Requirement 6.5.3
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 3.6.1, Requirement 6.5.3
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.6.1, Requirement 6.2.4
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.2 - Use of Cryptography
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[36] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
desc.semantic.dotnet.weak_encryption_insufficient_key_size
Abstract
強力な暗号化アルゴリズムでも、鍵のサイズが不十分だと、Brute-Force 攻撃に対して脆弱となる可能性があります。
Explanation
現在の暗号化ガイドラインでは、RSA アルゴリズムでは最小でも 2048 ビットの鍵の長さを使用する必要があるとされています。しかし、演算処理能力とファクタリング技術が進歩し続ける限り [1]、将来的に推奨される鍵のサイズが増大するのは避けられません。

例 1: 次のコードは、512 ビットの RSA 暗号鍵を生成しています。

  EVP_PKEY * get_RSA_key() {
    unsigned long err;
    EVP_PKEY * pkey;
    RSA * rsa;
    rsa = RSA_generate_key(512, 35, NULL, NULL);
    if (rsa == NULL) {
      err = ERR_get_error();
      printf("Error = %s\n",ERR_reason_error_string(err));
      return NULL;
    }
    pkey = EVP_PKEY_new();
    EVP_PKEY_assign_RSA(pkey, rsa);
    return pkey;
  }


対称鍵暗号の場合、鍵の長さは最低でも 128 ビットである必要があります。
References
[1] J. Cheng 307-digit key crack endangers 1024-bit RSA
[2] Cryptographic Algorithms and Key Sizes for Personal Identity Verification NIST
[3] B. Chess and J. West, Secure Programming with Static Analysis. Boston, MA: Addison-Wesley, 2007.
[4] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2.0
[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[8] Standards Mapping - CIS Kubernetes Benchmark complete
[9] Standards Mapping - Common Weakness Enumeration CWE ID 326
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[11] Standards Mapping - FIPS200 MP
[12] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[13] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-12 Cryptographic Key Establishment and Management (P1)
[14] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-12 Cryptographic Key Establishment and Management
[15] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[16] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[17] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[18] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[19] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[20] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[21] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.8.3 Single or Multi Factor One Time Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.3 Algorithms (L2 L3), 6.2.4 Algorithms (L2 L3), 6.2.5 Algorithms (L2 L3), 6.2.6 Algorithms (L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3)
[22] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[23] Standards Mapping - OWASP Mobile 2023 M10 Insufficient Cryptography
[24] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[25] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 3.6.1, Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 3.6.1, Requirement 6.3.1.3, Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 3.6.1, Requirement 6.5.3
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 3.6.1, Requirement 6.5.3
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 3.6.1, Requirement 6.5.3
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 3.6.1, Requirement 6.5.3
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 3.6.1, Requirement 6.5.3
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.6.1, Requirement 6.2.4
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.2 - Use of Cryptography
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[36] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
desc.structural.cpp.weak_encryption_insufficient_key_size
Abstract
強力な暗号化アルゴリズムでも、鍵のサイズが不十分だと、Brute-Force 攻撃に対して脆弱となる可能性があります。
Explanation
現在の暗号化ガイドラインでは、RSA アルゴリズムでは最小でも 2048 ビットの鍵の長さを使用する必要があるとされています。対称鍵暗号の場合、鍵の長さは最低でも 128 ビットである必要があります。しかし、演算処理能力とファクタリング技術が進歩し続ける限り [1]、将来的に推奨される鍵のサイズが増大するのは避けられません。

例 1: 次のコードでは、1024 ビットの RSA 鍵を生成しています。

  ...
  myPrivateKey := rsa.GenerateKey(rand.Reader, 1024);
  ...
References
[1] J. Cheng 307-digit key crack endangers 1024-bit RSA
[2] Cryptographic Algorithms and Key Sizes for Personal Identity Verification NIST
[3] B. Chess and J. West, Secure Programming with Static Analysis. Boston, MA: Addison-Wesley, 2007.
[4] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2.0
[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[8] Standards Mapping - CIS Kubernetes Benchmark complete
[9] Standards Mapping - Common Weakness Enumeration CWE ID 326
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[11] Standards Mapping - FIPS200 MP
[12] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[13] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-12 Cryptographic Key Establishment and Management (P1)
[14] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-12 Cryptographic Key Establishment and Management
[15] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[16] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[17] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[18] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[19] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[20] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[21] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.8.3 Single or Multi Factor One Time Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.3 Algorithms (L2 L3), 6.2.4 Algorithms (L2 L3), 6.2.5 Algorithms (L2 L3), 6.2.6 Algorithms (L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3)
[22] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[23] Standards Mapping - OWASP Mobile 2023 M10 Insufficient Cryptography
[24] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[25] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 3.6.1, Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 3.6.1, Requirement 6.3.1.3, Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 3.6.1, Requirement 6.5.3
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 3.6.1, Requirement 6.5.3
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 3.6.1, Requirement 6.5.3
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 3.6.1, Requirement 6.5.3
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 3.6.1, Requirement 6.5.3
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.6.1, Requirement 6.2.4
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.2 - Use of Cryptography
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[36] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
desc.structural.golang.weak_encryption_insufficient_key_size
Abstract
強力な暗号化アルゴリズムでも、鍵のサイズが不十分だと、Brute-Force 攻撃に対して脆弱となる可能性があります。
Explanation
現在の暗号化ガイドラインでは、RSA アルゴリズムでは最小でも 2048 ビットの鍵の長さを使用する必要があるとされています。しかし、演算処理能力とファクタリング技術が進歩し続ける限り [1]、将来的に推奨される鍵のサイズが増大するのは避けられません。

例 1: 次のコードは、512 ビットの RSA 暗号鍵を生成しています。

  public static KeyPair getRSAKey() throws NoSuchAlgorithmException {
    KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
    keyGen.initialize(512);

    KeyPair key = keyGen.generateKeyPair();
    return key;
  }


対称鍵暗号の場合、鍵の長さは最低でも 128 ビットである必要があります。
References
[1] J. Cheng 307-digit key crack endangers 1024-bit RSA
[2] Cryptographic Algorithms and Key Sizes for Personal Identity Verification NIST
[3] B. Chess and J. West, Secure Programming with Static Analysis. Boston, MA: Addison-Wesley, 2007.
[4] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2.0
[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[8] Standards Mapping - CIS Kubernetes Benchmark complete
[9] Standards Mapping - Common Weakness Enumeration CWE ID 326
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[11] Standards Mapping - FIPS200 MP
[12] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[13] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-12 Cryptographic Key Establishment and Management (P1)
[14] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-12 Cryptographic Key Establishment and Management
[15] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[16] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[17] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[18] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[19] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[20] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[21] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.8.3 Single or Multi Factor One Time Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.3 Algorithms (L2 L3), 6.2.4 Algorithms (L2 L3), 6.2.5 Algorithms (L2 L3), 6.2.6 Algorithms (L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3)
[22] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[23] Standards Mapping - OWASP Mobile 2023 M10 Insufficient Cryptography
[24] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[25] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 3.6.1, Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 3.6.1, Requirement 6.3.1.3, Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 3.6.1, Requirement 6.5.3
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 3.6.1, Requirement 6.5.3
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 3.6.1, Requirement 6.5.3
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 3.6.1, Requirement 6.5.3
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 3.6.1, Requirement 6.5.3
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.6.1, Requirement 6.2.4
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.2 - Use of Cryptography
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[36] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
desc.structural.java.weak_encryption_insufficient_key_size
Abstract
強力な暗号化アルゴリズムでも、鍵のサイズが不十分だと、Brute-Force 攻撃に対して脆弱となる可能性があります。
Explanation
現在の暗号化ガイドラインでは、RSA アルゴリズムでは最小でも 2048 ビットの鍵の長さを使用する必要があるとされています。しかし、演算処理能力とファクタリング技術が進歩し続ける限り [1]、将来的に推奨される鍵のサイズが増大するのは避けられません。

例 1: 次のコードは、512 ビットの RSA 鍵を生成します。

  ...
  crmfObject = crypto.generateCRMFRequest(
                "CN=" + name.value,
                password.value,
                authenticator,
        	keyTransportCert,
                "setCRMFRequest();",
                512, null, "rsa-dual-use");
  ...


対称鍵暗号の場合、鍵の長さは最低でも 128 ビットである必要があります。
References
[1] J. Cheng 307-digit key crack endangers 1024-bit RSA
[2] Cryptographic Algorithms and Key Sizes for Personal Identity Verification NIST
[3] B. Chess and J. West, Secure Programming with Static Analysis. Boston, MA: Addison-Wesley, 2007.
[4] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2.0
[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[8] Standards Mapping - CIS Kubernetes Benchmark complete
[9] Standards Mapping - Common Weakness Enumeration CWE ID 326
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[11] Standards Mapping - FIPS200 MP
[12] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[13] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-12 Cryptographic Key Establishment and Management (P1)
[14] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-12 Cryptographic Key Establishment and Management
[15] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[16] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[17] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[18] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[19] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[20] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[21] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.8.3 Single or Multi Factor One Time Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.3 Algorithms (L2 L3), 6.2.4 Algorithms (L2 L3), 6.2.5 Algorithms (L2 L3), 6.2.6 Algorithms (L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3)
[22] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[23] Standards Mapping - OWASP Mobile 2023 M10 Insufficient Cryptography
[24] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[25] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 3.6.1, Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 3.6.1, Requirement 6.3.1.3, Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 3.6.1, Requirement 6.5.3
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 3.6.1, Requirement 6.5.3
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 3.6.1, Requirement 6.5.3
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 3.6.1, Requirement 6.5.3
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 3.6.1, Requirement 6.5.3
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.6.1, Requirement 6.2.4
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.2 - Use of Cryptography
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[36] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
desc.structural.javascript.weak_encryption_insufficient_key_size
Abstract
強力な暗号化アルゴリズムでも、鍵のサイズが不十分だと、Brute-Force 攻撃に対して脆弱となる可能性があります。
Explanation
現在の暗号化ガイドラインでは、RSA アルゴリズムでは最小でも 2048 ビットの鍵の長さを使用する必要があるとされています。しかし、演算処理能力とファクタリング技術が進歩し続ける限り [1]、将来的に推奨される鍵のサイズが増大するのは避けられません。対称鍵暗号の場合、鍵の長さは最低でも 128 ビットである必要があります。

例 1: 次のコードは、脆弱な暗号化アルゴリズムと不十分な鍵サイズを使用しています。

...
CCCrypt(kCCEncrypt,
        kCCAlgorithmDES,
        kCCOptionPKCS7Padding,
        key,
        kCCKeySizeDES, // 64-bit key size
        iv,
        plaintext,
        sizeof(plaintext),
        ciphertext,
        sizeof(ciphertext),
        &numBytesEncrypted);
...
References
[1] J. Cheng 307-digit key crack endangers 1024-bit RSA
[2] Cryptographic Algorithms and Key Sizes for Personal Identity Verification NIST
[3] B. Chess and J. West, Secure Programming with Static Analysis. Boston, MA: Addison-Wesley, 2007.
[4] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2.0
[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[8] Standards Mapping - CIS Kubernetes Benchmark complete
[9] Standards Mapping - Common Weakness Enumeration CWE ID 326
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[11] Standards Mapping - FIPS200 MP
[12] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[13] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-12 Cryptographic Key Establishment and Management (P1)
[14] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-12 Cryptographic Key Establishment and Management
[15] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[16] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[17] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[18] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[19] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[20] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[21] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.8.3 Single or Multi Factor One Time Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.3 Algorithms (L2 L3), 6.2.4 Algorithms (L2 L3), 6.2.5 Algorithms (L2 L3), 6.2.6 Algorithms (L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3)
[22] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[23] Standards Mapping - OWASP Mobile 2023 M10 Insufficient Cryptography
[24] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[25] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 3.6.1, Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 3.6.1, Requirement 6.3.1.3, Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 3.6.1, Requirement 6.5.3
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 3.6.1, Requirement 6.5.3
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 3.6.1, Requirement 6.5.3
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 3.6.1, Requirement 6.5.3
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 3.6.1, Requirement 6.5.3
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.6.1, Requirement 6.2.4
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.2 - Use of Cryptography
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[36] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
desc.structural.objc.weak_encryption_insufficient_key_size
Abstract
強力な暗号化アルゴリズムでも、鍵のサイズが不十分だと、Brute-Force 攻撃に対して脆弱となる可能性があります。
Explanation
現在の暗号化ガイドラインでは、RSA アルゴリズムでは最小でも 2048 ビットの鍵の長さを使用する必要があるとされています。しかし、演算処理能力とファクタリング技術が進歩し続ける限り [1]、将来的に推奨される鍵のサイズが増大するのは避けられません。

例 1: 次のコードは、1024 ビットの RSA 暗号鍵を生成しています。

...
$keysize = 1024;
$options = array('private_key_bits' => $keysize, 'private_key_type' => OPENSSL_KEYTYPE_RSA);
$res = openssl_pkey_new($options);
...


対称鍵暗号の場合、鍵の長さは最低でもトリプル DES で 168 ビット、AES で 128 ビットにする必要があります。
References
[1] J. Cheng 307-digit key crack endangers 1024-bit RSA
[2] Cryptographic Algorithms and Key Sizes for Personal Identity Verification NIST
[3] B. Chess and J. West, Secure Programming with Static Analysis. Boston, MA: Addison-Wesley, 2007.
[4] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2.0
[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[8] Standards Mapping - CIS Kubernetes Benchmark complete
[9] Standards Mapping - Common Weakness Enumeration CWE ID 326
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[11] Standards Mapping - FIPS200 MP
[12] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[13] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-12 Cryptographic Key Establishment and Management (P1)
[14] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-12 Cryptographic Key Establishment and Management
[15] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[16] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[17] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[18] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[19] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[20] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[21] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.8.3 Single or Multi Factor One Time Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.3 Algorithms (L2 L3), 6.2.4 Algorithms (L2 L3), 6.2.5 Algorithms (L2 L3), 6.2.6 Algorithms (L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3)
[22] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[23] Standards Mapping - OWASP Mobile 2023 M10 Insufficient Cryptography
[24] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[25] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 3.6.1, Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 3.6.1, Requirement 6.3.1.3, Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 3.6.1, Requirement 6.5.3
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 3.6.1, Requirement 6.5.3
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 3.6.1, Requirement 6.5.3
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 3.6.1, Requirement 6.5.3
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 3.6.1, Requirement 6.5.3
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.6.1, Requirement 6.2.4
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.2 - Use of Cryptography
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[36] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
desc.structural.php.weak_encryption_insufficient_key_size
Abstract
強力な暗号化アルゴリズムでも、鍵のサイズが不十分だと、Brute-Force 攻撃に対して脆弱となる可能性があります。
Explanation
現在の暗号化ガイドラインでは、RSA アルゴリズムでは最小でも 2048 ビットの鍵の長さを使用する必要があるとされています。しかし、演算処理能力とファクタリング技術が進歩し続ける限り [1]、将来的に推奨される鍵のサイズが増大するのは避けられません。

例 1: 次のコードは、1024 ビットの RSA 暗号鍵を生成しています。

...
from Crypto.PublicKey import RSA
key = RSA.generate(1024)
...


対称鍵暗号の場合、鍵の長さは最低でもトリプル DES で 168 ビット、AES で 128 ビットにする必要があります。
References
[1] J. Cheng 307-digit key crack endangers 1024-bit RSA
[2] Cryptographic Algorithms and Key Sizes for Personal Identity Verification NIST
[3] B. Chess and J. West, Secure Programming with Static Analysis. Boston, MA: Addison-Wesley, 2007.
[4] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2.0
[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[8] Standards Mapping - CIS Kubernetes Benchmark complete
[9] Standards Mapping - Common Weakness Enumeration CWE ID 326
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[11] Standards Mapping - FIPS200 MP
[12] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[13] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-12 Cryptographic Key Establishment and Management (P1)
[14] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-12 Cryptographic Key Establishment and Management
[15] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[16] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[17] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[18] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[19] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[20] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[21] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.8.3 Single or Multi Factor One Time Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.3 Algorithms (L2 L3), 6.2.4 Algorithms (L2 L3), 6.2.5 Algorithms (L2 L3), 6.2.6 Algorithms (L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3)
[22] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[23] Standards Mapping - OWASP Mobile 2023 M10 Insufficient Cryptography
[24] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[25] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 3.6.1, Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 3.6.1, Requirement 6.3.1.3, Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 3.6.1, Requirement 6.5.3
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 3.6.1, Requirement 6.5.3
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 3.6.1, Requirement 6.5.3
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 3.6.1, Requirement 6.5.3
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 3.6.1, Requirement 6.5.3
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.6.1, Requirement 6.2.4
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.2 - Use of Cryptography
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[36] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
desc.structural.python.weak_encryption_insufficient_key_size
Abstract
強力な暗号化アルゴリズムでも、鍵のサイズが不十分だと、Brute-Force 攻撃に対して脆弱となる可能性があります。
Explanation
現在の暗号化ガイドラインでは、RSA アルゴリズムでは最小でも 2048 ビットの鍵の長さを使用する必要があるとされています。しかし、演算処理能力とファクタリング技術が進歩し続ける限り [1]、将来的に推奨される鍵のサイズが増大するのは避けられません。

例 1: 次のコードは、1024 ビットの RSA 暗号鍵を生成しています。

  require 'openssl'
  ...
  pkey = OpenSSL::PKey::RSA.new 1024
  ...


対称鍵暗号に関しては、AES の場合、鍵の長さは最低でも 128 ビットである必要があります。
References
[1] J. Cheng 307-digit key crack endangers 1024-bit RSA
[2] Cryptographic Algorithms and Key Sizes for Personal Identity Verification NIST
[3] B. Chess and J. West, Secure Programming with Static Analysis. Boston, MA: Addison-Wesley, 2007.
[4] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2.0
[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[8] Standards Mapping - CIS Kubernetes Benchmark complete
[9] Standards Mapping - Common Weakness Enumeration CWE ID 326
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[11] Standards Mapping - FIPS200 MP
[12] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[13] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-12 Cryptographic Key Establishment and Management (P1)
[14] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-12 Cryptographic Key Establishment and Management
[15] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[16] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[17] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[18] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[19] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[20] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[21] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.8.3 Single or Multi Factor One Time Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.3 Algorithms (L2 L3), 6.2.4 Algorithms (L2 L3), 6.2.5 Algorithms (L2 L3), 6.2.6 Algorithms (L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3)
[22] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[23] Standards Mapping - OWASP Mobile 2023 M10 Insufficient Cryptography
[24] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[25] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 3.6.1, Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 3.6.1, Requirement 6.3.1.3, Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 3.6.1, Requirement 6.5.3
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 3.6.1, Requirement 6.5.3
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 3.6.1, Requirement 6.5.3
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 3.6.1, Requirement 6.5.3
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 3.6.1, Requirement 6.5.3
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.6.1, Requirement 6.2.4
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.2 - Use of Cryptography
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[36] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
desc.structural.ruby.weak_encryption_insufficient_key_size
Abstract
強力な暗号化アルゴリズムでも、鍵のサイズが不十分だと、Brute-Force 攻撃に対して脆弱となる可能性があります。
Explanation
現在の暗号化ガイドラインでは、RSA アルゴリズムでは最小でも 2048 ビットの鍵の長さを使用する必要があるとされています。しかし、演算処理能力とファクタリング技術が進歩し続ける限り [1]、将来的に推奨される鍵のサイズが増大するのは避けられません。対称鍵暗号の場合、鍵の長さは最低でも 128 ビットである必要があります。

例 1: 次のコードは、脆弱な暗号化アルゴリズムと不十分な鍵サイズを使用しています。

...
let iv = getTrueRandomIV()
...
let cStatus = CCCrypt(UInt32(kCCEncrypt),
UInt32(kCCAlgorithmDES),
UInt32(kCCOptionPKCS7Padding),
key,
UInt32(kCCKeySizeDES), // 64-bit key size
iv, 
plaintext, 
plaintextLength,
ciphertext, 
ciphertextLength,
&numBytesEncrypted)
...
References
[1] J. Cheng 307-digit key crack endangers 1024-bit RSA
[2] Cryptographic Algorithms and Key Sizes for Personal Identity Verification NIST
[3] B. Chess and J. West, Secure Programming with Static Analysis. Boston, MA: Addison-Wesley, 2007.
[4] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2.0
[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[8] Standards Mapping - CIS Kubernetes Benchmark complete
[9] Standards Mapping - Common Weakness Enumeration CWE ID 326
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[11] Standards Mapping - FIPS200 MP
[12] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[13] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-12 Cryptographic Key Establishment and Management (P1)
[14] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-12 Cryptographic Key Establishment and Management
[15] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[16] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[17] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[18] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[19] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[20] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[21] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.8.3 Single or Multi Factor One Time Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.3 Algorithms (L2 L3), 6.2.4 Algorithms (L2 L3), 6.2.5 Algorithms (L2 L3), 6.2.6 Algorithms (L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3)
[22] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[23] Standards Mapping - OWASP Mobile 2023 M10 Insufficient Cryptography
[24] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[25] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 3.6.1, Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 3.6.1, Requirement 6.3.1.3, Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 3.6.1, Requirement 6.5.3
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 3.6.1, Requirement 6.5.3
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 3.6.1, Requirement 6.5.3
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 3.6.1, Requirement 6.5.3
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 3.6.1, Requirement 6.5.3
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.6.1, Requirement 6.2.4
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.2 - Use of Cryptography
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[36] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
desc.structural.swift.weak_encryption_insufficient_key_size
Abstract
強力な暗号化アルゴリズムでも、鍵のサイズが不十分だと、Brute-Force 攻撃に対して脆弱となる可能性があります。
Explanation
現在の暗号化ガイドラインでは、RSA アルゴリズムでは最小でも 2048 ビットの鍵の長さを使用する必要があるとされています。しかし、演算処理能力とファクタリング技術が進歩し続ける限り [1]、将来的に推奨される鍵のサイズが増大するのは避けられません。

対称鍵暗号の場合、鍵の長さは最低でも 128 ビットである必要があります。
References
[1] J. Cheng 307-digit key crack endangers 1024-bit RSA
[2] Cryptographic Algorithms and Key Sizes for Personal Identity Verification NIST
[3] B. Chess and J. West, Secure Programming with Static Analysis. Boston, MA: Addison-Wesley, 2007.
[4] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2.0
[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[8] Standards Mapping - CIS Kubernetes Benchmark complete
[9] Standards Mapping - Common Weakness Enumeration CWE ID 326
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[11] Standards Mapping - FIPS200 MP
[12] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[13] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-12 Cryptographic Key Establishment and Management (P1)
[14] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-12 Cryptographic Key Establishment and Management
[15] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[16] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[17] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[18] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[19] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[20] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[21] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.8.3 Single or Multi Factor One Time Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.3 Algorithms (L2 L3), 6.2.4 Algorithms (L2 L3), 6.2.5 Algorithms (L2 L3), 6.2.6 Algorithms (L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3)
[22] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[23] Standards Mapping - OWASP Mobile 2023 M10 Insufficient Cryptography
[24] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[25] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 3.6.1, Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 3.6.1, Requirement 6.3.1.3, Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 3.6.1, Requirement 6.5.3
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 3.6.1, Requirement 6.5.3
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 3.6.1, Requirement 6.5.3
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 3.6.1, Requirement 6.5.3
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 3.6.1, Requirement 6.5.3
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.6.1, Requirement 6.2.4
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.2 - Use of Cryptography
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[36] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
desc.structural.vb.weak_encryption_insufficient_key_size

Weak Encryption: Missing Required Step

Abstract
対称鍵生成、暗号化、または復号化プロセスの間に、コードは必須ステップの呼び出しに失敗します。
Explanation
対称鍵の生成および秘密鍵の暗号化または復号化には、複数のステップが伴います。必須ステップのいずれか 1 つでも欠落すると、生成される対称鍵または暗号文の強度が損なわれるか、既存の暗号文が正しく復号化されない場合があります。

例 1: 次のコードは EVP_DecryptUpdate へのコールをスキップしており、暗号文の複合化に失敗する原因になります。


...
EVP_DecryptInit_ex(&ctx, EVP_aes_256_gcm(), NULL, key, iv);
...
if(!EVP_DecryptFinal_ex(&ctx, outBuf+outBytes, &tmpOutBytes))
  prtErrAndExit(1, "ERROR: EVP_DecryptFinal_ex did not work...\n");
...
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.5
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4.1
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[5] Standards Mapping - CIS Kubernetes Benchmark complete
[6] Standards Mapping - Common Weakness Enumeration CWE ID 325
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[8] Standards Mapping - FIPS200 MP
[9] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-13 Cryptographic Protection (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-13 Cryptographic Protection
[12] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[13] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[14] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[15] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[16] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[17] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[18] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3)
[19] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[20] Standards Mapping - OWASP Mobile 2023 M10 Insufficient Cryptography
[21] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[22] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.3
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.2 - Use of Cryptography
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[34] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
desc.controlflow.cpp.weak_encryption_missing_required_step
Abstract
対称鍵生成、暗号化、または復号化プロセスの間に、コードは必須ステップの呼び出しに失敗します。
Explanation
対称鍵の生成および秘密鍵の暗号化または復号化には、複数のステップが伴います。必須ステップのいずれか 1 つでも欠落すると、生成される対称鍵または暗号文の強度が損なわれるか、既存の暗号文が正しく復号化されない場合があります。

例 1: 次のコードは KeyGenerator の初期化ステップをスキップし、推奨より小さな鍵を使用することが考えられます。


...
final String CIPHER_INPUT = "123456ABCDEFG";
KeyGenerator keyGenerator = KeyGenerator.getInstance("AES");

SecretKey secretKey = keyGenerator.generateKey();
byte[] byteKey = secretKey.getEncoded();
....
References
[1] JavaDoc for KeyGenerator Sun Microsystems
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.5
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4.1
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[6] Standards Mapping - CIS Kubernetes Benchmark complete
[7] Standards Mapping - Common Weakness Enumeration CWE ID 325
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[9] Standards Mapping - FIPS200 MP
[10] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-13 Cryptographic Protection (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-13 Cryptographic Protection
[13] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[14] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[15] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[16] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[17] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[18] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[19] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3)
[20] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[21] Standards Mapping - OWASP Mobile 2023 M10 Insufficient Cryptography
[22] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[23] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.3
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.2 - Use of Cryptography
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[35] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
desc.controlflow.java.weak_encryption_missing_required_step
Abstract
対称鍵生成、暗号化、または復号化プロセスの間に、コードは必須ステップの呼び出しに失敗します。
Explanation
対称鍵の生成および秘密鍵の暗号化または復号化には、複数のステップが伴います。必須ステップのいずれか 1 つでも欠落すると、生成される対称鍵または暗号文の強度が損なわれるか、既存の暗号文が正しく復号化されない場合があります。

例 1: 次のコードは OpenSSL::Cipher#update へのコールを省略します。その結果、暗号文を解読できません。


require 'openssl'
...
decipher = OpenSSL::Cipher::AES.new(128, :GCM)
decipher.decrypt
decipher.key = key
decipher.iv = iv

plain = decipher.final #missed update method
...
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.5
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4.1
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[5] Standards Mapping - CIS Kubernetes Benchmark complete
[6] Standards Mapping - Common Weakness Enumeration CWE ID 325
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[8] Standards Mapping - FIPS200 MP
[9] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-13 Cryptographic Protection (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-13 Cryptographic Protection
[12] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[13] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[14] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[15] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[16] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[17] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[18] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3)
[19] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[20] Standards Mapping - OWASP Mobile 2023 M10 Insufficient Cryptography
[21] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[22] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.3
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.2 - Use of Cryptography
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[34] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
desc.controlflow.ruby.weak_encryption_missing_required_step

Weak Encryption: Stream Cipher

Abstract
暗号化されたデータがディスクに保存されているとき、または鍵が複数回使用される場合、ストリーム暗号の使用は危険です。
Explanation
ストリーム暗号は "key re-use" 攻撃に対して脆弱です。これは "two-time pad" 攻撃とも呼ばれています。同じ鍵が複数回使用される場合、暗号文の 2 つの文字列を XOR し、鍵を無効にして XOR した平文のみを残すことが簡単にできるため、このタイプの脆弱性が発生します。人間の言語をフォーマットする方法のため、通常、元の 2 つのメッセージに簡単に戻ります。
前述の攻撃を止めるには新しい初期化ベクトル (IV) を使用する必要があるため、ストリーム暗号は暗号化データの保存に適しません。次のいずれかを意味するためです。
1) IV としてディスク セクターを使用する:
保存したデータの変更が必要になるたびに同じ IV を再使用する必要があるため、これは安全ではありません。
2) 新しい IV をディスク セクターにマッピングするために複雑なシステムを使用する:
これは保守管理が難しくなります。このようなアプローチでは、継続的に更新する必要があり、ユーザーが読み取れないようにする必要があり、暗号化されていない平文だけの場合よりかなり多くのディスク領域を使用する暗号文を必要とします。

以上の 2 点により、暗号化されたデータを保存する目的で、ブロック暗号の代わりにストリーム暗号を使用することはマイナスになります。ストリーム暗号のもう 1 つの問題は、認証機能がないため、「ビット フリッピング」攻撃に対して脆弱になることです。"CTR" など、一部のブロック暗号はストリーム暗号と同じように動作するため、この同じ攻撃に対して脆弱性になります。

例 1: 次のコードはストリーム暗号を生成し、そのストリーム暗号は定数 IV でデータを暗号化し、ディスクに保存するために使用されます。


import (
    "crypto/aes"
    "crypto/cipher"
    "os"
)
...
iv = b'1234567890123456'
CTRstream = cipher.NewCTR(block, iv)
CTRstream.XORKeyStream(plaintext, ciphertext)
...
f := os.Create("data.enc")
f.Write(ciphertext)
f.Close()
Example 1 では、iv が定数初期化ベクトルとして設定されているため、再利用攻撃を受けやすくなります。
References
[1] Disk Encryption Theory Wikipedia
[2] Clemens Fruhwirth New Methods in Hard Disk Encryption
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.5
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 1.0
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[7] Standards Mapping - CIS Kubernetes Benchmark complete
[8] Standards Mapping - Common Weakness Enumeration CWE ID 327
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[10] Standards Mapping - FIPS200 MP
[11] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-13 Cryptographic Protection (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-13 Cryptographic Protection
[14] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[15] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[16] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[17] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[18] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[19] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[20] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.9.3 Cryptographic Software and Devices Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.2 Algorithms (L2 L3), 8.3.7 Sensitive Private Data (L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3)
[21] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[22] Standards Mapping - OWASP Mobile 2023 M10 Insufficient Cryptography
[23] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[24] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.3
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[36] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 327
[37] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 327
[38] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 327
[39] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[59] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
desc.semantic.golang.weak_encryption_stream_cipher
Abstract
暗号化されたデータがディスクに保存されるとき、または鍵が複数回使用される場合、ストリーム暗号の使用は危険です。
Explanation
ストリーム暗号は "key re-use" 攻撃に対して脆弱です。これは "two-time pad" 攻撃とも呼ばれています。つまり、同じ鍵が複数回使用される場合、暗号文の 2 つの文字列を XOR し、鍵を無効にして XOR した平文のみを残すことが簡単にできます。人間の言語をフォーマットする方法のため、通常、元の 2 つのメッセージに簡単に戻ります。
前述の攻撃を止めるには新しい初期化ベクトル (IV) を使用する必要があるため、ストリーム暗号は暗号化データの保存に適しません。次のいずれかを意味するためです。
1) IV としてディスク セクターを使用する:
保存したデータを変更するたびに同じ IV を再使用する必要があるため、これは安全ではありません。
2) 新しい IV をディスク セクターにマッピングするシステムが複雑である:
これは保守管理が難しくなります。継続的に更新する必要があり、ユーザーが読み取れないようにする必要があり、暗号化されていない平文だけの場合よりかなり多くのディスク領域を使用する暗号文を必要とするためです。

以上の 2 点により、暗号化データを保存する目的で、ブロック暗号の代わりにストリーム暗号を使用することはマイナスになります。ストリーム暗号のもう 1 つの問題は、認証機能がないため、「ビット フリッピング」攻撃に対して脆弱になることです。"CTR" など、一部のブロック暗号はストリーム暗号と同じように動作するため、この同じ攻撃に対して脆弱性になります。

例 1: 次のコードはストリーム暗号を生成し、そのストリーム暗号は定数 IV でデータを暗号化し、ディスクに保存するために使用されます。


from Crypto.Cipher import AES
from Crypto import Random
...
key = Random.new().read(AES.block_size)
iv = b'1234567890123456'
cipher = AES.new(key, AES.MODE_CTR, iv, counter)
...
encrypted = cipher.encrypt(data)
f = open("data.enc", "wb")
f.write(encrypted)
f.close()
...
Example 1 では、iv が定数初期化ベクトルとして設定されているため、再利用攻撃を受けやすくなります。
References
[1] Disk Encryption Theory Wikipedia
[2] Clemens Fruhwirth New Methods in Hard Disk Encryption
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.5
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 1.0
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[7] Standards Mapping - CIS Kubernetes Benchmark complete
[8] Standards Mapping - Common Weakness Enumeration CWE ID 327
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[10] Standards Mapping - FIPS200 MP
[11] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-13 Cryptographic Protection (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-13 Cryptographic Protection
[14] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[15] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[16] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[17] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[18] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[19] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[20] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.9.3 Cryptographic Software and Devices Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.2 Algorithms (L2 L3), 8.3.7 Sensitive Private Data (L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3)
[21] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[22] Standards Mapping - OWASP Mobile 2023 M10 Insufficient Cryptography
[23] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[24] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.3
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[36] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 327
[37] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 327
[38] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 327
[39] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[59] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
desc.semantic.python.weak_encryption_stream_cipher
Abstract
保存されているデータと共に使用するとき、あるいは鍵が複数回使用される場合、ストリーム暗号は危険です。
Explanation
ストリーム暗号は "key re-use" 攻撃に対して脆弱です。これは "two-time pad" 攻撃とも呼ばれています。つまり、同じ鍵が複数回使用される場合、暗号文の 2 つの文字列を XOR し、鍵を無効にして XOR した平文のみを残すことが簡単にできます。人間の言語をフォーマットする方法のため、通常、元の 2 つのメッセージに簡単に戻ります。
前述の攻撃を止めるには新しい初期化ベクトル (IV) を使用する必要があるため、ストリーム暗号は暗号化データの保存に適しません。次のいずれかを意味するためです。
1) IV としてディスク セクターを使用する:
保存したデータを変更するたびに同じ IV を再使用する必要があるため、これは安全ではありません。
2) 新しい IV をディスク セクターにマッピングするシステムが複雑である:
これは保守管理が難しくなります。継続的に更新する必要があり、ユーザーが読み取れないようにする必要があり、暗号化されていない平文だけの場合よりかなり多くのディスク領域を使用する暗号文を必要とするためです。

以上の 2 点により、暗号化データを保存する目的で、ブロック暗号の代わりにストリーム暗号を使用することはマイナスになります。ストリーム暗号のもう 1 つの問題は、認証機能がないため、「ビット フリッピング」攻撃に対して脆弱になることです。"CTR" など、一部のブロック暗号はストリーム暗号と同じように動作するため、この同じ攻撃に対して脆弱性になります。

例 1: 次のコードはストリーム暗号を生成し、そのストリーム暗号は定数 IV でデータを暗号化し、ディスクに保存するために使用されます。


require 'openssl'
...
cipher = OpenSSL::Cipher.new('AES-256-CTR')
cipher.encrypt
cipher.iv='iv'
...
encrypted = cipher.update(data) + cipher.final
File.open('my_encrypted_data', 'w') do |file|
  file.write(encrypted)
end
Example 1 では、OpenSSL::Cipher#iv= が定数初期化ベクトルとして設定されているため、再利用攻撃を受けやすくなります。
References
[1] Disk Encryption Theory Wikipedia
[2] Clemens Fruhwirth New Methods in Hard Disk Encryption
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.5
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 1.0
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[7] Standards Mapping - CIS Kubernetes Benchmark complete
[8] Standards Mapping - Common Weakness Enumeration CWE ID 327
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[10] Standards Mapping - FIPS200 MP
[11] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-13 Cryptographic Protection (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-13 Cryptographic Protection
[14] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[15] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[16] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[17] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[18] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[19] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[20] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.9.3 Cryptographic Software and Devices Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.2 Algorithms (L2 L3), 8.3.7 Sensitive Private Data (L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3)
[21] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[22] Standards Mapping - OWASP Mobile 2023 M10 Insufficient Cryptography
[23] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[24] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.3
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[36] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 327
[37] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 327
[38] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 327
[39] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[59] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
desc.structural.ruby.weak_encryption_stream_cipher

Weak Encryption: User-Controlled Key Size

Abstract
鍵サイズ パラメーターを使用する暗号関数には、汚染された鍵サイズ値を渡さないでください。
Explanation
ユーザー制御の値から鍵サイズを判別できる場合、攻撃者が空の鍵を指定できるようになり、その空の鍵で暗号化されたデータは比較的容易に復号化できます。非ゼロ値が必要な場合でも、攻撃者は可能な範囲で最小の値を指定でき、暗号化のセキュリティが損なわれます。

Weak Encryption: User-Controlled Key Size の問題は、次の場合に発生します。

1. 信頼できないソースからデータがプログラムに入り込んだ場合。

2. ユーザー制御のデータは、鍵サイズ パラメーターに部分的に含まれるか、鍵サイズ パラメーター自体として暗号化関数の中で使用されます。

多くのソフトウェア セキュリティの脆弱性と同様、Weak Encryption: User-Controlled Key Size は目的を達成するための手段であって、目的そのものではありません。基本的には、この脆弱性は単純なものです。攻撃者は悪意のあるデータをアプリケーションに渡し、暗号化の実行中にそのデータが鍵サイズ値の全体または一部として使用されます。

ユーザー制御の鍵サイズがある場合の問題は、多様な攻撃が可能になる点です。

1. 攻撃者は、この脆弱性を利用して暗号化処理にゼロの鍵サイズを指定し、任意のデータにアクセスできるようにします。ここから、各種アルゴリズムを空の鍵とともに使用して独自のデータを復号化し、アプリケーションに使用されている暗号化実装についての情報を漏洩させようとする試みを、難なく行えるようになります。これにより、攻撃者はクラッキング作業の中で特定のアルゴリズムに的を絞ることができ、他のユーザーの暗号化データを容易に復号化できるようになります。
2. 攻撃者は、他のユーザーの暗号化鍵サイズを操作するか、または他のユーザーがゼロの (または可能な限り小さい) 暗号化鍵サイズを使用するように仕組んで、(使用されている暗号化アルゴリズムの情報を得た上で) 他のユーザーの暗号化されたデータを読み取り可能にできます。

例 1: 次のコードは、ユーザー制御の鍵サイズ パラメーターを使用して RSA 暗号化を実行します。

    ...
    RSACryptoServiceProvider rsa1 = new RSACryptoServiceProvider(Convert.ToInt32(tx.Text));
    ...
Example 1 のコードは正常に実行されますが、この機能を使用すれば誰でもテキストボックス値 tx.Text を変更することで暗号化アルゴリズムの鍵サイズ パラメーターを操作できるようになります。プログラムが頒布された後は、悪意のあるユーザーが所定の暗号化実行の鍵サイズを判別したかどうかを知るのは極めて難しいため、ユーザー制御の鍵サイズに関する問題を元に戻すのは非常に困難です。
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4.0
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[5] Standards Mapping - CIS Kubernetes Benchmark complete
[6] Standards Mapping - Common Weakness Enumeration CWE ID 326
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[8] Standards Mapping - FIPS200 MP
[9] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-12 Cryptographic Key Establishment and Management (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-12 Cryptographic Key Establishment and Management
[12] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[13] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[14] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[15] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[16] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[17] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[18] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.8.3 Single or Multi Factor One Time Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.3 Algorithms (L2 L3), 6.2.4 Algorithms (L2 L3), 6.2.5 Algorithms (L2 L3), 6.2.6 Algorithms (L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3)
[19] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[20] Standards Mapping - OWASP Mobile 2023 M10 Insufficient Cryptography
[21] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[22] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 3.6.1, Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 3.6.1, Requirement 6.3.1.3, Requirement 6.5.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 3.6.1, Requirement 6.5.3
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 3.6.1, Requirement 6.5.3
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 3.6.1, Requirement 6.5.3
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 3.6.1, Requirement 6.5.3
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 3.6.1, Requirement 6.5.3
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.6.1, Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.2 - Use of Cryptography
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[34] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
desc.dataflow.dotnet.weak_encryption_user_controlled_key_size
Abstract
鍵サイズを受け取る暗号関数は汚染された鍵サイズ値を受け取る可能性があります。
Explanation
ユーザー制御の値から鍵サイズを判別できる場合、攻撃者が空の鍵を指定できるようになり、その空の鍵で暗号化されたデータは比較的容易に復号化できます。非ゼロ値が必要な場合でも、攻撃者は可能な範囲で最小の値を指定でき、暗号化のセキュリティが損なわれます。

脆弱な暗号化: ユーザー制御による鍵サイズの問題は、次の場合に発生します。

1.信頼できないソースからデータがプログラムに入り込んだ場合。

2.ユーザー制御のデータは、鍵サイズ パラメーターに部分的に含まれるか、鍵サイズ パラメーター自体として暗号化関数の中で使用されます。

多くのソフトウェアのセキュリティ脆弱性と同様に、脆弱な暗号化: ユーザー制御による鍵サイズは、それ自体が目的ではなく目標を達成するための手段です。基本的には、この脆弱性は単純なものです。攻撃者は悪意のあるデータをアプリケーションに渡し、暗号化を実行するためにそのデータが鍵サイズ値の全体または一部として使用されます。

ユーザー制御の鍵サイズがある場合の問題は、多様な攻撃が可能になる点です。

1.攻撃者は、この脆弱性を利用して暗号化処理にゼロの鍵サイズを指定し、任意のデータにアクセスできるようにします。各種アルゴリズムを空の鍵とともに使用して独自のデータを復号化し、アプリケーションに使用されている暗号化実装についての情報を漏洩させようとする試みを、難なく行えるようになります。これにより、攻撃者はクラッキング作業の中で特定のアルゴリズムに的を絞ることができ、他のユーザーの暗号化データを容易に復号化できるようになります。
2.攻撃者は、他のユーザーの暗号化鍵サイズを操作するか、または他のユーザーがゼロ (または別の小さい数値) の暗号化鍵サイズを使用するように仕組んで、(使用されている暗号化アルゴリズムの情報を得た上で) 他のユーザーの暗号化されたデータを読み取り可能にできます。

例 1: 次のコードはユーザー制御の導出鍵長を使用して RSA 鍵を生成します。

...
rsa.GenerateKey(random, user_input)
...
Example 1 のコードは正常に実行されますが、変数 user_input はユーザーが制御できるため、この機能を使用できる人は誰でも暗号化アルゴリズムの鍵サイズ パラメーターを操作できるようになります。ソフトウェアがリリースされた後は、ユーザー制御の鍵サイズに関する問題を元に戻すのは非常に困難です。悪意のあるユーザーが所定の暗号化実行の鍵サイズを制御したかどうかを知るのは極めて困難です。
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4.0
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[5] Standards Mapping - CIS Kubernetes Benchmark complete
[6] Standards Mapping - Common Weakness Enumeration CWE ID 326
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[8] Standards Mapping - FIPS200 MP
[9] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-12 Cryptographic Key Establishment and Management (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-12 Cryptographic Key Establishment and Management
[12] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[13] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[14] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[15] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[16] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[17] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[18] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.8.3 Single or Multi Factor One Time Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.3 Algorithms (L2 L3), 6.2.4 Algorithms (L2 L3), 6.2.5 Algorithms (L2 L3), 6.2.6 Algorithms (L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3)
[19] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[20] Standards Mapping - OWASP Mobile 2023 M10 Insufficient Cryptography
[21] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[22] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 3.6.1, Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 3.6.1, Requirement 6.3.1.3, Requirement 6.5.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 3.6.1, Requirement 6.5.3
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 3.6.1, Requirement 6.5.3
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 3.6.1, Requirement 6.5.3
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 3.6.1, Requirement 6.5.3
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 3.6.1, Requirement 6.5.3
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.6.1, Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.2 - Use of Cryptography
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[34] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
desc.dataflow.golang.weak_encryption_user_controlled_key_size
Abstract
鍵サイズ パラメーターを使用する暗号関数には、汚染された鍵サイズ値を渡さないでください。
Explanation
ユーザー制御の値から鍵サイズを判別できる場合、攻撃者が空の鍵を指定できるようになり、その空の鍵で暗号化されたデータは比較的容易に復号化できます。非ゼロ値が必要な場合でも、攻撃者は可能な範囲で最小の値を指定でき、暗号化のセキュリティが損なわれます。

脆弱な暗号化:ユーザー制御による鍵サイズの問題は、次の場合に発生します。

1. 信頼できないソースからデータがプログラムに入り込んだ場合。

2. ユーザー制御のデータは、鍵サイズ パラメーターに部分的に含まれるか、鍵サイズ パラメーター自体として暗号化関数の中で使用されます。

多くのソフトウェアのセキュリティ脆弱性と同様に、脆弱な暗号化:ユーザー制御による鍵サイズは、それ自体が目的ではなく目標を達成するための手段です。基本的には、この脆弱性は単純なものです。攻撃者は悪意のあるデータをアプリケーションに渡し、暗号化の実行中にそのデータが鍵サイズ値の全体または一部として使用されます。

ユーザー制御の鍵サイズがある場合の問題は、多様な攻撃が可能になる点です。

1. 攻撃者は、この脆弱性を利用して暗号化処理にゼロの鍵サイズを指定し、任意のデータにアクセスできるようにします。ここから、各種アルゴリズムを空の鍵とともに使用して独自のデータを復号化し、アプリケーションに使用されている暗号化実装についての情報を漏洩させようとする試みを、難なく行えるようになります。これにより、攻撃者はクラッキング作業の中で特定のアルゴリズムに的を絞ることができ、他のユーザーの暗号化データを容易に復号化できるようになります。
2. 攻撃者は、他のユーザーの暗号化鍵サイズを操作するか、または他のユーザーがゼロの (または可能な限り小さい) 暗号化鍵サイズを使用するように仕組んで、(使用されている暗号化アルゴリズムの情報を得た上で) 他のユーザーの暗号化されたデータを読み取り可能にできます。

例 1: 次のコードは、ユーザー制御の鍵サイズ パラメーターを使用して AES 暗号化を実行します。

...
Properties prop = new Properties();
prop.load(new FileInputStream("config.properties"));
String keySize = prop.getProperty("keySize");
...
PBEKeySpec spec = new PBEKeySpec(
                password.toCharArray(),
                saltBytes,
                pswdIterations,
                Integer.parseInt(keySize)
                );
SecretKey secretKey = factory.generateSecret(spec);
SecretKeySpec secret = new SecretKeySpec(secretKey.getEncoded(), "AES");
...
Example 1 のコードは正常に実行されますが、この機能を使用すれば誰でもプロパティ keySize を変更することで暗号化アルゴリズムの鍵サイズ パラメーターを操作できるようになります。プログラムが頒布された後は、悪意のあるユーザーが所定の暗号化実行の鍵サイズを判別したかどうかを知るのは極めて難しいため、ユーザー制御の鍵サイズに関する問題を元に戻すのは非常に困難です。
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4.0
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[5] Standards Mapping - CIS Kubernetes Benchmark complete
[6] Standards Mapping - Common Weakness Enumeration CWE ID 326
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[8] Standards Mapping - FIPS200 MP
[9] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-12 Cryptographic Key Establishment and Management (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-12 Cryptographic Key Establishment and Management
[12] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[13] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[14] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[15] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[16] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[17] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[18] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.8.3 Single or Multi Factor One Time Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.3 Algorithms (L2 L3), 6.2.4 Algorithms (L2 L3), 6.2.5 Algorithms (L2 L3), 6.2.6 Algorithms (L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3)
[19] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[20] Standards Mapping - OWASP Mobile 2023 M10 Insufficient Cryptography
[21] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[22] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 3.6.1, Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 3.6.1, Requirement 6.3.1.3, Requirement 6.5.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 3.6.1, Requirement 6.5.3
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 3.6.1, Requirement 6.5.3
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 3.6.1, Requirement 6.5.3
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 3.6.1, Requirement 6.5.3
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 3.6.1, Requirement 6.5.3
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.6.1, Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.2 - Use of Cryptography
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[34] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
desc.dataflow.java.weak_encryption_user_controlled_key_size
Abstract
鍵サイズ パラメーターを使用する暗号関数には、汚染された鍵サイズ値を渡さないでください。
Explanation
ユーザー制御の値から鍵サイズを判別できる場合、攻撃者が空の鍵を指定できるようになり、その空の鍵で暗号化されたデータは比較的容易に復号化できます。非ゼロ値が必要な場合でも、攻撃者は可能な範囲で最小の値を指定でき、暗号化のセキュリティが損なわれます。

脆弱な暗号化:ユーザー制御による鍵サイズの問題は、次の場合に発生します。

1. 信頼できないソースからデータがプログラムに入り込んだ場合。

2. ユーザー制御のデータは、鍵サイズ パラメーターに部分的に含まれるか、鍵サイズ パラメーター自体として暗号化関数の中で使用されます。

多くのソフトウェアのセキュリティ脆弱性と同様に、脆弱な暗号化:ユーザー制御による鍵サイズは、それ自体が目的ではなく目標を達成するための手段です。基本的には、この脆弱性は単純なものです。攻撃者は悪意のあるデータをアプリケーションに渡し、暗号化の実行中にそのデータが鍵サイズ値の全体または一部として使用されます。

ユーザー制御の鍵サイズがある場合の問題は、多様な攻撃が可能になる点です。

1. 攻撃者は、この脆弱性を利用して暗号化処理にゼロの鍵サイズを指定し、任意のデータにアクセスできるようにします。ここから、各種アルゴリズムを空の鍵とともに使用して独自のデータを復号化し、アプリケーションに使用されている暗号化実装についての情報を漏洩させようとする試みを、難なく行えるようになります。これにより、攻撃者はクラッキング作業の中で特定のアルゴリズムに的を絞ることができ、他のユーザーの暗号化データを容易に復号化できるようになります。
2. 攻撃者は、他のユーザーの暗号化鍵サイズを操作するか、または他のユーザーがゼロの (または可能な限り小さい) 暗号化鍵サイズを使用するように仕組んで、(使用されている暗号化アルゴリズムの情報を得た上で) 他のユーザーの暗号化されたデータを読み取り可能にできます。

例 1: 次のコードは、ユーザー制御の鍵サイズ パラメーターを使用して AES 暗号化を実行します。

...
@property (strong, nonatomic) IBOutlet UITextField *inputTextField;
...
CCCrypt(kCCEncrypt,
        kCCAlgorithmAES,
        kCCOptionPKCS7Padding,
        key,
        sizeof(_inputTextField.text),
        iv,
        plaintext,
        sizeof(plaintext),
        ciphertext,
        sizeof(ciphertext),
        &numBytesEncrypted);
...
Example 1 のコードは正常に実行されますが、この機能を使用すれば誰でも UITextField inputTextField のテキストを変更することで暗号化アルゴリズムの鍵サイズ パラメーターを操作できるようになります。プログラムが頒布された後は、悪意のあるユーザーが所定の暗号化実行の鍵サイズを判別したかどうかを知るのは極めて難しいため、ユーザー制御の鍵サイズに関する問題を元に戻すのは非常に困難です。
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4.0
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[5] Standards Mapping - CIS Kubernetes Benchmark complete
[6] Standards Mapping - Common Weakness Enumeration CWE ID 326
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[8] Standards Mapping - FIPS200 MP
[9] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-12 Cryptographic Key Establishment and Management (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-12 Cryptographic Key Establishment and Management
[12] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[13] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[14] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[15] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[16] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[17] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[18] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.8.3 Single or Multi Factor One Time Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.3 Algorithms (L2 L3), 6.2.4 Algorithms (L2 L3), 6.2.5 Algorithms (L2 L3), 6.2.6 Algorithms (L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3)
[19] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[20] Standards Mapping - OWASP Mobile 2023 M10 Insufficient Cryptography
[21] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[22] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 3.6.1, Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 3.6.1, Requirement 6.3.1.3, Requirement 6.5.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 3.6.1, Requirement 6.5.3
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 3.6.1, Requirement 6.5.3
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 3.6.1, Requirement 6.5.3
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 3.6.1, Requirement 6.5.3
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 3.6.1, Requirement 6.5.3
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.6.1, Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.2 - Use of Cryptography
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[34] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
desc.dataflow.objc.weak_encryption_user_controlled_key_size
Abstract
鍵サイズ パラメーターを使用する暗号関数には、汚染された鍵サイズ値を渡さないでください。
Explanation
ユーザー制御の値から鍵サイズを判別できる場合、攻撃者が空の鍵を指定できるようになり、その空の鍵で暗号化されたデータは比較的容易に復号化できます。非ゼロ値が必要な場合でも、攻撃者は可能な範囲で最小の値を指定でき、暗号化のセキュリティが損なわれます。

脆弱な暗号化: ユーザー制御による鍵サイズの問題は、次の場合に発生します。

1.信頼できないソースからデータがプログラムに入り込んだ場合。

2.ユーザー制御のデータは、鍵サイズ パラメーターに部分的に含まれるか、鍵サイズ パラメーター自体として暗号化関数の中で使用されます。

多くのソフトウェアのセキュリティ脆弱性と同様に、脆弱な暗号化: ユーザー制御による鍵サイズは、それ自体が目的ではなく目標を達成するための手段です。基本的には、この脆弱性は単純なものです。攻撃者は悪意のあるデータをアプリケーションに渡し、暗号化の実行中にそのデータが鍵サイズ値の全体または一部として使用されます。

ユーザー制御の鍵サイズがある場合の問題は、多様な攻撃が可能になる点です。

1.攻撃者は、この脆弱性を利用して暗号化処理にゼロの鍵サイズを指定し、任意のデータにアクセスできるようにします。ここから、各種アルゴリズムを空の鍵とともに使用して独自のデータを復号化し、アプリケーションに使用されている暗号化実装についての情報を漏洩させようとする試みを、難なく行えるようになります。これにより、攻撃者はクラッキング作業の中で特定のアルゴリズムに的を絞ることができ、他のユーザーの暗号化データを容易に復号化できるようになります。
2.攻撃者は、他のユーザーの暗号化鍵サイズを操作するか、または他のユーザーがゼロの (または可能な限り小さい) 暗号化鍵サイズを使用するように仕組んで、(使用されている暗号化アルゴリズムの情報を得た上で) 他のユーザーの暗号化されたデータを読み取り可能にできます。

例 1: 次のコードはパスワードから鍵を導出しますが、ユーザー制御の導出鍵長を使用します。

...
$hash = hash_pbkdf2('sha256', $password, $random_salt, 100000, strlen($password));
...
Example 1 のコードは正常に実行されますが、変数 user_input はユーザーが制御できるため、この機能を使用できる人は誰でも暗号化アルゴリズムの鍵サイズ パラメーターを操作できるようになります。プログラムが頒布された後は、悪意のあるユーザーが所定の暗号化実行の鍵サイズを判別したかどうかを知るのは極めて難しいため、ユーザー制御の鍵サイズに関する問題を元に戻すのは非常に困難です。
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4.0
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[5] Standards Mapping - CIS Kubernetes Benchmark complete
[6] Standards Mapping - Common Weakness Enumeration CWE ID 326
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[8] Standards Mapping - FIPS200 MP
[9] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-12 Cryptographic Key Establishment and Management (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-12 Cryptographic Key Establishment and Management
[12] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[13] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[14] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[15] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[16] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[17] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[18] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.8.3 Single or Multi Factor One Time Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.3 Algorithms (L2 L3), 6.2.4 Algorithms (L2 L3), 6.2.5 Algorithms (L2 L3), 6.2.6 Algorithms (L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3)
[19] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[20] Standards Mapping - OWASP Mobile 2023 M10 Insufficient Cryptography
[21] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[22] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 3.6.1, Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 3.6.1, Requirement 6.3.1.3, Requirement 6.5.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 3.6.1, Requirement 6.5.3
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 3.6.1, Requirement 6.5.3
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 3.6.1, Requirement 6.5.3
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 3.6.1, Requirement 6.5.3
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 3.6.1, Requirement 6.5.3
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.6.1, Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.2 - Use of Cryptography
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[34] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
desc.dataflow.php.weak_encryption_user_controlled_key_size
Abstract
鍵サイズ パラメーターを使用する暗号関数には、汚染された鍵サイズ値を渡さないでください。
Explanation
ユーザー制御の値から鍵サイズを判別できる場合、攻撃者が空の鍵を指定できるようになり、その空の鍵で暗号化されたデータは比較的容易に復号化できます。非ゼロ値が必要な場合でも、攻撃者は可能な範囲で最小の値を指定でき、暗号化のセキュリティが損なわれます。

脆弱な暗号化:ユーザー制御による鍵サイズの問題は、次の場合に発生します。

1. 信頼できないソースからデータがプログラムに入り込んだ場合。

2. ユーザー制御のデータは、鍵サイズ パラメーターに部分的に含まれるか、鍵サイズ パラメーター自体として暗号化関数の中で使用されます。

多くのソフトウェアのセキュリティ脆弱性と同様に、脆弱な暗号化:ユーザー制御による鍵サイズは、それ自体が目的ではなく目標を達成するための手段です。基本的には、この脆弱性は単純なものです。攻撃者は悪意のあるデータをアプリケーションに渡し、暗号化の実行中にそのデータが鍵サイズ値の全体または一部として使用されます。

ユーザー制御の鍵サイズがある場合の問題は、多様な攻撃が可能になる点です。

1. 攻撃者は、この脆弱性を利用して暗号化処理にゼロの鍵サイズを指定し、任意のデータにアクセスできるようにします。ここから、各種アルゴリズムを空の鍵とともに使用して独自のデータを復号化し、アプリケーションに使用されている暗号化実装についての情報を漏洩させようとする試みを、難なく行えるようになります。これにより、攻撃者はクラッキング作業の中で特定のアルゴリズムに的を絞ることができ、他のユーザーの暗号化データを容易に復号化できるようになります。
2. 攻撃者は、他のユーザーの暗号化鍵サイズを操作するか、または他のユーザーがゼロの (または可能な限り小さい) 暗号化鍵サイズを使用するように仕組んで、(使用されている暗号化アルゴリズムの情報を得た上で) 他のユーザーの暗号化されたデータを読み取り可能にできます。

例 1: 次のコードはパスワードから鍵を導出しますが、ユーザー制御の導出鍵長を使用します。

...
dk = hashlib.pbkdf2_hmac('sha256', password, random_salt, 100000, dklen=user_input)
...
Example 1 のコードは正常に実行されますが、変数 user_input はユーザーが制御できるため、この機能を使用できる人は誰でも暗号化アルゴリズムの鍵サイズ パラメーターを操作できるようになります。プログラムが頒布された後は、悪意のあるユーザーが所定の暗号化実行の鍵サイズを判別したかどうかを知るのは極めて難しいため、ユーザー制御の鍵サイズに関する問題を元に戻すのは非常に困難です。
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4.0
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[5] Standards Mapping - CIS Kubernetes Benchmark complete
[6] Standards Mapping - Common Weakness Enumeration CWE ID 326
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[8] Standards Mapping - FIPS200 MP
[9] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-12 Cryptographic Key Establishment and Management (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-12 Cryptographic Key Establishment and Management
[12] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[13] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[14] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[15] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[16] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[17] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[18] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.8.3 Single or Multi Factor One Time Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.3 Algorithms (L2 L3), 6.2.4 Algorithms (L2 L3), 6.2.5 Algorithms (L2 L3), 6.2.6 Algorithms (L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3)
[19] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[20] Standards Mapping - OWASP Mobile 2023 M10 Insufficient Cryptography
[21] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[22] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 3.6.1, Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 3.6.1, Requirement 6.3.1.3, Requirement 6.5.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 3.6.1, Requirement 6.5.3
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 3.6.1, Requirement 6.5.3
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 3.6.1, Requirement 6.5.3
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 3.6.1, Requirement 6.5.3
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 3.6.1, Requirement 6.5.3
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.6.1, Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.2 - Use of Cryptography
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[34] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
desc.dataflow.python.weak_encryption_user_controlled_key_size
Abstract
鍵サイズ パラメーターを使用する暗号関数には、汚染された鍵サイズ値を渡さないでください。
Explanation
ユーザー制御の値から鍵サイズを判別できる場合、攻撃者が空の鍵を指定できるようになり、その空の鍵で暗号化されたデータは比較的容易に復号化できます。非ゼロ値が必要な場合でも、攻撃者は可能な範囲で最小の値を指定でき、暗号化のセキュリティが損なわれます。

脆弱な暗号化:ユーザー制御による鍵サイズの問題は、次の場合に発生します。

1. 信頼できないソースからデータがプログラムに入り込んだ場合。

2. ユーザー制御のデータは、鍵サイズ パラメーターに部分的に含まれるか、鍵サイズ パラメーター自体として暗号化関数の中で使用されます。

多くのソフトウェアのセキュリティ脆弱性と同様に、脆弱な暗号化:ユーザー制御による鍵サイズは、それ自体が目的ではなく目標を達成するための手段です。基本的には、この脆弱性は単純なものです。攻撃者は悪意のあるデータをアプリケーションに渡し、暗号化の実行中にそのデータが鍵サイズ値の全体または一部として使用されます。

ユーザー制御の鍵サイズがある場合の問題は、多様な攻撃が可能になる点です。

1. 攻撃者は、この脆弱性を利用して暗号化処理にゼロの鍵サイズを指定し、任意のデータにアクセスできるようにします。ここから、各種アルゴリズムを空の鍵とともに使用して独自のデータを復号化し、アプリケーションに使用されている暗号化実装についての情報を漏洩させようとする試みを、難なく行えるようになります。これにより、攻撃者はクラッキング作業の中で特定のアルゴリズムに的を絞ることができ、他のユーザーの暗号化データを容易に復号化できるようになります。
2. 攻撃者は、他のユーザーの暗号化鍵サイズを操作するか、または他のユーザーがゼロの (または可能な限り小さい) 暗号化鍵サイズを使用するように仕組んで、(使用されている暗号化アルゴリズムの情報を得た上で) 他のユーザーの暗号化されたデータを読み取り可能にできます。

例 1: 次のコードはパスワードから鍵を導出しますが、ユーザー制御の導出鍵長を使用します。

...
dk = OpenSSL::PKCS5.pbkdf2_hmac(password, random_salt, 100000, user_input, digest)
...
Example 1 のコードは正常に実行されますが、変数 user_input はユーザーが制御できるため、この機能を使用できる人は誰でも暗号化アルゴリズムの鍵サイズ パラメーターを操作できるようになります。プログラムが頒布された後は、悪意のあるユーザーが所定の暗号化実行の鍵サイズを判別したかどうかを知るのは極めて難しいため、ユーザー制御の鍵サイズに関する問題を元に戻すのは非常に困難です。
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4.0
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[5] Standards Mapping - CIS Kubernetes Benchmark complete
[6] Standards Mapping - Common Weakness Enumeration CWE ID 326
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[8] Standards Mapping - FIPS200 MP
[9] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-12 Cryptographic Key Establishment and Management (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-12 Cryptographic Key Establishment and Management
[12] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[13] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[14] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[15] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[16] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[17] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[18] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.8.3 Single or Multi Factor One Time Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.3 Algorithms (L2 L3), 6.2.4 Algorithms (L2 L3), 6.2.5 Algorithms (L2 L3), 6.2.6 Algorithms (L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3)
[19] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[20] Standards Mapping - OWASP Mobile 2023 M10 Insufficient Cryptography
[21] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[22] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 3.6.1, Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 3.6.1, Requirement 6.3.1.3, Requirement 6.5.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 3.6.1, Requirement 6.5.3
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 3.6.1, Requirement 6.5.3
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 3.6.1, Requirement 6.5.3
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 3.6.1, Requirement 6.5.3
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 3.6.1, Requirement 6.5.3
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.6.1, Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.2 - Use of Cryptography
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[34] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
desc.dataflow.ruby.weak_encryption_user_controlled_key_size
Abstract
鍵サイズ パラメーターを使用する暗号関数には、汚染された鍵サイズ値を渡さないでください。
Explanation
ユーザー制御の値から鍵サイズを判別できる場合、攻撃者が空の鍵を指定できるようになり、その空の鍵で暗号化されたデータは比較的容易に復号化できます。非ゼロ値が必要な場合でも、攻撃者は可能な範囲で最小の値を指定でき、暗号化のセキュリティが損なわれます。

Weak Encryption: User-Controlled Key Size の問題は、次の場合に発生します。

1. 信頼できないソースからデータがプログラムに入り込んだ場合。

2. ユーザー制御のデータは、鍵サイズ パラメーターに部分的に含まれるか、鍵サイズ パラメーター自体として暗号化関数の中で使用されます。

多くのソフトウェア セキュリティの脆弱性と同様、Weak Encryption: User-Controlled Key Size は目的を達成するための手段であって、目的そのものではありません。基本的には、この脆弱性は単純なものです。攻撃者は悪意のあるデータをアプリケーションに渡し、暗号化の実行中にそのデータが鍵サイズ値の全体または一部として使用されます。

ユーザー制御の鍵サイズがある場合の問題は、多様な攻撃が可能になる点です。

1. 攻撃者は、この脆弱性を利用して暗号化処理にゼロの鍵サイズを指定し、任意のデータにアクセスできるようにします。ここから、各種アルゴリズムを空の鍵とともに使用して独自のデータを復号化し、アプリケーションに使用されている暗号化実装についての情報を漏洩させようとする試みを、難なく行えるようになります。これにより、攻撃者はクラッキング作業の中で特定のアルゴリズムに的を絞ることができ、他のユーザーの暗号化データを容易に復号化できるようになります。
2. 攻撃者は、他のユーザーの暗号化鍵サイズを操作するか、または他のユーザーがゼロの (または可能な限り小さい) 暗号化鍵サイズを使用するように仕組んで、(使用されている暗号化アルゴリズムの情報を得た上で) 他のユーザーの暗号化されたデータを読み取り可能にできます。

例 1: 次のコードは、ユーザー制御の鍵サイズ パラメーターを使用して AES 暗号化を実行します。

...
@IBOutlet weak var inputTextField : UITextField!
...
let key = (inputTextField.text as NSString).dataUsingEncoding(NSUTF8StringEncoding)
let keyPointer = UnsafePointer<UInt8>(key.bytes)
let keyLength = size_t(key.length)
...
let operation : CCOperation = UInt32(kCCEncrypt)
let algoritm : CCAlgorithm = UInt32(kCCAlgorithmAES128)
let options : CCOptions = UInt32(kCCOptionPKCS7Padding)
var numBytesEncrypted :size_t = 0
CCCrypt(operation,
        algorithm,
        options,
        keyPointer,
        keyLength,
        iv,
        plaintextPointer,
        plaintextLength,
        ciphertextPointer,
        ciphertextLength,
        &numBytesEncrypted)
...
Example 1 のコードは正常に実行されますが、この機能を使用すれば誰でも UITextField inputTextField のテキストを変更することで暗号化アルゴリズムの鍵サイズ パラメーターを操作できるようになります。プログラムが頒布された後は、悪意のあるユーザーが所定の暗号化実行の鍵サイズを判別したかどうかを知るのは極めて難しいため、ユーザー制御の鍵サイズに関する問題を元に戻すのは非常に困難です。
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4.0
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[5] Standards Mapping - CIS Kubernetes Benchmark complete
[6] Standards Mapping - Common Weakness Enumeration CWE ID 326
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[8] Standards Mapping - FIPS200 MP
[9] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-12 Cryptographic Key Establishment and Management (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-12 Cryptographic Key Establishment and Management
[12] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[13] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[14] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[15] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[16] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[17] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[18] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.8.3 Single or Multi Factor One Time Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.3 Algorithms (L2 L3), 6.2.4 Algorithms (L2 L3), 6.2.5 Algorithms (L2 L3), 6.2.6 Algorithms (L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3)
[19] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[20] Standards Mapping - OWASP Mobile 2023 M10 Insufficient Cryptography
[21] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[22] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 3.6.1, Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 3.6.1, Requirement 6.3.1.3, Requirement 6.5.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 3.6.1, Requirement 6.5.3
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 3.6.1, Requirement 6.5.3
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 3.6.1, Requirement 6.5.3
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 3.6.1, Requirement 6.5.3
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 3.6.1, Requirement 6.5.3
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.6.1, Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.2 - Use of Cryptography
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[34] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
desc.dataflow.swift.weak_encryption_user_controlled_key_size

Weak SecurityManager Check: Overridable Method

Abstract
セキュリティチェックを実行する最終ではない (final ではない) メソッドは、上書きされる可能性があるため、セキュリティチェックが省略される可能性があります。
Explanation
メソッドが子クラスにより上書きされる場合、子クラスは親クラスでセキュリティチェックを省略する場合があります。
例 1: 次のコード doSecurityCheck() は、セキュリティチェックを実行しますが、子クラスにより上書きされる可能性があります。

public class BadSecurityCheck {
    private int id;

    public BadSecurityCheck() {
        doSecurityCheck();
        id = 1;
    }
    protected void doSecurityCheck() {
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            sm.checkPermission(new SomePermission("SomeAction"));
        }
    }
}


この例では、SecurityManager 権限が付与されていない場合、SecurityException 例外がスローされます。これはランタイム例外で、プログラムの実行は停止されます。BadSecurityCheckfinal でなく、doSecurityCheck() メソッドは protectedfinal でないため、このクラスをサブクラス化して関数をオーバーライドすることができます。

例 2: 次のコードでは、サブクラスによって doSecurityCheck() がオーバーライドされています。 


public class EvilSubclass extends BadSecurityCheck {
    private int id;

    public EvilSubclass() {
        super();
    }
    protected void doSecurityCheck() {
        //do nothing
    }
}
EvilSubclass をインスタンス化すると、最初にコンストラクタが super() でスーパークラスのコンストラクタを呼び出します。その結果、関数 doSecurityCheck() が呼ばれますが、Java は最初にサブクラス内の関数を探してからスーパークラスを探すため、セキュリティ チェックを回避する攻撃者のメソッドが呼び出され、id1 に設定されます。
References
[1] M. S. Ware, "Writing secure Java code: taxonomy of heuristics and an evaluation of static analysis tools," M.S. Thesis, James Madison University, 2008.
[2] MET03-J. Methods that perform a security check must be declared private or final CERT
[3] EXTEND-5: Limit the extensibility of classes and methods Oracle
[4] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1.0
[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[8] Standards Mapping - Common Weakness Enumeration CWE ID 358
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001764, CCI-001774, CCI-002165
[10] Standards Mapping - FIPS200 MP
[11] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement
[14] Standards Mapping - OWASP Top 10 2013 A7 Missing Function Level Access Control
[15] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[16] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[17] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[18] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[27] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
desc.structural.java.weak_securitymanager_check_overridable_method

Weak WS-SecurityPolicy: Insecure Transport

Abstract
アプリケーション設定では、すべての機密情報が HTTPS を使用して転送されるようにする必要があります。
Explanation
アプリケーションが機密情報を処理し、メッセージレベルの暗号化を使用しない場合は、暗号化されたトランスポート チャネルを介した通信のみを許可する必要があります。

例 1: 次のトランスポート バインディングは、HTTPS ではなく HTTP を使用します。

<sp:TransportBinding>
  <wsp:Policy>
    <sp:TransportToken>
      <wsp:Policy>
        <sp:HttpToken/>
       </wsp:Policy>
    </sp:TransportToken>
    ...
</sp:TransportBinding>
References
[1] SALT WSSP 1.2 Policy File Example Oracle
[2] WS-SecurityPolicy 1.2 OASIS
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.5
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[7] Standards Mapping - CIS Kubernetes Benchmark complete
[8] Standards Mapping - Common Weakness Enumeration CWE ID 254
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000068, CCI-001453, CCI-002418, CCI-002420, CCI-002421, CCI-002422, CCI-002890, CCI-003123
[10] Standards Mapping - FIPS200 CM, SC
[11] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-8 Transmission Confidentiality and Integrity (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-8 Transmission Confidentiality and Integrity
[14] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[15] Standards Mapping - OWASP Top 10 2007 A9 Insecure Communications
[16] Standards Mapping - OWASP Top 10 2010 A9 Insufficient Transport Layer Protection
[17] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[18] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[19] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[20] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[21] Standards Mapping - OWASP Mobile 2014 M3 Insufficient Transport Layer Protection
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 4.1, Requirement 6.5.10
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 4.1, Requirement 6.3.1.4, Requirement 6.5.9
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 4.1, Requirement 6.5.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 4.1, Requirement 6.5.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 4.1, Requirement 6.5.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 4.1, Requirement 6.5.4
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective C.4.1 - Web Software Communications
[33] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 319
[34] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 311
[35] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260.1 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[57] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Transport Layer Protection (WASC-04)
[58] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authentication
desc.config.webservices.weak_ws-securitypolicy_insecure_transport