Kingdom: Security Features
Software security is not security software. Here we're concerned with topics like authentication, access control, confidentiality, cryptography, and privilege management.
Insecure Transport: Missing Perfect Forward Secrecy
Abstract
The target application does not support a cipher suite that implements Perfect Forward Secrecy (PFS).
Explanation
Perfect Forward Secrecy (PFS) preserves the secrecy of previous encrypted communications between two parties over a secure communication channel, even if the private key necessary to decrypt communications for a given session is compromised. It is implemented via a function of key exchange protocols used to establish a shared secret between the client and server. [1] In public key encryption schemes without PFS, as message decryption operations are performed using a static long-term private key, if that private key is compromised at a given point in time, all previous communications can be decrypted. Vulnerabilities such as "Heartbleed" (CVE-2014-0160) [5] in the OpenSSL library [6] that can allow an attacker to steal a server's static long-term private key demonstrate the danger in using cipher suites that do not implement PFS.
PFS mitigates this issue by only using a static long-term private key for authentication, while random short-term private keys are used for session data encryption. PFS is commonly implemented using a Diffie-Hellman key exchange in ephemeral-static mode (DHE) or an Elliptic Curve Diffie-Hellman key exchange scheme with ephemeral keys (ECDHE). [2, 3, 4] For every TLS session established with DHE or ECDHE as the key exchange algorithm for a given cipher suite, the server is required to use a new Diffie-Hellman public/private key for the generation of the TLS master secret. [7] The server then signs this Diffie-Hellman public key using its static long-term private key to guarantee its authenticity. The server's static long-term private key is not used for the encryption of session data.
While a stolen ephemeral private key can enable an attacker to decipher some encrypted communications, the scope of the compromise is limited to the specific session for which the ephemeral key is associated. As such, do not log ephemeral keys.
PFS mitigates this issue by only using a static long-term private key for authentication, while random short-term private keys are used for session data encryption. PFS is commonly implemented using a Diffie-Hellman key exchange in ephemeral-static mode (DHE) or an Elliptic Curve Diffie-Hellman key exchange scheme with ephemeral keys (ECDHE). [2, 3, 4] For every TLS session established with DHE or ECDHE as the key exchange algorithm for a given cipher suite, the server is required to use a new Diffie-Hellman public/private key for the generation of the TLS master secret. [7] The server then signs this Diffie-Hellman public key using its static long-term private key to guarantee its authenticity. The server's static long-term private key is not used for the encryption of session data.
While a stolen ephemeral private key can enable an attacker to decipher some encrypted communications, the scope of the compromise is limited to the specific session for which the ephemeral key is associated. As such, do not log ephemeral keys.
References
[1] Dierks, T. and Rescorla, E. The Transport Layer Security (TLS) Protocol Version 1.2 Network Working Group]
[2] Rescorla, E. Diffie-Hellman Key Agreement Method Network Working Group]
[3] Blake-Wilson, S., Bolyard, N., Gupta, V., Hawk, C., and Moeller, B. Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS) Network Working Group]
[4] CVE-2014-0160 Mitre]
[5] OpenSSL: Cryptography and SSL/TLS Toolkit OpenSSL Software Foundation]
[6] Diffie-Hellman key exchange Wikipedia]
[7] Apache Module mod_ssl Apache Software Foundation]
[8] Module ngx_http_ssl_module NGINX Inc.]
[9] Cipher Suites in Schannel Microsoft]
[10] How to restrict the use of certain cryptographic algorithms and protocols in Schannel.dll Microsoft]
[11] Standards Mapping - Common Weakness Enumeration CWE ID 326
[12] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000068, CCI-001453, CCI-002418, CCI-002420, CCI-002421, CCI-002422, CCI-002890, CCI-003123
[13] Standards Mapping - FIPS200 CM, SC
[14] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[15] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-17 Remote Access (P1), MA-4 Nonlocal Maintenance (P2), SC-8 Transmission Confidentiality and Integrity (P1)
[16] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-17 Remote Access, MA-4 Nonlocal Maintenance, SC-8 Transmission Confidentiality and Integrity
[17] Standards Mapping - OWASP API 2023 API10 Unsafe Consumption of APIs
[18] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.8.3 Single or Multi Factor One Time Verifier Requirements (L2 L3), 6.2.3 Algorithms (L2 L3), 6.2.4 Algorithms (L2 L3), 6.2.5 Algorithms (L2 L3), 6.2.6 Algorithms (L2 L3), 6.2.7 Algorithms (L3), 6.2.1 Algorithms (L1 L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3)
[19] Standards Mapping - OWASP Mobile 2014 M3 Insufficient Transport Layer Protection
[20] Standards Mapping - OWASP Mobile 2024 M5 Insecure Communication
[21] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[22] Standards Mapping - OWASP Top 10 2007 A9 Insecure Communications
[23] Standards Mapping - OWASP Top 10 2010 A9 Insufficient Transport Layer Protection
[24] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[25] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[26] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 4.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 4.1, Requirement 6.3.1.4, Requirement 6.5.9
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 4.1, Requirement 6.5.4
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 4.1, Requirement 6.5.4
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 4.1, Requirement 6.5.4
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 4.1, Requirement 6.5.4
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7.1 - Use of Cryptography
[36] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7.1 - Use of Cryptography
[37] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7.1 - Use of Cryptography, Control Objective C.4.1 - Web Software Communications
[38] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 327
[39] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3250.1 CAT I, APP3260.1 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3250.1 CAT I, APP3260 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3250.1 CAT I, APP3260 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3250.1 CAT I, APP3260 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3250.1 CAT I, APP3260 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3250.1 CAT I, APP3260 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3250.1 CAT I, APP3260 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[59] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[60] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[61] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Transport Layer Protection (WASC-04)
[62] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.dynamic.xtended_preview.insecure_transport_missing_perfect_forward_secrecy