You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Create a new risk for "Insecure or Wrong Usage of Cryptographic Key (MASVS-CRYPTO-2)" using the following information:
According to NIST SP 800-57 Part 1 Revision 5, Section 5.2 on Key Usage, it is recommended that a single key be dedicated to a single purpose, such as encryption, integrity authentication, key wrapping, random bit generation, or digital signatures. This recommendation is based on a number of considerations:
Using the same key for different cryptographic processes can compromise the security of those processes.
The potential damage from a compromised key is minimized if its use is limited.
Different uses of keys can conflict, reducing their effectiveness. For example, a key used for both key transport and digital signatures may have conflicting retention and destruction requirements due to their different cryptoperiods.
However, NIST also recognizes exceptions where a single process using a key can effectively perform multiple roles, such as a digital signature that provides both integrity and source authentication, or a symmetric key used for authenticated encryption that simultaneously encrypts and authenticates data. This approach emphasizes security efficiency without compromising the integrity of the key and the data it protects.
Create "risks/MASVS-CRYPTO/2-***-****/insecure-key-usage/risk.md" including the following content:
---
title: Insecure or Wrong Usage of Cryptographic Keyalias: insecure-key-usageplatform: [android, ios]profiles: [L2]mappings:
masvs-v1: [MSTG-CRYPTO-5]masvs-v2: [MASVS-CRYPTO-2]mastg-v1: [MASTG-TEST-0062, MASTG-TEST-0015]
---
## Overview## Impact## Modes of Introduction## Mitigations
When creating the corresponding tests, use the following areas to guide you:
authorized key algorithm
key reuse for different purposes or operations (encrypt, decrypt, sign,...)
MASTG v1 Refactoring:
If the risk has a MASVS v1 ID, you can use it to search for related tests in the MASTG and use them as input to define your risks and associated tests.
Description
Create a new risk for "Insecure or Wrong Usage of Cryptographic Key (MASVS-CRYPTO-2)" using the following information:
According to NIST SP 800-57 Part 1 Revision 5, Section 5.2 on Key Usage, it is recommended that a single key be dedicated to a single purpose, such as encryption, integrity authentication, key wrapping, random bit generation, or digital signatures. This recommendation is based on a number of considerations:
However, NIST also recognizes exceptions where a single process using a key can effectively perform multiple roles, such as a digital signature that provides both integrity and source authentication, or a symmetric key used for authenticated encryption that simultaneously encrypts and authenticates data. This approach emphasizes security efficiency without compromising the integrity of the key and the data it protects.
Create "
risks/MASVS-CRYPTO/2-***-****/insecure-key-usage/risk.md
" including the following content:To complete the sections follow the guidelines from Writing MASTG Risks & Tests
Use at least the following references:
When creating the corresponding tests, use the following areas to guide you:
MASTG v1 Refactoring:
If the risk has a MASVS v1 ID, you can use it to search for related tests in the MASTG and use them as input to define your risks and associated tests.
Acceptance Criteria
risks/MASVS-CRYPTO/2-***-****/insecure-key-usage/risk.md
)The text was updated successfully, but these errors were encountered: