Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

New Risk - Cryptographic Keys Access Not Restricted [crypto-key-access-not-restricted] #2582

Open
4 tasks
cpholguera opened this issue Mar 1, 2024 · 0 comments
Open
4 tasks

New Risk - Cryptographic Keys Access Not Restricted [crypto-key-access-not-restricted] #2582

cpholguera opened this issue Mar 1, 2024 · 0 comments
Labels
MASTG Refactor MASVS-CRYPTO
Milestone
MAS Risks and Tes...

Comments

@cpholguera
Copy link
Collaborator

Description

Create a new risk for "Cryptographic Keys Access Not Restricted (MASVS-CRYPTO-2)" using the following information:

Ensuring that cryptographic keys are accessible only under strict conditions, such as when the device is unlocked by an authenticated user, within secure application contexts, or for limited periods of time, is critical to maintaining the confidentiality and integrity of encrypted data.

Create "risks/MASVS-CRYPTO/2-***-****/crypto-key-access-not-restricted/risk.md" including the following content:

---
title: Cryptographic Keys Access Not Restricted
alias: crypto-key-access-not-restricted
platform: [android, ios]
profiles: [L2]
mappings:
  masvs-v2: [MASVS-CRYPTO-2, MASVS-AUTH-2, MASVS-AUTH-3]
  mastg-v1: []

---

## Overview

## Impact

## Modes of Introduction

## Mitigations

To complete the sections follow the guidelines from Writing MASTG Risks & Tests

Use at least the following references:

When creating the corresponding tests, use the following areas to guide you:

  • from a Background Process
  • locked device (iOS kSecAttrAccessibleWhenUnlockedThisDeviceOnly, Android setUnlockedDeviceRequired)
  • time-based access (duration)
  • Require User Presence
  • application-specific password
  • biometric authentication
  • key use restricted e.g. requiring user auth with biometrics, User Presence.
  • especially for sensitive operations
  • keys restricted/authorized for a duration of time or specific crypto operation, etc.

MASTG v1 Refactoring:

If the risk has a MASVS v1 ID, you can use it to search for related tests in the MASTG and use them as input to define your risks and associated tests.

Acceptance Criteria

  • The risk has been created in the correct directory (risks/MASVS-CRYPTO/2-***-****/crypto-key-access-not-restricted/risk.md)
  • The risk content follows the guidelines
  • At least one GitHub Issue has been created for the corresponding tests (derived from "Modes of Introduction")
  • The risk indicates the related MASTG v1 tests in its metadata.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
MASTG Refactor MASVS-CRYPTO
Projects
None yet
Milestone
MAS Risks and Tests - MASVS-CRYPTO
Development

No branches or pull requests
1 participant
@cpholguera