CWE-1394: Use of Default Cryptographic Key

Learn about CWE-1394 (Use of Default Cryptographic Key), its security impact, exploitation methods, and prevention guidelines.

What is Use of Default Cryptographic Key?

• Overview: Use of Default Cryptographic Key occurs when a software product relies on a pre-set cryptographic key for critical operations. This is often intended to ease setup but can pose a security risk if not changed.

• Exploitation Methods:

  • Attackers can exploit this vulnerability by using known default keys to decrypt sensitive data or impersonate legitimate users.
  • Common attack patterns include scanning for systems using default keys and executing automated tools to gain unauthorized access.

• Security Impact:

  • Direct consequences include unauthorized access to sensitive information and the ability to perform actions as a legitimate user.
  • Potential cascading effects involve spreading attacks to other systems and data breaches affecting multiple organizations.
  • Business impact can include financial losses, reputational damage, and regulatory penalties.

• Prevention Guidelines:

  • Specific code-level fixes include prompting or requiring users to change default keys upon setup.
  • Security best practices involve using unique cryptographic keys for each deployment and regularly rotating keys.
  • Recommended tools and frameworks include key management systems and automated security scanning tools to detect default keys.


Technical Details

Likelihood of Exploit: Not specified

Affected Languages: Not Language-Specific

Affected Technologies: Not Technology-Specific

Vulnerable Code Example

// This code uses a default cryptographic key, which is a serious vulnerability.
// If an attacker gains access to this key, they can decrypt sensitive data.

const crypto = require('crypto');
// Default cryptographic key, identical in every deployment (32 bytes, as AES-256 requires)
const key = Buffer.from('default-key-12345678901234567890');

function encrypt(text) {
    const iv = crypto.randomBytes(16); // fresh random IV for each message
    const cipher = crypto.createCipheriv('aes-256-cbc', key, iv);
    let encrypted = cipher.update(text, 'utf8', 'hex');
    encrypted += cipher.final('hex');
    return iv.toString('hex') + ':' + encrypted; // the IV is not secret; keep it with the ciphertext
}

// Usage
const sensitiveData = "Secret Information";
console.log("Encrypted:", encrypt(sensitiveData));

How to fix Use of Default Cryptographic Key?

To fix the use of a default cryptographic key, you should:

  1. Generate a unique key for each user or session: Avoid hardcoding cryptographic keys in your code. Generate them dynamically and store them securely.
  2. Use a secure key management system: Store keys in a secure vault or use environment variables to manage keys safely.
  3. Rotate keys regularly: Implement key rotation policies to minimize the impact of key compromise.

Fixed Code Example

// In this fixed version, the key is retrieved from a secure store (or generated for the session)
// instead of being hardcoded. This eliminates the risk of using a default key.

const crypto = require('crypto');

// Load the key once so every call in this process encrypts under the same key.
const key = getKeyFromSecureVault();

function encrypt(text) {
    const iv = crypto.randomBytes(16); // Initialization vector: fresh and random for each message
    const cipher = crypto.createCipheriv('aes-256-cbc', key, iv);
    let encrypted = cipher.update(text, 'utf8', 'hex');
    encrypted += cipher.final('hex');
    return iv.toString('hex') + ':' + encrypted; // the IV is not secret; keep it with the ciphertext
}

// Example of using a secure key management system
function getKeyFromSecureVault() {
    // This is a placeholder function. In production, use a secure vault or environment variables.
    // Ensure the key is securely generated and stored.
    if (process.env.CRYPTO_KEY) {
        const envKey = Buffer.from(process.env.CRYPTO_KEY, 'hex');
        if (envKey.length !== 32) {
            throw new Error('CRYPTO_KEY must be 32 bytes (64 hex characters)');
        }
        return envKey;
    }
    // No key configured: fall back to a random key that lives only in this process.
    return crypto.randomBytes(32);
}

// Usage
const sensitiveData = "Secret Information";
console.log("Encrypted:", encrypt(sensitiveData));

In the fixed code example, the getKeyFromSecureVault function is used to retrieve a cryptographic key, which should ideally be stored securely in a vault or as an environment variable. The crypto.randomBytes(32) function is used to generate a secure random key if no key is available in the environment, ensuring each session or user has a unique key. A key generated this way exists only in memory, so anything encrypted under it cannot be decrypted once the process exits; data that must be read back later needs a key held in the vault or environment. This approach adheres to best practices for cryptographic key management, significantly reducing the risk of key compromise.
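The following is an added example, not part of the original page or Corgea's code. It combines two of the guidelines above: refusing to start when a configured key is a known default, and tagging each ciphertext with a key ID so keys can be rotated without losing old data. The `id:hex` key-ring format, the denylist contents and the function names are assumptions for illustration, and it uses AES-256-GCM instead of the page's AES-256-CBC so that tampering is detected.

```javascript
const crypto = require('crypto');

// Constructed denylist of keys that must never reach production: a sample
// shipped default and the all-zero key. Add any key your product ships with.
const DENYLIST = new Set([
    Buffer.from('default-key-12345678901234567890').toString('hex'),
    '00'.repeat(32),
]);

// Parse "id:hex,id:hex" (hypothetical format) and fail closed on weak keys.
function loadKeyRing(spec, activeId) {
    const keys = new Map();
    for (const entry of String(spec || '').split(',').filter(Boolean)) {
        const [id, hex] = entry.trim().split(':');
        if (!/^[0-9a-f]{64}$/i.test(hex || '')) {
            throw new Error(`key ${id}: expected 32 bytes as 64 hex characters`);
        }
        if (DENYLIST.has(hex.toLowerCase())) {
            throw new Error(`key ${id}: known default key, refusing to start`);
        }
        keys.set(id, Buffer.from(hex, 'hex'));
    }
    if (!keys.has(activeId)) throw new Error('active key id not in key ring');
    return { keys, activeId };
}

// Encrypt under the active key; the token records which key was used.
function encrypt(ring, text) {
    const iv = crypto.randomBytes(12); // fresh nonce per message
    const cipher = crypto.createCipheriv('aes-256-gcm', ring.keys.get(ring.activeId), iv);
    const ct = Buffer.concat([cipher.update(text, 'utf8'), cipher.final()]);
    return [ring.activeId, iv.toString('hex'), ct.toString('hex'),
            cipher.getAuthTag().toString('hex')].join('.');
}

// Decrypt with whichever key the token names, so old data survives rotation.
function decrypt(ring, token) {
    const [id, iv, ct, tag] = token.split('.');
    const key = ring.keys.get(id);
    if (!key) throw new Error(`unknown key id ${id}`);
    const decipher = crypto.createDecipheriv('aes-256-gcm', key, Buffer.from(iv, 'hex'));
    decipher.setAuthTag(Buffer.from(tag, 'hex'));
    return Buffer.concat([decipher.update(Buffer.from(ct, 'hex')), decipher.final()]).toString('utf8');
}
```

To rotate, add the new key to the ring and switch the active ID; retire an old key only after everything encrypted under it has been re-encrypted.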
