...
| Code Block | ||||
|---|---|---|---|---|
| ||||
int validate(char *username) {
char *password;
char *checksum;
password = read_password();
checksum = compute_checksum(password);
erase(password); /* securelySecurely erase password */
return !strcmp(checksum, get_stored_checksum(username));
}
|
...
- If encrypting or hashing sensitive data, do not implement your own encryption functions (or library). Use proven secure crypto libraries, which have been extensively tested for security.
- If using standard crypto libraries, be aware that there are they have certain requirements (documented with the library) for the key sizes and other properties. Choose keys satisfying that satisfy these conditions.
- Do not store the encryption keys (you can derive the key from the hash of the user's password or any other cryptographic mechanism, provided the above condition holds). If the key is to be stored, store it securely.
...
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
...
...
...
...
| 311, |
...
| Missing encryption of sensitive data CWE-326, |
...
| Inadequate encryption strength |
...
...
...
...
| 798, |
...
| Use of hard-coded credentials |
Bibliography
...