Vulnerability

Encryption keys should not be hardcoded

Description

The PowerBuilder code rule "Encryption keys should not be hardcoded" states that any encryption keys used in PowerBuilder code should not be stored as plain text in the code. Instead, the encryption keys should be stored in a secure location outside of the code and referenced from there. This ensures that the encryption keys are kept secure and not exposed to potential attackers who may be able to access the code. It also makes it easier to manage the keys in the event that they need to be changed or updated.

Key Benefits

  • Security: Encryption keys that are hardcoded can be easily accessed, making data vulnerable to theft.
  • Integrity: Keeping encryption keys in a secure location ensures that only authorized users can access the data.
  • Reliability: Encryption keys that are hardcoded cannot be changed or replaced without modifying and redeploying the code, making the system less reliable.


Non-compliant Code Example

Blob lb_data
Blob lb_key
Blob lb_iv
Blob lb_encrypt
Blob lb_decrypt

lb_data = Blob("Test AES", EncodingANSI!)
lb_key = Blob("Test Key12345678", EncodingANSI!) //Non compliant code (Encryption key is hardcoded)
lb_iv = Blob("Test IV 12345678", EncodingANSI!) //Non compliant code (Initialization vector is hardcoded)

CrypterObject lnv_CrypterObject
lnv_CrypterObject = Create CrypterObject

//Non compliant code (SymmetricEncrypt uses the hardcoded encryption key and initialization vector)
lb_encrypt = lnv_CrypterObject.SymmetricEncrypt(AES!, lb_data, lb_key, &
    OperationModeCBC!, lb_iv, PKCSPadding!)

//Non compliant code (SymmetricDecrypt uses the encryption key and initialization vector as inline literals)
lb_decrypt = lnv_CrypterObject.SymmetricDecrypt(AES!, lb_encrypt, Blob("Test Key12345678", EncodingANSI!), &
    OperationModeCBC!, Blob("Test IV 12345678", EncodingANSI!), PKCSPadding!)

Blob lb_data
Blob lb_privKey
Blob lb_pubKey
Blob lb_encrypt
Blob lb_decrypt
Blob lb_signature
Integer li_isPass

lb_data = Blob("Test Rsa", EncodingANSI!)
lb_pubKey = Blob("Test Key12345678", EncodingANSI!) //Non compliant code (Encryption key is hardcoded)
lb_privKey = Blob("Test Key44345678", EncodingANSI!) //Non compliant code (Encryption key is hardcoded)

CrypterObject lnv_CrypterObject
lnv_CrypterObject = Create CrypterObject

//Non compliant code (AsymmetricEncrypt used hardcoded key)
lb_encrypt = lnv_CrypterObject.AsymmetricEncrypt(RSA!, lb_data, lb_pubKey)

//Non compliant code (AsymmetricDecrypt used hardcoded key)
lb_decrypt = lnv_CrypterObject.AsymmetricDecrypt(RSA!, lb_encrypt, lb_privKey)

//Non compliant code (AsymmetricSign used hardcoded key)
lb_signature = lnv_CrypterObject.AsymmetricSign(RSA!, lb_data, lb_privKey)

//Non compliant code (AsymmetricVerifySign used hardcoded key; the signature produced above is verified here)
li_isPass = lnv_CrypterObject.AsymmetricVerifySign(RSA!, lb_data, lb_pubKey, lb_signature)

Compliant Code Example

//Compliant code (the key and IV are supplied by the caller, which loads them from a secure location outside the code)
function string VEEncryption (Blob lb_key, Blob lb_iv)
Blob lb_data
Blob lb_encrypt
Blob lb_decrypt

lb_data = Blob("Test AES", EncodingANSI!)

CrypterObject lnv_CrypterObject
lnv_CrypterObject = Create CrypterObject

//Compliant code
lb_encrypt = lnv_CrypterObject.SymmetricEncrypt(AES!, lb_data, lb_key, &
    OperationModeCBC!, lb_iv, PKCSPadding!)

//Compliant code
lb_decrypt = lnv_CrypterObject.SymmetricDecrypt(AES!, lb_encrypt, lb_key, &
    OperationModeCBC!, lb_iv, PKCSPadding!)

Return ""
end function

Blob lb_data
Blob lb_privKey
Blob lb_pubKey
Blob lb_encrypt
Blob lb_decrypt
Blob lb_signature
Integer li_isPass

lb_data = Blob("Test Rsa", EncodingANSI!)

CrypterObject lnv_CrypterObject
lnv_CrypterObject = Create CrypterObject

//Compliant code (the key pair is generated at run time instead of being embedded in the source;
//1024 bits is shown here, but 2048 bits or more is the recommended minimum for RSA today)
lnv_CrypterObject.AsymmetricGenerateKey(RSA!, 1024, lb_privKey, lb_pubKey)

//Compliant code
lb_encrypt = lnv_CrypterObject.AsymmetricEncrypt(RSA!, lb_data, lb_pubKey)

//Compliant code
lb_decrypt = lnv_CrypterObject.AsymmetricDecrypt(RSA!, lb_encrypt, lb_privKey)

//Compliant code
lb_signature = lnv_CrypterObject.AsymmetricSign(RSA!, lb_data, lb_privKey)

//Compliant code (verifies the signature produced above)
li_isPass = lnv_CrypterObject.AsymmetricVerifySign(RSA!, lb_data, lb_pubKey, lb_signature)
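The check this rule describes, as an added example that is not part of Visual Expert or of this page: a small Python linter over PowerScript source that flags CrypterObject calls whose key or IV argument is a string-literal Blob, whether written inline or first assigned to a variable. It assumes the method names and argument positions used in the examples above; the method table, regular expressions and the two sample snippets are constructed here.

```python
import re
# Crypter methods and the 0-based positions of their key / IV arguments,
# taken from the calls shown in this rule's examples.
KEY_ARGS = {"symmetricencrypt": (2, 4), "symmetricdecrypt": (2, 4),
            "asymmetricencrypt": (2,), "asymmetricdecrypt": (2,),
            "asymmetricsign": (2,), "asymmetricverifysign": (2,)}
LITERAL_BLOB = re.compile(r'^blob\s*\(\s*"', re.IGNORECASE)   # Blob("...", ...)
ASSIGN = re.compile(r'^\s*(\w+)\s*=\s*(.+?)\s*$')
CALL = re.compile(r'\.(\w+)\s*\((.*)\)\s*$')
TOP_LEVEL_COMMA = re.compile(r',(?![^()]*\))')   # one nesting level is enough here
def logical_lines(src):
    """Drop // comments and join lines that PowerScript continues with '&'."""
    out, buf = [], ""
    for raw in src.splitlines():
        code = raw.split("//", 1)[0].rstrip()
        if code.endswith("&"):
            buf += code[:-1] + " "
            continue
        out.append(buf + code)
        buf = ""
    return out
def find_hardcoded_keys(src):
    """(method, argument) pairs whose key/IV is a literal Blob, inline or via a variable."""
    tainted, findings = set(), []
    for line in logical_lines(src):
        m = ASSIGN.match(line)
        if m:   # track which variables currently hold a literal Blob
            (tainted.add if LITERAL_BLOB.match(m.group(2)) else tainted.discard)(m.group(1).lower())
        c = CALL.search(line)
        if not c or c.group(1).lower() not in KEY_ARGS:
            continue
        args = [a.strip() for a in TOP_LEVEL_COMMA.split(c.group(2))]
        for i in KEY_ARGS[c.group(1).lower()]:
            if i < len(args) and (LITERAL_BLOB.match(args[i]) or args[i].lower() in tainted):
                findings.append((c.group(1), args[i]))
    return findings
# Constructed sample inputs, condensed from this rule's non-compliant and compliant examples.
NON_COMPLIANT = '''lb_key = Blob("Test Key12345678", EncodingANSI!) //Non compliant
lb_iv = Blob("Test IV 12345678", EncodingANSI!)
lb_encrypt = lnv_CrypterObject.SymmetricEncrypt(AES!, lb_data, lb_key, &
    OperationModeCBC!, lb_iv, PKCSPadding!)
lb_decrypt = lnv_CrypterObject.SymmetricDecrypt(AES!, lb_encrypt, Blob("Test Key12345678", EncodingANSI!), &
    OperationModeCBC!, Blob("Test IV 12345678", EncodingANSI!), PKCSPadding!)'''
COMPLIANT = '''lnv_CrypterObject.AsymmetricGenerateKey(RSA!, 1024, lb_privKey, lb_pubKey)
lb_signature = lnv_CrypterObject.AsymmetricSign(RSA!, lb_data, lb_privKey)
lb_encrypt = lnv_CrypterObject.AsymmetricEncrypt(RSA!, lb_data, lb_pubKey)'''
if __name__ == "__main__":
    for name, src in (("non-compliant", NON_COMPLIANT), ("compliant", COMPLIANT)):
        print(name, find_hardcoded_keys(src))
```

The non-compliant snippet yields four findings (the two variables and the two inline literals), the compliant one none; a key read from a file, registry or vault at run time is never a literal Blob and so passes the check.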

Visual Expert 2024
VEPBRULE78