Home
Encryption keys should not be hardcoded
Description
The PowerBuilder code rule "Encryption keys should not be hardcoded" states that any encryption keys used in PowerBuilder code should not be stored as plain text in the code. Instead, the encryption keys should be stored in a secure location outside of the code and referenced from there. This ensures that the encryption keys are kept secure and not exposed to potential attackers who may be able to access the code. It also makes it easier to manage the keys in the event that they need to be changed or updated.
Key Benefits
- Security: Encryption keys that are hardcoded can be easily accessed, making data vulnerable to theft.
- Integrity: Keeping encryption keys in a secure location ensures that only authorized users can access the data.
- Reliability: Encryption keys that are hardcoded can be easily changed or replaced, making the system less reliable.
Non-compliant Code Example
Blob lb_data Blob lb_key Blob lb_iv Blob lb_encrypt lb_data = Blob("Test AES", EncodingANSI!) lb_key = Blob("Test Key12345678", EncodingANSI!) //Non compliant code (Encryption key is hardcoded) lb_iv = Blob("Test IV 12345678", EncodingANSI!) //Non compliant code (Initialization vector key is hardcoded) CrypterObject lnv_CrypterObject lnv_CrypterObject = Create CrypterObject //Non compliant code (SymmetricEncrypt used hardcoded encryption and initialization vector keys) lb_encrypt = lnv_CrypterObject.SymmetricEncrypt(AES!, lb_data, lb_key, & OperationModeCBC!, lb_iv, PKCSPadding!) //Non compliant code (SymmetricDecrypt used hardcoded encryption and initialization vector keys) lblb_decrypt = lnv_CrypterObject.SymmetricDecrypt(AES!, lb_encrypt, Blob("Test Key123456789", EncodingANSI!), & OperationModeCBC!, Blob("Test IV 12345678", EncodingANSI!), PKCSPadding!)
Blob lb_data Blob lb_privKey Blob lb_pubKey Blob lb_encrypt Blob lb_decrypt Blob lb_signature Integer li_isPass lb_data = Blob("Test Rsa", EncodingANSI!) lb_pubKey = Blob("Test Key12345678", EncodingANSI!) //Non compliant code (Encryption key is hardcoded) lb_privKey = Blob("Test Key44345678", EncodingANSI!) //Non compliant code (Encryption key is hardcoded) CrypterObject lnv_CrypterObject lnv_CrypterObject = Create CrypterObject //Non compliant code (AsymmetricEncrypt used hardcoded key) lb_encrypt = lnv_CrypterObject.AsymmetricEncrypt(RSA!, lb_data, lb_pubKey) //Non compliant code (AsymmetricDecrypt used hardcoded key) lb_decrypt = lnv_CrypterObject.AsymmetricDecrypt(RSA!, lb_encrypt, lb_privKey) //Non compliant code (AsymmetricVerifySign used hardcoded key) li_isPass = lnv_CrypterObject.AsymmetricVerifySign(RSA!, lb_data, lb_pubKey, lb_signature) //Non compliant code (AsymmetricSign used hardcoded key) lb_signature = lnv_CrypterObject.AsymmetricSign(RSA!, lb_data, lb_privKey)
Compliant Code Example
function string VEEncryption (Blob lb_key,Blob lb_iv) Blob lb_data Blob lb_encrypt Blob lb_decrypt lb_data = Blob("Test AES", EncodingANSI!) CrypterObject lnv_CrypterObject lnv_CrypterObject = Create CrypterObject //Compliant code lb_encrypt = lnv_CrypterObject.SymmetricEncrypt(AES!, lb_data, lb_key, & OperationModeCBC!, lb_iv, PKCSPadding!) //Compliant code lb_decrypt = lnv_CrypterObject.SymmetricDecrypt(AES!, lb_encrypt, lb_key, & OperationModeCBC!, lb_iv, PKCSPadding!) Return "" end function
Blob lb_data Blob lb_privKey Blob lb_pubKey Blob lb_encrypt Blob lb_decrypt Blob lb_signature Integer li_isPass lb_data = Blob("Test Rsa", EncodingANSI!) CrypterObject lnv_CrypterObject lnv_CrypterObject = Create CrypterObject lnv_CrypterObject.AsymmetricGenerateKey(RSA!, 1024, lb_privKey, lb_pubKey) //Compliant code lb_encrypt = lnv_CrypterObject.AsymmetricEncrypt(RSA!, lb_data, lb_pubKey) //Compliant code lb_decrypt = lnv_CrypterObject.AsymmetricDecrypt(RSA!, lb_encrypt, lb_privKey) //Compliant code li_isPass = lnv_CrypterObject.AsymmetricVerifySign(RSA!, lb_data, lb_pubKey, lb_signature) //Compliant code lb_signature = lnv_CrypterObject.AsymmetricSign(RSA!, lb_data, lb_privKey)