2020-06-30 12:48:39 +02:00
|
|
|
include::../description.adoc[]
|
|
|
|
|
|
|
|
|
|
== Noncompliant Code Example
|
|
|
|
|
|
|
|
|
|
----
|
|
|
|
|
Blob cryptoKey = Crypto.generateAesKey(256);
|
|
|
|
|
Blob hardcoded_iv = Blob.valueOf('hardcoded IV');
|
|
|
|
|
Blob data = Blob.valueOf('some secret data');
|
|
|
|
|
Blob encryptedData = Crypto.encrypt('AES256', hardcoded_iv, key, data); // Noncompliant, the IV is hardcoded
|
|
|
|
|
----
|
|
|
|
|
|
|
|
|
|
== Compliant Solution
|
|
|
|
|
|
|
|
|
|
----
|
|
|
|
|
Blob cryptoKey = Crypto.generateAesKey(256);
|
|
|
|
|
Blob data = Blob.valueOf('some secret data');
|
|
|
|
|
Blob encryptedData = Crypto.encryptWithManagedIV('AES256', key, data);
|
|
|
|
|
----
|
|
|
|
|
|
|
|
|
|
== See
|
|
|
|
|
|
2021-04-26 17:29:13 +02:00
|
|
|
* https://www.owasp.org/index.php/Top_10-2017_A6-Security_Misconfiguration[OWASP Top 10 2017 Category A6] - Security Misconfiguration
|
|
|
|
|
* http://cwe.mitre.org/data/definitions/329[MITRE, CWE-329] - CWE-329: Not Using an Unpredictable IV with CBC Mode
|
2020-06-30 12:48:39 +02:00
|
|
|
* http://cwe.mitre.org/data/definitions/330[MITRE, CWE-330] - Use of Insufficiently Random Values
|
2021-04-26 17:29:13 +02:00
|
|
|
* https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38a.pdf[NIST, SP-800-38A] - Recommendation for Block Cipher Modes of Operation
|
2020-06-30 12:48:39 +02:00
|
|
|
* https://developer.salesforce.com/page/Apex_Crypto_Class[Using the Apex Crypto Class]
|
