146 – Remove cryptographic keys from RAM

Summary

Cryptographic keys should not remain in RAM for more than 5 seconds.

Description

When cryptographic keys are used for encryption or decryption operations, they are loaded into the computer's or device's RAM. Even after the cryptographic operation is completed, there is a risk of residual data remaining in the RAM. This residual data might persist for a short period before being overwritten by other data.

Supported In

Advanced: True

References

• OWASP10-A7. Identification and authentication failures
• PADSS-2_5_3. Secure cryptographic key storage
• SANS25-18. Use of hard-coded credentials
• CMMC-SC_L2-3_13_16. Data at rest
• HITRUST-10_g. Key management
• FEDRAMP-SC-13. Cryptographic protection
• ISO27002-8_24. Use of cryptography
• OWASPSCP-6. Cryptographic practices
• BSAFSS-EN_3-1. Software protects and validates encryption keys
• C2M2-9_5_e. Implement data security for cybersecurity architecture
• PCI-3_7_3. Secure cryptographic key storage
• ISO27001-8_24. Use of cryptography
• OWASPMASVS-CRYPTO-2. The app performs key management according to industry best practices
• CWE25-798. Use of hard-coded credentials

Last updated

2024/02/05