338 – Implement perfect forward secrecy

Summary

Critical communications should travel through a secure channel that implements perfect forward secrecy.

Description

All communications between the client and the server should take place over channels that are protected and encrypted. Secure channels often use a single secret to encrypt all communications. Therefore, if that secret is breached, all past communications can be decrypted and compromised. Perfect forward secrecy is attained when each message in a conversation is encrypted using a different secret. Thus, if a secret is breached, only a small portion of a conversation can be compromised, which represents an increase in the overall security of the system.

Supported In

Advanced: True

References

• CAPEC-117. Interception
• CWE-319. Cleartext transmission of sensitive information
• OWASP10-A2. Cryptographic failures
• OWASPM10-M3. Insecure communication threat agents
• NYDFS-500_15. Encryption of nonpublic information
• PADSS-2_5_4. Cryptographic key changes for keys
• CMMC-AC_L2-3_1_13. Remote access confidentiality
• CMMC-SC_L1-3_13_1. Boundary protection
• CMMC-SC_L2-3_13_15. Communications authenticity
• HITRUST-01_y. Teleworking
• HITRUST-09_s. Information exchange policies and procedures
• FEDRAMP-SC-8. Transmission confidentiality and integrity
• OSSTMM3-10_7_3. Telecommunications security (controls verification) - Privacy
• OSSTMM3-11_7_3. Data networks security (controls verification) - Privacy
• ISSAF-A_2_7. Assessment - Compromise remote users or sites
• PTES-2_17_1. Pre-engagement interactions - Emergency contact information
• PTES-4_5_3. Threat capability analysis - Communication mechanisms
• MVSP-2_8. Application design controls - Encryption
• OWASPSCP-9. Communication security
• OWASPSCP-14. General coding practices
• BSAFSS-VM_3-2. Vulnerability management
• NIST800171-1_13. Employ cryptographic mechanisms to protect the confidentiality of remote access sessions
• OSAMM-OM. Operational Management
• ASVS-2_7_4. Out of band verifier
• C2M2-9_5_c. Implement data security for cybersecurity architecture
• PCI-3_4_2. Use secure remote-access technologies
• PCI-3_7_9. Secure transmission and storage of cryptographic keys
• PCI-4_2_1. Strong cryptography during transmission
• PCI-8_3_2. Strong authentication for users and administrators is established
• SIGLITE-SL_78. Are applications used to transmit, process or store scoped data?
• SIGLITE-SL_160. Do agreements with third parties who have access or potential access to scoped data, address confidentiality, audit, security, and privacy, including but not limited to incident response, monitoring, data sharing and secure disposal of scoped data?
• SIG-D_6_1. Asset and information management
• SIG-H_4_1. Access control
• SIG-N_1_15_4. Network security
• SIG-U_1_9_15. Server security
• CASA-2_2_5. General Authenticator Security
• CASA-2_7_4. Out of Band Verifier

Last updated

2023/09/18