硬编码加密密钥¶
ID: swift/hardcoded-key
Kind: path-problem
Security severity: 8.1
Severity: error
Precision: high
Tags:
- security
- external/cwe/cwe-321
Query suites:
- swift-code-scanning.qls
- swift-security-extended.qls
- swift-security-and-quality.qls
不应使用硬编码密钥创建加密密码。使用硬编码密钥加密的数据更容易被恢复。
建议¶
使用随机生成的密钥材料初始化加密密码。
示例¶
以下示例显示了使用各种加密密钥实例化密码的几种情况。在“BAD”情况下,密钥材料是硬编码的,这使得加密数据容易被恢复。在“GOOD”情况下,密钥材料是随机生成的,并且没有被硬编码,这保护了加密数据免遭恢复。
func encrypt(padding : Padding) {
// ...
// BAD: Using hardcoded keys for encryption
let key: Array<UInt8> = [0x2a, 0x3a, 0x80, 0x05]
let keyString = "this is a constant string"
let ivString = getRandomIV()
_ = try AES(key: key, blockMode: CBC(), padding: padding)
_ = try AES(key: keyString, iv: ivString)
_ = try Blowfish(key: key, blockMode: CBC(), padding: padding)
_ = try Blowfish(key: keyString, iv: ivString)
// GOOD: Using randomly generated keys for encryption
var key = [Int8](repeating: 0, count: 10)
let status = SecRandomCopyBytes(kSecRandomDefault, key.count - 1, &key)
if status == errSecSuccess {
let keyString = String(cString: key)
let ivString = getRandomIV()
_ = try AES(key: key, blockMode: CBC(), padding: padding)
_ = try AES(key: keyString, iv: ivString)
_ = try Blowfish(key: key, blockMode: CBC(), padding: padding)
_ = try Blowfish(key: keyString, iv: ivString)
}
// ...
}