Hardcoded Cryptographic Key

kotlin.hardcoded_cryptographic_key

Severity

critical

Resource

Predictability

Language

Kotlin

Description

Cryptographic keys that are hardcoded into source code can be easily extracted and exploited by malicious actors. This practice compromises the security of the application, as these keys are not changeable without altering the source code.

Rationale

Hardcoding cryptographic keys in source code is a risky practice as it exposes sensitive information that should remain secret. The concern arises because hardcoded keys are not modifiable without a code change, making them an attractive target for attackers who can access the source code or binaries.

Consider the following Kotlin example:

import javax.crypto.Cipher
import javax.crypto.spec.SecretKeySpec

class CryptoExample {

    companion object {
        private const val ALGORITHM = "AES"
        // Potential timing vulnerability by hardcoding the key
        private val KEY = "1234567890123456".toByteArray()
    }

    @Throws(Exception::class)
    fun encrypt(data: String): ByteArray {
        val secretKey = SecretKeySpec(KEY, ALGORITHM)
        val cipher = Cipher.getInstance(ALGORITHM)
        cipher.init(Cipher.ENCRYPT_MODE, secretKey)
        return cipher.doFinal(data.toByteArray())
    }
}

In this example, the cryptographic key is hardcoded directly into the class. If this code is compiled and distributed, anyone with access to the binary can retrieve and misuse the key, nullifying any intended cryptographic protection.

Remediation

To remediate this vulnerability, cryptographic keys should be managed securely, never hardcoding them in source code. Instead, use environmental variables, configuration files, or dedicated secrets management services that provide secure storage and retrieval of sensitive data.

An alternative is to perform cryptographic operations using an external, managed service. Known as Key Management Services (KMS), they provide different features including key generation and storage, key rotation and lifecycle management, encryption / decryption and other cryptographic operations like digital signatures, key wrapping, secure random number generation, etc.

For the previous hardcoded key, the fix gets the key material from environment variable. KMS or a secrets vault could be used alternatively.

import javax.crypto.Cipher
import javax.crypto.spec.SecretKeySpec
import java.nio.file.Files
import java.nio.file.Paths

class CryptoExample {

    companion object {
        private const val ALGORITHM = "AES"
    }

    @Throws(Exception::class)
    fun encrypt(data: String): ByteArray {
        val key = retrieveKeyFromSecureLocation()
        val secretKey = SecretKeySpec(key, ALGORITHM)
        val cipher = Cipher.getInstance(ALGORITHM)
        cipher.init(Cipher.ENCRYPT_MODE, secretKey)
        return cipher.doFinal(data.toByteArray())
    }

    @Throws(Exception::class)
    private fun retrieveKeyFromSecureLocation(): ByteArray {
        val keyPath = System.getenv("CRYPTO_KEY_PATH")
        return Files.readAllBytes(Paths.get(keyPath))
    }
}

In the improved example, the method retrieveKeyFromSecureLocation() retrieves the key from a specified, secure location, such as an environment variable or configuration file. This approach enhances security by keeping the cryptographic keys outside the source code, allowing them to be rotated and managed without altering the application code.

References

CWE-321 : Use of Hard-coded Cryptographic Key.
OWASP - Top 10 2021 Category A02 : Cryptographic Failures.
Cryptographic Storage Cheat Sheet, in OWASP Cheat Sheet Series.
CERT Java Coding Standard MSC03-J : Never hard code sensitive information.