Understanding Cryptography, Cryptographic Failure Vulnerability & its Preventions

NidaWaqas
4 min read · Aug 12, 2022


Cryptography: “The Safe & Secure Way of Information Handling”.

Learning objectives of this article:

1. Brief Introduction to Cryptography

2. Types of Cryptography

3. Understanding Cryptographic Failure Vulnerability with Examples

4. Preventive Measures to Avoid Cryptographic Failure

1. Brief Introduction to Cryptography

Cryptography is the practice of securing communication against unwanted parties by converting information into ciphertext. The word comes from the Greek crypt, meaning “secret” or “hidden”, and graphy, meaning process. The process of protecting information (in transit or at rest) from alteration or theft is called cryptography. A mathematical procedure, an algorithm, is used to encrypt the data. Cryptography is implemented in many technologies, such as protocols (HTTPS, FTPS, SMTPS), passwords, authentication and website certificates.

There are four basic objectives of cryptography: confidentiality, authenticity, integrity and non-repudiation.

Objectives of Cryptography

· Confidentiality refers to the secrecy of data: only the intended person can read the information. This is the core of cryptography.

· Authenticity refers to verification: both sender and receiver can verify each other, so information is known to be received from, or sent to, trusted parties.

· Integrity refers to originality: information at rest or in transit must remain original and must not be modified by a third party (an attacker).

· Non-repudiation refers to denial: through cryptography, neither sender nor receiver can deny having taken part in the communication. Providing non-repudiation in information transmission is therefore one goal of cryptography.

2. Types of Cryptography

There are two types of cryptography: encryption and hashing.

1. Encryption is two-way and reversible. Its output has the length of the input data, and the original data can easily be retrieved using the decryption key. The core purpose of encryption is confidentiality. Encryption is further divided into symmetric and asymmetric encryption.

a) Symmetric encryption: Symmetric encryption is also known as secret-key or private-key encryption. It is a simple and fast form of cryptography in which information is encrypted and decrypted with a single key. It is most commonly used where data is at rest, for example on disk drives and other storage devices. Examples of symmetric encryption are AES, 3DES (derived from DES) and RC4.

b) Asymmetric encryption: Asymmetric encryption is also known as public-key encryption and uses two keys, one public and one private. It is mostly used in web security, email security and other settings where information has to be exchanged over a public network. Examples of asymmetric encryption are DH and RSA.

2. Unlike encryption (which is two-way), hashing is one-directional: the transformation is irreversible. Hashing converts information into a fixed-length output, so regardless of the size of the input the output always has the same length. The core purpose of hashing is integrity. Examples of hashing are MD5 and SHA3 (from the SHA family).
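To make the two properties concrete, here is an added Go example (written for this article, not code from the author): SHA-256 produces the same 64-hex-character digest length for a two-byte input and for a multi-kilobyte input and can only be used to check integrity, while RSA-OAEP encryption is reversible for the holder of the private key. It uses only the Go standard library; the inputs are constructed sample data.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"strings"
)

// Sha256Hex hashes data with SHA-256 and returns the hex digest. Whatever the
// input size, the digest is 32 bytes (64 hex characters), and there is no
// inverse operation that recovers the input from the digest.
func Sha256Hex(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// VerifyIntegrity recomputes the digest of data and compares it with a digest
// recorded earlier. The constant-time comparison avoids leaking, through
// timing, how many leading bytes matched.
func VerifyIntegrity(data []byte, expectedHex string) bool {
	expected, err := hex.DecodeString(expectedHex)
	if err != nil {
		return false
	}
	sum := sha256.Sum256(data)
	return subtle.ConstantTimeCompare(sum[:], expected) == 1
}

// NewRSAKey generates a 2048-bit RSA key pair (the private key embeds the public half).
func NewRSAKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// RoundTripRSA encrypts plaintext to the public half of the key pair and
// decrypts it with the private half (RSA-OAEP). Encryption is reversible by
// design: the holder of the private key gets the exact plaintext back.
func RoundTripRSA(priv *rsa.PrivateKey, plaintext []byte) ([]byte, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &priv.PublicKey, plaintext, nil)
	if err != nil {
		return nil, err
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}

func main() {
	// Constructed sample inputs of very different sizes.
	short := []byte("hi")
	long := []byte(strings.Repeat("transaction record\n", 1000))
	fmt.Printf("short input -> %d hex chars\n", len(Sha256Hex(short)))
	fmt.Printf("long input  -> %d hex chars\n", len(Sha256Hex(long)))

	// Integrity: a stored digest detects any later change to the data.
	stored := Sha256Hex(long)
	tampered := append([]byte{}, long...)
	tampered[0] ^= 0x01
	fmt.Println("original verifies:", VerifyIntegrity(long, stored))
	fmt.Println("tampered verifies:", VerifyIntegrity(tampered, stored))

	// Confidentiality: asymmetric encryption, reversible only with the private key.
	priv, err := NewRSAKey()
	if err != nil {
		panic(err)
	}
	got, err := RoundTripRSA(priv, []byte("account balance: 42"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("decrypted: %q\n", got)
}
```

Note the use of `subtle.ConstantTimeCompare` in the integrity check: a plain `==` on digests would be functionally the same but leaks the position of the first mismatching byte through timing, which is the kind of detail that turns a correct primitive into a cryptographic failure in practice.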

3. Understanding Cryptographic Failure Vulnerability

When a web application uses no cryptography, or a weak cryptographic algorithm, there is a risk of data exposure; this is called cryptographic failure. Formerly it was known as Sensitive Data Exposure (2017: A03), but it is now ranked among the OWASP Top 10 vulnerabilities of 2021. Apart from data exposure, cryptographic failure can disrupt business systems. There are numerous causes of cryptographic failure: using weak ciphers, poor cryptographic key management, using deprecated hash functions like MD5 or SHA1, missing encryption, passwords being used as cryptographic keys, re-using weak keys, keys stored in source code repositories, using unauthenticated encryption, etc.

Let’s take the example of a man-in-the-middle attack, which is a cryptographic failure. As the name suggests, this is an attack in which a third party inserts itself into the communication. If a bank, say, does not use HTTPS, it is easy for an attacker to intercept and read the communication over plain HTTP. Such a bank fails to maintain information security at the most basic level.

Let’s take another example: using weak ciphers. A weak cipher means a deprecated algorithm or a very small key size, less than 128 bits. Using 3DES is one example of a weak cipher. Here an attacker can crack the key easily because the key is not multilayered or is very weak.

Another example would be unencrypted admin and file backups, from which data is very easy to extract.
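The first two failures above (no TLS at all, and deprecated ciphers such as 3DES or RC4) are configuration mistakes that can be caught before deployment. The following is an added Go example, not code from the article or its author, that audits a `crypto/tls` configuration for those settings using only the standard library's own list of insecure cipher suites (`tls.InsecureCipherSuites()`); the weak and hardened configurations it checks are constructed for the demonstration.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// AuditTLSConfig lists settings that weaken a TLS client or server
// configuration: a minimum version that is unset or below TLS 1.2, cipher
// suites Go itself classifies as insecure (RC4, 3DES, ...), and disabled
// certificate verification, which lets an in-the-middle party impersonate
// the server. A nil config stands for "no TLS at all", i.e. plain HTTP.
func AuditTLSConfig(cfg *tls.Config) []string {
	if cfg == nil {
		return []string{"no TLS configuration: traffic goes over plaintext HTTP"}
	}
	var findings []string
	if cfg.MinVersion < tls.VersionTLS12 {
		findings = append(findings, "MinVersion is unset or below TLS 1.2")
	}
	insecure := map[uint16]bool{}
	for _, s := range tls.InsecureCipherSuites() {
		insecure[s.ID] = true
	}
	for _, id := range cfg.CipherSuites {
		if insecure[id] {
			findings = append(findings, "insecure cipher suite enabled: "+tls.CipherSuiteName(id))
		}
	}
	if cfg.InsecureSkipVerify {
		findings = append(findings, "InsecureSkipVerify is set: the server certificate is never checked")
	}
	return findings
}

// WeakConfig is a constructed example of the kind of configuration the
// article warns about: an old protocol floor, deprecated ciphers and no
// certificate validation.
func WeakConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS10,
		CipherSuites: []uint16{
			tls.TLS_RSA_WITH_RC4_128_SHA,
			tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
		},
		InsecureSkipVerify: true,
	}
}

// HardenedConfig pins TLS 1.2 as the floor and a modern AEAD suite; the
// default verification of the server certificate is left enabled.
func HardenedConfig() *tls.Config {
	return &tls.Config{
		MinVersion:   tls.VersionTLS12,
		CipherSuites: []uint16{tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
	}
}

func main() {
	configs := []struct {
		name string
		cfg  *tls.Config
	}{{"weak", WeakConfig()}, {"hardened", HardenedConfig()}, {"no TLS", nil}}
	for _, c := range configs {
		findings := AuditTLSConfig(c.cfg)
		fmt.Printf("%s: %d finding(s)\n", c.name, len(findings))
		for _, f := range findings {
			fmt.Println("  -", f)
		}
	}
}
```

The audit treats an unset `MinVersion` as a finding rather than trusting the library default, because that default has changed between Go releases; pinning the floor explicitly is the setting a reviewer can verify.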

4. Preventive Measures to Avoid Cryptographic Failure

The following are must-take precautions to avoid cryptographic failure.

· Use Updated Cryptographic Algorithms, Keys, Functions: Instead of using or developing old or weak cryptographic keys, it is advisable to use modern cryptographic techniques.

· Employ Automated Key Generation: This is also known as key rotation. When a key is used for a long time, the risk of an attacker obtaining it grows. It is wise to change the key regularly, and automated key generation helps developers do this.

· Use Authenticated Encryption: Instead of plain encryption, it is wise to use authenticated encryption, where block-cipher modes provide both data confidentiality and authenticity. This makes data in transit hard to crack.
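The last two measures are easiest to see side by side in code. Here is an added Go example (written for this article, not the author's code) that contrasts plain AES-CTR, whose decryption cannot tell that a ciphertext was altered, with AES-GCM authenticated encryption, whose `Open` fails on any altered byte. The small `Keyring` type with one-byte key IDs is an assumption made for the demonstration of key rotation: new data is sealed under the current key, and data sealed under an older key stays readable because the ciphertext carries its key ID as authenticated associated data. Standard library only; keys and messages are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

const nonceSize = 12 // standard AES-GCM nonce size

// xorCTR applies the AES-CTR keystream; encrypting and decrypting are the same XOR.
func xorCTR(key, iv, in []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(in))
	cipher.NewCTR(block, iv).XORKeyStream(out, in)
	return out, nil
}

// EncryptCTR is plain, unauthenticated AES-CTR; its output is IV || ciphertext.
func EncryptCTR(key, plaintext []byte) ([]byte, error) {
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	ct, err := xorCTR(key, iv, plaintext)
	if err != nil {
		return nil, err
	}
	return append(iv, ct...), nil
}

// DecryptCTR cannot notice tampering: a changed ciphertext byte just decrypts to a changed plaintext byte.
func DecryptCTR(key, data []byte) ([]byte, error) {
	if len(data) < aes.BlockSize {
		return nil, errors.New("ciphertext too short")
	}
	return xorCTR(key, data[:aes.BlockSize], data[aes.BlockSize:])
}

// Keyring holds versioned AES-GCM keys (assumed design): new data is sealed under Current, old data stays readable by key ID.
type Keyring struct {
	Keys    map[byte]cipher.AEAD
	Current byte
}

// NewKeyring returns a keyring with one fresh key installed.
func NewKeyring() (*Keyring, error) {
	k := &Keyring{Keys: map[byte]cipher.AEAD{}}
	return k, k.Rotate()
}

// Rotate generates a fresh random 256-bit key and makes it the current key.
func (k *Keyring) Rotate() error {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return err
	}
	block, _ := aes.NewCipher(key)  // a 32-byte key is always accepted
	aead, _ := cipher.NewGCM(block) // AES has the 16-byte block GCM requires
	k.Current++
	k.Keys[k.Current] = aead
	return nil
}

// Seal produces keyID || nonce || ciphertext || tag; the key ID is associated data, so it is authenticated but not encrypted.
func (k *Keyring) Seal(plaintext []byte) ([]byte, error) {
	header := make([]byte, 1+nonceSize)
	header[0] = k.Current
	if _, err := io.ReadFull(rand.Reader, header[1:]); err != nil {
		return nil, err
	}
	return append(header, k.Keys[k.Current].Seal(nil, header[1:], plaintext, header[:1])...), nil
}

// Open fails on anything whose tag does not verify: changed key ID, nonce or ciphertext.
func (k *Keyring) Open(data []byte) ([]byte, error) {
	if len(data) < 1+nonceSize {
		return nil, errors.New("ciphertext too short")
	}
	aead, ok := k.Keys[data[0]]
	if !ok {
		return nil, errors.New("unknown key id")
	}
	return aead.Open(nil, data[1:1+nonceSize], data[1+nonceSize:], data[:1])
}

func main() {
	kr, err := NewKeyring()
	if err != nil {
		panic(err)
	}
	sealed, _ := kr.Seal([]byte("transfer 100"))
	sealed[len(sealed)-1] ^= 0x01 // constructed corruption: one flipped bit
	_, err = kr.Open(sealed)
	fmt.Println("corrupted ciphertext rejected:", err != nil)
}
```

With the CTR functions, a corrupted ciphertext decrypts without any error to a different plaintext, so the application has no signal that anything went wrong; with the GCM keyring the same corruption is reported as an error before any plaintext is returned. Rotating the key only changes what new data is sealed under; old ciphertexts keep working because the keyring retains the earlier keys by ID, which is what makes regular rotation operationally painless.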

Written by NidaWaqas, Information Security Analyst | Compliance Manager | BlueTeamer | GDPR | ISO 27001