Cryptography helps protect your data (through encryption) or establish identity (through authentication). Unfortunately, it’s very easy to get wrong. Improperly designed or deployed cryptography may cause system-wide security compromises that can include:
- Data risks: Sensitive data may be accessed and manipulated by malicious actors.
- Identity risks: Incorrect encryption and authentication – used to establish and verify identity – may enable identity theft or misattribution.
- Certification, compliance, and reputation: Certifications or auditing artifacts may be revoked, and negative press may put future business at risk.
You might be doing everything right and still have issues with cryptography. Where should you look to find hidden problems? Start with the following:
- Incorrect usage of well-designed cryptography: It’s easy to use the right code (well-known and battle-hardened, like OpenSSL) in the wrong way. Some encryption schemes have multiple modes, parameters, or flags that must be selected correctly to produce the intended results. A typical example is failing to randomize initialization vectors for algorithms that require them, which could inadvertently reveal keys.
- Improper architecture can cause crypto to be bypassed: Even if cryptographic code is used properly, it is possible to architect a system in a way that renders the cryptographic implementation moot. A recent example is the hack of the chat service Parler. An authentication system was implemented but was not enforced on the server, allowing arbitrary access to the API and enabling user data to be retrieved.
- Improperly implemented cryptographic algorithms: When implementing or optimizing an algorithm by hand, even one small error or missed corner case may weaken the functionality or security guarantee that the cryptographic implementation was intended to provide.
- Use of legacy cryptographic protocols: Some cryptographic protocols do not provide the security guarantees that were originally expected of them. Using out-of-date or flawed protocols or algorithms, such as DES for encryption, can provide a false sense of security.
- Unknown cryptographic dependencies: Cryptographic implementations may be in use through third-party libraries or dependencies that were pulled into a project or system for other purposes. These hidden dependencies may themselves be improperly designed and implemented, or may use legacy algorithms, leading to the same security flaws described above.
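The unrandomized-IV mistake from the first item in the list above, as an added example (not code from the original page or from Galois). A toy stream mode built from HMAC-SHA256 stands in for AES-CTR so it runs on the standard library alone; all function names, keys and messages are constructed for illustration. With a constant IV, the XOR of two ciphertexts equals the XOR of their plaintexts, and `find_iv_reuse` is an audit check over stored (key id, IV, ciphertext) records.

```python
import hashlib
import hmac
import os
from collections import defaultdict


def keystream(key, iv, length):
    """Toy CTR-style keystream: HMAC-SHA256(key, iv || counter).
    Assumption: a stand-in for AES-CTR, not a production cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, iv + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key, plaintext, iv=None):
    """Return (iv, ciphertext). A fresh random IV is drawn unless one is forced."""
    iv = os.urandom(16) if iv is None else iv
    ks = keystream(key, iv, len(plaintext))
    return iv, bytes(p ^ k for p, k in zip(plaintext, ks))


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def find_iv_reuse(records):
    """records: iterable of (key_id, iv, ciphertext).
    Return {(key_id, iv): count} for every IV seen more than once under one key."""
    seen = defaultdict(int)
    for key_id, iv, _ in records:
        seen[(key_id, iv)] += 1
    return {k: n for k, n in seen.items() if n > 1}


# Constructed sample data (hypothetical key id, key and messages).
KEY = bytes(range(32))
P1 = b"transfer 0100 to account A"
P2 = b"transfer 9999 to account B"
FIXED_IV = bytes(16)  # the mistake: a constant IV for every message

weak = [("k1", *encrypt(KEY, p, FIXED_IV)) for p in (P1, P2)]
good = [("k1", *encrypt(KEY, p)) for p in (P1, P2)]  # random IV per message

if __name__ == "__main__":
    print("fixed IV leaks P1^P2:", xor(weak[0][2], weak[1][2]) == xor(P1, P2))
    print("random IV leaks P1^P2:", xor(good[0][2], good[1][2]) == xor(P1, P2))
    print("reuse found:", find_iv_reuse(weak), find_iv_reuse(good))
```
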
So, how do you know if your cryptography is properly designed and implemented? Galois can help you answer that question. As your partner, we will provide consulting, auditing, education and development services giving you the assurance you need so your systems deliver the results you expect.
Cryptography doesn’t have to be an unsolvable problem for your organization. Contact us to learn how we can partner with you to address your cryptography concerns.