Cryptography-based Vulnerabilities in Applications

Introduction to cryptography

Cryptography is designed to help protect the confidentiality, integrity and authenticity of data. An encryption algorithm transforms data so that it is unreadable to anyone who lacks the secret key. Both hash functions and digital signatures can provide integrity protection, and a digital signature also verifies the authenticity of a message.

However, these benefits of cryptographic algorithms only apply if the algorithms are used correctly. Cryptographic algorithms are very delicate, and a single mistake in design or implementation can render their protections meaningless.

Common cryptography errors

Cryptography can go wrong in a number of different ways. Some of the most common mistakes are using insecure or custom algorithms, using algorithms with known weaknesses and misusing cryptography entirely.

Rolling your own cryptography

It may seem that a custom, secret encryption algorithm would protect data confidentiality better than a publicly known one: if no one knows how an algorithm works, then it should be harder for someone to break it.

The problem with this theory is that most people are not trained cryptographers, and even trained cryptographers make mistakes when developing cryptographic algorithms. For every well-known and trusted encryption algorithm in use today, there are others that seemed like a good idea at the time but carried fatal weaknesses.
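An added illustration of the point above (not code from the original post): a hypothetical in-house cipher, repeating-key XOR, whose key falls out of a single record whose plaintext the reviewer already knows. The key, the record contents and all function names are constructed for this example.

```python
# Added example: a hypothetical home-made cipher and the review check that breaks it.
from itertools import cycle

def homebrew_encrypt(data: bytes, key: bytes) -> bytes:
    """In-house scheme (hypothetical): XOR with a repeating secret key.
    XOR is its own inverse, so the same call also decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def keystream_period(stream: bytes) -> int:
    """Smallest n for which the stream is its first n bytes repeated."""
    for n in range(1, len(stream)):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return n
    return len(stream)

def recover_key(known_plaintext: bytes, ciphertext: bytes) -> bytes:
    """plaintext XOR ciphertext is the keystream; one period of it is the key."""
    stream = bytes(p ^ c for p, c in zip(known_plaintext, ciphertext))
    return stream[:keystream_period(stream)]

# Constructed sample data. SECRET_KEY is used only to produce the ciphertexts;
# the review below never reads it.
SECRET_KEY = b"s3cr3t-k"
KNOWN_RECORD = b'{"account": "test-user", "note": "hello"}'  # reviewer's own record
OTHER_RECORD = b'{"account": "alice", "note": "wire ref 4471"}'

def review() -> tuple[bytes, bytes]:
    """Return (recovered key, a second record decrypted with that key)."""
    c_known = homebrew_encrypt(KNOWN_RECORD, SECRET_KEY)
    c_other = homebrew_encrypt(OTHER_RECORD, SECRET_KEY)
    key = recover_key(KNOWN_RECORD, c_known)
    return key, homebrew_encrypt(c_other, key)

if __name__ == "__main__":
    key, record = review()
    print("recovered key:", key)
    print("second record:", record)
```

Keeping the scheme secret contributed nothing here: one known record was enough to read every other record protected by the same key.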

Take the Advanced Encryption Standard (AES), for example. The National Institute of Standards and Technology (NIST) ran a multi-year contest to select the AES. In August 1998, fifteen candidate algorithms were chosen from those submitted. Within a year, major vulnerabilities were discovered in five of the algorithms, and less-serious attacks were found against another four.

These were algorithms developed by experienced cryptographers with knowledge of common cryptanalytic techniques, yet many were rapidly broken. Don’t try to create (Read more...)

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Howard Poston. Read the original post at: