ESCT: Part 12 - Cryptography
Introduction
Cryptography is the process of transforming information or data from its original form into one that is unreadable by systems, tools, or people unless they have a key. The part of the process that converts source data/information into the unreadable version is called encryption. Reversing that process is called decryption.
Like many concepts/technologies in security, cryptography is not new. Centuries of devisings ways to send messages between and among known and trusted senders/receivers while making those messages unreadable for enemies or anyone else for whom the message is not intended. Secret codes, etc.
Cryptography, like speaking or writing in code, is used whenever there something that needs to be kept secret in an environment where there are multiple other parties who could see or hear the secret but are not the intended recipient. The sender and receiver agree upon a code to exchange messages. Additionally, written notes can be stored and unless a reader has the code, won’t know what the actual message is.
Cryptography is used throughout applications to protect sensitive information that while is needed for the operation of the application and its components, is not intended to be openly shared. This module highlights how cryptography is applied
Table of Contents
Types and Algorithms
Description
There are two categories of cryptography, symmetric and asymmetric and within these categories, there are a variety of algorithms that are distinguished by: -how data gets chopped up to be encrypted -how many keys are involved in the encryption/decryption process -how the keys get generated/used (symmetric/asymmetric) -key size -number of cycles
In symmetric encryption, which is also called secret key encryption, a single key used for both encryption and decryption. Symmetric cryptography is bested used when performance and efficiency are important to the application component using/accessing the data to be secured.
In asymmetric encryption, which is also called public-key cryptography, two related but separate keys are generated and then one is used for encrypting while the other for decrpyting. The keys include one that is meant to be shared (pubic key) and one that must always be kept secret(private) but in this public key infrastructure (PKI) system, both keys work to secure client-server interactions, secure VPN connectsion, certificates, digital signatures, and help ensure the technology and data in the system is only accessible by authenticated, and authorized entities with keys.
When selecting an algorithm, best practice is to never build your own, and to always use established and proven algorithms, vetted and recommended by industry experts like NIST.
Example / Quiz
Implementation in Modern Applications
Description
Modern applications have many components that store, process, transmit a variety of information and data. Often that information/data consists of “secrets” or is otherwise sensitive. This includes things like personal information on customers, user credentials, of anything else application developers would like to keep secret.
API keys, database credentials, tokens, admin passwords and other credentials to access privileged components and features, senstivitve data (PII, healthcare), private keys, signing certificates, are all examples of information that should not be available for every users and indeed, kept internal to the organization.
To secure this data, look to implement cryptography both at rest and in transit.
In-transit, ensure all requests/responses are sent using the secure version of the HTTP protocol, HTTPS. HTTP over TLS. Additionally, For remote access into development environments, SSH, VPN - for access to sensitive development environment internal to an organization/remote accessover a network.
Example (Draft)
For elixir, ExCrypto module[ExCrypto](https://hexdocs.pm/ex_crypto/ExCrypto.html)
Consider what needs to be encrypted - sensitive data or any other data that
Data classification, regulatory implications that must be protected from unauthorized access/seeing
Confidentiality
For in-transit
use HTTPS which implements encryption over a channel. Diffie-Hellman
[Serving over HTTPS
](https://hexdocs.pm/plug/https.html)
[Erlang crypto module](https://elixir-lang.org/getting-started/erlang-libraries.html#the-crypto-module)
Related Concepts
Description
Hashing is sometimes implemented alongside encryption but has a different purpose. Cryptography used for confidentiality; keeping information secret except for intended recipient/audience.
Hashes are used to ensure the integrity of the data, meaning ensuring from its creation/generation to its final state, it remains unmodified and untampered with. Hash algorithms are one way functions that - compare starting hash from known good data, to end hash which will indicate changes. Hashing passwords is a common application. Comparing hashes to determine if correct password entered. Hash Algorithms - SHA1, SHA2, MD5 (obsolete) - follow recommendations from NIST Approved Hash Algorithms
Security Concerns
Cryptographic Failures are the number two most common issue on the OWASP Top 10 A02:2021 – Cryptographic Failures
Related weaknesses include CWE-327: Broken or Risky Crypto Algorithm, and CWE-331 Insufficient Entropy.
Most of the concerns around cytography amount to data being inadvertently being sent in cleartext, sensitive data, the use of old, weak or custom cryptographic algorithms or protocols that are ineffective against attacker efforts to uncover keys, . Best practics is to never build your own crypto mechanisms. Use proven and secure methods like the following: -Secure Hashes: SHA-1 has been deprecated as of 2011 with a transition plan released in 2022. Recommendation to move towards orther families SHA256 -Secure Encryption Algorithms; AES is the current standard; secure modes must be emplemented
Follow NIST Recommendations for configuring the most secure algorithms when building your applications and securing secrets and data.
Beware of hardcoding keys, private keys, in source code where they can be discovered by malicious actors. Avoid building your own cryptographic mechanisms or using outdated protocols.
Recommended algorithms NIST Encryption Standard https://csrc.nist.gov/Projects/Hash-Functions Elixir encryption, hashing, etc. Modules OWASP Top10 Use TLS
Example / Quiz
(True or False) You should build your own encryption from scratch. *Uncomment the line with your answer
# answer = True
# answer = False
IO.puts(answer)<- Previous Module: Secure SDLC Concepts || Next Module: Elixir Security ->
