Using the wrong cryptography
Sponsored Links
This presentation is the property of its rightful owner.
1 / 9

Using the wrong cryptography PowerPoint PPT Presentation

  • Uploaded on
  • Presentation posted in: General

Using the wrong cryptography. By VESMA System Architecture and Security. Home-grown cryptography. Don’t do it Rip the code out and replace it with library calls of respected algorithms. Protocol from low-level algorithms and wrong communication protocols.

Download Presentation

Using the wrong cryptography

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript

Using the wrong cryptography

Using the wrong cryptography



System Architecture and Security

Home grown cryptography

Home-grown cryptography

  • Don’t do it

  • Rip the code out and replace it with library calls of respected algorithms

Protocol from low level algorithms and wrong communication protocols

Protocol from low-level algorithms and wrong communication protocols

  • Don’t create your own security protocol

  • Use a well-understood/documented protocol

  • Don’t use outdated protocols (wrong!)

  • Use a high-level, tested security protocol

    - SSL 3 and TLS

    - IPSec

    - XMLDSig(signatures)

    - XMLEnc(encryption)

Failing to use salt

Weak key derivation function

Failing to use salt

  • Use random salt

  • New salt for each stream

  • Ensure salt is generated from a strong random number generator

  • The worse the computational performance, the better the protection from brute-force attacks

  • Slow down the attacker

Failing to use random iv

Failing to use random IV

  • Applies to block ciphers when using various chaining modes

  • Initialization vector must be cryptographically random

Weak cryptographic primitive

Weak cryptographic primitive

  • Don’t use outdated/broken security algorithms

    => Replace calls to weak algorithms with more secure versions

Wrong cryptographic primitive

  • Don’t use encryption for tamper detection

  • Use some form of encoding

  • Ensure algorithms appropriateness

  • Ongoing “cryptographic inventory”

C ryptographic primitive incorrect usage

Cryptographic primitive – incorrect usage

  • Misusing stream ciphers

  • Hashing concatenated data

  • Electronic code book

  • Encrypting known plain text

  • Validating a hash incorrectly

  • Don’t use stream ciphers, Do Integrity checking, Don’t use the same key, Encrypt 1K and then start real encryption

  • Hash two things individually

Integrity check

÷ Integrity check

  • Stream cipher -> Integrity check

  • Provide independent password verifier and integrity checks

  • Correct way to do integrity check is to create an HMAC of the data

  • Don’t use your integrity check as password verifier

Failure to use agile encryption

Failure to use Agile encryption

  • Accommodation of future software versions + new/updated encryption algorithms = agile encryption

  • KDF -> store the name of the derivation algorithm and the iteration count

  • Symmetric algorithms -> chaining and padding modes to be configurable

  • Protect cryptographic configuration data

  • Login