Using the wrong cryptography
1 / 9

Using the wrong cryptography - PowerPoint PPT Presentation

  • Uploaded on

Using the wrong cryptography. By VESMA System Architecture and Security. Home-grown cryptography. Don’t do it Rip the code out and replace it with library calls of respected algorithms. Protocol from low-level algorithms and wrong communication protocols.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'Using the wrong cryptography' - yitta

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Using the wrong cryptography

Using the wrong cryptography



System Architecture and Security

Home grown cryptography
Home-grown cryptography

  • Don’t do it

  • Rip the code out and replace it with library calls of respected algorithms

Protocol from low level algorithms and wrong communication protocols
Protocol from low-level algorithms and wrong communication protocols

  • Don’t create your own security protocol

  • Use a well-understood/documented protocol

  • Don’t use outdated protocols (wrong!)

  • Use a high-level, tested security protocol

    - SSL 3 and TLS

    - IPSec

    - XMLDSig(signatures)

    - XMLEnc(encryption)

Failing to use salt

Weak key derivation function protocols

Failing to use salt

  • Use random salt

  • New salt for each stream

  • Ensure salt is generated from a strong random number generator

  • The worse the computational performance, the better the protection from brute-force attacks

  • Slow down the attacker

Failing to use random iv
Failing to use random IV protocols

  • Applies to block ciphers when using various chaining modes

  • Initialization vector must be cryptographically random

Weak cryptographic primitive
Weak protocolscryptographic primitive

  • Don’t use outdated/broken security algorithms

    => Replace calls to weak algorithms with more secure versions

Wrong cryptographic primitive

  • Don’t use encryption for tamper detection

  • Use some form of encoding

  • Ensure algorithms appropriateness

  • Ongoing “cryptographic inventory”

C ryptographic primitive incorrect usage
C protocolsryptographic primitive – incorrect usage

  • Misusing stream ciphers

  • Hashing concatenated data

  • Electronic code book

  • Encrypting known plain text

  • Validating a hash incorrectly

  • Don’t use stream ciphers, Do Integrity checking, Don’t use the same key, Encrypt 1K and then start real encryption

  • Hash two things individually

Integrity check
÷ Integrity check protocols

  • Stream cipher -> Integrity check

  • Provide independent password verifier and integrity checks

  • Correct way to do integrity check is to create an HMAC of the data

  • Don’t use your integrity check as password verifier

Failure to use agile encryption
Failure to use Agile encryption protocols

  • Accommodation of future software versions + new/updated encryption algorithms = agile encryption

  • KDF -> store the name of the derivation algorithm and the iteration count

  • Symmetric algorithms -> chaining and padding modes to be configurable

  • Protect cryptographic configuration data