Cryptographic failures Introduction
Why did everyone start switching to Signal and Telegram as soon as it was discovered that WhatsApp was leaking users’ information?
Why then did Whatsapp feel the need to add “end-to-end encryption” to its software?
Why has everyone started becoming cashless and using their credit or debit cards to do transactions online?
All of this is due to cryptography.
You can secure your data and information with cryptography. In terms of technology, it is used to encrypt and decrypt your data to prevent threat actors from accessing your private information. Since everyone is aware of what cryptography is, cryptographic failure means that your private or sensitive data is exposed due to bad cryptography techniques.
It’s crucial to be aware that it is ranked second in the most recent OWASP top 10 for 2021.
This vulnerability was previously known to be Sensitive Data Exposure and poses great risk to both web apps and applications. Various reasons can be there for this vulnerability, some of them are :
- CWE-259: Use of Hard-coded Password,
- CWE-327: Broken or Risky Crypto Algorithm, and
- CWE-331: Insufficient Entropy.
What occurs when these flaws result in failures?
Poor encryption closely correlates with a lack of security and creates a significant entry point for attackers. The consequences of this vulnerability are regarded as one of the most important security threats for both businesses and business users. Cryptographic failures are much more common and can even compromise systems.
Cryptography failures are commonly caused by the following security flaws:
- Transmitting secret data in plain text
- Use of old/less-secure algorithm
- Using a hard-coded password in configuration files
- Improper cryptographic key management
- Insufficient randomness for cryptographic functions
- Missing encryption
- Insecure implementation of certificate validation
- Use of deprecated hash functions
- Use of outdated padding methods
- Presence of sensitive data in source control
- Use of insecure initialization vectors
- Using passwords as crypto keys without a password-based key generation scheme
- Exploitable side-channel information or cryptographic error messages
Examples of Cryptographic Failures
Example 1: Cracking Unsalted Password Hashes Using Rainbow Tables
Today, it is not sufficient to merely encode passwords. Unsalted hashes are easily cracked with the right tools and methods. Any password cracking method is made more difficult by password salting since it lengthens the password. It becomes increasingly challenging the longer the salt is. However, if your passwords are unsalted, an attacker can use a rainbow table to decrypt them if you store them.
Example 2: Automated Database Encryption and Decryption
Database management systems today are serious about cryptography. They offer features like transparent data encryption (TDE), which takes care of encrypting data as it is written into the database, for this reason. But there’s a problem—when you retrieve the data, it’s also automatically decrypted. Thus, it is susceptible to cryptographic errors caused by methods like SQL injections.
Example 3: Lack of TLS encryption
A website allegedly doesn’t employ a solid protocol. There is a possibility that attackers can use this vulnerability to access your network traffic. Spying on network traffic is just one application of this. To name a few examples, an attacker may view every request made through your browser, alter requests, and steal session cookies from users. To access decrypted data, they can also force the transition from HTTPS to HTTP. This poses a serious risk due to the exposure of extremely private and sensitive information.
Example 4: Insecure Password Management
You’ve likely heard about a lot of instances where an “intern” unintentionally uploaded some code to a repository with hard-coded credentials. Thus, cryptographic failure resulted. Imagine a developer with access to a database uploading code to a public server using their login information. This is a result of the insecure administration of passwords and credentials.
Keys are attempted to be stolen, man-in-the-middle attacks are carried out, or data is attempted to be stolen from the server, while it is in transit, or from the browser.
Apart from all of this attackers can get hold of a complete database and leak sensitive information, achieving data theft, public listing, breaches, and many critical problems. You can also imagine admin credentials being stolen and the attacker gaining complete control of the server.
Mitigating Cryptographic Failures
All encryption keys should ideally be generated cryptographically, according to recommendations. They ought to be stored as a byte array. Passwords in plain text should never be left unencrypted; they should always be transformed into cipher text. Only a reliable encryption algorithm or technique should be used. Furthermore, security is increased by using lengthy salts for sensitive data.
Developers use a set of rules called “secure coding” to include security in the source code of their applications. These procedures guarantee that robust cryptography techniques are applied throughout the program instead of just on the components’ outside perimeters, lowering the possibility of cryptographic errors.
One such challenging area of security is cryptography. Conducting routine penetration testing is, therefore, necessary to make sure you haven’t overlooked anything. You can comprehend an attacker’s viewpoint of your application through it.
In conclusion, it is pretty obvious why cryptographic failures are included in the OWASP Top 10. Given that both large and small businesses have fallen victim to cryptographic errors, this should not be taken lightly.
Due to the fact that there are multiple bugs and loopholes that need to be fixed, the scope of improving cryptography in your program is fairly broad. Everything we’ve discussed thus far has made one clear: It is vital to evaluate the robustness of your application’s cryptography implementations and work toward strengthening it.