This is part 2 of 3 in the OWASP Top 10 Series
Cryptography comprises the tools and techniques used to protect data at rest and in transit to uphold the ideology of the CIA Triad. We are quite known for “not rolling your own crypto”. By using a widely accepted standard, you have some level of assurance that the algorithm will not be flawed. You only need to ensure that its implementation is secured. But this assurance is not always completely true. Traditional encryption techniques are not enough due to the rapidly changing threat environment. Weak encryptions might result in the exposure of sensitive data through potential vulnerabilities. And this is known as cryptographic failures. In this article, we’ll discuss in detail, what a cryptographic failure is, and how cryptographic failures affect businesses. Subsequently, we’ll discuss some examples and mitigation techniques.
OWASP Top 10 list was out in 2021 and as usual, it has enlightened us about the most dangerous and potential vulnerabilities. And cryptographic failure (previously known as Sensitive Data Exposure) has occupied the second position in the list of Top 10 vulnerabilities. So what is this all about?
As per OWASP, cryptographic failure is a symptom instead of a cause. Any failure responsible for the exposure of sensitive and critical data to an unauthorized entity can be considered a cryptographic failure.
There can be various reasons for cryptographic failure. Some of the Common Weakness Enumerations (CWEs) are:
So what happens when these weaknesses turn into failures? How do cryptographic failures affect businesses? Now that we have an idea of what cryptographic failure is, let’s try to understand how it impacts an organization and individuals.
Poor cryptography directly affects the security of an application and its data. Lack of security can let attackers steal and modify data to conduct fraud, and identity theft, which can lead to serious consequences.
Attackers try to steal keys, execute man-in-the-middle attacks, or steal data from the server, in transit, or from the browser. This again leads to compromise in sensitive information.
The impact of a cryptographic failure is not limited to stealing a piece of information from/of a user. Attackers can get hold of a complete database having thousands of sensitive information, data theft, public listing, breaches, and many critical problems with business-related data. You can also imagine a scenario where the credentials of an admin are stolen and the attacker gets complete control of a server. Cryptographic failures can result in irreparable damage to reputation and heavy lawsuits.
Let's say you have an application up and running. And now you want to assess if your application is vulnerable to cryptographic failures. Of course, if you want an answer to that backed by rigorous tests, you need to wait for those tests to happen. But there are some aspects that are so simple that just asking yourself a couple of questions can give you a sense of confidence.
Here are some of those questions:
If your answer to any of these questions is a “yes”, then you’re vulnerable to cryptographic failures. To understand how these questions decide your crypto-security and see how cryptographic failures happen, let’s look at some examples.
Just encoding passwords is not enough in this era. With powerful tools and techniques, unsalted hashes are not very difficult to crack. Password salting makes it difficult for any password cracking technique as the salt adds additional length to the password. The longer the salt, the more difficult it gets. However, If you’re storing unsalted passwords, an attacker can use a rainbow table to crack these passwords.
Modern database management systems are taking cryptography seriously. That’s why they provide features like transparent data encryption (TDE) that take care of the encryption of data as they’re written into the database. But the problem is that this data is also automatically decrypted when you retrieve it. So this still makes it vulnerable to cryptographic failures from techniques such as SQL injections.
Supposedly a website does not use strong protocol. Attackers can take advantage of this and get access to your network traffic. This is not just limited to spying on the network traffic. To think of possibilities, an attacker can access all the requests made through your browser, modify requests, and steal cookies of users’ sessions. They can also force the connection from HTTPS to HTTP to get access to decrypted data. This can be fatal as sensitive and highly confidential data is being exposed.
You’ve probably heard of many cases where an “intern” accidentally pushed some code with hard-coded credentials to a repository. And this led to cryptographic failure. Imagine a developer having access to a database pushing a code with their credentials on a public server. What a malicious actor could do with that is scary! This is a lack of secure password/credentials management.
It is recommended that all the encryption keys should be created cryptographically. They should be stored in the form of byte arrays. Plain text passwords should always be converted into cipher text or encrypt them using these keys. It should only be done using a strong encryption method or algorithm. Using lengthy salts for sensitive data additionally increases security.
Secure coding is a set of guidelines that developers follow to integrate security within the application’s code. These practices ensure the use of strong cryptography practices in various parts of the application rather than only on the perimeter of the application’s components. Therefore reducing the chances of cryptographic failures.
Cryptography is one such aspect of security that’s difficult to get perfectly right. That’s why to ensure that you haven’t missed out on anything, you need to conduct regular penetration testing. Penetration testing lets you understand an attacker’s perspective of your application. Therefore, thinking like an attacker helps in identifying any cryptographic and other weaknesses and helps prioritize fixes.
Long story short, It is quite clear why the OWASP Top 10 has cryptographic failures on their list. This is something that shouldn't be taken lightly as companies on a big scale and small have been a victim of cryptographic failures.
The scope of strengthening cryptography in your application is rather large because it’s not just a single loophole or a bug to fix. It is a collection of weaknesses or poor cryptographic practices that need to be addressed. One thing is clear from all the things we’ve covered so far - It is crucial to assess the strength of your cryptography implementations in your application and work towards improving it.