Definition by OWASP:
"Many web applications do not properly protect sensitive data, such as credit cards, Social Security Numbers, and authentication credentials, with appropriate encryption or hashing. Attackers may steal or modify such weakly protected data to conduct identity theft, credit card fraud, or other crimes."
Insecure cryptographic storage means that important web application data is easily exposed even though it is encrypted or hashed, because the encrypted and hashed values are lost to weak encryption or weak hashing. It is a collection of vulnerabilities; the resulting loss of sensitive data can damage the business's reputation and expose personal information (such as credit card details and health records).
Who are the attackers?
Users who are using the system but cannot access protected data that they are not authorised to view? Perhaps an internal administrator?
How will the attackers crack the data?
Attackers do not break the cryptographic method. Instead they gain access by obtaining the keys, by copying clear-text copies of sensitive data, or by reaching the data through a path that automatically decrypts it.
What are encryption, decryption, hashing and salting?
Encryption & Decryption: Encryption means the input data has been transformed by an algorithm into cipher text, which is illegible. Decryption is the process applied to unlock the original input, converting the illegible text back into legible text.
Hashing: Hashing means creating a one-way digest of the input text as a fixed-length string that cannot be converted back to the original.
Salting: Salting is a concept closely related to hashing; it involves adding a random string to the input text before the hashing process is executed.
Common flaws in encryption and hashing
· Simply not encrypting data which deserves to be encrypted.
· Encryption employed with weak key generation and storage, keys that are never rotated, or a weak algorithm.
· Use of weak or unsalted hashes to protect passwords.
Common Encryption Algorithms:
Hashing Algorithms:
SHA (Secure Hash Algorithm) - Commonly used in Asp.Net
MD5 - There have been numerous discoveries which discredit the security and viability of the MD5 algorithm.
Encryption Algorithms:
AES (Advanced Encryption Standard) - Commonly used in Asp.Net nowadays
DES (Data Encryption Standard) - An older design; it is very insecure.
Symmetric encryption:
The same key is used to encrypt and decrypt the data. It is a two-way algorithm: the same encryption algorithm is used for encryption and simply reversed for decryption. Commonly used nowadays with the AES algorithm.
Asymmetric encryption:
Different keys are used to encrypt and to decrypt. The encryption key is widely distributed and the decryption key is kept private. It is commonly implemented in SSL using the RSA algorithm.
Cracking passwords:
Password cracking software is available in the market; even if you hash the password before storing it, the original can still be identified. Recently the RainbowCrack tool was used to break tables of passwords hashed with the MD5 hash function that were stolen directly off MSDN.
Protecting passwords from cracking:
Using a salt in the hash function makes passwords difficult to crack. Salting combines a random piece of data with the password, which makes it difficult to crack; in addition, the salt is used to recreate the hash when the user logs on.
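The difference between an unsalted hash and a salted, iterated one, as an added example that is not from the original post and not Asp.Net Membership provider code: a tiny constructed "precomputed table" of unsalted SHA-256 digests stands in for the rainbow table mentioned above, and the salted variant uses PBKDF2-HMAC-SHA256 from Python's standard library (the format string and iteration count are this example's own choices).

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample: a miniature precomputed table of unsalted SHA-256
# digests, playing the role of the rainbow table the article describes.
COMMON_PASSWORDS = ["password", "123456", "letmein"]
UNSALTED_TABLE = {hashlib.sha256(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}


def lookup_unsalted(stored_hex: str) -> Optional[str]:
    """An unsalted hash is recovered by a plain table lookup; no cracking needed."""
    return UNSALTED_TABLE.get(stored_hex)


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = 100_000) -> str:
    """Salted, iterated hash: a fresh random 16-byte salt plus PBKDF2-HMAC-SHA256.

    The salt is stored alongside the digest so it can be reused at login time.
    Output format (this example's own): algo$iterations$salt_hex$digest_hex
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recreate the hash with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def salted_digest_in_table(stored: str) -> bool:
    """True only if the salted digest appears in the precomputed table (it never should)."""
    return stored.split("$")[3] in UNSALTED_TABLE
```

Hashing the same password twice yields two different stored strings because each call draws a new salt, which is exactly why a single precomputed table cannot cover every user at once.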
Use the Asp.Net Membership provider:
Using the Asp.Net membership provider not only salts and hashes passwords but also provides a rich ecosystem to support registration and account management. Data stored in the database is secured with salted SHA hashing by default.
Preventing Insecure Cryptographic Storage
Ensure the statements below are verified and done properly:
· Consider the threats to the data and ensure all threatened data is encrypted and protected from those threats.
· Backup files are encrypted, and all keys are managed and backed up separately.
· Passwords are hashed with a strong algorithm and a salt.
Summary
Implement encryption. If data is not encrypted properly it can be cracked. We can't get "secure", but we can damn well try and get as close to it as possible.
Example Attack Scenarios
Scenario #1:
An application encrypts credit cards in
a database to prevent exposure to end users. However, the database is set to
automatically decrypt queries against the credit card columns, allowing an SQL
injection flaw to retrieve all the credit cards in clear text. The system
should have been configured to allow only back end applications to decrypt
them, not the front end web application.
Scenario #2:
A backup tape is made of
encrypted health records, but the encryption key is on the same backup. The
tape never arrives at the backup centre.
Scenario #3:
The password database uses unsalted
hashes to store everyone’s passwords. A file upload flaw allows an attacker to
retrieve the password file. All the unsalted hashes can be brute forced in 4
weeks, while