Cryptographic Failures

OWASP Top 10, 2021

Cryptography is the practice of protecting information by transforming it with codes or mathematical algorithms so that it no longer appears as plaintext and unintended parties cannot readily understand it.

Cryptographic messages appear as ciphertext to better secure both data at rest (useful data not in current use, such as archives, stored passwords, unpublished files and users' session credentials) and data in transit (data being processed, currently in use, or being transmitted).

A cryptographic failure is a failure of encryption or related protections that leads to the leakage or exposure of sensitive data to unintended people or systems. Cryptographic failures also occur when cryptography is insufficient: the protection applied falls short of the level of security attainable at the time and is therefore vulnerable to compromise.

Vulnerabilities that lead to cryptographic failures

:: Storing sensitive data in plain, readable text.

:: Use of outdated or insecure encryption.

:: Poor usage of cryptographic keys.

:: Poor management of cryptographic functions.

:: Use of outdated hash functions.

:: Leaving sensitive data in source control.

:: Using passwords as crypto keys.
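Several items in the list above (plain-text storage, outdated hash functions, unsalted hashes, passwords used directly as keys) come down to how a password reaches disk. The following Go program is an added example, not code from the original post: it places the weak pattern (a fast, unsalted hash) beside a hardened one (a random per-user salt, a slow PBKDF2-HMAC-SHA256 derivation, and a constant-time comparison). The PBKDF2 routine is written inline so the example has no dependencies; the iteration count, the sample passwords and the record layout are constructed for the demonstration.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// weakHash is the pattern the list warns about: a fast, unsalted hash.
// Every user with the same password gets the same digest, so one leaked
// table can be matched against precomputed digests of common passwords.
func weakHash(password string) string {
	sum := sha256.Sum256([]byte(password))
	return hex.EncodeToString(sum[:])
}

// pbkdf2HMACSHA256 derives the first 32-byte block of PBKDF2 (RFC 8018)
// with HMAC-SHA256. Written inline for a dependency-free example; in
// production prefer a maintained implementation (golang.org/x/crypto/argon2
// or bcrypt, or crypto/pbkdf2 on Go 1.24+).
func pbkdf2HMACSHA256(password, salt []byte, iterations int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // INT(i) for block index 1
	u := mac.Sum(nil)
	out := append([]byte(nil), u...)
	for i := 1; i < iterations; i++ {
		mac.Reset() // back to the keyed initial state
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range out {
			out[j] ^= u[j]
		}
	}
	return out
}

// defaultIterations is a constructed cost value; tune it to your hardware.
const defaultIterations = 100_000

// StoredCredential is the per-user record: the salt is stored in the clear,
// and the cost parameter is kept so it can be raised on a later login.
type StoredCredential struct {
	Salt       []byte
	Iterations int
	Key        []byte
}

// HashPassword produces a fresh random salt and a slow, salted derived key.
func HashPassword(password string) (StoredCredential, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return StoredCredential{}, err
	}
	key := pbkdf2HMACSHA256([]byte(password), salt, defaultIterations)
	return StoredCredential{Salt: salt, Iterations: defaultIterations, Key: key}, nil
}

// VerifyPassword re-derives the key with the stored parameters and compares
// in constant time so timing does not reveal how many bytes matched.
func VerifyPassword(cred StoredCredential, password string) bool {
	candidate := pbkdf2HMACSHA256([]byte(password), cred.Salt, cred.Iterations)
	return subtle.ConstantTimeCompare(candidate, cred.Key) == 1
}

func main() {
	// Constructed sample: two users who chose the same password.
	fmt.Println("weak, alice:  ", weakHash("correct horse"))
	fmt.Println("weak, bob:    ", weakHash("correct horse")) // identical digest
	a, _ := HashPassword("correct horse")
	b, _ := HashPassword("correct horse")
	fmt.Println("salted, alice:", hex.EncodeToString(a.Key))
	fmt.Println("salted, bob:  ", hex.EncodeToString(b.Key)) // differs
	fmt.Println("right password:", VerifyPassword(a, "correct horse"))
	fmt.Println("wrong password:", VerifyPassword(a, "Correct horse"))
}
```

Storing the salt and iteration count next to the derived key is what lets the cost be raised later without a reset: on a successful login the server can re-derive with a higher count and overwrite the record, which is the practical answer to "outdated hash functions" in an existing user base.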

Exploitation of cryptographic failures

:: Man-in-the-middle attack.

:: Exposure or leaking of critical and sensitive data.

:: Unauthorized access to sensitive data.

:: Downgrade of cipher or transport protocols.

Preventive measures for cryptographic failures

:: Classify data and secure it according to sensitivity and risk level.

:: Conduct periodic security audits to keep up with the measures that protect data at each stage of its lifecycle.

:: Dispose of sensitive data carefully when it is no longer needed or usable.

:: Disable caching for private and sensitive data.

:: Use the right, up-to-date cryptographic algorithms and functions.

:: Enforce authenticated encryption instead of plain encryption.

:: Avoid storing passwords using simple or unsalted hashes.

:: Rotate cryptographic keys regularly.
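The measure "authenticated encryption instead of plain encryption" is easiest to see with the two modes side by side. The Go program below is an added example, not code from the original post: it encrypts a record with unauthenticated AES-CTR and with AES-GCM, then corrupts one ciphertext byte in each. CTR decrypts the corrupted data without complaint and hands back altered plaintext; GCM checks its tag first and returns an error with no plaintext. The key, message and associated-data label are constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// encryptCTR is plain, unauthenticated encryption: AES in counter mode.
// Output layout is iv || ciphertext. Nothing in it lets the receiver tell a
// genuine ciphertext from a corrupted or modified one.
func encryptCTR(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, aes.BlockSize+len(plaintext))
	if _, err := rand.Read(out[:aes.BlockSize]); err != nil {
		return nil, err
	}
	cipher.NewCTR(block, out[:aes.BlockSize]).XORKeyStream(out[aes.BlockSize:], plaintext)
	return out, nil
}

// decryptCTR never fails on modified data: CTR is a stream cipher, so a
// changed ciphertext byte simply becomes a changed plaintext byte.
func decryptCTR(key, data []byte) ([]byte, error) {
	if len(data) < aes.BlockSize {
		return nil, errors.New("ciphertext too short")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(data)-aes.BlockSize)
	cipher.NewCTR(block, data[:aes.BlockSize]).XORKeyStream(out, data[aes.BlockSize:])
	return out, nil
}

// encryptGCM is authenticated encryption: AES-GCM computes a tag over the
// ciphertext and the associated data. Output layout is nonce || ciphertext || tag.
func encryptGCM(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	out := make([]byte, ns, ns+len(plaintext)+aead.Overhead())
	if _, err := rand.Read(out[:ns]); err != nil {
		return nil, err
	}
	return aead.Seal(out, out[:ns], plaintext, aad), nil
}

// decryptGCM verifies the tag before returning anything; any change to the
// nonce, ciphertext, tag or associated data yields an error and no plaintext.
func decryptGCM(key, data, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(data) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, data[:ns], data[ns:], aad)
}

// corruptByte returns a copy of data with one bit of byte i changed, to
// simulate corruption or modification in transit.
func corruptByte(data []byte, i int) []byte {
	out := append([]byte(nil), data...)
	out[i] ^= 0x01
	return out
}

func main() {
	key := make([]byte, 32) // constructed all-zero key, for the demo only
	msg := []byte("transfer 100 to alice")
	aad := []byte("record-v1")

	ct, _ := encryptCTR(key, msg)
	pt, err := decryptCTR(key, corruptByte(ct, aes.BlockSize))
	fmt.Printf("CTR after corruption: %q, err=%v\n", pt, err) // altered text, no error

	gct, _ := encryptGCM(key, msg, aad)
	_, err = decryptGCM(key, corruptByte(gct, 12), aad)
	fmt.Println("GCM after corruption:", err) // authentication failure
}
```

The associated-data argument is the place to bind context that travels in the clear, such as a record type or key version: the same ciphertext presented under a different label fails the tag check, which is how a key-rotation scheme can refuse records that were re-labelled rather than re-encrypted.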

#management #data #security #people #transport #algorithms #cryptography #change #infosec #owasptop10 #cyberawareness #cyberdefense #cyberattack #cybercareer