{"id":1593,"date":"2010-11-30T20:53:39","date_gmt":"2010-11-30T15:23:39","guid":{"rendered":"https:\/\/www.qadit.com\/blog\/?p=1593"},"modified":"2010-12-27T07:55:11","modified_gmt":"2010-12-27T02:25:11","slug":"some-common-key-management-mistakes","status":"publish","type":"post","link":"https:\/\/qadit.com\/blog\/some-common-key-management-mistakes\/","title":{"rendered":"Some Common Key Management Mistakes"},"content":{"rendered":"<p>In this article we look at some common cryptography pitfalls relating to the management of keys and other related issues. Some cryptography fundamentals have been listed below for purposes of clarity.<!--more--><\/p>\n<ul>\n<li><strong> Encryption<\/strong><\/li>\n<\/ul>\n<p>A cryptographic operation that transforms meaningful data into encrypted data using an encryption algorithm. Encryption can be symmetric or asymmetric.<\/p>\n<p>Symmetric encryption uses the same key to encrypt and decrypt data. Some examples of symmetric encryption systems are Data Encryption Standard (DES), Triple DES and Advanced Encryption Standard (AES).<\/p>\n<p>Asymmetric encryption uses a public key to encrypt information and a private key to decrypt information. The most common asymmetric encryption system is RSA.<\/p>\n<p>Cryptographic protocols such as SSL use a combination of symmetric and asymmetric encryption.<\/p>\n<ul>\n<li><strong> Tokenization<\/strong><\/li>\n<\/ul>\n<p>A reversible operation that replaces meaningful data with meaningless plaintext. For example, sensitive information such as credit card numbers can be tokenized (converted to a random sequence of numbers) and then accessed by applications. This minimizes the risk of multiple applications using sensitive data.<\/p>\n<ul>\n<li><strong>Hashing<\/strong><\/li>\n<\/ul>\n<p>An irreversible cryptographic operation that transforms data into an illegible message digest (hash). Hashing is used to ensure data integrity during data transfer. 
A message hash is computed before and after data is transmitted, and the results are compared to ensure that the data has not been changed during transfer.<\/p>\n<ul>\n<li><strong>Key Management<\/strong><\/li>\n<\/ul>\n<p>All operations associated with the secure creation, use, management, distribution and destruction of cryptographic keys.<\/p>\n<p><strong>Common cryptography blunders<\/strong><\/p>\n<p>a. Storing encryption keys \u2018somewhere in the system\u2019; this could be a file, registry entry or database record.<\/p>\n<p>b. Using password-based encryption but storing the password in a file.<\/p>\n<p>c. Compiling keys into the program; decompilers can be used to obtain the password.<\/p>\n<p>d. Backing up the key with the cipher text.<\/p>\n<p>e. Using a single key to encrypt all data. Cryptanalysts can use patterns in cipher text to detect encryption keys.<\/p>\n<p>f. Managing key rotation. Key rotation is mandated by legislation such as PCI-DSS to overcome potential pitfalls mentioned in the previous point. However, planning key rotation is critical, as it is an extremely time-consuming activity that could result in prolonged downtime to complete the rotation.<\/p>\n<p>g. Using cryptography algorithms that are dependent on the application. As a consequence, when algorithms become redundant or are no longer secure, each application has to be amended to incorporate a new algorithm.<\/p>\n<p>h. Using encryption at the wrong layer of the stack. Encryption should be built in at the application level instead of the database, network or server. Building encryption at the lower levels of the stack is considered easier than building in encryption at the application level. 
For example, if you have implemented full disk encryption to encrypt data, then once the data is decrypted it is available to all applications accessing it, including attack applications.<\/p>\n<p><strong>Some common solutions<\/strong><\/p>\n<p>a. Eliminate sensitive data if not required by business processes. If you don\u2019t have the data, you can eliminate the risk.<\/p>\n<p>b. Minimize the use of business-sensitive data by limiting the number of applications accessing this data. Tokenizing data is an effective way of using sensitive data across applications.<\/p>\n<p>c. Further, build encryption into the applications accessing sensitive data.<\/p>\n<p>d. Abstract cryptography out of the application by building encryption as a centralized service to which applications make calls to decrypt data. This will ensure that you can build the application without impacting the underlying encryption and vice versa.<\/p>\n<p>e. Use cryptographic hardware modules, as these are harder to compromise than software-based encryption.<\/p>\n<p>f. Use industry standard tools and guidelines for algorithms.<\/p>\n<p>g. Use specialized encryption tools instead of customized solutions.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this article we look at some common cryptography pitfalls relating to the management of keys and other related issues. 
Some cryptography fundamentals have been listed below for purposes of clarity.<\/p>\n","protected":false},"author":5,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","enabled":false},"version":2}},"categories":[78,12,13],"tags":[],"class_list":["post-1593","post","type-post","status-publish","format-standard","hentry","category-information-technology","category-itsec","category-network"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p9AH7Q-pH","_links":{"self":[{"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/posts\/1593","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/comments?post=1593"}],"version-history":[{"count":0,"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/posts\/1593\/revisions"}],"wp:attachment":[{"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/media?parent=1593"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/categories?post=1593"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/tags?post=1593"}],"curies":[{"name":"wp","
href":"https:\/\/api.w.org\/{rel}","templated":true}]}}