Preventing Insecure Cryptographic Storage
If you are not already familiar with the concept of Insecure Cryptographic Storage, we suggest you review the article entitled “What Is Insecure Cryptographic Storage?“.
For insight into how to detect Insecure Cryptographic Storage, please see the article entitled “How To Test For Insecure Cryptographic Storage“.
Secure Storage Options
There are several approaches to encrypting sensitive information at rest, one or more of which must be implemented to avoid Insecure Cryptographic Storage:
- Database Encryption: Most modern database platforms offer the ability to partially (i.e. selected columns) or entirely (by tablespace) encrypt storage. It is configured by the database administrator and is transparent to applications using the database. Note however that this approach only protects against theft of the database, as the data is fully accessible via a compromised account or application.
- Application Encryption: The application is responsible for encrypting data before storing it and and decrypting after reading it. One challenge here is all other applications seeking to share the data must also implement the same solution. The data is protected from database theft and database account compromise, but not application compromise. It is essential that the application employ a modern public encryption algorithm that is not known to have been compromised.
- Avoid storing the data. If it is not strictly necessary to persist sensitive data, then it is better not to.
All encryption solutions suffer the same problem, that of Key Management. The Key Management problem entails:
- Keys are sensitive information and must be protected, leading to a chicken and egg problem
- Keys must be periodically rotated (i.e. changed) in a manner similar to passwords
- Historical data (old keys and usage periods) must be kept so that backups can be decrypted using the appropriate key
- Keys must be accessible to all personnel and applications that have legitimate need to access them
The industry has embraced special network appliances called Hardware Security Modules (HSMs) as a secure repository for keys and other credentials. Password Vaults are a less expensive (software only) solution, and both Java and .NET provide simple facilities for key management.
About Affinity IT Security
We hope you found this article to be useful. Affinity IT Security is available to help you with your security testing and train your developers and testers. In fact, we train developers and IT staff how to hack applications and networks.
Perhaps it was a network scan or website vulnerability test that brought you here. If so, you are likely researching how to find, fix, or avoid a particular vulnerability. We urge you to be proactive and ensure that key individuals in your organization understand not only this issue, but also are more broadly aware of application security.
Contact us to learn how to better protect your enterprise.
Although every effort has been made to provide the most useful and highest quality information, it is unfortunate but inevitable that some errors, omissions, and typographical mistakes will appear in these articles. Consequently, Affinity IT Security will not be responsible for any loss or damages resulting directly or indirectly from any error, misunderstanding, software defect, example, or misuse of any content herein.