Cryptography is an important security security control for any application. It is essential in securing data at rest and in transit. But how do you know your team is following good and solid crypto practices? How do you know whether there are gaps that need to be addressed. Three questions you can ask your team to get an idea of whether your application is properly protecting clients’ data. This is not an exhaustive guide on cryptography, but a quick cheat sheet to help you figure out where do you stand in securing your client’s data. The three questions you need to ask are:
1. Do you have a list of sensitive data stored in your database? You can’t really protect what you don’t know. There are obvious sensitive data such as user passwords, credit card data, social security numbers, etc. But there are also non-obvious sensitive data such as customers names and addresses. In a lot of countries, the combination of a person’s name and address is considered private information and should be protected. Typically selling to larger organizations or Government departments requires a list of sensitive data collected by the application and their classifications. Also in the healthcare industry, patient records should be protected and is regulated in U.S by HIPAA and in Canada by PIPEDA.
2. Are you using the proper crypto for each data type? The next question is whether you are using the proper crypto for each data type. There are two main crypto types commonly used by developers:
a- Hashing: is the transformation of a string of characters into a usually shorter fixed-length value or key that represents the original string. Hashing is used when the original form of the information is not required which is suitable for storing passwords. Keep in mind that attackers could use rainbow tables so you will need to salt your passwords using a unique salt for each password before storing them in the database.
b- Encryption: there are two types of encryption; symmetric encryption which is used to encrypt data such as this is usually used to store data such as bank accounts, credit card numbers, etc. And asymmetric encryption which is used to mostly to exchange secret data.
c- Message Authentication Code (MAC): produces a digest of a message to ensure integrity. The way it works is pretty much like hashing except that it includes a secret key used to authenticate the message’s integrity. This is used a lot when sending data where integrity is more important than confidentiality. So it is not important for others to see the message but it is important for this message not to be changed while in transit.
3. Are you using the proper crypto algorithm? Now that we know the sensitive data that needs to be secured, and we know which crypto type to use. The next step is to ensure that we are using a solid algorithm for each crypto type:
a- Hashing: Anything less than SHA512 is considered weak today. MD5 has been broken several times and SHA1 has also been broken. Also, if you are using hashing to store passwords, they must be combined with a Salt that is unique to each user.
b- Encryption: for symmetric encryption AES and 3-DES are considered secure to use today. For key size, NIST 800-57 special publication has guidelines on minimum key sizes for each algorithm and how long this key size is good for. There are several well respected asymmetric algorithms out there, probably one of the most commonly used is RSA
c- For MACs: as it is one form of hashing, the same criteria for choosing an algorithm could also apply here.
Now this article is not supposed to be a complete guide on auditing crypto but it is intended to be a starting point on how to quickly and effectively find out gaps in your security controls designed to securely save data at rest.