fix

Introduction to Cryptographic Failures

OWASP Top 10 2021 details dangerous & potential vulnerabilities. An introduction to the second position on the list, cryptographic failures.

By
Omkar Hiremath
8 mins min read

TL;DR:

  • Cryptography is essential for data protection, but failures can lead to exposure of sensitive information.
  • Cryptographic failures can result from various weaknesses like hard-coded passwords and insufficient entropy.
  • The impact of cryptographic failures includes data theft, breaches, and reputation damage.
  • To mitigate cryptographic failures, use strong encryption keys, follow secure coding practices, and conduct regular penetration testing.
  • Businesses must assess and improve their cryptography implementations to prevent vulnerabilities.

Cryptography comprises the tools and techniques used to protect data at rest and in transit to uphold the ideology of the CIA Triad. We are quite known for “not rolling your crypto”. By using a widely accepted standard, you have some level of assurance that the algorithm will not be flawed. You only need to ensure that its implementation is secured. But this assurance is not always completely true. Traditional encryption techniques are not enough due to the rapidly changing threat environment. Weak encryptions might result in the exposure of sensitive data through potential vulnerabilities. This is known as a cryptographic failure. In this article, we’ll discuss in detail, what a cryptographic failure is, and how cryptographic failures affect businesses. In this article, we’ll delve into an introduction to cryptographic failures, exploring their impact on data security. Subsequently, we’ll discuss some examples and mitigation techniques.

Understanding Cryptographic Failures and Their Implications

OWASP Top 10 list was out in 2021 and as usual, it has enlightened us about the most dangerous and potential vulnerabilities. And cryptographic failure (previously known as Sensitive Data Exposure) has occupied the second position in the list of Top 10 vulnerabilities. So what is this all about?

As per OWASP, cryptographic failure is a symptom instead of a cause. Any failure responsible for the exposure of sensitive and critical data to an unauthorized entity can be considered a cryptographic failure.

There can be various reasons for cryptographic failure. Some of the Common Weakness Enumerations (CWEs) are:

  • CWE-259: Use of Hard-coded Password,
  • CWE-327: Broken or Risky Crypto Algorithm, and
  • CWE-331: Insufficient Entropy.

So what happens when these weaknesses turn into failures? How do cryptographic failures affect businesses? Now that we have an idea of what cryptographic failure is, let’s try to understand how it impacts an organization and individuals.

Exploring Real-World Examples of Cryptographic Failures and Their Consequences

Cryptographic failures have led to significant security breaches in various real-world scenarios. The Heartbleed vulnerability exposed sensitive information in OpenSSL implementations, while the Dual EC DRBG backdoor raised concerns about intentional weaknesses in encryption algorithms. WhatsApp's flaw allowed attackers to inject spyware through voice calls, compromising user privacy. The Exactis debacle resulted in the exposure of 340 million individual records, including names, phone numbers, and emails of US citizens. Similarly, Facebook faced a major incident where millions of user passwords were stored in plain text, accessible to employees. These examples underscore the critical importance of robust cryptographic practices and the potential consequences of failures in encryption systems, highlighting the need for continuous vigilance and improvement in cybersecurity measures.

Analyzing the Impact of Cryptographic Failures on Security

Poor cryptography directly affects the security of an application and its data. Lack of security can let attackers steal and modify data to conduct fraud, and identity theft, which can lead to serious consequences.

Attackers try to steal keys, execute man-in-the-middle attacks, or steal data from the server, in transit, or from the browser. This again leads to compromise in sensitive information.

The impact of a cryptographic failure is not limited to stealing a piece of information from/of a user. Attackers can get hold of a complete database having thousands of sensitive information, data theft, public listing, breaches, and many critical problems with business-related data. You can also imagine a scenario where the credentials of an admin are stolen and the attacker gets complete control of a server. Cryptographic failures can result in irreparable damage to reputation and heavy lawsuits.

Assessing Vulnerabilities in Your Application Related to Cryptographic Failures

Let's say you have an application up and running. Now you want to assess if your application is vulnerable to cryptographic failures. Of course, if you want an answer to that backed by rigorous tests, you need to wait for those tests to happen. But some aspects are so simple that just asking yourself a couple of questions can give you a sense of confidence.

Here are some of those questions:

  • Is data being transmitted in clear text?
  • Does my system store sensitive data in clear text?
  • Is my application using any old or weak encryption algorithms?
  • Am I using default configurations and keys for my cryptography systems?
  • Am I not following secure key management?
  • Is my application not using secure connections with valid certificates?

If your answer to any of these questions is a “yes”, then you’re vulnerable to cryptographic failures. To understand how these questions decide your crypto-security and see how cryptographic failures happen, let’s look at some examples.

Examining Instances of Cryptographic Failures in Various Scenarios

Scenario 1: Breaking Unsalted Password Hashes Using Rainbow Tables

Just encoding passwords is not enough in this era. With powerful tools and techniques, unsalted hashes are not very difficult to crack. Password salting makes it difficult for any password cracking technique as the salt adds additional length to the password. The longer the salt, the more difficult it gets. However, If you’re storing unsalted passwords, an attacker can use a rainbow table to crack these passwords.

Scenario 2: Challenges with Automated Database Encryption and Decryption

Modern database management systems are taking cryptography seriously. That’s why they provide features like transparent data encryption (TDE) that take care of the encryption of data as they’re written into the database. But the problem is that this data is also automatically decrypted when you retrieve it. So this still makes it vulnerable to cryptographic failures from techniques such as SQL injections.

Scenario 3: Risks Associated with Lack of TLS Encryption

Supposedly a website does not use strong protocol. Attackers can take advantage of this and get access to your network traffic. This is not just limited to spying on the network traffic. To think of possibilities, an attacker can access all the requests made through your browser, modify requests, and steal cookies of users’ sessions. They can also force the connection from HTTPS to HTTP to get access to decrypted data. This can be fatal as sensitive and highly confidential data is being exposed.

Scenario 4: Dangers of Insecure Password Management

You’ve probably heard of many cases where an “intern” accidentally pushed some code with hard-coded credentials to a repository. This led to cryptographic failure. Imagine a developer having access to a database pushing a code with their credentials on a public server. What a malicious actor could do with that is scary! This is a lack of secure password/credentials management.

Strategies for Preventing and Addressing Cryptographic Failures

Importance of Encryption Keys in Preventing Cryptographic Failures

It is recommended that all the encryption keys should be created cryptographically. They should be stored in the form of byte arrays. Plain text passwords should always be converted into cipher text or encrypt them using these keys. It should only be done using a strong encryption method or algorithm. Using lengthy salts for sensitive data additionally increases security.

Implementing Secure Coding Practices to Avoid Cryptographic Failures

Secure coding is a set of guidelines that developers follow to integrate security within the application’s code. These practices ensure the use of strong cryptography practices in various parts of the application rather than only on the perimeter of the application’s components. Therefore reducing the chances of cryptographic failures.

Conducting Penetration Testing to Identify Cryptographic Vulnerabilities

Cryptography is one such aspect of security that’s difficult to get perfectly right. That’s why to ensure that you haven’t missed out on anything, you need to conduct regular penetration testing. Penetration testing lets you understand an attacker’s perspective of your application. Therefore, thinking like an attacker helps in identifying any cryptographic and other weaknesses and helps prioritize fixes.

In Summary, Understanding and Addressing Cryptographic Failures

Long story short, It is quite clear why the OWASP Top 10 has cryptographic failures on their list. This is something that shouldn't be taken lightly as companies big scale and small have been a victim of cryptographic failures.

The scope of strengthening cryptography in your application is rather large because it’s not just a single loophole or a bug to fix. It is a collection of weaknesses or poor cryptographic practices that need to be addressed. One thing is clear from all the things we’ve covered so far - It is crucial to assess the strength of your cryptography implementations in your application and work towards improving it. Understanding the introduction to cryptographic failures is crucial to assessing the strength of your cryptography implementations.


About Software Secured:

Software Secured offers high-quality manual penetration testing combined with our proprietary testing stack to provide a more comprehensive test. Streamline multiple security projects in one place through Portal, the online reporting dashboard that allows you to manage tests, track SLAs, download reports, and view your security posture over time.

Software Secured offers baseline penetration testing for one-time proof of your application security or year-round security coverage through Penetration Testing as a Service (PTaaS). Software Secured also offers a variety of augmented services such as security code review, internal network pentesting, secure cloud review and threat modelling.

 If you are interested in learning more or booking a threat modelling service, please book a call with us.

About the author

Omkar Hiremath

Get security insights straight to your inbox

Additional resources

Here to get you started

Say goodbye to 300+ page penetration test reports

Providing the quality of the biggest names in security without the price tag and complications.

Book a 30 min consultation

Manual penetration testing

Full time Canadian hackers

Remediation support

CTA background