Cryptography is where information security lurches from the Hollywood image of spies and hackers and gets all boring and scientific. Still, plenty of developers would prefer to move cryptography concerns to the bottom of their priority list, somewhere between achieving world peace and sorting their sock drawers.
Not OK, devs, not OK.
Rules for devs to live by
One of the fathers of modern cryptography, Adi Shamir, recently said (and has been saying for years) that computer security isn't a solvable problem. Ignore that. Good crypto hygiene is important to your code's success. Fortunately, even if the algorithms are complex, the rules for implementation are simple. Here are three implementation rules to help developers:
Implementation rule 1: Don't roll your own
You're expected to become a crypto expert, but we already know you won't. Leave that to those who feel the call to devise the cryptography primitives on which crypto systems are built. Familiarize yourself with the basic terminology, and focus your efforts on appropriate implementation of established protocols.
Implementation rule 2: You've got to keep up with the Joneses
In this situation, the Joneses are the aforementioned hackers and spies. More realistically, they're any adversary that might find and exploit vulnerabilities in your code, as implemented by any customer, at any point in the code's life cycle. It's a tall order and one that all but asks you to predict the future.
What you can predict is that faster computers will always make it easier to quickly crack encryption. To that end, resolve to use up-to-date cryptography systems. The HP Security Research team recently updated its Crypto Manifesto guidance to reflect current best practices for the use of cryptographic hash, encryption and encoding algorithms, cryptographic keys, pseudo-random number generators, password-based key derivation functions, digital signature keys, entropy sources, and protocol versions. The changes are aptly described as "practical trade offs between maximal security and acceptable paranoia." Many of the standards that were quite acceptable when the original Manifesto was released in 2009 are now aggressively disallowed by current industry and government standards.
Implementation rule no. 3: You hold the key
Developers don't merely choose which crypto algorithms to implement; they choose the key lengths that control the behavior of each algorithm. The key, of course, is what makes it possible for data processed by the algorithm to be turned into incomprehensible strings and then back into meaningful information. The longer the key, the more difficult it is for a would-be attacker to unscramble the strings. Together, the key and the set of algorithms in use make up the cryptosystem.
Guard those keys
"Hold the key" isn't just a figure of speech here. Though algorithms are all quite public, each cryptosystem's keys should be closely protected. More specifically, in our modern age of asymmetric public-private key pairs, the private key of the cryptosystem, which handles signing encrypted strings and decrypting received strings, should be scrupulously guarded. Proper key management is an extremely important process (we'll take up the topic in another article). The public key, which handles encryption as well as verification of received strings, should include clear and correct attribution and should be properly signed by well trusted authorities.
If a symmetric key algorithm is used between two entities, both must be absolutely scrupulous about their single-shared private key. For an excellent example of a symmetric key system that seemed titanically resistant to cracking, only to fail when its key was compromised, grab some popcorn and watch The Imitation Game. The Enigma machines used a polyalphabetic substitution machine cipher—a symmetric key in action.
Keep learning
The future is security as code. Find out how DevSecOps gets you there with TechBeacon's Guide. Plus: See the SANS DevSecOps survey report for key insights for practitioners.
Get up to speed fast on the state of app sec testing with TechBeacon's Guide. Plus: Get Gartner's 2021 Magic Quadrant for AST.
Get a handle on the app sec tools landscape with TechBeacon's Guide to Application Security Tools 2021.
Download the free The Forrester Wave for Static Application Security Testing. Plus: Learn how a SAST-DAST combo can boost your security in this Webinar.
Understand the five reasons why API security needs access management.
Learn how to build an app sec strategy for the next decade, and spend a day in the life of an application security developer.
Build a modern app sec foundation with TechBeacon's Guide.
