👋Welcome
📖Resources
⚒️Tools
🔧Generic Development
☁️Web Development
- Generic
- APIs
☁️Cloud
- Cloud native
- Kubernetes
😈On the other side
- Red team

Powered by GitBook

On this page

About
Best practices
Resources
Tools
Sources

Was this helpful?

Generic Development

Cryptography

Cryptography is hard, difficult, but we must know about its importance

PreviousGit & other VCS NextGeneric

Last updated 1 year ago

Was this helpful?

About

Cryptography is the process of hiding or coding information so that only the person a message was intended for can read it. Cryptography remains important to protecting data and users, ensuring confidentiality, and preventing cyber criminals from intercepting sensitive corporate information. [2]

Cryptographic keys are a foundational element of modern cybersecurity. They serve to keep data safely encrypted and help maintain secure networks for client-server communication. Unfortunately, this makes them a prime target for hackers. A single compromised key can give access to a goldmine of personal data and valuable IP, as well as enable other malicious actions such as unauthorized system access or signing digital certificates. Yet, despite its importance, many software developers still do not prioritize cryptographic key protection. [3]

Best practices

Here are some best practices to follow regarding Cryptography and Cryptographic keys [1][2][3][4]:

NEVER use custom algorithms...
Encrypt all data in transit with secure protocols such as TLS with forward secrecy (FS) ciphers, cipher prioritization by the server, and secure parameters
Enforce encryption using directives like HTTP Strict Transport Security (HSTS)
Encrypt data at rest
Disable caching for response that contain sensitive data
Do NOT use legacy protocols for transporting sensitive data
Store passwords using strong adaptive and salted hashing functions with a work factor (delay factor), such as , , or
Always use authenticated encryption instead of just encryption
Perform encryption in the correct layer ()
Verify independently the effectiveness of configuration and settings
Use approved and appropriate cryptographic algorithms () ()
- Avoid deprecated cryptographic functions and padding schemes, such as , , v1.5
- Take into account Cipher modes () and Random padding ()
Never hard-code keys in your software
Minimise the storage of sensitive information
Use secure random number generation () and be aware of UUIDs and GUIDs generation ()
Limit keys to a single, specific purpose
Use hardware-backed security when posible
Separate Keys from data ()
Encrypt Stored Keys ()
Put robust in place (see section, the ones related with keys)
- Key generation ()
- Key lifetimes and rotation ()
- Key lifecycle ()
- Key storage () and backup ()
- Access protections and restrictions ()
Take advantage of for key protection gaps

Resources

Tools

Sources

[1]:

[2]:

[3]:

[4]:

🔧

Secrets management

white-box cryptography

A02 Cryptographic Failures - OWASP Top 10:2021

OWASP Proactive Controls: Protect Data Everywhere

OWASP Application Security Verification Standard (V7, 9, 10)

OWASP Cheat Sheet: Transport Layer Protection

OWASP Cheat Sheet: User Privacy Protection

OWASP Cheat Sheet: Password Storage

OWASP Cheat Sheet: Cryptographic Storage

OWASP Cheat Sheet: Key management

OWASP Cheat Sheet: HSTS

OWASP Testing Guide: Testing for weak cryptography

The Definitive Guide to Encryption Key Management Fundamentals (townsendsecurity.com)

Practical Cryptography for Developers (nakov.com)

OWASP Testing Guide: Testing for weak cryptography

Cryptography | NIST

What is Cryptography? Definition, Importance, Types | Fortinet

Five cryptographic key protection best practices - Security Boulevard

Key Management - OWASP Cheat Sheet Series