Cryptography

About

Cryptography is the process of hiding or coding information so that only the person a message was intended for can read it. Cryptography remains important to protecting data and users, ensuring confidentiality, and preventing cyber criminals from intercepting sensitive corporate information. [2]

Cryptographic keys are a foundational element of modern cybersecurity. They serve to keep data safely encrypted and help maintain secure networks for client-server communication. Unfortunately, this makes them a prime target for hackers. A single compromised key can give access to a goldmine of personal data and valuable IP, as well as enable other malicious actions such as unauthorized system access or signing digital certificates. Yet, despite its importance, many software developers still do not prioritize cryptographic key protection. [3]

Best practices

Here are some best practices to follow regarding Cryptography and Cryptographic keys [1][2][3][4]:

• NEVER use custom algorithms...

• Encrypt all data in transit with secure protocols such as TLS with forward secrecy (FS) ciphers, cipher prioritization by the server, and secure parameters

• Enforce encryption using directives like HTTP Strict Transport Security (HSTS)

• Encrypt data at rest

• Disable caching for response that contain sensitive data

• Do NOT use legacy protocols for transporting sensitive data

• Store passwords using strong adaptive and salted hashing functions with a work factor (delay factor), such as Argon2, scrypt, bcrypt or PBKDF2

• Always use authenticated encryption instead of just encryption

• Perform encryption in the correct layer (more info)

• Verify independently the effectiveness of configuration and settings

• Use approved and appropriate cryptographic algorithms (source) (more info)

  • Avoid deprecated cryptographic functions and padding schemes, such as MD5, SHA1, PKCS number 1 v1.5

  • Take into account Cipher modes (more info) and Random padding (more info)

• Never hard-code keys in your software

• Minimise the storage of sensitive information

• Use secure random number generation (more info) and be aware of UUIDs and GUIDs generation (more info)

• Limit keys to a single, specific purpose

• Use hardware-backed security when posible

• Separate Keys from data (more info)

• Encrypt Stored Keys (more info)

• Put robust key management in place (see Secrets management section, the ones related with keys)

  • Key generation (more info)

  • Key lifetimes and rotation (more info)

  • Key lifecycle (more info)

  • Key storage (more info) and backup (more info)

  • Access protections and restrictions (more info)

• Take advantage of white-box cryptography for key protection gaps

Resources

• A02 Cryptographic Failures - OWASP Top 10:2021

• OWASP Proactive Controls: Protect Data Everywhere

• OWASP Application Security Verification Standard (V7, 9, 10)

• OWASP Cheat Sheet: Transport Layer Protection

• OWASP Cheat Sheet: User Privacy Protection

• OWASP Cheat Sheet: Password Storage

• OWASP Cheat Sheet: Cryptographic Storage

• OWASP Cheat Sheet: Key management

• OWASP Cheat Sheet: HSTS

• OWASP Testing Guide: Testing for weak cryptography

• The Definitive Guide to Encryption Key Management Fundamentals (townsendsecurity.com)

• Practical Cryptography for Developers (nakov.com)

Tools

OWASP Testing Guide: Testing for weak cryptography

Sources

[1]: Cryptography | NIST

[2]: What is Cryptography? Definition, Importance, Types | Fortinet

[3]: Five cryptographic key protection best practices - Security Boulevard

[4]: Key Management - OWASP Cheat Sheet Series