How Common are Cryptographic Vulnerabilities?

How common are cryptographic vulnerabilities? So the answer, in brief, is: more common than you think.

Why is that? Well, when most people think about cryptography, they think about encryption of data at rest. Okay, so I've got some sensitive data, I'm gonna stick it in my database, and I'll make sure it's encrypted while it's there, just in case someone reads the database in an unauthorized way and gets a hold of that stuff. But modern applications use cryptography for many more things. First of all, sure, they encrypt data they're going to store. They also encrypt data for controls, so for things like single sign-on, session management, allowing one part of the application to talk to another part. Plus there's all the network protocols: so likely I'll be sending data over TLS, but I might have application-level crypto protocols encrypting the data as well. So there is usually a lot more encryption inside an application than we first think.

Then, how common are the errors? So generally people know which algorithms are supposed to be used, but getting crypto right, unfortunately, is a lot more complicated than just using the right algorithm. There's a whole story about how to use the right kind of padding modes, how to generate and store the keys in the right way, how to put together the cryptographic operations into a secure protocol. It's extremely difficult; even experts often get it wrong in their first attempt in this kind of design space.

How common are mistakes where we get it wrong? So it's hard to be completely sure, but one way to find out, at least an indication, is to take a look at some public vulnerability databases like the CVE list. We took the CVE list from 2018 and added up all of the errors in there which are down to cryptographic bugs. So some of these are choosing the wrong algorithm, but a lot of them are key management issues, and issues to do with using weak randomness for cryptographic values, and hard-coding cryptographic credentials: all these other rubber-hits-the-road issues that can go wrong when you actually try and deploy cryptography. So if you compare these issues to, for example, a common category like SQL injection, you find out there's actually way more cryptographic vulnerabilities in one year's worth of data in the CVE database than there are SQL injections, which one might think is a pretty common category.
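The tally the speaker describes, as an added example that is not part of the talk: a small Python script that classifies NVD-style CVE records by their CWE ids into the crypto mistake classes named above (wrong algorithm, key management, weak randomness, hard-coded credentials) versus SQL injection, counting each CVE once. The feed records are constructed placeholders and the CWE-to-class mapping is my own grouping, not the speaker's.

```python
"""Tally crypto-related CVEs against SQL injection by CWE in an NVD 1.1 feed."""
import json
from collections import Counter

# Assumption: this mapping of CWE ids onto the talk's mistake classes is my own.
CRYPTO_CWE = {
    "CWE-327": "wrong or broken algorithm",
    "CWE-326": "inadequate encryption strength",
    "CWE-320": "key management error",
    "CWE-338": "weak PRNG used for crypto values",
    "CWE-798": "hard-coded credentials",
    "CWE-321": "hard-coded cryptographic key",
}
SQLI_CWE = {"CWE-89"}

def _rec(cve_id, *cwes):
    # One CVE_Items entry in the shape NVD 1.1 JSON feeds use.
    return {"cve": {"CVE_data_meta": {"ID": cve_id},
                    "problemtype": {"problemtype_data": [
                        {"description": [{"value": c} for c in cwes]}]}}}

# Constructed sample feed; the ids are placeholders, not real 2018 CVEs.
SAMPLE_FEED = json.dumps({"CVE_Items": [
    _rec("CVE-2018-00001", "CWE-338"),
    _rec("CVE-2018-00002", "CWE-798"),
    _rec("CVE-2018-00003", "CWE-89"),
    _rec("CVE-2018-00004", "CWE-327", "CWE-326"),
    _rec("CVE-2018-00005", "NVD-CWE-noinfo"),
    _rec("CVE-2018-00006", "CWE-79"),
]})

def cwe_ids(item):
    """All CWE ids attached to one entry (an entry may carry several)."""
    return {d["value"] for pt in item["cve"]["problemtype"]["problemtype_data"]
            for d in pt["description"] if d["value"].startswith("CWE-")}

def tally(feed_json):
    """Return (totals, crypto_breakdown); each CVE counts once, crypto wins ties."""
    totals, breakdown = Counter(), Counter()
    for item in json.loads(feed_json)["CVE_Items"]:
        ids = cwe_ids(item)
        hits = ids & set(CRYPTO_CWE)
        if hits:
            totals["crypto"] += 1
            breakdown.update(CRYPTO_CWE[c] for c in hits)
        elif ids & SQLI_CWE:
            totals["sqli"] += 1
        else:
            totals["other"] += 1
    return totals, breakdown
```

Point `tally` at a real yearly feed (the `nvdcve-1.1-2018.json` file from NVD) to reproduce the comparison with real numbers; the classes a CVE lands in depend entirely on the CWE mapping you choose, so state that mapping alongside any count you report.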
