A naive approach would be to just review the source code and search for cryptographic calls. However, this is both time-consuming and error-prone: what will the parameters be when this function is actually called? Which provider will respond to the call? Are we sure this isn't dead code or an unused part of a library? On top of this, a lot of crypto in large applications is called by third-party intermediate libraries and by components of application frameworks for which source code might not even be available.
Some applications will have documentation for their crypto operations, but often this is too imprecise, inaccurate or incomplete. For long-lived applications, the developers who worked on the cryptography or chose the third-party libraries might have left the organisation.
Automated Crypto Cartography
Our Analyzer software traces all the cryptographic operations an application makes while it runs. We’ve just added a feature that will let you visualise and explore these operations. The visualisation is interactive, so you can drill down and apply filters to take a tour by algorithm, mechanism, key-length, package or classname.
You can also observe the lifecycle of specific keys to see what they are used for. You can go right down to individual crypto operations and see the full parameters and the stack trace showing where the call came from.
You can visualise many applications at once, to identify where across your estate you are using particular algorithms or key lengths. This information is a boon for crypto agility projects, pre-migration preparations and crypto policy enforcement.
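As an added illustration of the kind of inventory such a runtime trace enables (example code written for this page, not Cryptosense's Analyzer; the trace record layout and the policy thresholds are assumptions), the following Python script aggregates constructed trace records by algorithm and key length, drills down by package, follows one key's lifecycle, and flags policy violations:

```python
import json
from collections import Counter

# Constructed sample trace (JSON lines); the record layout is an assumption for this example, not the Analyzer's real output.
SAMPLE_TRACE = """\
{"op":"KeyGenerator.generateKey","algorithm":"AES","mechanism":"AES","key_bits":128,"key_id":"k1","provider":"SunJCE","class":"com.example.shop.PaymentService"}
{"op":"Cipher.init","algorithm":"AES","mechanism":"AES/GCM/NoPadding","key_bits":128,"key_id":"k1","provider":"SunJCE","class":"com.example.shop.PaymentService"}
{"op":"Cipher.init","algorithm":"AES","mechanism":"AES/GCM/NoPadding","key_bits":128,"key_id":"k1","provider":"SunJCE","class":"com.example.shop.ReceiptStore"}
{"op":"KeyPairGenerator.generateKeyPair","algorithm":"RSA","mechanism":"RSA","key_bits":1024,"key_id":"k2","provider":"SunRsaSign","class":"org.legacy.sso.TokenSigner"}
{"op":"Signature.initSign","algorithm":"RSA","mechanism":"SHA1withRSA","key_bits":1024,"key_id":"k2","provider":"SunRsaSign","class":"org.legacy.sso.TokenSigner"}
{"op":"MessageDigest.digest","algorithm":"MD5","mechanism":"MD5","key_bits":null,"key_id":null,"provider":"SUN","class":"org.legacy.cache.EtagBuilder"}
"""

# Illustrative policy (an assumption): minimum key size per algorithm, plus mechanisms banned estate-wide.
POLICY = {"min_bits": {"RSA": 2048, "AES": 128}, "banned": {"MD5", "SHA1withRSA", "DES"}}

def parse_trace(text):
    """Parse JSON-lines trace records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def inventory(records):
    """Count calls per (algorithm, key_bits): the 'where do we still use RSA-1024?' view."""
    return Counter((r["algorithm"], r["key_bits"]) for r in records)

def callers_by_mechanism(records):
    """Map each mechanism to the sorted packages that call it (drill-down by package)."""
    out = {}
    for r in records:
        out.setdefault(r["mechanism"], set()).add(r["class"].rsplit(".", 1)[0])
    return {m: sorted(p) for m, p in out.items()}

def key_lifecycle(records, key_id):
    """Ordered (op, mechanism, class) for every call touching one key, from generation onwards."""
    return [(r["op"], r["mechanism"], r["class"]) for r in records if r["key_id"] == key_id]

def policy_findings(records, policy=POLICY):
    """Return (reason, mechanism, class) for each call that violates the policy."""
    findings = []
    for r in records:
        if r["mechanism"] in policy["banned"]:
            findings.append(("banned mechanism", r["mechanism"], r["class"]))
        minimum = policy["min_bits"].get(r["algorithm"])
        if minimum is not None and r["key_bits"] is not None and r["key_bits"] < minimum:
            findings.append((f"{r['algorithm']} key below {minimum} bits", r["mechanism"], r["class"]))
    return findings

if __name__ == "__main__":
    recs = parse_trace(SAMPLE_TRACE)
    print(inventory(recs), callers_by_mechanism(recs), key_lifecycle(recs, "k2"), policy_findings(recs), sep="\n")
```

Pointing the same functions at traces from several applications gives the estate-wide view of which packages still depend on a mechanism you plan to retire.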
Get a demo
If you think the Cryptosense Crypto Cartography tool could be useful for your project, we can arrange a trial. The tool currently works on Java only, but Microsoft .NET and PKCS#11 versions will soon be available. As a first step, get in touch to arrange a demo.