November 20, 2020

Keep Calm and Carry On: Why you may already have the solution to Post-Quantum Cryptography

These are anxious times. For the worriers among us 2020 has been a bumper year. We’ve had a global pandemic and the rise of Fascism in democratic countries. Not content with this, the techno-literate fretful have added ‘Quantum Supremacy’ (i.e. the point at which quantum computers outperform their digital traditional cousins) to the list of concerns.

It is easy to forget that an absolutely secure computer system does not exist. Public key cryptography like RSA, elliptic curve, Diffie-Hellman, etc. makes it absurdly difficult, but not impossible to circumvent its well-designed security measures. If it wasn’t for the small issue of the Heat Death of the Universe, a traditional computer could access your client’s private data in a mere few hundred billion years. That is to say vulnerabilities exist, but currently they are practically impossible to exploit.

Inevitably the greatest threat to your encrypted data will always be bad cryptography practices and human error, but quantum computing, unbound by the limitations of traditional digital computation, makes cracking public key encryption entirely possible.

The Doom and Gloom

Depending on the quality of the qubits involved, 2048-bit RSA encryption can be cracked in 8 hours or, if you have a few thousand perfectly stable qubits, a handful of seconds. Symmetric cryptography might withstand a quantum attack but the effective keysize would be halved. The catastrophic consequences are unlimited. Think about how easy it would be to force a code update using a forged signature leading to the takeover of millions of devices. Billions of financial transactions are now insecure.
Continue reading →

October 27, 2020

FedRAMP and FIPS 140-2 Cryptography

If you want to supply cloud-based services to the US Federal Government, you have to get FedRAMP approval. This certification process covers a whole host of security issues, but is very specific about its requirements on cryptography: you have to use FIPS 140-2 validated modules wherever cryptography is needed.

This is a stronger requirement than just using the NIST recommended (or “FIPS compliant”) algorithms: you have to be able to show that the implementation of these algorithms has passed a FIPS 140-2 validation in an approved lab.

Proving that your application uses only these modules can be time-consuming for large applications. For example in Java, if you call cryptography through the standard JCE interface without giving an explicit provider, the JVM figures out at run-time which provider should respond based on the algorithms available and the provider order.

On top of this, the current Bouncy Castle FIPS implementation (which is the only show in town as far as software-only FIPS 140-2-validated Java providers go at the moment) can run in both FIPS and non-FIPS mode. Setting FIPS mode is also a run-time property, and not stable across threads.

screenshot of the FIPS verifier rule in Cryptosense Analyzer

Cryptosense Analyzer highlighting non-FIPS validated modules in use

Fortunately you don’t have to do this by hand any more: Cryptosense Analyzer can now detect whether a FIPS-validated module has been used in the right mode, and produce reports that enable you to export issues to developers or vendors for fixes, or submit to an auditor to show you’re complying with the requirement.

Find out more about how Cryptosense Analyzer helps detect FIPS validated crypto modules in the video below, or get in touch for a demo.

July 31, 2020

What is a Keyblock?

In financial cryptography and PCI standards, a Key Block is an encrypted key stored with its metadata in a cryptographically secure way. That means that the key’s usage information and other parameters can’t be altered by an attacker by tampering with the encrypted key.

To understand why they are useful, and why their adoption is now a big deal in the financial services industry, we have to look at a little history.

A Brief History of PINs

We all have experience of using PIN codes at ATMs (cash machines) to authenticate ourselves to our bank and withdraw money. How does the issuing bank check we used the correct PIN? Likely we would imagine all the customer PINs being stored hashed in a database, somewhat like passwords, but in fact for historical reasons the system is quite different.

Continue reading →

June 3, 2020

Cryptography Inventory – Best Practice Tips

Here’s a roundup of best practice tips for getting started with your cryptography inventory project.

The information below is a summary based on our experience of cryptography inventory projects with some of our clients. If you’d like more detail, we have an on-demand webinar series and a whitepaper on this subject.

Cryptography Inventory Tips

Why am I building an Inventory?

This may seem obvious, but in large organizations where the inventory is required by multiple teams for different reasons, conflicts can easily arise.

Ease of data collection and usability of the end result are critical factors in the success of the inventory project. Consider the type of queries that different teams will ask of the inventory across the next 3-5 years. Can we predict any changes in the type of information that we will want to record over that time? For example, the driving factor behind your cryptography inventory project today is to become more crypto-agile, yet once it has been built, what happens if the compliance team now want to use it?

Continue reading →

May 7, 2020

ANSSI TLS recommendations v1.2 in Cryptosense Discovery

Our cryptography service discovery site discovery.cryptosense.com detects servers under a given domain name and runs SSH and TLS scanners against each of them. The results are checked against best practices carefully defined by Cryptosense. You can also choose to check your results against other widely known standards: ECRYPT and NIST.

Continue reading →

April 7, 2020

The Zoom Encryption Protocol – Why ECB Is Bad

If you use Zoom video-conferencing software, you probably be aware of the recent controversy about the security of their encryption protocols.

In this short video, Graham gives his take on the controversy:

In particular, Graham thinks arguments about whether ECB mode encryption allows a passive attacker to reconstruct the video stream are missing the point: using ECB mode may well allow nastier active attacks, involving splicing the stream to provoke errors or other behaviour that could allow chunks of encrypted data to be revealed.

As of writing this, Zoom are working on a security update. We’re hoping they will be transparent about an update to their cryptographic architecture.

March 20, 2020

Key Usage Detection in Cryptosense Analyzer

Cryptographic Key Usage

Identifying the cryptographic keys an application really uses, what they are used for, and how they are stored, is a critical step towards many transformation projects. For example: automating cryptography inventory, or preparing to migrate an application to the cloud. This information also allows us to check that all the right data is being protected, and find a cloud crypto service that can accommodate the keys the application needs.

Previously, this was a time-intensive manual job, which involved inspecting code or testing the application environment. Now, Cryptosense Analyzer can automate key usage detection.

How Analyzer Finds Key Usage Information

Unlike other tools on the market, Cryptosense Analyzer is able to see inside running applications, this gives it a unique insight into the real workings of the application.

Cryptosense Analyzer works by tracing all the calls an application makes to its crypto libraries in a IAST style. Once this information has been passed through our analysis engine, you get an output showing cryptography inventory information and vulnerability analysis on all the cryptographic operations the application carries out. Since February 2020, Analyzer also infers a list of cryptographic keys, and keeps track of what they are used for.

What the Key Lifecycle Report Looks Like

Here you can see the result we got when we ran Analyzer on the Jenkins application. The interface allows you to filter out certain keys, such as those that are unused (often public key certificates in TLS keystores), and ephemeral keys (like TLS session keys).

If you are planning a migration to cloud cryptography, you can also check which keys would be suitable for direct use as a bring-your-own key in cloud crypto services.

Usage of all application keys

For each key, you can click to drill down on all the operations carried out by that key.

And for each operation, you can see the exact lines of code that made the calls.

What’s next? More help with Cloud Migrations.

We have been testing the new Key Lifecycle detection feature with a group of early users. They have already found that having accurate information showing what keys are doing and how they are stored is a great help for speeding up migration work. It has also helped them to easily identify poorly protected keys and missing encryption.

Watch this teaser for a quick walkthrough on how to find out which of your keys are compatible with Google Cloud Platform.

We are working on making it even easier to transform key storage for the cloud. Sign up for our newsletter (box in the upper right) to keep up to date with new features as they’re released, or get in touch for a demo.

December 5, 2019

Cloud Encryption Part Two: Client Side Encryption for Azure Storage

Azure Storage is one of the most widely used services in the Microsoft Azure cloud, and is the Azure equivalent of the AWS S3 service. Most users of the service know that it is wise to encrypt sensitive data before storing it in the cloud. In this post, we will look at how that can be done using the Azure Java SDK, and will use the Cryptosense Analyzer Platform to gain insight into how the Azure SDK encrypts your data.

Continue reading →

November 12, 2019

The Capital One Breach and Cloud Encryption

On 29th July 2019 CapitalOne Financial Corp announced a data breach affecting 140 000 of their customer’s social security numbers and 80 000 bank account numbers. CapitalOne is a major user of AWS cloud, and in this case the stolen data was stored in AWS S3 buckets. Since the perpetrator was arrested and left quite a long trail on social media, much more detail about this breach has become public than usual, allowing in-depth analysis of what went wrong.
Continue reading →

August 26, 2019

What is Cryptographic Inventory?

Companies that handle sensitive data are frequently required to demonstrate to internal or external auditors that they use cryptography appropriately as part of their data protection strategy. This requires them to use a definition of acceptable cryptography (that often comes directly from a standards body like NIST/FIPS or PCI-DSS), and evidence that this policy is enforced throughout their infrastructure.

An automated, up-to-date Cryptographic Inventory provides this evidence. It can also be leveraged to develop “crypto agility” (the ability to change cryptographic libraries and algorithms rapidly when required). But what exactly should you put in a “crypto inventory”, and how do you make one efficiently?

Continue reading →