Crypto Cartography: Mapping the Crypto in Applications

Graham Steel
March 22, 2019

A first step in many cryptography projects, be it preparation for Cloud migration, crypto agility, or improving application security, is to map out the cryptography actually in use in an application.

A naive approach would be to just review the source code and search for cryptographic calls. However, this is both time-consuming and error-prone: what will the parameters be when this function is actually called? Which provider will respond to the call? Are we sure this isn't dead code or an unused part of a library? On top of this, a lot of the crypto in large applications is called by third-party intermediate libraries and components of application frameworks, for which source code might not even be available.

Some applications will have documentation for their crypto operations, but often this is too imprecise, inaccurate or incomplete. For long-lived applications, the developers who worked on the cryptography or chose the third-party libraries might have left the organisation.

Automated Cryptography Cartography

Our Analyzer software traces all the cryptographic operations an application makes while it runs. We've just added a feature that lets you visualise and explore these operations. The visualisation is interactive, so you can drill down and apply filters to take a tour by algorithm, mechanism, key length, package or class name.
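To illustrate the runtime-tracing idea behind this (the product itself works on Java; what follows is an added, constructed Python sketch and not Cryptosense code), the hooks below wrap `hashlib.new` and `hmac.new`, record the algorithm, key length and call site that each operation actually used, and summarise them by algorithm and by caller. The `CONFIG`, `legacy_token` and `sign` names are an invented stand-in application whose digest choice is only known at run time.

```python
import hashlib
import hmac
import traceback
from collections import Counter

TRACE = []    # one record per outermost crypto operation observed at run time
_depth = 0    # re-entrancy guard: a library's internal hash calls are not counted twice

def _record(algorithm, key_bits):
    frames = traceback.extract_stack()[:-2]             # drop _record and the hook itself
    TRACE.append({"algorithm": algorithm, "key_bits": key_bits,
                  "caller": frames[-1].name,            # function that made the call
                  "stack": [f.name for f in frames]})   # full path, like a stack trace

def _hook(original, describe):
    # describe(result, args, kwargs) -> (algorithm, key_bits) for the call just made
    def wrapper(*args, **kwargs):
        global _depth
        _depth += 1
        try:
            result = original(*args, **kwargs)
            if _depth == 1:                             # only the outermost operation is recorded
                _record(*describe(result, args, kwargs))
            return result
        finally:
            _depth -= 1
    return wrapper

def install_hooks():
    hashlib.new = _hook(hashlib.new, lambda h, a, k: (h.name, None))
    hmac.new = _hook(hmac.new, lambda m, a, k: (m.name, 8 * len(a[0] if a else k["key"])))

install_hooks()   # process-wide, so calls made from third-party helpers are captured too

# Constructed "application": the digest is chosen at run time from configuration,
# so grepping the source for the call cannot tell which algorithm actually runs.
CONFIG = {"token_digest": "sha1"}
def legacy_token(data: bytes) -> str:                   # stands in for a third-party helper
    return hashlib.new(CONFIG["token_digest"], data).hexdigest()
def sign(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, "sha256").digest()

def run_demo():
    TRACE.clear()
    legacy_token(b"user:42")
    sign(b"k" * 16, b"payload")
    sign(b"k" * 32, b"payload")
    by_alg = Counter((r["algorithm"], r["key_bits"]) for r in TRACE)   # drill down by algorithm / key length
    by_caller = Counter(r["caller"] for r in TRACE)                     # drill down by calling function
    return by_alg, by_caller
```

Each record also keeps the full call stack, which is what lets a reviewer trace an unexpected algorithm or short key back to the code that chose it.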

Cryptography summary

Drill down by package

Drill down by algorithm and padding

You can also observe the lifecycle of specific keys to see what they are used for. You can go right down to individual crypto operations and see the full parameters and the stack trace of where the call came from.

Single operation stacktrace

You can visualise many applications at once, to identify where across your estate you are using particular algorithms or key lengths. This information is a boon for crypto agility projects, pre-migration preparations and crypto policy enforcement.

If you think the Cryptosense Crypto Cartography tool could be useful for your project, we can arrange a trial. The tool currently works on Java only, but Microsoft .NET and PKCS#11 versions will soon be available. Find out more.