Cryptographic Vulnerabilities, News & Research

April 3, 2020

FIPS 140-3 Compliant Cryptography

Adjusting to the new world of NIST cryptographic module standards

We have had a number of queries recently at Cryptosense from people trying to figure out what FIPS 140-3 is, and how they can supply a FIPS 140-3 compliant solution to their customers.

To make sense of this question we first need to understand a little background. Maintained by NIST, the Federal Information Processing Standards (FIPS) gives guidance to external suppliers regarding the standards their products have to reach for use by the US Government. Over time, they have become de facto standards for other sectors and other countries.

Continue reading →

March 20, 2020

Key Usage Detection in Cryptosense Analyzer

Cryptographic Key Usage

Identifying the cryptographic keys an application really uses, what they are used for, and how they are stored, is a critical step towards many transformation projects. For example: automating cryptography inventory, or preparing to migrate an application to the cloud. This information also allows us to check that all the right data is being protected, and find a cloud crypto service that can accommodate the keys the application needs.

Previously, this was a time-intensive manual job, which involved inspecting code or testing the application environment. Now, Cryptosense Analyzer can automate key usage detection.

How Analyzer Finds Key Usage Information

Unlike other tools on the market, Cryptosense Analyzer is able to see inside running applications, this gives it a unique insight into the real workings of the application.

Cryptosense Analyzer works by tracing all the calls an application makes to its crypto libraries in a IAST style. Once this information has been passed through our analysis engine, you get an output showing cryptography inventory information and vulnerability analysis on all the cryptographic operations the application carries out. Since February 2020, Analyzer also infers a list of cryptographic keys, and keeps track of what they are used for.

What the Key Lifecycle Report Looks Like

Here you can see the result we got when we ran Analyzer on the Jenkins application. The interface allows you to filter out certain keys, such as those that are unused (often public key certificates in TLS keystores), and ephemeral keys (like TLS session keys).

If you are planning a migration to cloud cryptography, you can also check which keys would be suitable for direct use as a bring-your-own key in cloud crypto services.

Usage of all application keys

For each key, you can click to drill down on all the operations carried out by that key.

And for each operation, you can see the exact lines of code that made the calls.

What’s next? More help with Cloud Migrations.

We have been testing the new Key Lifecycle detection feature with a group of early users. They have already found that having accurate information showing what keys are doing and how they are stored is a great help for speeding up migration work. It has also helped them to easily identify poorly protected keys and missing encryption.

Watch this teaser for a quick walkthrough on how to find out which of your keys are compatible with Google Cloud Platform.

We are working on making it even easier to transform key storage for the cloud. Sign up for our newsletter (box in the upper right) to keep up to date with new features as they’re released, or get in touch for a demo.

March 6, 2020

Announcing Our Crypto Inventory Whitepaper

Cryptographic inventory has become a hot topic for enterprises over the last 12 months. Business drivers include reducing security risk, automating compliance, achieving crypto agility, and preparing for cloud crypto migration.

Our new whitepaper explains what we have learnt from working with our customers on crypto inventory projects: the why, what and how automated crypto management at scale. We reveal the secrets a successful project, and lessons learned about the kind of tools you need.

Download our free whitepaper here, and don’t hesitate to get in touch with your feedback.

December 5, 2019

Cloud Encryption Part Two: Client Side Encryption for Azure Storage

Azure Storage is one of the most widely used services in the Microsoft Azure cloud, and is the Azure equivalent of the AWS S3 service. Most users of the service know that it is wise to encrypt sensitive data before storing it in the cloud. In this post, we will look at how that can be done using the Azure Java SDK, and will use the Cryptosense Analyzer Platform to gain insight into how the Azure SDK encrypts your data.

Continue reading →

November 12, 2019

The Capital One Breach and Cloud Encryption

On 29th July 2019 CapitalOne Financial Corp announced a data breach affecting 140 000 of their customer’s social security numbers and 80 000 bank account numbers. CapitalOne is a major user of AWS cloud, and in this case the stolen data was stored in AWS S3 buckets. Since the perpetrator was arrested and left quite a long trail on social media, much more detail about this breach has become public than usual, allowing in-depth analysis of what went wrong.
Continue reading →

November 8, 2019

Automated Attack Trees for TLS Vulnerabilities: Improving Cryptosense Discovery

What’s new?

Cryptosense Discovery is our free tool to test a host’s usage of cryptography for common configuration mistakes and vulnerabilities. Discovery’s new version discovers more hosts and more vulnerabilities, and improves the visual representation of attacks. We achieve this by using a well-known visualization method called attack trees. Attack trees do not simply report scores: they explain why a host is vulnerable and what the user must fix first. This greatly eases the hard job of correctly configuring TLS servers — especially at scale, when prioritizing tasks is not always trivial.
Continue reading →

September 20, 2019

Using Cryptosense Analyzer in Containerized Applications

Containers are often designed to be stateless. That means all state changes made by the application happen in the database, or some external storage. They don’t happen on the container filesystem.

Previously, this made using Cryptosense Analyzer difficult. That’s because our IAST cryptography analysis tool works by tracing the calls an application makes to its cryptography libraries, and writing them to a trace file for later upload to Analyzer.
Continue reading →

August 26, 2019

What is Cryptographic Inventory?

Companies that handle sensitive data are frequently required to demonstrate to internal or external auditors that they use cryptography appropriately as part of their data protection strategy. This requires them to use a definition of acceptable cryptography (that often comes directly from a standards body like NIST/FIPS or PCI-DSS), and evidence that this policy is enforced throughout their infrastructure.

An automated, up-to-date Cryptographic Inventory provides this evidence. It can also be leveraged to develop “crypto agility” (the ability to change cryptographic libraries and algorithms rapidly when required). But what exactly should you put in a “crypto inventory”, and how do you make one efficiently?

Continue reading →

August 1, 2019

New cryptography in .NET Core 3.0

What’s the difference between cryptography in .NET Framework and .NET Core?

A large part of the .NET APIs are common to both .NET Core and .NET Framework. Microsoft even released the .NET Standard, a subset of .NET APIs provided by all .NET implementations, to simplify things for cross-implementation developers. However, there are still significant differences between Core and Framework, and cryptography is one of them.

Continue reading →