March 20, 2020

Key Usage Detection in Cryptosense Analyzer

Cryptographic Key Usage

Identifying the cryptographic keys an application really uses, what they are used for, and how they are stored, is a critical step towards many transformation projects. For example: automating cryptography inventory, or preparing to migrate an application to the cloud. This information also allows us to check that all the right data is being protected, and find a cloud crypto service that can accommodate the keys the application needs.

Previously, this was a time-intensive manual job, which involved inspecting code or testing the application environment. Now, Cryptosense Analyzer can automate key usage detection.

How Analyzer Finds Key Usage Information

Unlike other tools on the market, Cryptosense Analyzer is able to see inside running applications, this gives it a unique insight into the real workings of the application.

Cryptosense Analyzer works by tracing all the calls an application makes to its crypto libraries in a IAST style. Once this information has been passed through our analysis engine, you get an output showing cryptography inventory information and vulnerability analysis on all the cryptographic operations the application carries out. Since February 2020, Analyzer also infers a list of cryptographic keys, and keeps track of what they are used for.

What the Key Lifecycle Report Looks Like

Here you can see the result we got when we ran Analyzer on the Jenkins application. The interface allows you to filter out certain keys, such as those that are unused (often public key certificates in TLS keystores), and ephemeral keys (like TLS session keys).

If you are planning a migration to cloud cryptography, you can also check which keys would be suitable for direct use as a bring-your-own key in cloud crypto services.

Usage of all application keys

For each key, you can click to drill down on all the operations carried out by that key.

And for each operation, you can see the exact lines of code that made the calls.

What’s next? More help with Cloud Migrations.

We have been testing the new Key Lifecycle detection feature with a group of early users. They have already found that having accurate information showing what keys are doing and how they are stored is a great help for speeding up migration work. It has also helped them to easily identify poorly protected keys and missing encryption.

Watch this teaser for a quick walkthrough on how to find out which of your keys are compatible with Google Cloud Platform.

We are working on making it even easier to transform key storage for the cloud. Sign up for our newsletter (box in the upper right) to keep up to date with new features as they’re released, or get in touch for a demo.

December 5, 2019

Cloud Encryption Part Two: Client Side Encryption for Azure Storage

Azure Storage is one of the most widely used services in the Microsoft Azure cloud, and is the Azure equivalent of the AWS S3 service. Most users of the service know that it is wise to encrypt sensitive data before storing it in the cloud. In this post, we will look at how that can be done using the Azure Java SDK, and will use the Cryptosense Analyzer Platform to gain insight into how the Azure SDK encrypts your data.

Continue reading →

September 20, 2019

Using Cryptosense Analyzer in Containerized Applications

Containers are often designed to be stateless. That means all state changes made by the application happen in the database, or some external storage. They don’t happen on the container filesystem.

Previously, this made using Cryptosense Analyzer difficult. That’s because our IAST cryptography analysis tool works by tracing the calls an application makes to its cryptography libraries, and writing them to a trace file for later upload to Analyzer.
Continue reading →

June 20, 2019

Cryptosense Automates PCI-DSS Cryptography Audit for a World-Leading Financial Services Firm

A recent success story for Cryptosense is our roll-out with a large global player in the ATM (cash machine) network.

Since this firm is considered a Service Provider in the PCI regulations, they have regular audits to pass which contain a lot of requirements on cryptography: full cartography of applications, compliance with NIST standards etc.

This used to take our customer a lot of time and resources, but since our Analyzer platform doesn’t just report cryptographic issues but correct, compliant use of cryptography, it’s the ideal tool to take over this job and free up resources for more productive tasks. The reports produced by the Analyzer are produced automatically thanks to our integration with Maven in CI, and contain coverage information to validate the testing. We worked with 3key Company to deliver the install.

Read more about this case study here (1 page PDF).

January 21, 2019

Achieving Crypto Agility

A recent NIST paper recommending which steps to take to prepare for the advent of quantum computers proposes that users of cryptography look to achieve ‘crypto agility’ as soon as possible. The idea was further expanded by Gartner in a recent research note, and now crops up regularly. It’s sometimes described as ‘crypto-agnosticism’, but what does it mean, and how does one achieve it?

Designers of cryptographic protocols have talked for a long time about the idea of algorithm agility. The principle is simple: that a protocol will be designed in such a way that its function is, to some extent, independent of the choice of cryptographic algorithm used, therefore allowing you to switch algorithm. You might even have a set of recommended cipher suites that can be negotiated in each protocol exchange – this is how TLS works for example. There are now whole RFCs dedicated to the topic.

Crypto agility extends this idea from network protocols to all of the cryptography in use in an organisation. This means that an organisation can only become crypto-agile when the security team knows all of the algorithms, keylengths, crypto libraries and protocols in use in their applications and infrastructure, and has a plan that would allow them to change if necessary.

Continue reading →

November 15, 2017

New Java Keystore CVEs

As well as supplying Cryptosense Analyzer to our customers so they can test their applications, we frequently apply the tool ourselves to widely-used open source software including the Java JDK. The Oracle Critical Patch Update (CPU) of 17th October contained patches for two CVEs discovered at Cryptosense in collaboration with our partners at University of Venice Ca’ Foscari.

Continue reading →

November 15, 2016

Exporting Selected Results from Cryptosense Analyzer

One task our users often want to perform with application crypto audit reports produced by Cryptosense Analyzer is to export certain results in detail for adding to an issue tracker. We’ve now made this easier by adding stars to instances of our analysis rules. Clicking on a star marks an instance for export. You can then export all the starred instances along with full stacktrace information indicating where in the code the issue comes from.

Starring an instance for inclusion in a later export as text, CSV or PDF.

Try Cryptosense Analyzer for Free

October 20, 2016

Weak Encryption Flaw in PrimeFaces

Our Java Crypto Analyzer tool works by tracing calls to the cryptographic library from all parts of the application under test, including libraries, framework components and dependencies.

We recently tested the Analyzer on a large web application which uses a whole host of different libraries including PrimeFaces, a popular open-source library for graphics and UI elements in web applications. One result in particular came from stacktraces leading to that library. It seemed that PrimeFaces was encrypting strings in URLs using a custom scheme based around a password that is set in the configuration file.

Detecting DES crypto

The Analyzer flagged up multiple problems:

Fixed salt in password-based key derivation
Low iteration count (19) in password-based key derivation
Weak key derivation algorithm: PBEWithMD5
Weak encryption algorithm: DES
Short symmetric key (56 bit)
Unauthenticated encryption with PKCS5 padding (possible padding oracle)

The upshot of this is an encryption scheme that could be attacked in multiple ways. The default password (“primefaces”) is likely unchanged in many installations. Even if changed, with the weak password-based key derivation function and fixed salt, a dictionary attack could be mounted. The padding oracle could reveal individual plaintexts. Finally, if all else fails, since the key is fixed for an individual server, it could even be worth brute-force guessing the 56 bit DES key (specialist FPGA hardware can do this in a few hours).

What would be the consequences of breaking this encryption in a graphics library? While following up on this issue, we discovered that it was partially fixed in February 2016 after being reported by Minded Security. They used the PadBuster tool from our friends at Gotham Digital Science to exploit the padding oracle and break the URL encryption. This allowed them to submit fake URLs which, it turns out, are interpreted as Expression Language by the server, leading potentially to remote code execution. PrimeFaces was patched to switch the encrypted URLs for pseudo-random IDs at the price of maintaining a little more state on the server.

However, our Analyzer results showed the weak encryption scheme was still being used. Its second usage is to protect the values of QR codes and barcodes encoded in URLs. We reported this to PrimeTek, and they promptly fixed it in version 6.0.6.

We would advise anyone using to PrimeFaces to ensure they have upgraded at least to version 5.2.21, 5.3.8 or 6.0 (which patches the remote code execution flaw), and preferably to version 6.0.6 (which fixes the QR code and barcode protection issue by removing the weak encryption completely).

Find crypto bugs

Free 14-day trail of Cryptosense Analyzer

October 3, 2016

Cryptosense Java Analyzer – Case Study with Primekey

PrimeKey Solutions develops and supports the most downloaded open source enterprise public-key infrastructure (PKI) software available, EJBCA. You can find out why they use Cryptosense Analyzer for Java in a case study we’re releasing today.

We already use a variety of tools to ensure software quality, but we see security as an area of continuous improvement, and Cryptosense tools give us a cryptography-focused view that other tools can’t provide. A strong statement in itself, given the fact that PrimeKey’s teams of engineers work day in and day out with cryptography.

Tomas Gustavsson, CTO PrimeKey

PrimeKey Case Study

Try Cryptosense Analyzer for Free