What is Cryptosense Analyzer for?
Cryptosense Analyzer detects and shows how to fix security flaws related to the use of cryptography in applications. This includes core cryptographic functions like encrypting and signing files as well as peripheral operations such as key management and key storage, secure use of randomness, analyzing credentials used as passwords, etc. Analyzer also detects flaws in the implementation of primitives inside cryptographic libraries.
How does it work?
Cryptosense Analyzer works by tracing calls from an application to its cryptographic libraries at run-time. This trace is then uploaded to our Analyzer platform where we apply a series of algorithms to detect flaws. The results are then presented on a web application on the same platform.
What do I need to use it?
- An executable application using a cryptographic library for which there is a Cryptosense Tracer agent. Currently we support Java (JCE/JCA); OpenSSL (libssl and libcrypto); and PKCS#11. An agent for .NET is under development.
- An account on our analysis platform (to use the SaaS version) or an installed in-house Analyzer VM (the on-premise version).
How do I know if it’s worth running Cryptosense Analyzer on my applications?
Cryptosense produces a simple Static Scanner tool that examines Java bytecode for calls to crypto functions. It can be used to evaluate the degree to which a trace recorded by our agents covers all the crypto in an application, but it can also be used to find out how much crypto is called in an application.
Does it need access to source code?
Cryptosense Tracer Agent sees 100% of calls to crypto libraries in a running application, without needing access to source code. To test libraries, we replace the application with our proprietary fuzzing engine: Cryptosense Library Fuzzer.
Which APIs do you support?
- Java (JCE/JCA and Bouncycastle low-level interface)
- OpenSSL (libssl and libcrypto)
- .NET is in development; contact us for a release date.
What types of flaws can Cryptosense Analyzer find?
- Incorrect choice of parameters to crypto functions
- Inappropriate combinations of crypto operations
- Incorrect use of randomness
- Weak cryptographic keys
- Weak passwords
- Weak password-based key derivation
- Key management vulnerabilities
- Inappropriate key lengths and group parameters
- Weak cryptographic algorithms
- Implementation vulnerabilities in cryptographic libraries
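As an added illustration of what "applying a series of algorithms to a trace" means in practice, and of several of the flaw classes just listed, here is a small rule-based analyzer in Python. It is example code written for this page, not Cryptosense's own code, and it does not use the real trace format: the `Call`/`Finding` types, the rule names, the thresholds and the sample trace of Java (JCE) calls are all assumptions. It shows both per-call rules (algorithm, mode, key size, KDF parameters, randomness) and one cross-call rule (the same key used for two purposes), which is the kind of check that needs a full run-time trace rather than a single call in isolation.

```python
"""Rule-based flaw detection over a constructed trace of JCE calls.

Each Call mimics one event a run-time tracer would record: the API entry
point, the arguments it received and the call site. Trace format, rule
names and thresholds are assumptions made for this example.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Any

# Illustrative thresholds (assumptions, not vendor policy).
MIN_RSA_BITS = 2048
MIN_PBKDF2_ITERATIONS = 10_000
MIN_SALT_BYTES = 16
WEAK_CIPHERS = {"DES", "RC4", "RC2"}
WEAK_DIGESTS = {"MD5", "SHA-1", "SHA1"}


@dataclass
class Call:
    api: str                                    # e.g. "Cipher.getInstance"
    args: dict[str, Any] = field(default_factory=dict)
    site: str = "?"                             # caller, as a tracer would record it


@dataclass(frozen=True)
class Finding:
    rule: str
    site: str
    detail: str


def check_cipher(c: Call) -> list[Finding]:
    """Algorithm and mode taken from a Cipher.getInstance transformation string."""
    parts = c.args.get("transformation", "").upper().split("/")
    alg = parts[0]
    mode = parts[1] if len(parts) > 1 else "ECB"   # SunJCE defaults "AES" to AES/ECB
    out = []
    if alg in WEAK_CIPHERS:
        out.append(Finding("weak-algorithm", c.site, f"{alg} requested"))
    if alg == "AES" and mode == "ECB":
        out.append(Finding("ecb-mode", c.site, f"AES in ECB mode via {c.args.get('transformation')!r}"))
    return out


def check_keygen(c: Call) -> list[Finding]:
    """Key length passed to KeyPairGenerator.initialize."""
    bits = c.args.get("keysize", 0)
    if c.args.get("algorithm", "").upper() == "RSA" and bits < MIN_RSA_BITS:
        return [Finding("short-key", c.site, f"RSA {bits}-bit key, minimum {MIN_RSA_BITS}")]
    return []


def check_pbkdf(c: Call) -> list[Finding]:
    """Iteration count and salt length given to a PBEKeySpec."""
    out = []
    iterations, salt = c.args.get("iterations", 0), c.args.get("salt_len", 0)
    if iterations < MIN_PBKDF2_ITERATIONS:
        out.append(Finding("weak-kdf", c.site, f"{iterations} PBKDF2 iterations"))
    if salt < MIN_SALT_BYTES:
        out.append(Finding("weak-kdf", c.site, f"{salt}-byte salt"))
    return out


def check_digest(c: Call) -> list[Finding]:
    alg = c.args.get("algorithm", "").upper()
    return [Finding("weak-algorithm", c.site, f"{alg} digest")] if alg in WEAK_DIGESTS else []


def check_random(c: Call) -> list[Finding]:
    """java.util.Random is not a CSPRNG; a constant seed makes SecureRandom predictable."""
    if c.api == "Random.<init>":
        return [Finding("weak-randomness", c.site, "java.util.Random used")]
    if c.api == "SecureRandom.setSeed" and c.args.get("seed_is_constant"):
        return [Finding("weak-randomness", c.site, "SecureRandom seeded with a constant")]
    return []


PER_CALL_RULES = {
    "Cipher.getInstance": check_cipher,
    "KeyPairGenerator.initialize": check_keygen,
    "PBEKeySpec.<init>": check_pbkdf,
    "MessageDigest.getInstance": check_digest,
    "Random.<init>": check_random,
    "SecureRandom.setSeed": check_random,
}


def check_key_purposes(trace: list[Call]) -> list[Finding]:
    """Cross-call rule: one key handle used both for a Cipher and for a Mac."""
    uses: dict[str, set[str]] = defaultdict(set)
    for c in trace:
        if c.api in ("Cipher.init", "Mac.init") and "key_id" in c.args:
            uses[c.args["key_id"]].add(c.api.split(".")[0])
    return [Finding("key-purpose-reuse", "*", f"key {k} used for {' and '.join(sorted(v))}")
            for k, v in uses.items() if len(v) > 1]


def analyze(trace: list[Call]) -> list[Finding]:
    findings: list[Finding] = []
    for c in trace:
        rule = PER_CALL_RULES.get(c.api)
        if rule:
            findings.extend(rule(c))
    findings.extend(check_key_purposes(trace))
    return findings


# Constructed sample trace (not a real recording).
SAMPLE_TRACE = [
    Call("Cipher.getInstance", {"transformation": "AES"}, "Vault.encrypt:42"),
    Call("Cipher.getInstance", {"transformation": "AES/GCM/NoPadding"}, "Vault.seal:80"),
    Call("KeyPairGenerator.initialize", {"algorithm": "RSA", "keysize": 1024}, "Keys.gen:17"),
    Call("PBEKeySpec.<init>", {"iterations": 1000, "salt_len": 8}, "Login.derive:23"),
    Call("MessageDigest.getInstance", {"algorithm": "MD5"}, "Store.checksum:9"),
    Call("SecureRandom.setSeed", {"seed_is_constant": True}, "Nonce.next:5"),
    Call("Cipher.init", {"key_id": "k1"}, "Vault.encrypt:44"),
    Call("Mac.init", {"key_id": "k1"}, "Vault.tag:51"),
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_TRACE):
        print(f"[{f.rule}] {f.site}: {f.detail}")
```

Run against the sample trace it reports seven findings: the bare `"AES"` transformation (which resolves to ECB), the 1024-bit RSA key, two weak-KDF findings (low iteration count and short salt), the MD5 digest, the constant-seeded `SecureRandom`, and the key `k1` being used for both encryption and a MAC. The `AES/GCM/NoPadding` call produces nothing, as expected.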