Sensitive data exposure, also known as data exposure or data leakage, is a cybersecurity issue where sensitive or confidential information is inadvertently or maliciously disclosed to unauthorized individuals or systems. This exposure can happen through various means, like Inadequate security controls, Cryptographic failures, Insider threats, etc. In this blog we are going through Cryptographic failures.
To start from scratch!
What is Cryptographic failure?
Cryptographic failure refers to situation where encryption system or algorithm has been incorrectly implemented or configured, leading to vulnerabilities that can be exploited by hackers to cause damage intentionally. This can involve weaknesses in encryption, decryption, key management, or other cryptographic processes.
Example of Cryptographic failure:
SHA-1 collision attack, which was announced in 2017. This attack showed that it is now possible to create two different files with the same SHA-1 hash. This means that attackers could use SHA-1 to create digital signatures that are indistinguishable from real signatures. Cryptographic failures of this nature are grave and carry substantial consequences for the security of information.
Let's see some ways of cryptographic failures exploitation!
Cracking Unsalted Password Hashes Using Rainbow Tables:
Just encoding passwords is not enough in this era. With powerful tools and techniques, unsalted hashes are not very difficult to crack. Password salting makes it difficult for any password cracking technique as the salt adds additional length to the password. The longer the salt, the more difficult it gets. However, If you’re storing unsalted passwords, an attacker can use
a rainbow table to crack these passwords.Repeating XOR:
In this technique, a base64-encoded value or any other form of ciphertext is encrypted using a repeating key. The key is repeatedly applied to the plaintext in a cyclic manner. Each character of the key is used to encrypt the corresponding character of the plaintext, and the key is reused as many times as
necessary to encrypt the entire message.Wireless Network Penetration Testing:
After capturing network packet of a network using Wi-Fi Protected Access with the help of tools like Wireshark. We try to crack the WPA key by using tools like Aircrack-ng. This typically involves a dictionary attack or a brute-force attack to guess the network's passphrase.
Mitigation techniques used for cryptographic failures:
Encryption keys:
It is recommended that all the encryption keys should be created cryptographically. They should be stored in the form of byte arrays. Plain text passwords should always be converted into cipher text or encrypt them using these keys. It should only be done using a strong encryption method or algorithm. Using lengthy
salts for sensitive data additionally increases security.Secure coding:
Secure coding is a set of guidelines that developers follow to integrate security within the application’s code. These practices ensure the use of strong cryptography practices in various parts of the application rather than only on the perimeter of the application’s components. Therefore reducing the chances of
cryptographic failures.Penetration Testing:
Cryptography is one such aspect of security that’s difficult to get perfectly right. That’s why to ensure that you haven’t missed out on anything, you need to conduct regular penetration testing. Penetration testing lets you understand an attacker’s perspective of your application. Therefore, thinking like an attacker helps in identifying any cryptographic and other weaknesses and helps prioritize fixes.
I request you to look out this video of John Wagner the founder of "F5 DevCentral" youtube channel, to gain strong insight on cryptographic failures.
Don't hesitate to try out these things!
https://github.com/bkimminich/it-security-lecture/blob/master/slides/02-06-cryptographic_failures.md
inc0gnito.Medium
To Conclude, the consequences of cryptographic failures are not limited to data breaches but also encompass legal and regulatory implications, damage to reputation, and trust erosion. To mitigate these risks, a proactive and informed approach to data protection, encryption, and security measures is imperative. The described things are just the basics and I highly encourage you to try out this things and beyond to obtain practical knowledge.
Thank you for your support meet you guys in next blog.
Until then, Happy learning!
Top comments (0)