• Skip to primary navigation
  • Skip to main content
  • Skip to primary sidebar
  • Skip to footer

Codemotion Magazine

We code the future. Together

  • Discover
    • Events
    • Community
    • Partners
    • Become a partner
    • Hackathons
  • Watch
    • Talks
    • Playlists
    • Edu Paths
  • Magazine
    • Backend
    • Frontend
    • AI/ML
    • DevOps
    • Dev Life
    • Soft Skills
    • Infographics
  • Talent
    • Discover Talent
    • Jobs
    • Manifesto
  • Companies
  • For Business
  • IT
  • ES
Home » Encryption and why keeping secrets is hard, even for computers

Encryption and why keeping secrets is hard, even for computers

Codemotion and Facebook organized the Tech Leadership Training boot camp, heres a personal reportage from one of our attendees.

January 24, 2019 by Sergio Monteleone

Encryption algorithms are widely used in the IT industry to provide confidentiality, authentication, intellectual property protection and more. The attention on privacy and cybersecurity in general is rapidly increasing, forcing vendors and developers to adopt state-of-the-art technologies to provide secure software solutions to their users.

The common approach to implement new modules in a software project is to use libraries, building blocks developed by other developers which address a particular problem.

The general rule of thumb is to avoid reinventing the wheel if there are existing implementations that may suit our case. When a library is well-designed and maintained, it rapidly becomes the de-facto standard for the particular problem it aims at, and many developers use the same library instead of writing their own solution.
As an example, to implement data compression in an application, the developer will surely evaluate existing libraries designed just for that rather than trying to implement a compression algorithm from scratch. Mastering compression algorithms, understanding how and why they work, requires skills and knowledge that not every programmer may have. Therefore, it is safer to just reuse the hard work of the experts.

Cryptography is another narrow field that requires specific knowledge to be mastered, so using proven and well-tested algorithms and libraries is mandatory.
However, while using a compression library does not necessarily require to understand how compression algorithms work, encryption does.

Encryption is not some sort of obscure magic and encryption libraries cannot magically make an application secure if the developers do not understand what they are doing.
To prove this, Lazar, Chen, Wang, and Zeldovich published a paper in 2014 (“Why does cryptographic software fail? A case study and open problems”), showing that 223 security vulnerabilities out of 269 reported for several software applications were due to misuse of the cryptographic libraries. That is about 83% of the case studies.
You can buy the strongest and safest door in the world. But if you keep a spare key under your doormat, someone will eventually break into your house very easily.

This is an example of bad key management. In the software world, this would translate into storing hardcoded plaintext encryption keys somewhere in the source code. No matter how strong the encryption algorithm is, it will be cracked if the encryption key can be recovered easily.
In a nutshell, encryption is hard, but understanding the basic principles to be able to use it correctly is mandatory.
This is the message spread by Anastasiia Voitova at Codemotion Milan 2018, who shared her view on the topic, along with some cool tips and tricks.

Software applications exchange, manipulate and store data. Nowadays, most modern applications are implemented as distributed services spread all over the world. Therefore, sensitive data may be spread too. Each node in the system may be vulnerable and as for chains, the overall strength of the system is given by its weakest link. Reducing the attack surface is mandatory to keep users data secure.
Cryptography is essentially a method to reduce the attack surface of our application, by adopting architectural patterns that minimise the risk of data breaches.

As an example, let’s consider Zero Knowledge Architectures (ZKA). In ZKA the system does not need to access plaintext data in order to work. Each service, component and data store in the system works on encrypted data, and only the end users can decrypt it. In other words, the system has no (zero) knowledge on the data it is working on.
This reduces the attack surface to the client side only.

However, clients are usually more vulnerable; users do not update their OS regularly, sometimes they don’t even detect the presence of malware software on their machines.
Therefore, depending on the use case, ZKA may be used only with trusted clients. In other scenarios, ZKA works just fine, providing an acceptable level of security. As an example, End-to-End Encryption (E2EE) is a widely adopted scheme to implement confidentiality in messaging applications.

Moreover, a system which is considered secure today may be vulnerable tomorrow, as new vulnerabilities are discovered. In a world where vulnerabilities affect every layer of a computer system, from CPUs (does the name Spectre ring any bells?) to OS, libraries, and applications, it is just a matter of time. Therefore, logging and auditing everything the system does is mandatory to identify data breaches immediately. GDPR regulation goes along this line by forcing companies to minimize the risk of data breaches.

Keeping secrets is just hard, but not impossible.

facebooktwitterlinkedinreddit
Share on:facebooktwitterlinkedinreddit

Tagged as:Security Manager

Paul Adams: Adopting Open Source Best Practice for the Enterprise
Previous Post
Pills of good team management: Alfredo Morresi tips & tricks for leaders
Next Post

Related articles

  • .NET 8 – New Features, Optimizations, and Benefits
  • Container Images: Technical Refresher and Security Best Practices
  • 10 Useful and Affordable IT Certifications Under $200

Primary Sidebar

Free Whitepaper: The Ultimate Azure Cybersecurity Handbook.

Codemotion Talent · Remote Jobs

Flutter Developer

3Bee
Full remote · Android · Flutter · Dart

Python Back-end Developer

h-trips.com
Full remote · Django · Pandas · PostgreSQL · Python

AWS Cloud Architect

Kirey Group
Full remote · Amazon-Web-Services · Ansible · Hibernate · Kubernetes · Linux

AWS SysOps Administrator

S2E | Solutions2Enterprises
Full remote · Amazon-Web-Services · Terraform · Linux · Windows · SQL · Docker · Kubernetes

Latest Articles

An article about Image Containers and security best practices.

Container Images: Technical Refresher and Security Best Practices

Cybersecurity Uncategorized

10 Useful and Affordable IT Certifications Under $200

Dev Life

Anche le grandi idee falliscono, tech fails

Tech Fails: When Brilliant Ideas Go Bust

Stories

Javascript color library. Discover how to use it in this guide.

Unsupervised Learning in Python: A Gentle Introduction to Clustering Techniques for Discovering Patterns

Languages and frameworks Machine Learning

Footer

  • Magazine
  • Events
  • Community
  • Learning
  • Kids
  • How to use our platform
  • Contact us
  • Become a Contributor
  • About Codemotion Magazine
  • How to run a meetup
  • Tools for virtual conferences

Follow us

  • Facebook
  • Twitter
  • LinkedIn
  • Instagram
  • YouTube
  • RSS

© Copyright Codemotion srl Via Marsala, 29/H, 00185 Roma P.IVA 12392791005 | Privacy policy | Terms and conditions

Follow us

  • Facebook
  • Twitter
  • LinkedIn
  • Instagram
  • RSS