Encryption algorithms are widely used in the IT industry to provide confidentiality, authentication, intellectual property protection and more. The attention on privacy and cybersecurity in general is rapidly increasing, forcing vendors and developers to adopt state-of-the-art technologies to provide secure software solutions to their users.
The common approach to implement new modules in a software project is to use libraries, building blocks developed by other developers which address a particular problem.
The general rule of thumb is to avoid reinventing the wheel if there are existing implementations that may suit our case. When a library is well-designed and maintained, it rapidly becomes the de-facto standard for the particular problem it aims at, and many developers use the same library instead of writing their own solution.
As an example, to implement data compression in an application, the developer will surely evaluate existing libraries designed just for that rather than trying to implement a compression algorithm from scratch. Mastering compression algorithms, understanding how and why they work, requires skills and knowledge that not every programmer may have. Therefore, it is safer to just reuse the hard work of the experts.
Cryptography is another narrow field that requires specific knowledge to be mastered, so using proven and well-tested algorithms and libraries is mandatory.
However, while using a compression library does not necessarily require understanding how compression algorithms work, using an encryption library does.
Encryption is not some sort of obscure magic, and encryption libraries cannot magically make an application secure if the developers do not understand what they are doing.
To support this, Lazar, Chen, Wang, and Zeldovich published a paper in 2014 (“Why does cryptographic software fail? A case study and open problems”) showing that 223 of the 269 security vulnerabilities reported for several software applications were due to misuse of cryptographic libraries. That is about 83% of the case studies.
You can buy the strongest and safest door in the world. But if you keep a spare key under your doormat, someone will eventually break into your house very easily.
This is an example of bad key management. In the software world, it translates into storing hardcoded plaintext encryption keys somewhere in the source code. No matter how strong the encryption algorithm is, the protected data will be exposed if the encryption key can be recovered easily.
In a nutshell, encryption is hard, but understanding its basic principles well enough to use it correctly is mandatory.
This is the message spread by Anastasiia Voitova at Codemotion Milan 2018, who shared her view on the topic, along with some cool tips and tricks.
Software applications exchange, manipulate and store data. Nowadays, most modern applications are implemented as distributed services spread all over the world, so sensitive data may be spread too. Each node in the system may be vulnerable and, as with a chain, the overall strength of the system is that of its weakest link. Reducing the attack surface is mandatory to keep users' data secure.
Cryptography is essentially a method to reduce the attack surface of our application, by adopting architectural patterns that minimise the risk of data breaches.
As an example, let’s consider Zero Knowledge Architectures (ZKA). In a ZKA the system does not need to access plaintext data in order to work. Each service, component and data store in the system works on encrypted data, and only the end users can decrypt it. In other words, the system has no (zero) knowledge of the data it is working on.
This reduces the attack surface to the client side only.
However, clients are usually more vulnerable: users do not update their OS regularly, and sometimes they don’t even detect the presence of malware on their machines.
Therefore, depending on the use case, a ZKA may be viable only with trusted clients. In other scenarios it works just fine, providing an acceptable level of security: End-to-End Encryption (E2EE), for example, is a widely adopted scheme to implement confidentiality in messaging applications.
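The zero-knowledge pattern described above, as an added example that is not part of the talk or the original article: the client generates and keeps the only key, the server stores opaque records, and the owner alone can read them back. The record ids (`note/1`, `note/2`) and the sample secret are constructed for the example; it also shows the caveat that binding the record id as associated data makes a blob the server relocates fail authentication.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

type Record struct{ Nonce, Ciphertext []byte } // all the server stores: never a key
type Client struct{ gcm cipher.AEAD }           // holds the only copy of the key
// NewClient generates a random 256-bit AES key on the client side.
func NewClient() (*Client, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	return &Client{gcm: gcm}, err
}
// Seal encrypts with AES-256-GCM before upload, binding the record id as associated data.
func (c *Client) Seal(id string, plaintext []byte) (Record, error) {
	nonce := make([]byte, c.gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Record{}, err
	}
	return Record{nonce, c.gcm.Seal(nil, nonce, plaintext, []byte(id))}, nil
}
// Open decrypts a fetched record; it fails on a wrong key, a tampered blob or a moved blob.
func (c *Client) Open(id string, r Record) ([]byte, error) {
	return c.gcm.Open(nil, r.Nonce, r.Ciphertext, []byte(id))
}

func main() {
	store := map[string]Record{} // the zero-knowledge server-side store (constructed)
	alice, _ := NewClient()
	store["note/1"], _ = alice.Seal("note/1", []byte("constructed sample secret"))
	pt, err := alice.Open("note/1", store["note/1"])
	fmt.Printf("owner reads: %q (err=%v)\n", pt, err)
	server, _ := NewClient() // any key but alice's, e.g. one held server-side
	_, err = server.Open("note/1", store["note/1"])
	fmt.Println("server cannot decrypt:", err != nil)
	store["note/2"] = store["note/1"] // the server relocates the blob
	_, err = alice.Open("note/2", store["note/2"])
	fmt.Println("relocated blob rejected:", err != nil)
}
```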
Moreover, a system which is considered secure today may be vulnerable tomorrow, as new vulnerabilities are discovered. In a world where vulnerabilities affect every layer of a computer system, from CPUs (does the name Spectre ring any bells?) to the OS, libraries, and applications, it is just a matter of time. Therefore, logging and auditing everything the system does is mandatory to identify data breaches immediately. The GDPR goes in the same direction by forcing companies to minimize the risk of data breaches.
Keeping secrets is just hard, but not impossible.