The most interesting lessons I learned from my Applied Cryptography course at the University of San Diego are not uncommon ones, but they are complicated in nature. For example, I have used encryption and cryptography technologies for over two decades. I have also actively administered web sites and Microsoft and Unix/Linux servers which utilized various forms of cryptography to communicate with one another in a client/server environment and to secure websites and email. I have also studied various forms of cryptography over the decades when preparing for my CISSP and CCSP. This seems to imply that I know exactly how to properly use and implement encryption.
But the truth of the matter is, that using encryption and implementing a cryptographic system are two separate skill sets. Consider a recent data breach of the Under Armor company. System administrators utilized an encryption system called bcrypt for some systems but "some proportion of the exposed passwords were only hashed using a notoriously weak function called SHA-1" (Newman, 2018). In this case, a strong cryptographic system was available but it was poorly implemented allowing some passwords to use a fairly easy to crack SHA-1 hash. These types of scenarios drive cryptographic system failures instilling fear into the public.
Additionally, the complexities of developing ones own cryptographic system and using it in an application require significant experience and expertise. Attempting to "roll your own" cryptographic system, as our textbook authors wrote, often creates a weak implementation of a cryptographic system using strong cryptographic mechanisms. For example, the number of malware authors creating ransomware malware in an attempt to extort money have often failed to implement a strong cryptographic system using AES, a proven cryptographically secure algorithm. For example, the LockCrypto ransomware was cracked because of poorly implemented cryptographic systems (Cimpanu, 2018). This is far from the only failed implementation by malware authors, as one common anti-malware company, Kaspersky, even has a website dedicated to "decrypters" often created by the failed cryptographic implementations of the malware authors (Kaspersky Inc., n.d.).
So, while the cryptographic algorithms we have are fairly mature, it seems that system administrators and application developers will continue to fail to implement these cryptographic systems properly and thus securely. Which, in the case of malware is a good thing, however, in the case of National Security or when attempting to protect corporate intellectual property this is a very bad thing. I know now that I must make sure to verify my work and the work performed by application developers and system administrators, or anyone else implementing a cryptographic system, to ensure we follow procedures and best-practices to avoid breaking the system.
References
But the truth of the matter is, that using encryption and implementing a cryptographic system are two separate skill sets. Consider a recent data breach of the Under Armor company. System administrators utilized an encryption system called bcrypt for some systems but "some proportion of the exposed passwords were only hashed using a notoriously weak function called SHA-1" (Newman, 2018). In this case, a strong cryptographic system was available but it was poorly implemented allowing some passwords to use a fairly easy to crack SHA-1 hash. These types of scenarios drive cryptographic system failures instilling fear into the public.
Additionally, the complexities of developing ones own cryptographic system and using it in an application require significant experience and expertise. Attempting to "roll your own" cryptographic system, as our textbook authors wrote, often creates a weak implementation of a cryptographic system using strong cryptographic mechanisms. For example, the number of malware authors creating ransomware malware in an attempt to extort money have often failed to implement a strong cryptographic system using AES, a proven cryptographically secure algorithm. For example, the LockCrypto ransomware was cracked because of poorly implemented cryptographic systems (Cimpanu, 2018). This is far from the only failed implementation by malware authors, as one common anti-malware company, Kaspersky, even has a website dedicated to "decrypters" often created by the failed cryptographic implementations of the malware authors (Kaspersky Inc., n.d.).
So, while the cryptographic algorithms we have are fairly mature, it seems that system administrators and application developers will continue to fail to implement these cryptographic systems properly and thus securely. Which, in the case of malware is a good thing, however, in the case of National Security or when attempting to protect corporate intellectual property this is a very bad thing. I know now that I must make sure to verify my work and the work performed by application developers and system administrators, or anyone else implementing a cryptographic system, to ensure we follow procedures and best-practices to avoid breaking the system.
References
- Cimpanu, C. (2018, May 01). LockCrypt Ransomware Cracked Due to Bad Crypto. Retrieved June 29, 2019, from https://www.bleepingcomputer.com/news/security/lockcrypt-ransomware-cracked-due-to-bad-crypto/
- Kaspersky Inc. (n.d.). Free Ransomware Decryptors. Retrieved June 28, 2019, from https://noransom.kaspersky.com/
- Newman, L. H. (2018, December 10). The Under Armour Hack Was Even Worse Than It Had To Be. Retrieved June 29, 2019, from https://www.wired.com/story/under-armour-myfitnesspal-hack-password-hashing/