2021 OWASP Top Ten: Cryptographic Failures
Cryptographic Failures: Understanding the 2021 OWASP Top 10
Overview of Cryptographic Failures
- John Wagner introduces the topic of cryptographic failures, which is ranked as the number two security risk in the 2021 OWASP Top 10. This category has shifted from "sensitive data exposure" to focus more on root causes related to cryptography.
Importance of Data Protection
- The discussion emphasizes understanding the protection needs for different types of data, such as data in transit and at rest. Sensitive information like passwords, credit card numbers, and personal health information must be adequately protected.
Assessing Application Security
- Key questions are posed regarding application security:
- Are outdated or weak cryptographic algorithms being used?
- Is encryption enforced across all communications (e.g., using HTTPS)?
Key Management Considerations
- Effective key management is crucial; server certificates and trust chains must be properly validated. The complexity of managing keys is acknowledged as a significant challenge.
Avoiding Custom Cryptography
- Developers are advised against creating their own cryptographic solutions. Instead, they should utilize trusted libraries like Google Tink or LibSodium to ensure robust security practices.
Examples of Cryptographic Failures
Scenario One: SQL Injection Risk
- An example illustrates how an application might automatically decrypt sensitive data when queried from a database. If an attacker executes a SQL injection attack during this process, they could access decrypted credit card numbers.
Scenario Two: HTTP vs HTTPS Vulnerabilities
- Another scenario highlights the risks associated with not enforcing HTTPS across all pages in an application. Attackers can intercept unencrypted traffic on HTTP pages, exposing sensitive user data.
Downgrade Attacks Explained
Cryptographic Failures and Their Implications
Understanding Cryptographic Vulnerabilities
- An attacker can exploit vulnerabilities by forcing users to downgrade encryption protocols, such as TLS, to weaker versions. This allows the attacker to use known exploits against the compromised cryptography.
- If successful, attackers could steal session cookies from legitimate users and replay them to access sensitive data within applications.
Best Practices for Data Protection
- It is crucial to classify data processed or stored by applications. Identifying sensitive versus non-sensitive data helps determine the level of protection required for different types of information.
- Avoid storing sensitive data unnecessarily; discard it as soon as possible. Implement compliant tokenization or truncation methods when handling sensitive information, especially under PCI DSS guidelines.
- Encrypt all sensitive data at rest and ensure that automatic decryption does not occur. This protects stored information from unauthorized access.
Key Management and Protocol Updates
- Utilize up-to-date algorithms, protocols, and keys in your cryptographic practices. Establish a robust key management process to safeguard encryption keys effectively.