Insecure Cryptographic Storage

Photo: fpsurgeon

This is part of a ten-part-series on the OWASP Top 10.

What is Insecure Cryptographic Storage

Insecure cryptographic storage occurs when an application doesn’t securely encrypt its sensitive data when it is stored in a database. This definition is similar to the picture above, recursive.

Simply stated, insecure cryptographic storage occurs when one of the following happens:

  • The developers don’t encrypt the data that is being stored in the database.
  • The developers do encrypt the data being stored in the database, but they rely on encryption methods they have developed. (Also known as home-grown cryptography)

After reading these two points you may say, “only an idiot wouldn’t encrypt sensitive data being stored in the database.” I refer you to number two in the list above.

If you think you are smart enough to write your own cryptographic algorithms, you, my friend, are the idiot.

The main business concern with not encrypting sensitive data is that it can lead to confidentiality loss. All companies are concerned with unauthorized individuals viewing their sensitive data. In addition, encrypting sensitive data is a regulatory compliance requirement: see PCI-DSS requirement 3.

An Example of Insecure Cryptographic Storage

Here is a simplified example. Selecting from the users table in a database, we are returned the following:

> select * from users;
id  username  password
1   Brett     5f4dcc3b5aa765d61d8327deb882cf99
2   Dan       3c3662bcb661d6de679c636744c66b62

The passwords in this table are 32 characters long. Could these passwords be MD5 hashes?

As with all hashing algorithms, MD5 hashes can’t be reversed. However, they can be pre-computed. Using a hash table lookup, we can identify what the password was before it was run through the MD5 hashing algorithm.

After inserting 5f4dcc3b5aa765d61d8327deb882cf99 into the hash table lookup, the resulting password is returned. In this example, the password is “password.”

How Do You Prevent Insecure Cryptographic Storage From Occurring

If the data is sensitive and stored, it NEEDS to be encrypted. Examples of items that are considered to be sensitive can include:

  • Credit Cards
  • Usernames
  • Passwords
  • User Data

There are other things to keep in mind when making sure you securely store information. This includes not creating your own cryptographic algorithms. No matter how smart you or your peers think you are, DO NOT attempt to invent a new encryption algorithm. Leave this work to the experts.

Ensure that the data stored is not easy to decrypt. This can usually be achieved by not using known weak algorithms such as RC3, RC4, MD5 and SHA-1.
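
The hash table lookup from the example above, next to a salted replacement, as an added example that is not code from the original post. The wordlist is constructed, and PBKDF2-HMAC-SHA256 with this iteration count is an assumption chosen for illustration, not something the post prescribes.

```python
import hashlib
import hmac
import os

# Constructed sample data: the "Brett" row from the users table above,
# and a tiny wordlist standing in for a precomputed hash table.
STORED_MD5 = "5f4dcc3b5aa765d61d8327deb882cf99"
WORDLIST = ["123456", "letmein", "password", "qwerty"]

def build_lookup(words):
    """Precompute MD5(word) -> word once; it applies to every unsalted row."""
    return {hashlib.md5(w.encode()).hexdigest(): w for w in words}

def hash_password(password, salt=None, iterations=600_000):
    """Return a (salt, iterations, key) record using PBKDF2-HMAC-SHA256.
    The iteration count is an assumption; tune it for your hardware."""
    salt = salt if salt is not None else os.urandom(16)  # unique per user
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, key

def verify_password(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt, iterations, key = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, key)

def demo():
    table = build_lookup(WORDLIST)
    rec_a = hash_password("password")
    rec_b = hash_password("password")  # same password, different salt
    return {
        # Unsalted MD5: recovery is a single dictionary lookup.
        "recovered": table.get(STORED_MD5),
        # Salted records differ per user, so one table cannot cover them all.
        "same_password_same_hash": rec_a[2] == rec_b[2],
        "in_table": rec_a[2].hex() in table,
        "verifies": verify_password("password", rec_a),
        "rejects_wrong": verify_password("letmein", rec_a),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The salt does not make a weak password strong; it forces the work to be repeated per record, and the iteration count makes each guess slow.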

If you are using asymmetric key encryption make sure to store your private keys carefully. If an attacker gets hold of the private key, you might as well not encrypt the data in the first place.

Hi, I'm Brett. I hope you enjoyed this post. I'm the Founder of SourceNinja, an open source management tool. I love learning from people. If you found this article helpful or annoying, I'd love to start a dialogue.
