If the last few years’ barrage of data breaches has taught us anything, it’s that protecting information with strong encryption is mandatory for any good security team. But what kind of encryption should you use?
There are plenty of challenges facing people that want to store sensitive information safely in 2020. One of the biggest is a simple lack of awareness, warns Mansi Sheth, security researcher at Veracode.
“There is insufficient insight into how fast offline attacks are getting, especially with the advent of modern computer hardware like GPUs, FPGAs and ASICs,” she says, adding that people are also blind to the protection measures available. “There’s a lack of awareness of the cryptographic tools arsenal available to make this offline password cracking very expensive and unfeasible.”
Sheth will sound the alarm at her talk during SecTor’s virtual conference this week. She spends her time diving into the security implications of different languages and frameworks, finding anti-patterns in customer’s binaries. She is also a cryptography enthusiast with deep insights into different cryptographic building blocks and the role they play in the broader cryptographic system.
We should no longer have to worry about people storing information in plain text in applications (although unfortunately, it still happens). Long ago, people began passing this information through irreversible ‘trap door’ cryptographic hash functions.
However, cryptography has always been a battle between those wanting to protect information with new techniques, and those wanting to uncover it by breaking them. Before long, people developed large collections of rainbow and lookup tables that made specialised attacks possible. They’d take long lists of regular dictionary words, along with misspellings and common lists of passwords. Then they’d compute the hash values in advance so that they could quickly compare the password hash that they wanted to break against this list.
In response, cryptographers got creative to make those rainbow table attacks more time consuming. “We started randomising computed hashes by appending or/and prepending a random string. This is called salting.” Attackers relied on the sheer power of rapidly-evolving computer architectures to brute force the salted hashes, removing the cryptographers’ advantage once again.
The cryptographers’ next move was a more computationally intensive mechanism called key stretching. It made weak keys more complex by increasing the resources that it takes to calculate each possible key.
One tool in a key stretcher’s arsenal is a key derivation function (KDF). This repeatedly hashes a piece of data using the same cryptographic function. It slows down the hashing process, making it more computationally expensive for someone to crack via a brute force attack.
“Making it resource expensive has proven to be a step in the right direction as a mitigation against brute forcing offline breached sensitive information,” Sheth explains.
In her talk, she’ll be discussing a range of KDFs such as pbkdf2, bcrypt, scrypt, and Argon2. She’ll talk about which one is right for your needs, along with how to configure them using secure input parameters.
Making encryption keys more secure is a never-ending task, Sheth warns. “The affordability of cheaper and faster computer hardware will continue to make offline information cracking more prevalent,” she says. “Putting more effort into defence in depth mechanisms in storing secure information is important. We need more password storage-centred cryptographic algorithms, more attention to cryptanalysis, along with improvements in programming language and library implementation support.”
Sheth will be discussing these issues in her talk, How To Store Sensitive Information In 2020, which takes place on October 22 at 2pm Eastern. If you haven’t registered yet, there’s still time. Visit here to secure your place at SecTor’s first ever virtual conference.