considered while implementing cryptography for a Web application. Some common cryptographic flaws that leave data insecure because cryptography was implemented incorrectly are the following:
Homegrown crypto: In several cases, developers write their own encryption algorithms, which rest on weak logic and are easily broken by an attacker. Industry-standard algorithms such as AES (Advanced Encryption Standard)* should be adopted instead, because they have withstood years of public analysis and continuous use.
Use of known weak encryption and hashing schemes: Weak algorithms are those that have already been broken in practice, allowing an attacker to recover the protected information in clear text. Unfortunately, developers even today persist with known weak hash functions such as MD5 and SHA-1 and weak ciphers such as RC4 to protect sensitive information.
Nonsecure key management practices: When using encryption to protect sensitive data, it is imperative that key management practices and processes be borne in mind. Key management includes the following:
Generation of strong keys from a cryptographically secure random source
Separation of data encryption keys from the master key that protects them
Storage of keys outside the application code and data they protect
Revocation of keys
Deletion of encryption keys
Key custodianship
There are several other instances where cryptographic implementation in Web applications is seriously flawed. In several cases, encryption keys are hard-coded into the Web application, so an attacker who obtains the source or the deployed binaries gains the key and, from there, the data. Keys are seldom generated properly, and they tend to be short, which makes them easily guessable. Such insecure practices in implementing encryption and cryptography are very detrimental both to data stored by the application and to data in transit.
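The following is an added example written for this section; it is not code from the book. It places a homegrown cipher with a hard-coded eight-byte key (the flaws just described) next to AES in GCM mode with a key produced by a secure random generator, and shows that the homegrown scheme gives up its key to a few bytes of known plaintext. The class name, the sample message, the key constant and the XOR construction are all assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public class CryptoFlawsDemo {

    // FLAWED (illustrative): a hard-coded, 8-byte "key" embedded in the class file.
    // Anyone who can read the deployed application has it.
    private static final byte[] HARDCODED_KEY = "s3cr3tk!".getBytes(StandardCharsets.US_ASCII);

    // FLAWED (illustrative): a homegrown cipher, XOR with a short repeating key.
    static byte[] homegrownXor(byte[] data) {
        byte[] out = new byte[data.length];
        for (int i = 0; i < data.length; i++) {
            out[i] = (byte) (data[i] ^ HARDCODED_KEY[i % HARDCODED_KEY.length]);
        }
        return out;
    }

    // Known-plaintext attack on the homegrown cipher: XOR the first keyLen bytes of
    // ciphertext with the known plaintext and the whole key falls out.
    static byte[] recoverXorKey(byte[] ciphertext, byte[] knownPlaintext, int keyLen) {
        byte[] key = new byte[keyLen];
        for (int i = 0; i < keyLen; i++) {
            key[i] = (byte) (ciphertext[i] ^ knownPlaintext[i]);
        }
        return key;
    }

    // SOUND: a 256-bit AES key from the platform CSPRNG. In a real deployment the key
    // is generated once and kept in a KeyStore or key-management service, never in source.
    static SecretKey generateAesKey() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256, new SecureRandom());
        return kg.generateKey();
    }

    // SOUND: AES/GCM with a fresh 96-bit nonce per message; output is nonce || ciphertext || tag.
    static byte[] aesGcmEncrypt(SecretKey key, byte[] plaintext) throws Exception {
        byte[] nonce = new byte[12];
        new SecureRandom().nextBytes(nonce);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        byte[] ct = c.doFinal(plaintext);
        byte[] out = new byte[nonce.length + ct.length];
        System.arraycopy(nonce, 0, out, 0, nonce.length);
        System.arraycopy(ct, 0, out, nonce.length, ct.length);
        return out;
    }

    static byte[] aesGcmDecrypt(SecretKey key, byte[] blob) throws Exception {
        byte[] nonce = Arrays.copyOfRange(blob, 0, 12);
        byte[] ct = Arrays.copyOfRange(blob, 12, blob.length);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        return c.doFinal(ct); // throws AEADBadTagException if nonce, ciphertext or tag was altered
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample record; the leading "card=" prefix is the attacker's known plaintext.
        byte[] msg = "card=4111111111111111".getBytes(StandardCharsets.UTF_8);

        byte[] weak = homegrownXor(msg);
        byte[] guessed = recoverXorKey(weak, "card=411".getBytes(StandardCharsets.US_ASCII), 8);
        System.out.println("homegrown key recovered from known plaintext: "
                + Arrays.equals(guessed, HARDCODED_KEY));

        SecretKey key = generateAesKey();
        byte[] blob = aesGcmEncrypt(key, msg);
        System.out.println("AES-GCM round trip: "
                + new String(aesGcmDecrypt(key, blob), StandardCharsets.UTF_8));

        blob[blob.length - 1] ^= 1; // flip one bit of the authentication tag
        try {
            aesGcmDecrypt(key, blob);
        } catch (AEADBadTagException e) {
            System.out.println("tampering detected, decryption refused");
        }
    }
}
```

Run it with `java CryptoFlawsDemo.java` (JDK 11 or later). The XOR key is recovered from eight bytes of predictable plaintext, which is exactly the situation a Web application creates when every record starts with the same field name. The AES-GCM path also shows the part of key management the list above calls storage: the key object exists only in memory, and loading it from a KeyStore or an external key service at start-up is the step that replaces the hard-coded constant.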
5.4.2.6 Flawed Error Handling and Information Disclosure
Attackers rarely penetrate Web applications in a single go. Attacking and exploiting Web applications is a detailed, cognitive effort that involves trial and error, educated guesses, and hunches on the part of the attacker, which lead to the eventual exploitation of the application. As we can glean from the above, information is the attacker's greatest asset. The attacker will always look to gain as much information as possible about the application, so that its weak points can be exploited when required. The attacker's reconnaissance includes gathering information about the Web server, application server, and database, and their versions. Beyond that, an attacker can enter arbitrary input into the Web application to induce error conditions; if these are improperly handled, the resulting error messages are displayed to the attacker, who gains a great deal of insight into the Web application's code and back-end components, which can lead to an exploit.
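As an added illustration of this point (written for this section; not code from the book), the small server below exposes the same failing operation under two endpoints. One returns the exception text and stack trace to the client, which names the database, the query shape, class names and source line numbers; the other logs those details server-side under a reference identifier and returns only a generic message. The endpoint paths, the port, the `lookupAccount` stand-in and its ORA-style error text are assumptions constructed to mimic what a real data-access failure looks like.

```java
import com.sun.net.httpserver.HttpExchange;
import com.sun.net.httpserver.HttpServer;
import java.io.IOException;
import java.io.OutputStream;
import java.io.PrintWriter;
import java.io.StringWriter;
import java.net.InetSocketAddress;
import java.nio.charset.StandardCharsets;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;

public class ErrorHandlingDemo {
    private static final Logger LOG = Logger.getLogger(ErrorHandlingDemo.class.getName());

    // Constructed stand-in for a data-access layer failing on attacker-controlled input.
    // The message imitates a database driver's error text; there is no real database here.
    static int lookupAccount(String id) {
        if (!id.matches("\\d{1,8}")) {
            throw new IllegalArgumentException(
                "ORA-01722: invalid number in SELECT balance FROM accounts WHERE id=" + id);
        }
        return 42;
    }

    // FLAWED: the client receives the exception text and the full stack trace.
    static String leakyErrorBody(Exception e) {
        StringWriter sw = new StringWriter();
        e.printStackTrace(new PrintWriter(sw));
        return "500 Internal Server Error\n" + sw;
    }

    // SAFE: details go to the server log under a reference id; the client sees only the id,
    // which support staff can use to find the real cause without exposing it to the attacker.
    static String safeErrorBody(Exception e) {
        String ref = UUID.randomUUID().toString();
        LOG.log(Level.SEVERE, "request failed, ref=" + ref, e);
        return "An error occurred. Reference: " + ref;
    }

    static void respond(HttpExchange ex, int status, String body) throws IOException {
        byte[] b = body.getBytes(StandardCharsets.UTF_8);
        ex.getResponseHeaders().set("Content-Type", "text/plain; charset=utf-8");
        ex.sendResponseHeaders(status, b.length);
        try (OutputStream os = ex.getResponseBody()) {
            os.write(b);
        }
    }

    // Reads the raw "id" query parameter without decoding it, so "1%27" reaches lookupAccount as-is.
    static String idParam(HttpExchange ex) {
        String q = ex.getRequestURI().getRawQuery();
        return (q == null || !q.startsWith("id=")) ? "" : q.substring(3);
    }

    public static void main(String[] args) throws IOException {
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 8080), 0);
        server.createContext("/leaky", ex -> {
            try {
                respond(ex, 200, "balance=" + lookupAccount(idParam(ex)));
            } catch (Exception e) {
                respond(ex, 500, leakyErrorBody(e));
            }
        });
        server.createContext("/safe", ex -> {
            try {
                respond(ex, 200, "balance=" + lookupAccount(idParam(ex)));
            } catch (Exception e) {
                respond(ex, 500, safeErrorBody(e));
            }
        });
        server.start();
        System.out.println("listening on 127.0.0.1:8080; try /leaky?id=1%27 and /safe?id=1%27");
    }
}
```

Start it with `java ErrorHandlingDemo.java` and request `/leaky?id=1%27`: the response reveals the DBMS family, the table and column names, the query shape and the code path, which is precisely the reconnaissance the text describes. The same request to `/safe` yields a one-line message and a reference id, while the stack trace lands in the server log where the operator, not the attacker, can read it.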
* We have dealt with application cryptography extensively in Chapter 8.