ASP.NET 2.0 Security Inspection Questions - Cryptography

From Guidance Share

Jump to: navigation, search

- J.D. Meier, Alex Mackman, Blaine Wastell, Prashant Bansode, Jason Taylor, Rudolph Araujo


Cryptography Vulnerabilities and Implications



Using custom cryptography

This is less secure than the tried and tested platform-provided cryptography.

Using the wrong algorithm or too small a key size

Newer algorithms increase security. Larger key sizes increase security.

Failing to protect encryption keys

Encrypted data is only as secure as the encryption key.

Using the same key for a prolonged period of time

A static key is more likely to be discovered over time.

Review the code to see whether it uses cryptography to provide privacy, non-repudiation, tampering, or authentication.

The following questions help you to identify vulnerable areas:

  • Does the code use custom cryptographic algorithms?
  • Does the code use the right algorithm with an adequate key size?
  • How does the code manage and store encryption keys?
  • Does the code generate random numbers for cryptographic purposes?

Does the code use custom cryptographic algorithms?

Look for custom cryptographic routines. Make sure that the code uses the System.Security.Cryptography namespace. Cryptography is notoriously tricky to implement correctly. The Windows Crypto APIs are implementation of algorithms derived from years of academic research and study. Some think that a less well-known algorithm is more secure; however, this is not true. Cryptographic algorithms are mathematically proven, and those that have received more review are generally more effective. An obscure, untested algorithm does not protect your flawed implementation from a determined attacker.

Does the code use the correct algorithm and an adequate key size?

Review your code to see what algorithms and key sizes it uses. Review the following questions:

  • Does the code use symmetric encryption?

If so, check that it uses Rijndael (now referred to as Advanced Encryption Standard [AES]) or Triple Data Encryption Standard (3DES) when encrypted data needs to be persisted for long periods of time. Use the weaker (but quicker) RC2 and DES algorithms only to encrypt data that has a short lifespan, such as session data.

  • Does the code use the largest key sizes possible?

Use the largest key size possible for the algorithm you are using. Larger key sizes make attacks against the key much more difficult, but can degrade performance.

How does the code manage and store encryption keys?

Look for poor management of keys. Flag hard-coded key values: leaving these in the code will help to ensure that cryptography is broken. Make sure that key values are not passed from method to method by-value because this will leave many copies of the secret in memory to be discovered by an attacker.

Does the code generate random numbers for cryptographic purposes?

Look for poor random number generators. You should make sure that the code uses System.Security.Cryptography.RNGCryptoServiceProvider to generate cryptographically secure random numbers. The Random class does not generate truly random numbers that are not repeatable or predictable.

Personal tools