WhatsApp recently made global headlines with the news that all forms of communication sent through the app feature end-to-end encryption. This additional layer of security which meant that all messages and files would be secured from falling into the wrong hands, but what is needed to properly encrypt data and what happens when sensitive data is not properly encrypted?
Encryption, the process of encoding messages or information in order that only authorized parties are able to read them, is usually a concept that most people connect to the famous Enigma machine made famous by the Nazis during World War 2 who sought to keep their keep their diplomatic and military information out of the hands of their enemies. The first instances of early encryption, and cryptology, however, come nearly four thousand years earlier in the dusty caves of the Old Kingdom of Egypt where non-standard hieroglyphics were used on various monuments.
While most scholars see these confusing hieroglyphics as a means to intrigue, or amuse, the readers, early cryptography began around AD 800 with the scholar Al-Kindi, an Arab mathematician who wrote the book Manuscript for the Deciphering Cryptographic Messages which was the most fundamental cryptanalytic advance prior to World War 2. In his book, he covers frequency analysis, cryptanalysis techniques and cipher classification.
Modern cryptography began in the years following World War 2 as algorithms with keys were used to encrypt and decrypt information which would turn data into “digital gibberish” while in transit before returning them to normal via decryption.
While encryption does not prevent the interception of messages, or data, by unauthorized parties, it does ensure that the content of the transmission, known as plaintext, is unreadable to anyone without the necessary encryption key generated by the relevant algorithm. There are two types of encryption schemes, symmetric-key, also known as private-key encryption, and public-key.
Symmetric-key schemes use the same encryption and decryption keys while public-key encryption occurs when the encryption key is available for anyone to use to encrypt their messages. In public-key schemes, only the receiving entity has the decryption key needed to access the information or messages. The cost, and exhausting effort needed to distribute the symmetric-key material to both the senders and recipients of the sensitive information led to the development of public-key encryption by both the British and American intelligence services in the 1970s which replaced symmetric-key schemes as the go-to encryption method for intelligence agencies and militaries. The German Enigma utilized a symmetric-key method of encryption.
The Data Encryption Standard (DES) was an influential algorithm for encrypting electronic data that was developed by IBM in the early 1970s and was released as the United States Federal Information Processing Standard (FIPS) in 1977. Since the Data Encryption Standard was backed by the National Security Agency (NSA) it spread quite fast and resulted in widespread international adoption. It did, however, come under intense academic scrutiny which led to the modern understanding of block ciphers and cryptanalysis whose study has made a significant impact on the way we communicate, store passwords and are able to trust that the applications that we use properly secure our most sensitive data.
The best flaws to read about are the ones that have already been patched and this is the case for a recent encryption flaw found in Apple’s iMessage system which is one of the most widely-deployed end-to-end encrypted messaging protocols in the world.
Known for standing out from the computer cyber security community for not making its encryption practices open source, Apple encryption practices, which feature end-to-end encryption for messages, videos and photos send via iMessage, have come under fire from critics who argue that since the code isn’t reviewable, security flaws could be more common than we think. While Apple goes to great lengths to keep their encryption schemes secret, Google and Facebook utilize the Signal encryption protocol which is open source and can be dissected by researchers and concerned parties, for security threats.
While Apple’s latest encryption flaw, which was recently discovered by researchers at John Hopkins university, would require state-sponsored advanced hacking skills to execute, it’s a serious cause for concern as Chinese cyber attacks are becoming more and more common, despite international efforts to tone down the cyber-hostility between the United States and China.
Gizmodo notes that cyber attacks against normal citizens, rather than just high-profile celebrities and politicians, are becoming more and more common by state-sponsored entities which would have the sophistications to exploit Apple’s recent encryption flaw. Possible motives could be widespread identity theft, or data collection, in preparation for future spear-phishing attacks.
What is the cost of a lack of strong encryption? That’s a question which LinkedIn has been grappling with ever since usernames and passwords for over 117 million LinkedIn accounts from a 2012 hack ended up for sale in mid-May 2016 on an illegal marketplace on the dark web. For a malicious party seeking access to this ill-gotten login info, the price for access to these millions of accounts, was 5 bitcoin, or $2,200 USD, which was what all the information was selling for on the dark web.
While these passwords were hashed (a rapid encoding technique where an algorithm is applied to a string of text so that the string becomes the “hash value”) using a strong SHA-1 cryptographic algorithm, they were not “salted.” OWASP advises against using the SHA-1 technique as it, “has been reduced in strength and we encourage a migration to SHA-256, which implements a larger key size.”
Leaked Source, a search engine for hacked data and information, notes that by not “salting” the hashed passwords, LinkedIn went against the standards of internet encryption. “Salting” refers to the addition of random data as an additional input to a one-way function that “hashes” a password or passphrase. Salting was designed to protect against “dictionary attacks” against a list of password hashes as well as pre-computed rainbow table attacks in which a precomputed table is used for reversing cryptographic hash functions.
With almost every interaction with web and mobile applications, instant messaging and services that involved passwords, we encounter some level of encryption. For most people, encryption is a synonym of security. It’s another layer of protection that we can consistently rely on to protect our sensitive data from malicious, and unauthorized parties, right?
For a growing trend of politicians and UN experts, however, encrypted messaging not only aids terrorists seeking to wreak havoc in Europe and beyond, but also keeps security services from properly investigating them as agencies are unable to crack the dark webs of sophisticated encryption used by Islamic State, or Al-Qaeda terrorists that are returning back to their home countries in the West order to carry out devastating terror attacks.
France and Germany are leading a global effort against the use of encryption within popular messaging application as Telegram, WhatsApp and others are being used to recruit terrorists and plan brutal attacks. While this is just the beginning, there is a global mobilization among countries that have found themselves at the center of terrorist attacks to get technology companies to create backdoors within their messaging applications for governmental use.
Technology companies are pushing back against the pressure to create a “backdoor” or “golden key” for authorized state use as this could create vulnerabilities that threaten user data within their applications and user trust in the company itself.
Microsoft, unfortunately, made a strong case against the creation of backdoors when the “golden keys” that unlock Windows-powered tablets, phones and other devices sealed by Secure Boot were leaked in early 2016. It took until late summer for Microsoft to add a sufficient patch to remedy this leak. With such an embarrassing precedence for “golden keys” set by one of the biggest names in technology, it’s hard to imagine other companies following suit, even under the intense pressure that Apple faced during the FBI’s quest to crack the San-Bernardino shooter’s cellphone.
Properly Securing your Application’s Encryption
One of the most important things to take into consideration when working on encrypting your application is ensuring that the algorithm and key size are properly taken into account when choosing your specific encryption algorithm. It’s important to avoid proprietary encryption algorithms as they usually use “security through obscurity” rather than sound mathematics.
OWASP recommends avoiding the following encryption algorithms:
Other encryption security tips from OWASP include ensuring that the symmetric algorithm key sizes are at least 168 or 256 bits for financial transactions and that application hash sizes should be at least 128 bits. Additionally, all cryptographic keys should be protected with file system permissions, all changes to the keys should be properly logged and for interactive applications, a passphrase, or password, should be used to encrypt the key when it’s stored on a disk.
To read more about state-sponsored hacks and breaches, click here.
Sign up today & never miss an update from the Checkmarx blog
Interested in trying CxSAST on your own code? You can now use Checkmarx's solution to scan uncompiled / unbuilt source code in 18 coding and scripting languages and identify the vulnerable lines of code. CxSAST will even find the best-fix locations for you and suggest the best remediation techniques. Sign up for your FREE trial now.
Checkmarx is now offering you the opportunity to see how CxSAST identifies application-layer vulnerabilities in real-time. Our in-house security experts will run the scan and demonstrate how the solution's queries can be tweaked as per your specific needs and requirements. Fill in your details and we'll schedule a FREE live demo with you.