H M < >
CMU540

WEB-CRYPTO-01 - Cryptographic Failures

Session 3

James Williams

jwilliams@staff.newman.ac.uk

Learning Objectives

  • Understand OWASP A02: Cryptographic Failures
  • Identify common cryptographic vulnerabilities
  • Learn secure encryption practices
  • Practice vulnerability discovery using OS³ Studio
  • Implement secure cryptographic solutions
  • Explore career opportunities in cryptography

OWASP A02: Cryptographic Failures

Definition: Cryptographic failures occur when sensitive data is exposed due to weak or missing cryptographic controls.

Key Areas:

  • Weak encryption algorithms
  • Poor key management
  • Insecure data transmission
  • Inadequate data protection at rest

Real-World Impact

Notable Breaches:

  • Equifax (2017): 147 million records exposed due to weak encryption
  • Marriott (2018): 500 million records compromised
  • Facebook (2019): 540 million records stored in plaintext

Average Cost: $4.45 million per breach (IBM 2023)

Common Cryptographic Vulnerabilities

1. Weak Encryption Algorithms

<!-- VULNERABLE: Using weak algorithms -->
MD5(password)  // Easily cracked
DES(data)       // 56-bit key, broken
RC4(data)       // Vulnerable to attacks

2. Hardcoded Keys

<!-- VULNERABLE: Hardcoded encryption key -->
const ENCRYPTION_KEY = "mysecretkey123";

Insecure Data Transmission

HTTP vs HTTPS

<!-- VULNERABLE: HTTP transmission -->
http://example.com/login
POST /login
username=admin&password=secret123
// SECURE: HTTPS transmission
https://example.com/login
POST /login (encrypted)

Risk: Data intercepted in transit, credentials stolen

Poor Key Management

Common Mistakes:

  • Using default keys
  • Reusing keys across applications
  • Storing keys in source code
  • Not rotating keys regularly
  • Weak key generation

Example: Many IoT devices use default encryption keys, making them easily compromised.

Inadequate Data Protection at Rest

Database Encryption Issues:

<!-- VULNERABLE: Storing sensitive data unencrypted -->
CREATE TABLE users (
  id INT,
  username VARCHAR(50),
  password VARCHAR(50),  -- Should be hashed
  ssn VARCHAR(20),       -- Should be encrypted
  credit_card VARCHAR(20) -- Should be encrypted
);

Risk: Database breaches expose all sensitive data

Hash Function Vulnerabilities

Weak Hash Functions:

<!-- VULNERABLE: Weak hash functions -->
MD5(password)     // Collision attacks possible
SHA1(password)    // Vulnerable to attacks
CRC32(data)       // Not cryptographically secure
// SECURE: Strong hash functions
bcrypt(password, 12)  // Adaptive hashing
Argon2(password)     // Memory-hard function
scrypt(password)      // Memory-hard function

Certificate and SSL/TLS Issues

Common Problems:

  • Self-signed certificates
  • Expired certificates
  • Weak cipher suites
  • SSL/TLS misconfiguration
  • Certificate validation bypass

Test Your Site: SSL Labs SSL Test

Career Opportunities in Cryptography

Cryptographic Roles:

  • Cryptographic Engineer: £45,000 - £80,000
  • Security Architect: £60,000 - £120,000
  • Penetration Tester: £35,000 - £70,000
  • Security Consultant: £50,000 - £100,000
  • Cryptographic Researcher: £40,000 - £90,000

Skills Needed: Mathematics, Programming, Security protocols, Risk assessment

Industry Certifications

Cryptographic Certifications:

  • CISSP: Certified Information Systems Security Professional
  • CISM: Certified Information Security Manager
  • CISA: Certified Information Systems Auditor
  • CEH: Certified Ethical Hacker
  • OSCP: Offensive Security Certified Professional

Resources: ISC² | EC-Council

OS³ Newman Cyber Security Lab

WEB-CRYPTO-01 Lab Environment

Our OS³ Studio provides hands-on experience with:

  • Vulnerable web applications with cryptographic flaws
  • Real-world attack scenarios
  • Secure implementation challenges
  • Code analysis and remediation

Access: Available through university portal

Practical Examples

Watch: Cryptographic Failures Explained

See Moodle for supporting materials.

Understanding real-world cryptographic vulnerabilities and their impact

Web Demos and Tools

Cryptographic Testing Tools:

Case Study: Heartbleed Vulnerability

OpenSSL Heartbleed (CVE-2014-0160)

  • Impact: Exposed private keys and sensitive data
  • Affected: 500,000+ websites
  • Cause: Buffer over-read in TLS heartbeat extension
  • Fix: Proper bounds checking

Lesson: Even cryptographic libraries can have implementation flaws

Secure Implementation Principles

1. Use Strong Algorithms

<!-- SECURE: Use approved algorithms -->
AES-256-GCM for encryption
SHA-256 or SHA-3 for hashing
RSA-2048+ or ECDSA for signatures

2. Proper Key Management

  • Use hardware security modules (HSMs)
  • Implement key rotation
  • Store keys securely

Summary: Common Cryptographic Failures

Key Vulnerabilities to Look For:

  1. Weak encryption algorithms (MD5, DES, RC4)
  2. Hardcoded encryption keys
  3. HTTP instead of HTTPS
  4. Unencrypted sensitive data storage
  5. Weak password hashing
  6. SSL/TLS misconfiguration
  7. Certificate validation issues

Task 1: Cryptographic Vulnerability Discovery

Objective:

Use OS³ Studio to identify cryptographic vulnerabilities in the WEB-CRYPTO-01 lab environment.

Instructions:

  1. Access the OS³ Studio vulnerable application
  2. Analyze the application for cryptographic weaknesses
  3. Test for weak encryption algorithms
  4. Check for insecure data transmission
  5. Identify poor key management practices
  6. Test password hashing vulnerabilities
  7. Document all findings with evidence
  8. Prepare a vulnerability assessment report

Time: 45 minutes

Focus on systematic testing and thorough documentation

Break Time

15 Minutes

Take a break, ask questions, or catch up on the previous task.

Next: Secure implementation and Task 2

Secure Encryption Implementation

1. Strong Password Hashing

<!-- SECURE: Use bcrypt with appropriate cost -->
const bcrypt = require('bcrypt');
const saltRounds = 12;
const hashPassword = async (password) => {
  return await bcrypt.hash(password, saltRounds);
};
const verifyPassword = async (password, hash) => {
  return await bcrypt.compare(password, hash);
};

2. Data Encryption at Rest

<!-- SECURE: AES-256-GCM encryption -->
const crypto = require('crypto');
const encrypt = (text, key) => {
  const iv = crypto.randomBytes(16);
  const cipher = crypto.createCipher('aes-256-gcm', key);
  let encrypted = cipher.update(text, 'utf8', 'hex');
  encrypted += cipher.final('hex');
  return { encrypted, iv: iv.toString('hex') };
};

Secure Key Management

1. Environment Variables

<!-- SECURE: Store keys in environment variables -->
const ENCRYPTION_KEY = process.env.ENCRYPTION_KEY;
const JWT_SECRET = process.env.JWT_SECRET;
// Use .env file for development
ENCRYPTION_KEY=your-256-bit-key-here
JWT_SECRET=your-jwt-secret-here

2. Key Rotation Strategy

  • Implement automatic key rotation
  • Use key versioning
  • Monitor key usage
  • Have key recovery procedures

HTTPS Implementation

1. SSL/TLS Configuration

<!-- SECURE: Express.js HTTPS setup -->
const https = require('https');
const fs = require('fs');
const options = {
  key: fs.readFileSync('private-key.pem'),
  cert: fs.readFileSync('certificate.pem'),
  ciphers: [
    'ECDHE-RSA-AES256-GCM-SHA384',
    'ECDHE-RSA-AES128-GCM-SHA256'
  ].join(':'),
  honorCipherOrder: true
};
https.createServer(options, app).listen(443);

2. Security Headers

<!-- SECURE: Security headers -->
app.use((req, res, next) => {
  res.setHeader('Strict-Transport-Security', 'max-age=31536000');
  res.setHeader('X-Content-Type-Options', 'nosniff');
  res.setHeader('X-Frame-Options', 'DENY');
  next();
});

Database Security

1. Encrypted Database Fields

<!-- SECURE: Encrypt sensitive fields -->
CREATE TABLE users (
  id INT PRIMARY KEY,
  username VARCHAR(50),
  password_hash VARCHAR(255),  -- bcrypt hash
  email_encrypted BLOB,        -- AES encrypted
  ssn_encrypted BLOB,         -- AES encrypted
  created_at TIMESTAMP
);

2. Database Connection Security

  • Use SSL/TLS for database connections
  • Implement connection pooling
  • Use least privilege database users
  • Enable database audit logging

API Security

1. JWT Token Security

<!-- SECURE: JWT implementation -->
const jwt = require('jsonwebtoken');
const generateToken = (user) => {
  return jwt.sign(
    { userId: user.id, role: user.role },
    process.env.JWT_SECRET,
    { expiresIn: '1h', algorithm: 'HS256' }
  );
};
const verifyToken = (token) => {
  return jwt.verify(token, process.env.JWT_SECRET);
};

2. API Rate Limiting

<!-- SECURE: Rate limiting -->
const rateLimit = require('express-rate-limit');
const limiter = rateLimit({
  windowMs: 15 * 60 * 1000, // 15 minutes
  max: 100, // limit each IP to 100 requests per windowMs
  message: 'Too many requests from this IP'
});
app.use('/api/', limiter);

Security Testing

1. Automated Security Scanning

<!-- Security testing tools -->
npm install --save-dev eslint-plugin-security
npm install --save-dev snyk
// Run security audit
npm audit
snyk test

2. Manual Testing Checklist

  • Test all encryption/decryption functions
  • Verify HTTPS implementation
  • Check for hardcoded secrets
  • Test password policies
  • Validate certificate configuration

Compliance and Standards

1. Industry Standards

  • FIPS 140-2: Cryptographic module validation
  • Common Criteria: Security evaluation
  • PCI DSS: Payment card industry standards
  • GDPR: Data protection requirements

2. Best Practices

  • Use approved cryptographic algorithms only
  • Implement defense in depth
  • Regular security assessments
  • Incident response planning

Career Development in Cryptography

Next Steps:

  • Advanced Certifications: CISSP, CISM, CISA
  • Specialized Training: Cryptographic protocols, PKI
  • Hands-on Practice: CTF competitions, bug bounties
  • Industry Networking: Security conferences, meetups
  • Research: Academic papers, new algorithms

Resources: OWASP | NIST | Cryptopals

Task 2: Secure Cryptographic Implementation

Objective:

Use OS³ Studio to implement secure cryptographic solutions and fix the vulnerabilities found in Task 1.

Instructions:

  1. Access the OS³ Studio secure implementation environment
  2. Implement strong password hashing (bcrypt/Argon2)
  3. Add proper data encryption for sensitive fields
  4. Configure HTTPS with strong cipher suites
  5. Implement secure key management
  6. Add proper security headers
  7. Test the secure implementation
  8. Document the security improvements

Time: 45 minutes

Focus on implementing industry-standard security practices

Further Activity: Code Inspection

Advanced Students - Code Analysis:

For students with additional time, explore the source code to understand:

  • How cryptographic functions are implemented
  • Key generation and management processes
  • Error handling in cryptographic operations
  • Performance implications of security measures
  • Integration with other security controls

Deliverable: Code review report with recommendations

Session Summary

Key Takeaways:

  • Cryptographic failures are a major security risk
  • Weak algorithms and poor key management are common issues
  • HTTPS and proper encryption are essential
  • OS³ Studio provides hands-on vulnerability testing
  • Secure implementation requires multiple layers of protection
  • Career opportunities in cryptography are growing

Next Steps