Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Pitfalls of cryptographic code

Tags:

security

cryptography

prng

I'm modifying existing security code. The specifications are pretty clear, there is example code, but I'm no cryptographic expert. In fact, the example code has a disclaimer saying, in effect, "Don't use this code verbatim."

While auditing the code I'm to modify (which is supposedly feature complete) I ran across this little gem which is used in generating the challenge:

static uint16 randomSeed;

...

uint16 GetRandomValue(void)
{
  return randomSeed++;/* This is not a good example of very random generation :o) */
}

Of course, the first thing I immediately did was pass it around the office so we could all get a laugh.

The programmer who produced this code knew it wasn't a good algorithm (as indicated by the comment), but I don't think they understood the security implications. They didn't even bother to call it in the main loop so it would at least turn into a free running counter - still not ideal, but worlds beyond this.

However, I know that the code I produce is going to similarly cause a real security guru to chuckle or quake.

  • What are the most common security problems, specific to cryptography, that I need to understand?
  • What are some good resources that will give me suitable knowledge about what I should know beyond common mistakes?

-Adam

like image 435
Adam Davis Avatar asked Nov 27 '22 22:11

Adam Davis

2 Answers

Don't try to roll your own - use a standard library if at all possible. Subtle changes to security code can have a huge impact that aren't easy to spot, but can open security holes. For example, two modified lines to one library opened a hole that wasn't readily apparent for quite some time.

like image 132
Tai Squared Avatar answered Mar 28 '23 08:03

Tai Squared

Applied Cryptography is an excellent book to help you understand crypto and code. It goes over a lot of fundamentals, like how block ciphers work, and why choosing a poor cipher mode will make your code useless even if you're using a perfectly implemented version of AES.

Some things to watch out for:

  • Poor Sources of Randomness
  • Trying to design your own algorithm or protocol - don't do it, ever.
  • Not getting it code reviewed. Preferably by publishing it online.
  • Not using a well established library and trying to write it yourself.
  • Crypto as a panacea - encrypting data does not magically make it safe
  • Key Management. These days it's often easier to steal the key with a side-channel attack than to attack the crypto.
like image 21
Tom Ritter Avatar answered Mar 28 '23 07:03

Tom Ritter
Sign in to Comment

Related questions

What is the laravel way of storing API keys?
Portable database for storing secrets
Security: Brute-forcing GET-requests by URL?
Token based authentication in REST APIs
How to generate truly random numbers (NOT pseudo) in Linux
Fake a $_POST via PHP
How is this MySQL query vulnerable to SQL injection?
Is SHA512Managed considered the best one-way hash available in .NET 3.5 for security?
Is it possible to prevent decompilation of .NET MSIL DLL?
asp.net mvc and check for if a user is logged in
Is it worth making a CMS from scratch? [closed]
How should I create my DES key? Why is an 7-character string not enough?
How to become a security domain expert? [closed]
Is the function strcpy always dangerous?
How secure is iBeacon? [closed]
What is the difference between DoS and Brute Force attacks? [closed]
How to secure .env file in laravel 5.4?
How can I add one line into all php files' beginning?
include a website in php file
How does hashing and salting passwords make the application secure?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!