Cryptographic Vulnerabilities


Cryptographic vulnerabilities refer to weaknesses in cryptographic systems, protocols, or algorithms that can be exploited to compromise data.

  • e.g.,
    • symmetric encryption
      • MD5 and SHA-1
        • allow for collision attacks
          • two different inputs produce the same hash output
      • Data Encryption Standard (DES)
        • vulnerable to brute force attack due to 56-bit key size
      • Triple DES (3DES)
        • applies DES algorithm 3 times
          • considered secure initially
        • Sweet32 birthday attack found in 2016
        • NIST deprecated in 2017
        • recommended discontinuation for all by 2023
    • asymmetric encryption
      • RSA
        • vulnerable if
          • small key size is used
          • RNG for key creation is weak
      • if the same key pair is used for an extended period, the likelihood of compromise increases

A cipher suite describes the combination of encryption algorithms used in a protocol.

  • e.g., SSL/TLS
  • vulnerability examples
    • Browser Exploit Against SSL/TLS (BEAST)
    • Padding Oracle On Downgraded Legacy Encryption (POODLE)
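
An added example (not part of the original notes): a small audit that splits IANA-style cipher suite names into their components and flags the weak primitives listed above. It also flags CBC suites on the protocol versions BEAST (SSL 3.0, TLS 1.0) and POODLE (SSL 3.0) apply to. The function names and the `OFFERED` server list are constructed for illustration.

```python
import re

# Token in the IANA suite name -> reason, taken from the notes above.
WEAK_CIPHERS = {"DES": "DES: 56-bit key, brute force",
                "3DES": "3DES: Sweet32 birthday attack"}
# In a suite name the hash serves as HMAC or PRF; flagged as a legacy primitive.
WEAK_HASHES = {"MD5": "MD5: collision attacks",
               "SHA": "SHA-1: collision attacks"}
# CBC-mode protocol attacks: BEAST hits SSL 3.0/TLS 1.0, POODLE hits SSL 3.0.
CBC_ATTACKS = {"SSLv3": ["BEAST", "POODLE"], "TLSv1.0": ["BEAST"]}

# TLS 1.3 names have no key-exchange part, so "<kx>_WITH_" is optional.
SUITE_RE = re.compile(r"^TLS_(?:(?P<kx>.+)_WITH_)?(?P<cipher>.+)_(?P<hash>[A-Z0-9]+)$")

def audit_suite(name, protocol):
    """Return the findings for one suite offered on one protocol version."""
    m = SUITE_RE.match(name)
    if m is None:
        return ["unrecognised suite name"]
    tokens = m["cipher"].split("_")  # e.g. ['3DES', 'EDE', 'CBC']
    findings = []
    if tokens[0] in WEAK_CIPHERS:
        findings.append(WEAK_CIPHERS[tokens[0]])
    if m["hash"] in WEAK_HASHES:
        findings.append(WEAK_HASHES[m["hash"]])
    if "CBC" in tokens:
        findings += [f"{attack}: CBC suite on {protocol}"
                     for attack in CBC_ATTACKS.get(protocol, [])]
    return findings

def audit_server(offered):
    """Map each (protocol, suite) pair that has findings to those findings."""
    report = {}
    for protocol, suite in offered:
        findings = audit_suite(suite, protocol)
        if findings:
            report[(protocol, suite)] = findings
    return report

# Constructed sample: suites a hypothetical server offers, per protocol version.
OFFERED = [
    ("SSLv3", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"),
    ("TLSv1.0", "TLS_RSA_WITH_DES_CBC_SHA"),
    ("TLSv1.2", "TLS_RSA_WITH_AES_128_CBC_SHA"),
    ("TLSv1.2", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"),
    ("TLSv1.3", "TLS_AES_256_GCM_SHA384"),
]

if __name__ == "__main__":
    print(audit_server(OFFERED))
```
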

Protecting Cryptographic Keys

  • cryptographic key protection requires implementing specialized security measures to safeguard keys from unauthorized access or disclosure
    • keys are typically nothing more than strings of alphanumeric characters stored in simple text files
  • Common secure key storage practices:
    • secure key storage systems
      • e.g., hardware security modules (HSMs) or key management systems (KMS)
    • implementing proper access controls and authentication mechanisms
    • regularly monitoring and auditing key usage
    • periodically changing cryptographic keys
      • referred to as key rotation
      • to strengthen the system and combat risks

Kerckhoffs's Principle

Kerckhoffs’s principle establishes that a cryptosystem should be secure even if everything about the system, except the key, is public knowledge.