Encryption code is something that is widely used for protecting data in the digital era. It is mostly used for data across a network (data in transit) and stored for example in web development, hard drives, smartphones or flash drives (data at rest). Many electronic devices also use encryption to encrypt sensitive data, such as modems, set-top boxes, smartcards and SIM Cards. This shows that the need for encryption these days is very important. However, in many encryption implementations, the cryptography and the key protection methods are woefully insufficient, since there are some significant mistakes that keep emerge when an inexperienced developer is put in charge of such a project. Here are some common mistakes which are usually done by developers.
- There is no protection for Keys
There are many bad ideas found in protecting the keys, for example, in some cases, the key is thrown into a separate properties file or the key is simply hard coded in the source code while a copy of the offending source code is all that is needed for someone to get hold of these keys and get around the whole encryption issue.
Moreover, make sure to separate the keys and the data, as another common mistake is to collocate the keys on the same server of the data itself. This lets the attacker gain both the keys and data, once the attacker has reached the server.
- There is no protection for Keystore
A keystore is specialized file where the keys are stored and it does not differentiate whether the key is asymmetric or symmetric. Both of them can be placed in a keystore. Using a keystore is a good idea for protecting your data as you can use strong passphrases to protect the keystore and put access controls against this file. This way you can ensure that the keystore file is not accessible to the attacker, as the attacker surely will download it and attempt to force the passphrase and steal the keys. For using a keystore, the use of HSMs (Hardware Security Modules) will be come in handy.
- Create Custom or Weak Crypto
There are two things that should be avoided in creating a crypto, first inventing your own crypto or use existing crypto in nonstandard ways, secondly, using old and previously hacked crypto, so it is better to go with key lengths that make sense for your use case.
Peer reviews are a good idea for any code, but they are a must for cryptography code. Do not forget to ask an expert and get them to do a close examination. Even if all you’re doing is standard encryption and decryption, additional sets of eyes are essential to make sure that you have taken the right steps.
- Old Libraries
In implementing crypto mostly a developer uses one library, such as OpenSSL, Bouncy Castle, libraries built into Java or C#, etc. This intended to use the version that’s built in. But this kind of strategy gets new attacks each year. So, keeping your library updated with newer versions assures you are more safe from any previously proven attacks.
- One Key for Everything
Having the same key to encrypt all the data is generally OK. But having different keys for each column of database will make hackers work harder in attacking your database. In fact, this way is intended to make your database more secure. Moreover, if you can also use different keys for different functions, you will attain a very secure and robust system.