A02:2021 – Cryptographic Failures

(@rinki)
Posts: 24
Eminent Member
Topic starter

Cryptographic Failures occur when sensitive data is not properly protected, either at rest or in transit.
This often results from weak encryption, no encryption, or incorrect implementation of cryptographic algorithms, allowing attackers to access or manipulate confidential data.


Sensitive data — such as passwords, credit card numbers, health records, or personal identifiers — must be protected so that unauthorized users can’t read or alter it.
If encryption is misused or missing, attackers can steal, modify, or impersonate users.


Common Examples of Cryptographic Failures

  • No encryption on sensitive data – Data transmitted over HTTP instead of HTTPS (e.g., credentials in clear text).

  • Weak or deprecated algorithms – Use of outdated ciphers (e.g., MD5, SHA1, RC4, DES).

  • Improper key management – Hardcoded, reused, or unrotated encryption keys.

  • Sensitive data in logs or URLs – Logging passwords or including tokens in GET parameters.

  • Missing or incorrect TLS configuration – Use of invalid certificates, weak protocols (e.g., TLS 1.0/1.1), or accepting self-signed certs.

  • Insecure password storage – Storing plaintext passwords instead of using a strong hash (bcrypt, Argon2, PBKDF2).

Potential Impact

  • Exposure of personally identifiable information (PII).

  • Credential theft and account takeover.

  • Fraud or financial loss.

  • Legal and regulatory penalties (GDPR, HIPAA, PCI DSS violations).

Mitigation Strategies

1. Encrypt Sensitive Data in Transit

  • Always use HTTPS (TLS 1.2 or higher).

  • Use HSTS headers to enforce HTTPS.

  • Never send sensitive data in URLs or query strings.

2. Encrypt Sensitive Data at Rest

  • Use strong, modern encryption algorithms (AES-256, RSA-4096, etc.).

  • Protect encryption keys with key management systems (KMS) and environment isolation.

3. Use Proper Password Handling

  • Never store plaintext passwords.

  • Use adaptive one-way hashing with salts:

    • bcrypt, scrypt, Argon2, or PBKDF2.

4. Manage Keys and Secrets Securely

  • Do not hardcode secrets in code or repositories.

  • Rotate and revoke keys regularly.

  • Store secrets in a secure vault (AWS KMS, HashiCorp Vault, Azure Key Vault).

5. Remove Unnecessary Data

  • Don’t store sensitive data unless absolutely needed.

  • Minimize retention duration (data minimization principle).

6. Use Strong TLS Configuration

  • Disable weak ciphers and old protocols.

  • Use trusted certificate authorities (CAs).

7. Protect Against Side-Channel Leaks

  • Ensure sensitive information isn’t exposed through logs, error messages, or cache.

Testing & Tools

  • OWASP ZAP / Burp Suite – detect unencrypted transmissions.

  • SSL Labs Server Test – check TLS configuration.

  • TruffleHog / GitGuardian – detect exposed secrets in source code.

  • Static analysis tools (SAST) – detect insecure crypto use.

Example

Insecure (plaintext transmission):

POST /login HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded

username=john&password=123456

Secure (encrypted & hashed password):

POST /login HTTP/1.1
Host: example.com
Content-Type: application/json
Authorization: Bearer <token>

{
  "username": "john",
  "password_hash": "$2b$12$k5kW2GJzTtM..."
}

With HTTPS enforced and passwords hashed using bcrypt.

This topic was modified 3 hours ago by Rinki Singh
Posted : 05/11/2025 7:05 am
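The "Sensitive data in logs or URLs" row and the "Protect Against Side-Channel Leaks" section describe tokens and passwords leaking through GET parameters and log files. As an added example (not part of the original post), the script below scans web-server access-log lines for query parameters whose names suggest secrets and produces a redacted copy. The log lines are constructed for the example, and the parameter-name list is an assumption to tune per application.

```python
# Added example (not from the original post): detect secrets carried in GET
# query strings inside access-log lines, and redact them before retention.
import re
from urllib.parse import parse_qsl, urlencode, urlsplit

# Parameter names that should never travel in a URL or be written to a log.
# Assumed list for this example; extend it for your application.
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "token", "access_token",
                    "api_key", "apikey", "secret", "session", "ssn", "card"}

# Request part of a common access-log line: "METHOD /path?query HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

SAMPLE_LOG = [   # constructed sample lines
    '10.0.0.5 - - [05/Nov/2025:07:05:01 +0000] "GET /login?username=john&password=123456 HTTP/1.1" 200 512',
    '10.0.0.6 - - [05/Nov/2025:07:05:02 +0000] "GET /api/report?access_token=eyJhbGciOi... HTTP/1.1" 200 2048',
    '10.0.0.7 - - [05/Nov/2025:07:05:03 +0000] "GET /static/app.css HTTP/1.1" 304 0',
    '10.0.0.8 - - [05/Nov/2025:07:05:04 +0000] "POST /login HTTP/1.1" 302 0',
]


def sensitive_params_in(line: str) -> list:
    """Return the names of sensitive query parameters found in one log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    query = urlsplit(m.group("target")).query
    return [name for name, _ in parse_qsl(query, keep_blank_values=True)
            if name.lower() in SENSITIVE_PARAMS]


def redact(line: str) -> str:
    """Replace the value of every sensitive parameter with REDACTED."""
    m = REQUEST_RE.search(line)
    if not m:
        return line
    parts = urlsplit(m.group("target"))
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    cleaned = [(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v) for k, v in pairs]
    target = parts.path + ("?" + urlencode(cleaned) if cleaned else "")
    return line.replace(m.group("target"), target, 1)


def audit(lines: list) -> tuple:
    """Return (findings, redacted_lines); findings are (line_no, [param names])."""
    findings, redacted = [], []
    for n, line in enumerate(lines, 1):
        hit = sensitive_params_in(line)
        if hit:
            findings.append((n, hit))
        redacted.append(redact(line))
    return findings, redacted


if __name__ == "__main__":
    found, clean = audit(SAMPLE_LOG)
    for n, names in found:
        print(f"line {n}: sensitive parameter(s) in URL: {', '.join(names)}")
    print("\n".join(clean))
```

Run against real logs this gives two outputs a defender wants: a finding per request that carried a secret in the URL (the application bug to fix, since proxies, browser history and referrers also see that URL), and a redacted copy that can be retained without re-exposing the secret.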
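The "Encrypt Sensitive Data in Transit" and "Use Strong TLS Configuration" sections, together with the table row on invalid or self-signed certificates, describe what a correct TLS client setup must enforce. As an added example (not from the original post), the code below builds such a client-side context with Python's ssl module and audits any context for the weak settings the post names. The function names are this example's own; no network connection is made.

```python
# Added example (not from the original post): a TLS client context that
# enforces TLS 1.2+, CA verification and hostname checking, plus an audit
# that flags the weak settings described in the post.
import ssl


def secure_client_context() -> ssl.SSLContext:
    """Trusted CA store, certificate required, hostname checked, TLS 1.2 minimum."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED + check_hostname=True, system CAs
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse TLS 1.0/1.1
    return ctx


def weakened_context() -> ssl.SSLContext:
    """The misconfiguration the post warns about: verification switched off,
    so any certificate (self-signed, expired, wrong host) is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False   # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return human-readable findings; an empty list means the context passes."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified (accepts self-signed or invalid certs)")
    if not ctx.check_hostname:
        findings.append("certificate hostname not checked")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"minimum protocol is {ctx.minimum_version.name}; require TLS 1.2 or higher")
    return findings


if __name__ == "__main__":
    print("secure context:", audit_context(secure_client_context()) or "no findings")
    print("weakened context:", audit_context(weakened_context()))
```

The same three checks (certificate verification on, hostname checking on, minimum protocol TLS 1.2) are what a code reviewer or SAST rule should look for wherever an application constructs its own TLS context instead of using the library default.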