A02:2021 – Cryptographic Failures - Cyber Security https://www.hacktheforum.com/cyber-security/a022021-cryptographic-failures/ Hack The Forum Discussion Board en Sat, 18 Apr 2026 19:56:25 +0000 wpForo 60 A02:2021 – Cryptographic Failures https://www.hacktheforum.com/cyber-security/a022021-cryptographic-failures/#post-19913 Wed, 05 Nov 2025 01:35:48 +0000 Cryptographic Failures occur when sensitive data is not properly protected, either at rest or in transit.
This often results from weak encryption, no encryption, or incorrect implementation of cryptographic algorithms, allowing attackers to access or manipulate confidential data.

 

Sensitive data — such as passwords, credit card numbers, health records, or personal identifiers — must be protected so that unauthorized users can’t read or alter it.
If encryption is misused or missing, attackers can steal, modify, or impersonate users.

 

Common Examples of Cryptographic Failures

Example Description
No encryption on sensitive data Data transmitted over HTTP instead of HTTPS (e.g., credentials in clear text).
Weak or deprecated algorithms Use of outdated ciphers (e.g., MD5, SHA1, RC4, DES).
Improper key management Hardcoded, reused, or unrotated encryption keys.
Sensitive data in logs or URLs Logging passwords or including tokens in GET parameters.
Missing or incorrect TLS configuration Use of invalid certificates, weak protocols (e.g., TLS 1.0/1.1), or accepting self-signed certs.
Insecure password storage Storing plaintext passwords instead of using a strong hash (bcrypt, Argon2, PBKDF2).

Potential Impact

  • Exposure of personally identifiable information (PII).

  • Credential theft and account takeover.

  • Fraud or financial loss.

  • Legal and regulatory penalties (GDPR, HIPAA, PCI DSS violations).

Mitigation Strategies

1. Encrypt Sensitive Data in Transit

  • Always use HTTPS (TLS 1.2 or higher).

  • Use HSTS headers to enforce HTTPS.

  • Never send sensitive data in URLs or query strings.

2. Encrypt Sensitive Data at Rest

  • Use strong, modern encryption algorithms (AES-256, RSA-4096, etc.).

  • Protect encryption keys with key management systems (KMS) and environment isolation.

3. Use Proper Password Handling

  • Never store plaintext passwords.

  • Use adaptive one-way hashing with salts:

    • bcrypt, scrypt, Argon2, or PBKDF2.

4. Manage Keys and Secrets Securely

  • Do not hardcode secrets in code or repositories.

  • Rotate and revoke keys regularly.

  • Store secrets in a secure vault (AWS KMS, HashiCorp Vault, Azure Key Vault).

5. Remove Unnecessary Data

  • Don’t store sensitive data unless absolutely needed.

  • Minimize retention duration (data minimization principle).

6. Use Strong TLS Configuration

  • Disable weak ciphers and old protocols.

  • Use trusted certificate authorities (CAs).

7. Protect Against Side-Channel Leaks

  • Ensure sensitive information isn’t exposed through logs, error messages, or cache.

Testing & Tools

  • OWASP ZAP / Burp Suite – detect unencrypted transmissions.

  • SSL Labs Server Test – check TLS configuration.

  • TruffleHog / GitGuardian – detect exposed secrets in source code.

  • Static analysis tools (SAST) – detect insecure crypto use.

Example

Insecure (plaintext transmission):

POST /login HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded

username=john&password=123456

Secure (encrypted & hashed password):

POST /login HTTP/1.1
Host: example.com
Content-Type: application/json
Authorization: Bearer <token>

{
  "username": "john",
  "password_hash": "$2b$12$k5kW2GJzTtM..."
}

With HTTPS enforced and passwords hashed using bcrypt.

]]> Cyber Security Rinki Singh https://www.hacktheforum.com/cyber-security/a022021-cryptographic-failures/#post-19913