09 a7 insecure cryptographic storage.pptx
rap-payne -
![Page 1: 09 a7 insecure cryptographic storage.pptx](https://reader033.fdocuments.in/reader033/viewer/2022051313/5492a1deb47959424d8b466a/html5/thumbnails/1.jpg)
A7 Insecure Cryptographic Storage
Problem and Protection
![Page 2: 09 a7 insecure cryptographic storage.pptx](https://reader033.fdocuments.in/reader033/viewer/2022051313/5492a1deb47959424d8b466a/html5/thumbnails/2.jpg)
Loads of files! LOL!
o In prep for this lecture, I wanted to prove a point
o I connected to a network and, sticking to only publicly shared folders, I found many files, including these:
![Page 3: 09 a7 insecure cryptographic storage.pptx](https://reader033.fdocuments.in/reader033/viewer/2022051313/5492a1deb47959424d8b466a/html5/thumbnails/3.jpg)
On another laptop ...
![Page 4: 09 a7 insecure cryptographic storage.pptx](https://reader033.fdocuments.in/reader033/viewer/2022051313/5492a1deb47959424d8b466a/html5/thumbnails/4.jpg)
Insecure Cryptographic Storage
o When anyone stores data that is not encrypted or is weakly encrypted
o If a breach occurs, all that data is compromised
![Page 5: 09 a7 insecure cryptographic storage.pptx](https://reader033.fdocuments.in/reader033/viewer/2022051313/5492a1deb47959424d8b466a/html5/thumbnails/5.jpg)
How attackers do it
o Explore a network
o Put up a fake WAP
o Physically steal computers and media
o Phishing emails
o Break into machines using stolen passwords
o Social engineering
o Once data is found, they copy it and can take their time decoding/decrypting it
![Page 6: 09 a7 insecure cryptographic storage.pptx](https://reader033.fdocuments.in/reader033/viewer/2022051313/5492a1deb47959424d8b466a/html5/thumbnails/6.jpg)
How we protect ourselves
o Avoid storing sensitive data
o Encrypt all sensitive data
o Use strong encryption properly
o Protect the keys
![Page 7: 09 a7 insecure cryptographic storage.pptx](https://reader033.fdocuments.in/reader033/viewer/2022051313/5492a1deb47959424d8b466a/html5/thumbnails/7.jpg)
Avoid storing sensitive data
o PCI DSS – storing the CVV is against the standard
o Do you really need to store even the PAN?
o Don't use database backups as test data
![Page 8: 09 a7 insecure cryptographic storage.pptx](https://reader033.fdocuments.in/reader033/viewer/2022051313/5492a1deb47959424d8b466a/html5/thumbnails/8.jpg)
Lost Media
o June 3, 2013 – 14,000 student records with SSNs, on a thumb drive found in a library computer in Champlain College
o April 17, 2010 – Parking meter storage device containing credit card numbers was stolen from a Vancouver park
o Sept 4, 2008 - 11,000,000 records, including names, addresses, emails, and SSNs were found on a disk in the trash in Seoul
![Page 9: 09 a7 insecure cryptographic storage.pptx](https://reader033.fdocuments.in/reader033/viewer/2022051313/5492a1deb47959424d8b466a/html5/thumbnails/9.jpg)
Stolen computers
o July 15, 2013 – 4 million patient names, addresses, DOB, and SSNs in four computers stolen from a building in Chicago
o July 15, 2012 – 2.4 million voters' names, addresses, genders, dates of birth and voting information compromised by disappearance of two USB memory drives in Ontario
o May 22, 2006 – 26.5 million names, addresses and SSNs were on a laptop stolen from a DoD analyst's home
![Page 10: 09 a7 insecure cryptographic storage.pptx](https://reader033.fdocuments.in/reader033/viewer/2022051313/5492a1deb47959424d8b466a/html5/thumbnails/10.jpg)
Encrypt sensitive data
o None of those problems would have happened if the data were strongly encrypted
o Encrypt all data in long-term storage
o This includes database files (*.mdf)
![Page 11: 09 a7 insecure cryptographic storage.pptx](https://reader033.fdocuments.in/reader033/viewer/2022051313/5492a1deb47959424d8b466a/html5/thumbnails/11.jpg)
Encrypting web.config
o If you were to lose a copy of your web site, would the attacker know your database password?
o It's either in web.config (preferred) or inline in the code
o We should be encrypting sensitive sections of web.config
o Use aspnet_regiis.exe, found in:
  • Start – Visual Studio – Visual Studio Tools – Visual Studio Command Prompt
![Page 12: 09 a7 insecure cryptographic storage.pptx](https://reader033.fdocuments.in/reader033/viewer/2022051313/5492a1deb47959424d8b466a/html5/thumbnails/12.jpg)
Encrypting web.config
o Before:

    <configuration>
      <connectionStrings>
        <add name="MainConnectionString"
             connectionString="data source=Ratbert;database=Sales;user id=ASPNET;password=$Double_Rainbow2011"
             providerName="System.Data.SqlClient"/>
      </connectionStrings>
    </configuration>

o Run this command:

    aspnet_regiis -pef connectionStrings c:\PathToWebSite
![Page 13: 09 a7 insecure cryptographic storage.pptx](https://reader033.fdocuments.in/reader033/viewer/2022051313/5492a1deb47959424d8b466a/html5/thumbnails/13.jpg)
Encrypting web.config
o After:

    <connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
      <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
                     xmlns="http://www.w3.org/2001/04/xmlenc#">
        <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
          <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
            <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
            <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
              <KeyName>Rsa Key</KeyName>
            </KeyInfo>
            <CipherData>
              <CipherValue>Bf677iFrUFW ... +4n4ZZKXCTUAu2Y=</CipherValue>
            </CipherData>
          </EncryptedKey>
        </KeyInfo>
        <CipherData>
          <CipherValue>UDEZ ...QfXUmM5rQ==</CipherValue>
        </CipherData>
      </EncryptedData>
    </connectionStrings>
![Page 14: 09 a7 insecure cryptographic storage.pptx](https://reader033.fdocuments.in/reader033/viewer/2022051313/5492a1deb47959424d8b466a/html5/thumbnails/14.jpg)
Decrypting web.config
o Now that it is garbled, you can't edit it
o Decrypt like this:

    aspnet_regiis -pdf connectionStrings c:\PathToWebSite

o And then change and re-encrypt
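
Because the section has to be decrypted for every edit, it is easy to deploy it without re-encrypting. The check below is an added example, not part of the original slides: `WebConfigAudit` and `FindUnprotected` are hypothetical names, and it assumes the sections are direct children of a `<configuration>` root with no XML namespace.

```csharp
using System;
using System.Linq;
using System.Xml.Linq;

static class WebConfigAudit
{
    static readonly XNamespace Enc = "http://www.w3.org/2001/04/xmlenc#";

    // Returns the requested top-level sections that exist but are not
    // wrapped by a protected-configuration provider.
    public static string[] FindUnprotected(string webConfigXml, params string[] sections)
    {
        XElement root = XDocument.Parse(webConfigXml).Root;
        return sections.Where(name =>
        {
            XElement section = root.Element(name);
            if (section == null) return false;   // absent: nothing to protect
            bool hasProvider = section.Attribute("configProtectionProvider") != null;
            bool hasCipher = section.Element(Enc + "EncryptedData") != null;
            return !(hasProvider && hasCipher);
        }).ToArray();
    }

    static void Main()
    {
        // Constructed samples modelled on the Before/After slides; the
        // password and the empty EncryptedData element are placeholders.
        string before = @"<configuration><connectionStrings>
  <add name=""MainConnectionString""
       connectionString=""data source=db;password=PLACEHOLDER"" />
</connectionStrings></configuration>";
        string after = @"<configuration>
<connectionStrings configProtectionProvider=""RsaProtectedConfigurationProvider"">
  <EncryptedData xmlns=""http://www.w3.org/2001/04/xmlenc#"" />
</connectionStrings></configuration>";

        foreach (string xml in new[] { before, after })
        {
            string[] open = FindUnprotected(xml, "connectionStrings", "appSettings");
            Console.WriteLine(open.Length == 0
                ? "OK: sections are protected"
                : "FAIL: clear-text section(s): " + string.Join(", ", open));
        }
    }
}
```

In a deployment pipeline, pass the contents of the site's web.config to `FindUnprotected` and fail the step when it returns anything.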
![Page 15: 09 a7 insecure cryptographic storage.pptx](https://reader033.fdocuments.in/reader033/viewer/2022051313/5492a1deb47959424d8b466a/html5/thumbnails/15.jpg)
Using a stored connectionString
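o Use the ConfigurationManager static class

    // Requires: using System.Configuration; using System.Data.SqlClient;
    // An encrypted section is decrypted transparently when it is read.
    string connStr = ConfigurationManager
        .ConnectionStrings["MainConnectionString"]
        .ConnectionString;
    var myConnection = new SqlConnection(connStr);
    myConnection.Open();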
![Page 16: 09 a7 insecure cryptographic storage.pptx](https://reader033.fdocuments.in/reader033/viewer/2022051313/5492a1deb47959424d8b466a/html5/thumbnails/16.jpg)
Use stronger encryption ciphers
o Symmetric methods are best for data
o Use:
  • AES (Rijndael)
  • Blowfish
  • 3DES
o Avoid:
  • DES
  • Homegrown schemes
o Use strong keys
![Page 17: 09 a7 insecure cryptographic storage.pptx](https://reader033.fdocuments.in/reader033/viewer/2022051313/5492a1deb47959424d8b466a/html5/thumbnails/17.jpg)
Strong passwords
o Use SHA-2 or better for passwords
o Scenario: your website stores passwords in the user table. You lose a backup of the database
o Attacker sees this:

    username     password
    lilohan      c75ffb145de06825f6dca5ed2efb5e6f
    rap          2c1bc7d994c7d1172f73f2e99a1b147c
    kkardashian  9c700e931fc38fb7ca747676608c8e86
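
A way to store the password column so that a lost backup reveals far less: a per-user random salt and PBKDF2 over HMAC-SHA-256 (a SHA-2 function), so equal passwords no longer produce equal values and each guess costs many hash computations. This is an added example, not part of the original slides; `PasswordStore`, the `iterations.salt.hash` storage format and the iteration count are assumptions, and it needs .NET Framework 4.7.2+ or .NET Core 2.0+.

```csharp
using System;
using System.Security.Cryptography;

static class PasswordStore
{
    // Assumed parameters: 16-byte salt, 32-byte output, 210,000 iterations.
    const int SaltBytes = 16, HashBytes = 32, Iterations = 210000;

    // Returns "iterations.salt.hash" (Base64 fields) for the user table.
    public static string Hash(string password)
    {
        byte[] salt = new byte[SaltBytes];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        return Iterations + "." + Convert.ToBase64String(salt) + "." +
               Convert.ToBase64String(Derive(password, salt, Iterations));
    }

    public static bool Verify(string password, string stored)
    {
        string[] parts = stored.Split('.');
        if (parts.Length != 3 || !int.TryParse(parts[0], out int iterations)
            || iterations < 1) return false;
        byte[] salt, expected;
        try
        {
            salt = Convert.FromBase64String(parts[1]);
            expected = Convert.FromBase64String(parts[2]);
        }
        catch (FormatException) { return false; }
        if (salt.Length < 8) return false;       // PBKDF2 minimum salt size
        byte[] actual = Derive(password, salt, iterations);
        // Compare without stopping at the first differing byte.
        int diff = actual.Length ^ expected.Length;
        for (int i = 0; i < actual.Length && i < expected.Length; i++)
            diff |= actual[i] ^ expected[i];
        return diff == 0;
    }

    static byte[] Derive(string password, byte[] salt, int iterations)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations,
                                                HashAlgorithmName.SHA256))
            return kdf.GetBytes(HashBytes);
    }

    static void Main()
    {
        string a = Hash("constructed-sample"), b = Hash("constructed-sample");
        Console.WriteLine("same password, different stored values: " + (a != b));
        Console.WriteLine("correct password verifies: " + Verify("constructed-sample", a));
        Console.WriteLine("wrong password verifies: " + Verify("wrong-guess", a));
    }
}
```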
![Page 18: 09 a7 insecure cryptographic storage.pptx](https://reader033.fdocuments.in/reader033/viewer/2022051313/5492a1deb47959424d8b466a/html5/thumbnails/18.jpg)
Protect the keys
o Encrypted data is wide open if the bad guys also have the decryption key
o Do not store the key on the same media as the data
o Choose two different transport mechanisms for the key and the data
  • Send the key by email and the data on external USB disk
  • Store the key on a thumb drive and the data on your laptop
![Page 19: 09 a7 insecure cryptographic storage.pptx](https://reader033.fdocuments.in/reader033/viewer/2022051313/5492a1deb47959424d8b466a/html5/thumbnails/19.jpg)
Summary
o Insecure cryptographic storage costs billions of dollars and is relatively simple to protect against
o We should encrypt all sensitive data that is in long-term storage
  • Using robust ciphers
  • Using longer keys, salts
o Store and transport the keys separately from the data
![Page 20: 09 a7 insecure cryptographic storage.pptx](https://reader033.fdocuments.in/reader033/viewer/2022051313/5492a1deb47959424d8b466a/html5/thumbnails/20.jpg)
Further study
o OWASP's insecure cryptographic storage overview:
  • http://bit.ly/OWASPCrypto
o Lots of security tools:
  • http://sectools.org
o Database of Insecure Cryptographic Data Losses:
  • http://datalossdb.org
o Working with encrypted connectionStrings:
  • http://bit.ly/EncryptingConnectionStrings