200 million Yahoo accounts up for sale, AdultFriendFinder hacked (over 300 million users exposed), hackers break into the Anthem health insurance system affecting up to 80 million users, LinkedIn's Lynda.com hacked with 9.5 million accounts affected. What is common to all of these? Lack of encryption. Yes, lack of encryption had a hand in some of the biggest breaches of the last 2 years.
Hacks are inevitable; they are going to happen. The way to prepare yourself for them is to prepare for a secure leak. We have two friends here. Any guesses?
Yes: hashing and encryption. In very simple words, hashing converts a clear-text input into a fixed-length, non-clear-text output, and it is not reversible, while encryption can be reversed using the encryption keys.
They say, choose your friends wisely. Hashing or encryption – where to use what?
If you have a genuine need to reverse or to know the clear-text value of something, then use encryption; otherwise use hashing. For example, in the case of a forgotten-password email, if you ever receive your clear-text password in the email instead of a link to create a new password, then immediately stop using that provider's services. They are storing your password either in clear text or with encryption, when they should be using hashing, because there is no need to reverse a stored password: it can simply be reset by sending a new link to the end user.
What are some secure hashing guidelines?
First is choosing an appropriate algorithm. Which one to choose: MD5, SHA-1 or SHA-2? Tools are available such as MD5 Salted Hash Kracker to break MD5 hashes and Hashcat in Kali Linux to break SHA-1 hashes, making SHA-2 your best bet.
The next one is to use salting with hashing. Hackers use rainbow tables to break any hash (even SHA-2), and free rainbow-table-based lookup tools are available on the internet. A rainbow table is a dictionary of words together with their precomputed hashes. Without a salt, a fixed input always produces the same fixed output, which is how a rainbow table lets a hacker recover the clear-text value from a hash output. Adding a salt changes the input and hence changes the resulting output. Taking the example of storing users' passwords, it is best practice to use a different random salt as an input for each password when hashing passwords for storage: make the salt random for every password.
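As an added illustration (not code from the article), here is a small Python sketch of the salting point above: the unsalted SHA-256 of a common word is found instantly in a precomputed lookup table, while a fresh random salt per password makes each stored value unique, so no precomputed table applies. The PBKDF2 iteration count is an assumption added here for key stretching; the article itself only calls for SHA-2 plus a random salt.

```python
import hashlib
import hmac
import os


def unsalted_sha256(word):
    """Plain SHA-256 of a word, hex-encoded: same input, same output, every time."""
    return hashlib.sha256(word.encode()).hexdigest()


# Constructed stand-in for a rainbow table: a precomputed map from the unsalted
# SHA-256 of a few common words back to their clear text.
WORDLIST = ["password", "letmein", "qwerty", "123456"]
UNSALTED_TABLE = {unsalted_sha256(w): w for w in WORDLIST}


def lookup_unsalted(digest_hex):
    """Recover the clear text behind an unsalted hash if it is in the table, else None."""
    return UNSALTED_TABLE.get(digest_hex)


# Iteration count is an assumption added here (key stretching); the article only
# asks for SHA-2 with a random salt. It makes each guess cost more than one hash.
ITERATIONS = 100_000


def hash_password(password, salt=None):
    """Return (salt, digest): SHA-256-based hash with a random 16-byte per-password salt."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every password, as the article advises
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)
```

Two users who both choose "letmein" end up with different salts and different digests, so a hit on one table entry tells the attacker nothing about the other.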
Now, what are strong encryption guidelines?
“Hacks are inevitable; they are going to happen. The way to prepare yourself for these is to prepare for a security leak.”
Dinesh Kumar Aggarwal
Again, first is choosing an appropriate algorithm. Which one to choose: DES, 3DES, AES-128 or AES-256? AES-256 is the most suitable for encrypting critical data. Your encryption is only as secure as your encryption keys. In the real world, no one keeps the keys to a treasure next to the lock; they are always kept securely. This principle is easily forgotten in the virtual world when using encryption. Using the analogy between the real and virtual worlds, there are 6 principles of secure encryption:
Principle 1: Always keep encryption keys separate from the data they protect. Use hashing wherever possible.
Where to store the keys? In the database? On the file system? In an application config file?
The best answer is not to use any of these. Use a hardware/software HSM or a separate secure server to store the encryption keys.
Principle 2: The lock should need 3 (or more) keys to open (this would be very good security in the physical world).
In the virtual world, the analogy is to require multiple administrator authentications (dual or multi-user control) for all critical encryption key functions. This is easily achievable in an HSM device.
Principle 3: The key destroys itself if someone tries to steal it (this would be awesome in the physical world).
In the virtual world, use a key encryption box (HSM) with built-in physical security that erases the keys if someone tries to tamper with the box.
Principle 4: Even the treasure owner cannot see the key or carry it away, yet can still use it.
In the virtual world, this is achieved by disabling key export. Technologies like HSMs make it possible for keys to never be visible to anyone.
Principle 5: Do you use the same key for your house, your car and your office?
In the virtual world, don't use the same encryption key for all of your sensitive data.
Principle 6: Is it a good idea to change the locks every once in a while?
In the virtual world, the same is true for encryption. This is called key rotation. Rotate your encryption keys regularly.
Outcome? Secure Leak. Happy Encrypting and don’t let your king be nude.
The author is a Security Architect at the Missing Link Network Integration & Security.
Disclaimer: This article is published as part of the IDG Contributor Network. The views expressed in this article are solely those of the contributing authors and not of IDG Media and its editor(s).