
Cryptographic Use and Weaknesses (Summary)

One of the challenges with today's mobile devices is that we are limited by the amount of
battery available. There is a balance between providing security and having a mobile device that stays
available to us throughout the entire day, so most mobile devices tend to use cryptography that
consumes less power.

If we have an application that requires low latency, then we need a type of encryption that does
not consume many CPU resources, because we must be able to encrypt and decrypt this information very
quickly. In those cases we use symmetric encryption for the bulk data (for example AES, which most modern
CPUs accelerate in hardware) rather than slow public-key operations, and we avoid needlessly large
parameters. The key should still be no shorter than the commonly accepted minimum of 128 bits: going below
that buys very little speed and brings brute force within reach. If we are also concerned about the integrity
of the data we send back and forth, a strong cipher with a large key is not enough on its own; we pair it with
a keyed integrity check, a message authentication code (MAC) or an authenticated encryption mode, so the
receiver can detect any modification once the information has been transmitted. A plain, unkeyed hash does
not give that guarantee, because anyone who can alter the message can recompute the hash to match.

One of the biggest reasons we use encryption is confidentiality. It is a secret and private
method of communicating, so that no one other than our intended recipient is able to read the message. It is
common to use file-level encryption, drive-level (full-disk) encryption, or encryption of our email to
maintain this confidentiality.

Sometimes we send information to someone else and want to be certain that the information they
received is exactly the information we originally sent. This is called integrity, and it lets the receiver
detect that somebody modified the data while it was travelling between the two points. It is common to use
hashes to provide this integrity: you take a hash of the data as you send it, and the person on the other end
performs the same hashing function and compares the two hashes to verify that nothing has changed in
transit. The hash itself must reach the receiver by a path the attacker cannot alter, or be keyed (an HMAC);
an attacker who can change both the data and the accompanying hash simply recomputes it.

This is commonly used with file transfers to verify that the transfer was successful and the file was
not corrupted. We also use hashing to store passwords: we store a hash of the password rather than the
password itself, so the original is not visible, but we can still hash a submitted password and compare the
result to the stored value to check that a user is authenticating with the correct password.
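The two integrity checks described above, as an added example that is not part of the original page: an unkeyed SHA-256 digest, which catches accidental corruption of a transferred file but not an attacker who can replace both the file and its published hash, beside an HMAC over the same data, which the attacker cannot recompute without the shared key. The payload and the key are constructed for the example; comparisons use `hmac.compare_digest` so that the check itself does not leak timing information.

```python
import hashlib
import hmac

# Constructed sample payload standing in for a transferred file.
SAMPLE_FILE = b"quarterly-report.csv\n2024-Q1,revenue,1250000\n"

# Constructed shared secret for the HMAC variant. In practice it is provisioned
# out of band and never sent alongside the data.
SHARED_KEY = b"example-shared-key-do-not-reuse"


def digest(data: bytes) -> str:
    """SHA-256 hex digest, as a sender would publish next to a download."""
    return hashlib.sha256(data).hexdigest()


def verify_digest(data: bytes, expected_hex: str) -> bool:
    """Receiver recomputes the hash and compares it to the published one."""
    return hmac.compare_digest(digest(data), expected_hex)


def tag(data: bytes, key: bytes) -> str:
    """HMAC-SHA256 over the data under a key shared by sender and receiver."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_tag(data: bytes, key: bytes, expected_hex: str) -> bool:
    """Receiver recomputes the HMAC with its copy of the key and compares."""
    return hmac.compare_digest(tag(data, key), expected_hex)


def tamper(data: bytes) -> bytes:
    """Attacker edits one figure in the report while it is in transit."""
    return data.replace(b"1250000", b"9250000")


def unkeyed_hash_defeated_by_active_attacker() -> bool:
    """If the attacker controls both the file and the published hash, the
    receiver's unkeyed check passes. Returns True when the forgery is accepted."""
    forged = tamper(SAMPLE_FILE)
    forged_hash = digest(forged)            # attacker recomputes and republishes
    return verify_digest(forged, forged_hash)


def hmac_detects_tampering() -> bool:
    """The attacker cannot produce a valid tag for the forged file without
    SHARED_KEY, so the receiver rejects it. Returns True when detected."""
    forged = tamper(SAMPLE_FILE)
    original_tag = tag(SAMPLE_FILE, SHARED_KEY)
    return not verify_tag(forged, SHARED_KEY, original_tag)


if __name__ == "__main__":
    print("hash catches corruption:", not verify_digest(tamper(SAMPLE_FILE), digest(SAMPLE_FILE)))
    print("hash fooled by active attacker:", unkeyed_hash_defeated_by_active_attacker())
    print("HMAC detects tampering:", hmac_detects_tampering())
```

Publishing a SHA-256 next to a download only helps when the page serving the hash is better protected than the download itself; a signature or an HMAC binds the check to a key the attacker does not have.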

We can also use cryptography to hide data, a form of obfuscation. Modern malware takes
advantage of this by encrypting or packing its payload before transferring it onto your system. Because the
payload is encrypted, signature-based anti-virus scanners cannot match it against known patterns. Once
the malware executes on your system, it decrypts itself in memory and then begins infecting your computer.

Cryptography is commonly used with authentication. We combine each password with a
random salt and compute a deliberately slow hash of both the salt and the password. In this way, if someone
gains access to our hashed password list, all of the password hashes look completely unique, even where
two users share the same password, and precomputed tables of common password hashes no longer apply.

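The salted, slow password hash described above, as an added example that is not part of the original page. It contrasts a plain SHA-256 of the password (two users with the same password get the same hash) with PBKDF2-HMAC-SHA256 over a fresh 16-byte salt per user, stored in a self-describing record so that the verifier can recompute it later. The user names, passwords and the 600,000-iteration work factor are constructed choices for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256 chosen for this example; tune it so one
# verification costs a noticeable fraction of a second on your hardware.
ITERATIONS = 600_000


def unsalted_hash(password: str) -> str:
    """The weak scheme: identical passwords produce identical hashes."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Salted, slow hash. Returns a record carrying everything needed to
    verify later: algorithm, iteration count, salt and derived key."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_hex, dk_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def build_user_table(users: dict, iterations: int = ITERATIONS) -> dict:
    """Constructed credential store: username -> stored record."""
    return {name: hash_password(pw, iterations=iterations) for name, pw in users.items()}


if __name__ == "__main__":
    # Constructed sample accounts; alice and bob chose the same password.
    plaintext = {"alice": "Winter2024!", "bob": "Winter2024!", "carol": "hunter2"}
    print("unsalted hashes collide:", unsalted_hash("Winter2024!") == unsalted_hash("Winter2024!"))
    table = build_user_table(plaintext)
    print("salted records identical:", table["alice"] == table["bob"])   # False
    print("correct password:", verify_password("Winter2024!", table["alice"]))
    print("wrong password:", verify_password("winter2024!", table["alice"]))
```

Storing the iteration count in the record lets you raise the work factor for new passwords without breaking verification of old ones, which is how a production store migrates to stronger parameters over time.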
Another useful feature of cryptography is non-repudiation. That allows us to confirm that
information we received from a third party really did come from that third party, and the sender cannot
later deny having sent it. By using digital signatures, which are produced with the sender's private key and
checked with the corresponding public key, we can provide both integrity and non-repudiation of data that
we send to someone else.

Common Cryptographic Weaknesses

1. Key Management
- Poor key management practices, such as weak key generation, inadequate storage (for example keys
hard-coded in source or shipped inside a mobile app binary), insecure distribution, or keys that are never
rotated.

2. Algorithmic Weaknesses
- Flaws in the design of cryptographic algorithms can be exploited. It is essential to use algorithms that
have undergone thorough public analysis and scrutiny rather than home-grown ciphers.

3. Brute Force Attacks
- Given enough time and resources, an attacker may attempt to break a cryptographic system by trying
all possible keys until the correct one is found. Longer key lengths mitigate this: a 128-bit symmetric key is
beyond exhaustive search, whereas a user-chosen password is not, which is why password hashes must be
deliberately slow.

4. Cryptanalysis
- The study of cryptographic systems with the aim of finding weaknesses that allow recovery of the
original plaintext without the key. Advances in cryptanalysis can turn a once-acceptable algorithm into a
broken one.

5. Side-Channel Attacks
- Attacks that exploit information leaked during encryption or decryption, such as timing, power
consumption, or electromagnetic emissions. Implementations should run in constant time, including the
comparison of hashes and MACs.

6. Quantum Computing
- Sufficiently large quantum computers could break commonly used public-key algorithms (e.g., RSA and
ECC). This has led to the development of post-quantum cryptography; symmetric ciphers and hashes are
affected far less and are addressed by using larger key and output sizes.

7. Random Number Generation
- Weak or predictable random number generation compromises the security of cryptographic keys,
salts and nonces. Keys must come from the operating system's cryptographically secure generator, never
from a general-purpose PRNG seeded with a guessable value such as the time.

8. Implementation Flaws
- Bugs or errors in the implementation of cryptographic systems can introduce vulnerabilities even when
the algorithm is sound. Regular code audits and reviews are essential.

9. Social Engineering
- Cryptography does not protect against human error. Social engineering attacks, where individuals are
manipulated into revealing passwords or keys, bypass cryptographic measures entirely.

10. Key Exchange
- Securely exchanging cryptographic keys between parties is challenging. A man-in-the-middle attack
during an unauthenticated key exchange lets the attacker read and modify all subsequent traffic, so the
exchange must authenticate the endpoints (for example with certificates).

11. Key Escrow
- In systems where an authority holds a copy of users' cryptographic keys (key escrow), there is a risk of
unauthorized access if the escrow system is compromised.

12. Denial of Service (DoS) Attacks
- Cryptographic protocols may be susceptible to DoS attacks that overwhelm the system and prevent
legitimate users from accessing services, for example by forcing a server to perform expensive handshake
computations.

13. Legacy Systems
- Continued use of outdated or deprecated algorithms and protocols (MD5, SHA-1, DES, RC4, SSLv3 and
early TLS versions) exposes systems to well-known, practical attacks.

14. Complexity
- Complex cryptographic systems offer more opportunities for implementation errors and increase the
likelihood of vulnerabilities.

15. Insider Threats
- Malicious actions or negligence by individuals with privileged access can undermine the security of
cryptographic systems.
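Weakness 7 above (predictable random numbers) as an added example that is not part of the original page. A session token drawn from Python's general-purpose `random` module seeded with the issuance timestamp is reproduced exactly by anyone who can guess that timestamp to within an hour, while a token from the `secrets` module (the operating system's CSPRNG) is not. The issuance time and the one-hour search window are constructed for the example.

```python
import random
import secrets
from typing import Optional


def weak_token(seed: int, nbytes: int = 16) -> str:
    """Token from a general-purpose PRNG (Mersenne Twister) seeded with a
    guessable value such as the Unix time at issuance. Same seed, same token."""
    rng = random.Random(seed)
    return rng.getrandbits(nbytes * 8).to_bytes(nbytes, "big").hex()


def strong_token(nbytes: int = 16) -> str:
    """Token from the operating system's CSPRNG via the secrets module."""
    return secrets.token_hex(nbytes)


def recover_seed(observed_token: str, approx_issue_time: int,
                 window: int = 3600) -> Optional[int]:
    """Attacker's view: knowing roughly when the token was issued, try every
    timestamp in the window and return the seed that reproduces the token,
    or None if no seed in the window matches."""
    for seed in range(approx_issue_time - window, approx_issue_time + window + 1):
        if weak_token(seed) == observed_token:
            return seed
    return None


if __name__ == "__main__":
    issued_at = 1_700_000_000                      # constructed issuance time
    victim = weak_token(issued_at)
    attacker_guess = issued_at + 1200              # attacker is 20 minutes off
    print("weak token seed recovered:", recover_seed(victim, attacker_guess))
    print("strong token seed recovered:", recover_seed(strong_token(), attacker_guess))
```

The same failure applies to salts and nonces: a nonce drawn from a seeded PRNG repeats whenever the seed repeats, and many modes (AES-GCM among them) lose their security guarantees on nonce reuse.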

References:
• https://www.professormesser.com/security-plus/sy0-501/cryptography-use-cases/
• https://www.youtube.com/watch?v=mmzg20M-dGY
• https://owasp.org/www-project-mobile-top-10/2023-risks/m10-insufficient-cryptography
