Saturday, March 3, 2007

Those five mistakes over encryption

Anton Chuvakin liked that I called his article on encryption mistakes a "masterpiece". But it really is!

In fact, encryption mistakes are in focus now that PCI is getting stronger. Everybody is looking for ways to encrypt card data. And it's exactly at this time that they are more vulnerable to vendors pitches. I'm seeing some "PCI in a box" products being sold, and they are usually related to encryption.

Another problem with encryption is when you're talking with vendors of other IT products besides security. Try, for example, to ask a software salesman about how his software deals with user IDs and passwords. I'm almost certain that you'll hear "relax, they are encrypted". I know that salesman aren't the best people to answer those questions, but I feel a sadistic and hard to control desire to ask "How?" (in fact, I always do that). Their answers always contain one or more of those mistakes listed by Dr. Chuvakin. My favorite ones, until now, are:

"With a 256 BYTES key and 3DES" (even if it was bits... :-) )
"Using a known secure method called RSA" (are they really encrypting passwords with RSA???)
"I can't tell you, it's so secure it's secret" (men, it's so funny to hear that!)

Now, where are the security guys from these companies? Are they working only on their corporate policies? Even if some of these cases are just a salesman trying to lure you with a bad answer, there are some of those that are really bad encryption implementations. Some software houses still don't have nobody responsible for including security in their products and development processes. This makes the work of the security departments of companies that are buying their software much more harder, as sometimes they are struggling with business people to avoid that crappy software from entering into their business. And sometimes that crappy software is the best (or even the only) solution in terms of business functionality.

Another aspect that really annoys me when I hear those answers. If those guys are saying those things to me without thinking twice, it's because someone else asked that and BOUGHT that answer. How can a CSO or something similar be satisfied with an answer like that? Encryption tends to be seen as a too technical subject for CSOs to learn about. No, they (we) need to know at least the basics about it. It's not that hard to identify those five mistakes. If you believe that a vendor already throwed something like those answers into you and you bought it, go look for a basic encryption introduction. Even by reading some pages from wikipedia you'll be able to identify most of those cases.

The CISSP body of knowledge contains all the information needed by a CSO to know the encryption basics. If you already obtained your certification or are planning to get it, take your books and read that part again with a different look. Now you know when you'll need that information.

No comments:

Post a Comment