
The internet and computers have changed how we live our lives in so many ways. We can communicate with people worldwide, work from home, shop for practically anything, watch our favorite shows and movies, learn new things, and so on. These activities require a lot of information that has to be stored securely in a database somewhere. Most of the actions mentioned require us to fill in our data, and this data could be our phone number, credit card number, Social Security number, and so on.

In case of a cyber security attack, insecure cryptographic storage could have a devastating effect.

No cryptographic storage

As the name indicates, this means storing data in plain text without hashing or encryption. For instance, if our password to a website or a service we subscribe to is password123, let us see how it gets stored in the database.

data stored in plain text versus with hashing

It is not recommended to use a weak password in real situations.

Storing passwords in plain text might be less complex and faster to authenticate users, but it can expose sensitive data in case of data breaches. Data breaches can originate from an external attacker or within the organization.

We must take into consideration which data is sensitive and must be protected.

Weak hashing

As computer processing power increases, some hashing and encryption algorithms become inadequate to handle sensitive information. Hence, an attacker can guess the content of the data with some computing power and reasonable time. Trying every possible outcome with trial and error is called a brute force attack.

For example, MD5 and SHA1 are proven to be inadequate to hash sensitive information. They are already broken. A hash function is considered broken if a weakness is found that allows two files to have the same digest.

Let's compare MD5, SHA1, SHA256, and Bcrypt. We will hash the message "hello".

data hashed using md5, sha1, sha256, and bcrypt

From the comparison, we can observe that the MD5 and SHA1 digests are shorter, 128-bit and 160-bit, respectively. SHA256 and Bcrypt are relatively longer, 256-bit and 184-bit, respectively. You might be wondering: does that mean longer is always better? No. The algorithm also matters: MD5, SHA1, and SHA256 are fast hashes. They are designed to be very fast, and their output for a given input is always the same since they are unsalted. Salting is the process of adding a random string to the data before it's hashed, and it is used to protect the data from a rainbow table attack. Rainbow tables contain pre-computed hashes of data that can be used to identify the original content.

On the other hand, Bcrypt is salted; the hash varies every time it is computed because of the added salt, making it impractical to use a rainbow table attack. Bcrypt is also designed to be slow. The speed can be adjusted with the cost factor.

The first characters of a Bcrypt hash give information about the algorithm and the cost.

$2a // means it's using bcrypt version 2a
$12 // means its cost-factor is 12 rounds = 2^12 = 4096 iterations
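
The following is an added example, not part of the original article: a small audit routine that classifies stored credential values by format, using the digest lengths and the Bcrypt prefix described above. The `MIN_COST` threshold, the user names, and the sample rows are assumptions constructed for illustration; length-based detection of hex digests is a heuristic.

```python
import hashlib
import re

# bcrypt format: $<version>$<cost>$<22-char salt><31-char hash>
BCRYPT_RE = re.compile(
    r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")
# Unsalted hex digests can be guessed from their length (heuristic).
HEX_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
MIN_COST = 12  # assumed policy threshold, not a value from the article


def classify(stored):
    """Classify one stored credential value by its format."""
    m = BCRYPT_RE.match(stored)
    if m:
        cost = int(m.group(2))
        return {"scheme": "bcrypt", "version": m.group(1), "cost": cost,
                "iterations": 2 ** cost, "salted": True,
                "ok": cost >= MIN_COST}
    if re.fullmatch(r"[0-9a-fA-F]+", stored) and len(stored) in HEX_LENGTHS:
        # Fast, unsalted digest: same input always gives the same output.
        return {"scheme": HEX_LENGTHS[len(stored)], "bits": len(stored) * 4,
                "salted": False, "ok": False}
    return {"scheme": "plaintext-or-unknown", "salted": False, "ok": False}


def audit(rows):
    """Return (user, finding) pairs for every (user, stored_value) row."""
    return [(user, classify(value)) for user, value in rows]


# Constructed sample rows; the bcrypt strings are shape-only placeholders,
# not real hashes of any password.
SAMPLE = [
    ("alice", "password123"),
    ("bob", hashlib.md5(b"hello").hexdigest()),
    ("carol", hashlib.sha1(b"hello").hexdigest()),
    ("dave", hashlib.sha256(b"hello").hexdigest()),
    ("erin", "$2a$12$" + "N" * 22 + "h" * 31),
    ("frank", "$2a$04$" + "N" * 22 + "h" * 31),
]

if __name__ == "__main__":
    for user, finding in audit(SAMPLE):
        print(f"{user:6} {'OK  ' if finding['ok'] else 'WEAK'} {finding}")
```
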

Weak encryption

When storing data that needs to be accessed in its original form, we use encryption. Hashing is not intended to retrieve the original data but rather to confirm the original data matches the stored data's hash. Encryption uses a key to change or encode the original content to seemingly random bits or ciphertext. Without the proper key, it's impossible to decode the original data. However, using a weak encryption algorithm may lead to unwanted parties accessing sensitive information.

One of the attributes that makes encryption algorithms weak is insufficient key size. For instance, the Data Encryption Standard, or DES, uses 54-bits, making it susceptible to a brute force attack. Design flaws in the algorithm can also cause weak encryption. For instance, Wired Equivalent Privacy, or WEP, has multiple vulnerabilities that make it unsuitable for use.

Conclusion

In summary,

  • We should not store sensitive data in plaintext.

  • Weak hashing algorithms are not suited to protect sensitive data.

  • Unsalted hashing algorithms are vulnerable to a rainbow table attack.

  • Fast hashing algorithms like MD5 and SHA1 are vulnerable to a brute force attack.

  • Short encryption keys are also susceptible to brute force attack.

  • Design flaws in an encryption algorithm can cause encryptions to become weak and vulnerable.
