Security Pitfalls

7. Security Pitfalls

Most of the time, an attacker will not attack the cryptographic algorithms directly and will instead attack the implementation. A system made of many secure inner blocks is not automatically a secure system.

7.1. Attack against Implementation

Implementing cryptographic systems correctly is another goal that is hard to achieve.

Some basic pitfalls are:

  • Not destroying plaintext after use

  • Not dealing with decrypted data carefully. A system that uses temporary files to avoid data loss might leave plaintext, decrypted data, or both in the temporary files

  • A system using more than one key should protect all keys equally, because a single key leak renders the complete system useless

  • Allowing recovery of old keys can also act as a weak point

  • And so on

7.2. Attack against Passwords

Attacks against passwords are very common. Many systems break because they rely on user-generated passwords.

People don't choose strong passwords; this is a fact that software architects should deal with.

If they're forced to use strong passwords, users can't remember them or just write them in a file in cleartext.

Dictionary attacks work really well when the dictionary is targeted to the environment, country, age, and language of the target.

Software sometimes makes the problem even worse: limiting the password length, converting everything to lower case, etc.
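The effect of the length limit and lower-casing mentioned above, shown as an added example that is not part of the original page. The 8-character limit, the PBKDF2 work factor, the sample passwords and all function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import math
import os

ITERATIONS = 200_000  # assumed PBKDF2 work factor for this demo
MAX_LEN = 8           # hypothetical length limit imposed by the weak system


def _derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def weak_normalize(password):
    """The pitfall: fold case and silently truncate before hashing."""
    return password.lower()[:MAX_LEN]


def enroll(password, normalize=None):
    """Return (salt, hash); normalize=None stores the password as typed."""
    salt = os.urandom(16)
    return salt, _derive(normalize(password) if normalize else password, salt)


def verify(password, record, normalize=None):
    salt, expected = record
    candidate = _derive(normalize(password) if normalize else password, salt)
    return hmac.compare_digest(candidate, expected)  # constant-time comparison


def search_space_bits(alphabet_size, length):
    """log2 of the number of passwords of exactly this length."""
    return length * math.log2(alphabet_size)


def demo():
    chosen = "Correct-Horse-Battery-9"  # constructed sample password
    other = "CORRECT-something-else"    # constructed: differs after the 8th character
    weak = enroll(chosen, weak_normalize)
    strong = enroll(chosen)
    return {
        "weak_accepts_other": verify(other, weak, weak_normalize),
        "strong_accepts_other": verify(other, strong),
        "strong_accepts_chosen": verify(chosen, strong),
        # 94 printable ASCII symbols vs 68 once the 26 upper-case letters are folded
        "bits_lost": search_space_bits(94, len(chosen)) - search_space_bits(68, MAX_LEN),
    }


if __name__ == "__main__":
    print(demo())
```

The weak system accepts a different password for the same account, and the 23-character password is reduced to the strength of an 8-character lower-case one no matter how strong the hash function is.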

7.3. Attack against Trust Models

Sometimes attackers do not attack their target directly. They can instead exploit trust systems or roles that the target assumes to be trusted.

Simple systems use simple trust models because more secure trust models might break usability.

Complex systems, like e-commerce, instead employ more complex trust models (like signed certificates).

An email program might use secure crypto algorithms to encrypt messages, but unless the public keys are certified by a trusted source (and unless that certification can be verified), the system is still vulnerable.

Cryptographic algorithms that rely on the security of other network protocols make an assumption: that these protocols are secure.

Attacking network protocols to break a system that uses an unbreakable cryptographic algorithm is what happens every day on the internet.

7.4. Attack on the Users

Users can be attacked through social engineering, keylogging, or malware.
