Crypto Done Right
Published 09/09/2022
Written by Debra Baker
Ever wonder what cryptographic algorithms to use? What is better for symmetric encryption, AES-CTR or AES-CBC? For that matter, what is symmetric encryption? Is ECDSA or RSA better for encryption? It can quickly get confusing. In fact, there was a study done on the Usability of Deploying HTTPS, and the results were not good. The study was from a few years back, but it is still accurate today. The study found that configuring TLS securely is a daunting task and that even experienced information security professionals have trouble implementing the most secure TLS configurations. From the study: "Our results suggest that the deployment process is far too complex even for people with proficient knowledge in the field, and that server configurations should have stronger security by default."
Most people, even in the cybersecurity space, struggle with cryptography and what is considered good or recommended. Having worked with cryptography as a practitioner since the late 1990s, I typically become the go-to person. I was fortunate to get hired by Entrust back in the day and was provided a 90-day boot camp of sorts in cryptography and PKI. I was able to work alongside the likes of Carlisle Adams, who was one of the designers of the CAST symmetric algorithm.
I had no idea how badly practical cryptographic information was needed until I presented at a local conference a few years back. My topic was the need for Standardization of Vulnerability Analysis. I still think this is needed, but it is not my topic of discussion today. In my presentation, I also had a practical cryptographic best practices section. To my surprise, this became the most sought-after information. One person asked, "Is there one place to get this information?" I politely said "No". Yes, there are academic sites such as the cryptology archive where you can search the latest cryptography-related papers, but most people don't want to read a doctorate paper on cryptography to figure out how to securely configure their firewall. Then there is StackOverflow, where you can find both good and bad guidance when it comes to cryptography.
After I presented, literally a line of people came up asking me all sorts of questions regarding cryptography. One person took the information to set the cryptographic best practices baseline at his company. Another lady came up asking whether I would help her co-found an organization to teach women cybersecurity and how to transition into cybersecurity. She said she was asking me because of my knowledge in cryptography. We did start an organization to train women in cybersecurity. A graduate student from Johns Hopkins, Ren Hao, came up to discuss his senior project with me. I ended up collaborating with Ren and a professor at Johns Hopkins, Seth Nielson, to create a cryptographic knowledge base for practitioners. Cisco funded the knowledge base so that graduate students at Johns Hopkins could be hired to help build it out. We were able to get top cryptographers in the industry and at Johns Hopkins, you know, the likes of Matthew Green, involved. Now CryptoDoneRight has become a non-profit and we've found a home at Cloud Security Alliance. We want to start a working group, continue to update the website, write articles, and do research studies. Now we need you!
Learn more at CryptoDoneRight.org.