A7 Insecure Cryptographic Storage
Problem and Protection
Loads of files! LOL!
o In prep for this lecture, I wanted to prove a point
o I connected to a network and, sticking to only publicly shared folders, I found many files, including these:
On another laptop ...
Insecure Cryptographic Storage
o When anyone stores data that is not encrypted or is weakly encrypted
o If a breach occurs, all that data is compromised
How attackers do it
o Explore a network
o Put up a fake WAP
o Physically steal computers and media
o Phishing emails
o Break in to machines using stolen passwords
o Social engineering
o Once data is found, they copy it and can take their time decoding/decrypting it
How we protect ourselves
o Avoid storing sensitive data
o Encrypt all sensitive data
o Use strong encryption properly
o Protect the keys
Avoid storing sensitive data
o PCI DSS – Against standards to store CVV
o Do you really need to store even the PAN?
o Don't use database backups as test data
Lost Media
o June 3, 2013 – 14,000 student records with SSNs, on a thumb drive found in a library computer in Champlain College
o April 17, 2010 – Parking meter storage device containing credit card numbers was stolen from a Vancouver park
o Sept 4, 2008 - 11,000,000 records, including names, addresses, emails, and SSNs were found on a disk in the trash in Seoul
Stolen computers
o July 15, 2013 – 4 million patient names, addresses, DOB, and SSNs in four computers stolen from a building in Chicago
o July 15, 2012 – 2.4 million voters' names, addresses, genders, dates of birth and voting information compromised by disappearance of two USB memory drives in Ontario
o May 22, 2006 – 26.5 million names, addresses and SSNs were on a laptop stolen from a DoD analyst's home
Encrypt sensitive data
o None of those problems would have happened if the data were strongly encrypted
o Encrypt all data in long-term storage
o This includes database files (*.mdf)
Encrypting web.config
o If you were to lose a copy of your web site, would the attacker know your database password?
o It's either in web.config (preferred) or inline in the code
o We should be encrypting sensitive sections of web.config
o Use aspnet_regiis.exe, found in:
  • Start – Visual Studio – Visual Studio Tools – Visual Studio Command Prompt
Encrypting web.config
o Before:
    <configuration>
      <connectionStrings>
        <add name="MainConnectionString"
             connectionString="data source=Ratbert;database=Sales;username=ASPNET;password=$Double_Rainbow2011"
             providerName="System.Data.SqlClient"/>
      </connectionStrings>
    </configuration>
o Run this command:
    aspnet_regiis -pef connectionStrings c:\PathToWebSite
Encrypting web.config
o After:
    <connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
      <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
                     xmlns="http://www.w3.org/2001/04/xmlenc#">
        <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
          <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
            <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
            <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
              <KeyName>Rsa Key</KeyName>
            </KeyInfo>
            <CipherData>
              <CipherValue>Bf677iFrUFW ... +4n4ZZKXCTUAu2Y=</CipherValue>
            </CipherData>
          </EncryptedKey>
        </KeyInfo>
        <CipherData>
          <CipherValue>UDEZ ...QfXUmM5rQ==</CipherValue>
        </CipherData>
      </EncryptedData>
    </connectionStrings>
Decrypting web.config
o Now that it is garbled, you can't edit it
o Decrypt like this:
    aspnet_regiis -pdf connectionStrings c:\PathToWebSite
o And then change and re-encrypt
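An added example (not from the original slides) of a build-time check that flags a web.config whose connectionStrings section was never run through aspnet_regiis -pef. The WebConfigAudit class and Check method are hypothetical names, and the embedded sample is constructed from the "Before" slide with a placeholder password.

```csharp
using System;
using System.Linq;
using System.Xml.Linq;

static class WebConfigAudit
{
    static bool HasPassword(string cs) =>
        cs.IndexOf("password=", StringComparison.OrdinalIgnoreCase) >= 0 ||
        cs.IndexOf("pwd=", StringComparison.OrdinalIgnoreCase) >= 0;

    // Returns a finding for <connectionStrings>, or null if it is absent or protected.
    public static string Check(string webConfigXml)
    {
        XElement section = XDocument.Parse(webConfigXml).Root.Elements()
            .FirstOrDefault(e => e.Name.LocalName == "connectionStrings");
        if (section == null) return null;   // nothing stored in this file

        var adds = section.Elements().Where(e => e.Name.LocalName == "add").ToList();

        // After encryption the section carries configProtectionProvider and its
        // <add> children are replaced by a single <EncryptedData> element.
        if (section.Attribute("configProtectionProvider") != null && adds.Count == 0)
            return null;

        string exposed = string.Join(", ", adds
            .Where(a => HasPassword((string)a.Attribute("connectionString") ?? ""))
            .Select(a => (string)a.Attribute("name")));
        return exposed.Length == 0
            ? "connectionStrings is not encrypted"
            : "connectionStrings is not encrypted; plaintext password in: " + exposed;
    }

    static int Main()
    {
        // Constructed sample modelled on the "Before" slide (placeholder password).
        const string sample = @"<configuration>
  <connectionStrings>
    <add name=""MainConnectionString""
         connectionString=""data source=Ratbert;database=Sales;username=ASPNET;password=PLACEHOLDER""
         providerName=""System.Data.SqlClient"" />
  </connectionStrings>
</configuration>";
        string finding = Check(sample);
        Console.WriteLine(finding ?? "OK");
        return finding == null ? 0 : 1;   // non-zero exit code fails the build step
    }
}
```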
Using a stored connectionString
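o Use the ConfigurationManager static class
    // Requires: using System.Configuration; using System.Data.SqlClient;
    // The encrypted section is decrypted transparently when it is read.
    string connStr = ConfigurationManager
        .ConnectionStrings["MainConnectionString"]
        .ConnectionString;
    var myConnection = new SqlConnection(connStr);
    myConnection.Open();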
Use stronger encryption ciphers
o Symmetric methods are best for data
o Use:
  • AES (Rijndael)
  • Blowfish
  • 3DES
o Avoid:
  • DES
  • Homegrown schemes
o Use strong keys
Strong passwords
o Use SHA-2 or better for passwords
o Scenario: your website stores passwords in the user table. You lose a backup of the database
o Attacker sees this:
username password
lilohan c75ffb145de06825f6dca5ed2efb5e6f
rap 2c1bc7d994c7d1172f73f2e99a1b147c
kkardashian 9c700e931fc38fb7ca747676608c8e86
Protect the keys
o Encrypted data is wide open if the bad guys also have the decryption key
o Do not store the key on the same media as the data
o Choose two different transport mechanisms for the key and the data
  • Send the key by email and the data on external USB disk
  • Store the key on a thumb drive and the data on your laptop
Summary
o Insecure cryptographic storage costs billions of dollars and is relatively simple to protect against
o We should encrypt all sensitive data that is in long-term storage
  • Using robust ciphers
  • Using longer keys salts
o Store and transport the keys separately from the data
Further study
o OWASP's insecure cryptographic storage overview:
  • http://bit.ly/OWASPCrypto
o Lots of security tools:
  • http://sectools.org
o Database of Insecure Cryptographic Data Losses:
  • http://datalossdb.org
o Working with encrypted connectionStrings:
  • http://bit.ly/EncryptingConnectionStrings