Cryptographic failures (Sensitive Data Exposure)

Cryptographic Failures

Cryptographic failures refer to weaknesses, vulnerabilities, or mistakes in the implementation, configuration, or use of cryptographic systems that compromise the security and confidentiality of sensitive data. These failures can result in unauthorized access, data breaches, or a loss of trust in the system. Cryptographic failures often occur when cryptography is not applied correctly, is outdated, or when the methods used are inherently weak.

Here’s a list of common cryptographic failures (previously known as “Sensitive Data Exposure” in the OWASP Top 10 and currently at #2 position) and how to prevent them:

  1. Use of Weak or Outdated Cryptographic Algorithms
    Failure: Using algorithms like MD5, SHA-1, or outdated protocols such as SSL/TLS 1.0 and 1.1.
    Prevention:
    Use strong and modern algorithms (e.g., AES-256, RSA-2048, SHA-256).
    Enforce TLS 1.2 or higher for secure communications.
    Regularly update cryptographic libraries and protocols.
  2. Hardcoding Cryptographic Keys
    Failure: Embedding cryptographic keys in source code or configuration files.
    Prevention:
    Use secure key management systems (e.g., AWS KMS, Azure Key Vault).
    Store keys in a secure hardware security module (HSM).
    Ensure keys are dynamically retrieved and not exposed in code repositories.
  3. Insecure Key Generation or Storage
    Failure: Using predictable or weak keys, or storing keys in insecure locations such as plaintext files or environment variables.
    Prevention:
    Use a cryptographically secure random number generator (CSPRNG) for key generation.
    Securely store keys using encrypted storage or dedicated key management tools.
    Rotate keys periodically and after a breach.
  4. Missing or Incorrect Encryption of Sensitive Data
    Failure: Failing to encrypt sensitive data in transit or at rest, or using incorrect implementation methods.
    Prevention:
    Encrypt sensitive data at rest using strong encryption (e.g., AES-256).
    Use TLS for data in transit to prevent eavesdropping.
    Validate encryption configurations during code reviews.
  5. Improper Certificate Validation
    Failure: Not validating SSL/TLS certificates properly, allowing man-in-the-middle (MITM) attacks.
    Prevention:
    Always validate certificates against trusted certificate authorities (CAs).
    Implement strict certificate pinning in critical applications.
    Monitor for expired or revoked certificates using automated tools.
  6. Weak or Misconfigured Password-Based Encryption
    Failure: Using weak passwords or insecure password hashing mechanisms like unsalted MD5 or SHA-1.
    Prevention:
    Use password hashing algorithms like bcrypt, Argon2, or PBKDF2 with strong salting.
    Enforce secure password policies (minimum length, complexity, and expiration).
    Avoid storing plaintext passwords; hash and salt them securely.
  7. Lack of Random Initialization Vectors (IVs)
    Failure: Reusing or using predictable IVs with block cipher modes (e.g., CBC or GCM), which can lead to pattern exposure.
    Prevention:
    Ensure IVs are unique and randomly generated for every encryption operation.
    Avoid static or hardcoded IVs in the code.
  8. Vulnerable Cryptographic Modes
    Failure: Using insecure cipher modes like ECB (Electronic Codebook), which leaks patterns in encrypted data.
    Prevention:
    Use secure cipher modes like GCM (Galois/Counter Mode) or CBC (Cipher Block Chaining) with padding.
    For authenticated encryption, prefer AEAD (Authenticated Encryption with Associated Data) modes.
  9. Failure to Update Cryptographic Libraries
    Failure: Using outdated or vulnerable cryptographic libraries.
    Prevention:
    Regularly update cryptographic libraries and frameworks.
    Subscribe to vulnerability announcements (e.g., CVEs) for libraries like OpenSSL, Bouncy Castle, or Libsodium.
    Test the compatibility of applications with updated libraries.
  10. Weak Random Number Generators
    Failure: Using weak or predictable random number generators (e.g., Math.random()) for cryptographic operations.
    Prevention:
    Use cryptographically secure random number generators (e.g., SecureRandom in Java or /dev/urandom in Linux).
    Ensure proper seeding of random number generators.
  11. Insufficient Cryptographic Error Handling
    Failure: Ignoring or improperly handling cryptographic errors (e.g., catching exceptions but not addressing the root cause).
    Prevention:
    Log cryptographic errors securely for later analysis.
    Handle exceptions properly to ensure the integrity of operations and data.
    Terminate operations on severe cryptographic failures instead of continuing insecurely.
  12. Insecure Data Storage
    Failure: Storing encrypted data alongside keys or failing to encrypt backups and logs containing sensitive information.
    Prevention:
    Separate encrypted data and keys physically or logically.
    Encrypt backups, logs, and any exported sensitive data.
    Limit access to storage locations using robust access controls.
  13. Failure to Implement Perfect Forward Secrecy (PFS)
    Failure: Using encryption methods that allow past communications to be decrypted if a private key is compromised.
    Prevention:
    Enable PFS in TLS configurations (e.g., by using ECDHE or DHE key exchange protocols).
    Periodically rotate session keys.
  14. Misuse of Cryptographic APIs
    Failure: Using cryptographic APIs incorrectly due to complexity or lack of understanding (e.g., not initializing libraries properly).
    Prevention:
    Use high-level cryptographic libraries with proper documentation (e.g., Libsodium or Google Tink).
    Validate cryptographic implementations with third-party security audits.
    Provide developer training on secure use of cryptographic APIs.
    By proactively addressing these issues and following best practices, individuals and organizations can significantly reduce cryptographic failures and enhance data security.

Get more details at the official OWASP page on this topic https://owasp.org/Top10/A02_2021-Cryptographic_Failures/