Encryption implementation issues are, in my experience, some of the most commonly reported findings during penetration tests. Whilst they may not always be quite as scary as seeing "SQL Injection" or "Stored Cross-Site Scripting" in a report, their ubiquity merits some discussion.
We broadly find the most often encountered issues fall under three categories:
- Outdated Encryption Protocol Support
- Certificate Issues
- Weak Cipher Suites
How are these three categories linked and what do they do to keep my data safe?
The aim of encryption can be boiled down to providing privacy and data integrity between communicating parties. I want to make sure what I’m communicating is getting through, without any alteration, to my intended recipient and to no-one else. The encryption protocol we use determines the method we employ to achieve that goal. It utilises cipher suites to keep other parties from eavesdropping on our communications or altering what we’re trying to communicate. In addition to this, it can implement certificates to ensure that the parties communicating are who they allege to be.
So, by using cipher suites we can maintain the confidentiality and integrity of our data, and by using certificates we can make sure the data we’re communicating is going to the right place. What determines how we use certificates and cipher suites is the protocol we implement. Together, these give us privacy and data integrity between communicating parties, which was our initial aim!
Outdated Encryption Support
At the time of writing, it is recommended to use TLS 1.3 wherever possible and TLS 1.2 when legacy support is required…but why?
Whilst it may be tempting to support older protocol versions, such as TLS 1.0 or even SSLv3, to maximise compatibility with legacy systems, this comes with serious security compromises. Older protocol implementations can have inherent weaknesses that undermine the security they offer. They can lack support for the modern encryption algorithms used in more secure cipher suites, and may be missing features implemented in later versions that were specifically designed to mitigate the shortcomings of the older protocol. The use of outdated protocols can lead to a complete compromise of the confidentiality and integrity of data, which ultimately negates the benefits of using encryption in the first place! Even if more modern protocols are offered alongside older versions, attackers can perform downgrade attacks to try to force the server to use a weaker form of encryption and bypass the security afforded by the more modern protocol.
Certificate Issues
Certificate issues make the identification of genuine parties more difficult. TLS certificates are typically issued by a Certificate Authority (CA), which signs the certificate to confirm that it belongs to the owner of the domain name stated in the subject of the certificate. This allows a client’s browser to know it is talking to the genuine server and not an impersonator (as is the case in man-in-the-middle attacks). The public key contained within the certificate is then used to encrypt the client’s session key and pass it back to the server, which can use it for encrypted communications with the client. When certificates aren’t implemented correctly, this process is compromised: parties may be able to fraudulently claim who they are, or to whom the public key used to encrypt the session key belongs, with the aim of eavesdropping on the encrypted communication.
Weak Cipher Suites
As cipher suites are what protocols use to encrypt data, the strength of the cryptography employed is paramount to ensuring that the encryption is robust. If weak cipher suites are used, then the likelihood of the encryption being broken is greater, which would eliminate the protections they afford. As a result, a suitably positioned attacker would be able to observe and edit any communication between two parties. As modern computing power has increased, and existing cipher suites have undergone greater scrutiny, new suites have been created to maintain the security of encrypted communications. However, if these are not used, or weaker ciphers are also supported and can be selected by attackers through downgrade attacks, then the confidentiality and integrity of such communication could be compromised.
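The three categories above map directly onto settings a developer controls in a TLS client configuration. The following is an added example (not from the original post) using Python's standard `ssl` module: it builds a hardened client context, a deliberately weak one constructed for the demo, and an `audit_context` function that reports findings under the same three headings. The list of weak cipher name markers is an assumption for illustration, not an exhaustive policy.

```python
import ssl

# Name fragments that mark cipher suites a pentest report would flag as weak
# (constructed for this example; extend it to match your own policy).
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "MD5", "EXPORT", "ADH", "AECDH")

def hardened_client_context(cafile=None):
    """Client context that addresses all three finding categories."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2      # no SSLv3 / TLS 1.0 / TLS 1.1
    # Forward-secret AEAD suites only for TLS 1.2; TLS 1.3 suites are fixed by OpenSSL.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!RC4")
    ctx.verify_mode = ssl.CERT_REQUIRED               # reject untrusted / unsigned certs
    ctx.check_hostname = True                         # certificate subject must match host
    return ctx

def weak_client_context():
    """Deliberately weak context (constructed for the demo) mirroring common findings."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1        # legacy protocol support
    ctx.check_hostname = False                        # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE                   # accepts any certificate at all
    return ctx

def audit_context(ctx):
    """Return one finding string per issue, grouped by the three report categories."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("Outdated Encryption Protocol Support: minimum version is "
                        f"{ctx.minimum_version.name}")
    if ctx.verify_mode != ssl.CERT_REQUIRED or not ctx.check_hostname:
        findings.append("Certificate Issues: peer certificate and/or hostname not verified")
    weak = sorted(c["name"] for c in ctx.get_ciphers()
                  if any(m in c["name"] for m in WEAK_CIPHER_MARKERS))
    if weak:
        findings.append("Weak Cipher Suites: " + ", ".join(weak))
    return findings

if __name__ == "__main__":
    for label, ctx in (("hardened", hardened_client_context()),
                       ("weak", weak_client_context())):
        print(label, audit_context(ctx) or ["no findings"])
```

The hardened context reports no findings; the weak one reports at least the protocol and certificate issues (whether weak suites are also listed depends on the OpenSSL build's default cipher list).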