Chapter 8: Cryptographic Foibles

Many times I've heard statements like, "We're secure, we use cryptography." The saying in cryptographic circles is, "If you think crypto can solve the problem, you probably don't understand the problem." It's unfortunate that so many developers think crypto, as it's often abbreviated, is the panacea for all security issues. Well, I hate to say it, but it isn't! Crypto can help secure data from specific threats, but it does not secure the application from coding errors. Crypto can provide data privacy and integrity, facilitate strong authentication, and much more, but it will not mitigate programming errors such as buffer overruns in your code.

In this chapter, I'll focus on some of the common mistakes people make when using cryptography, including using poor random numbers, using passwords to derive cryptographic keys, using poor key management techniques, and creating their own cryptographic functions. I'll also look at reusing the same stream-cipher encryption key, bit-flipping attacks against stream ciphers, and reusing a buffer for plaintext and ciphertext. Note that this chapter and the next (Chapter 9, "Protecting Secret Data") are inextricably linked: cryptography often relies on secret data, and the next chapter describes protecting secret data in detail.

Let's get started with a topic of great interest to me: using random numbers in secure applications.



Writing Secure Code
Writing Secure Code, Second Edition
ISBN: 0735617228
Year: 2001
Pages: 286
