Security threats - Data Encryption Storage


  1. Security threats: Insecure Cryptographic Storage
     Master's Studio in SDE
     Assignment #4
     Eva Rio
     30.09.2011
  2. Cryptography
     Crypto (hidden) + graphie (symbol): the art of writing or solving codes
     Pictures: Wikipedia
     #1 – Public domain
     #2 – © Hans Hillewaert
     (Image labels: God, Soul, Red, …)
  3. Encryption
     Transform information (using an algorithm) to make it unreadable without a key
     Easy example (image): KEY
  4. Insecure Cryptographic Storage
     This threat ranks #7 in the OWASP Top 10 Application Security Risks 2010
     Applies to sensitive data stored in a database:
       - Developers do not encrypt the data
       - Developers encrypt the data using weak encryption methods (e.g. home-grown algorithms, SHA-1, MD5)
     It is usually combined with other types of attacks
     Attackers can decipher the information if:
       - They have the key
       - Trial and error: attackers have the hash values and check them against long lists of possible passwords for validity (e.g. http://hashcrack.com/index.php, rainbow tables)
  5. Implications for businesses
     Both users and companies may suffer
     Data is one of the most valuable assets for a company
     Main implications:
       - Legal issues: companies are accountable for the data they store and the use (and misuse) of that data
         Privacy violation
         Identity theft
         Fraud
         Example: iTunes accounts in July 2010 and January 2011
         "I will never use my debit card with Itunes again" – tofublock
       - Reputation: the image of the company can be seriously damaged
       - Confidential information: secrets, patents, research... can be stolen
  6. Recommendations
     Encrypt the data if it is sensitive!
     Do not use:
       - your own algorithms
       - weak algorithms that have been proved to be vulnerable (MD5, SHA-1)
     Use:
       - strong algorithms: SHA-2, SHA-3 (2012)
       - salt (generated random bits + info, e.g. f23r5jfaf+password)
       - random keys
       - asymmetric keys (one for ciphering, one for deciphering)
     Restrain who has access to the data
     Protect the key
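The following is an added example (not part of the slides) showing the two password-storage patterns from slides 4 and 6 side by side: unsalted MD5, where every user with the same password ends up with the same stored value and one precomputed table answers for all of them, versus a random per-user salt combined with a SHA-2 family hash. It goes one step beyond the slides by running the salted SHA-256 through PBKDF2 iterations, so that each guess costs measurably more; the function names, the `USERS` sample and the iteration count are assumptions made for the example.

```python
import hashlib
import hmac
import os

# Constructed sample data: two users who happen to choose the same password.
USERS = {"alice": "password123", "bob": "password123"}


def weak_hash(password: str) -> str:
    """Slide 4's 'weak method': a bare, unsalted MD5 of the password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def weak_hashes_collide(users: dict) -> bool:
    """True when two accounts share a stored value. With no salt, equal
    passwords produce equal digests, so one lookup table (or one rainbow
    table, as slide 4 notes) recovers all of them at once."""
    digests = [weak_hash(pw) for pw in users.values()]
    return len(set(digests)) < len(digests)


# Assumed work factor; tune so one verification takes tens of milliseconds.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: bytes = b"",
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Slide 6's pattern: random salt + SHA-2 (SHA-256), iterated via PBKDF2.
    The salt and iteration count are stored alongside the digest so that
    verification can reproduce the computation."""
    if not salt:
        salt = os.urandom(16)  # fresh random bits per user, never reused
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def salted_hashes_collide(users: dict) -> bool:
    """Same check as weak_hashes_collide, but for the salted scheme:
    identical passwords now yield different stored values."""
    digests = [hash_password(pw, iterations=1000) for pw in users.values()]
    return len(set(digests)) < len(digests)


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest from the stored salt/iterations and compare in
    constant time. Malformed or unknown records are rejected, never guessed."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
        iterations = int(iters)
        salt = bytes.fromhex(salt_hex)
    except ValueError:
        return False
    if algo != "pbkdf2_sha256" or iterations < 1:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print("unsalted MD5 collides across users:", weak_hashes_collide(USERS))
    print("salted PBKDF2 collides across users:", salted_hashes_collide(USERS))
    record = hash_password("password123")
    print("stored record:", record)
    print("correct password verifies:", verify_password("password123", record))
    print("wrong password verifies:", verify_password("password124", record))
```

Storing the salt and iteration count in the record (the `$`-separated format here is the example's own convention) lets the verifier recompute exactly what was stored, and lets the iteration count be raised later for new records without breaking old ones. The constant-time comparison avoids leaking how many leading bytes of the digest matched.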
  7. Mindmap (image)
  8. Mindmap 2 (image)
  9. References
     "Insecure Cryptographic Storage", OWASP, 2010
     B. Hardin, "Insecure Cryptographic Storage", Miscellaneous Security [online] http://misc-security.com/blog/2009/09/insecure-cryptographic-storage/
     Cryptography, Wikipedia
