Software developers and security experts around the world try to design robust applications with attractive, intuitive interfaces and rich, stable functionality. Above all, they try to secure the communication between applications and services, because information transmitted over the internet is exposed to attacks that can compromise users, services and data everywhere.
In this short discussion I would like to share my cryptography advice for developers and security testers, so they can build more secure applications on any platform.
As a user, be careful which applications are installed on your device and what those applications actually do. If you spot suspicious activity, tell an IT person about it. Be careful, too, about which sites you visit and what data you enter.
BUT…
As a developer or security tester, your obligation is to:
Never explain how your application is developed, because if an attacker knows how to think like you, he can largely guess your steps. (This applies to your implementation details, deployment and configuration, not to the cipher itself: a cryptographic algorithm must remain secure even when its design is public, with the key as the only secret.)
The list above covers the things every developer or IT professional should consider, but from a security standpoint the priority is our most powerful tool, cryptography, where all the magic happens.
Many technologies can eventually be predicted with enough effort and time, because they usually depend on something that can be exploited or reverse-engineered. The real power of IT security comes from strong encryption of data, under which the data cannot be predicted or understood without the key. It is partly true that people who are good at math make good cryptographers, but I believe the best cryptographers are better because they do not follow the usual path of thinking.
If you want to encrypt something in a truly special way, you must think in a non-human way. (How?)
Cryptography is closely related to psychology, where some people can predict how a human would think in a given situation. Humans are usually guided by logic, and that is why they are somewhat predictable in this area. If you want a key that cannot be reverse-engineered, you must think of something that is not logical but functional. You must also find a way to hide the basic algorithm and introduce some loss of random data in the encryption. The simplest form of example looks like this:
1. You generate some random number (0156254563061560554890).
2. You erase all zeros in the number (156254563615655489).
3. You append one last digit that counts how many zeros were deleted (1562545636156554894).
Note that steps 2 and 3 discard information (the positions of the four removed zeros), so the result cannot be turned back into the original number; this is a lossy transformation rather than an encryption, and anyone who knows the three steps reproduces it exactly from the same starting number.
Cryptography is not an easy area, and if you want to be productive you must use your creativity and find your own way of hiding things. Our minds are powerful if we believe in them. My favorite example is a friend of mine who hid his encryption keys in musical compositions, where the notes were his numbers.
I hope this discussion was useful for you, and thanks for reading.
I am Dragan Ilievski, Bachelor of Computer Science and IT freelancer in many IT areas.
I believe cryptography is a method of protecting your data in case of a successful data grab, that is, even if your data lands in the hands of an unauthorized user it will be useless. So having your own unique algorithm is certainly advised.
Major disagreement on: “Never explain how your application is developed, because if the hacker knows how to think like you, he can pretty much guess your steps.” and “you must think of a way in which you will hide the basic algorithm and have some loss of random data in the encryption”.
Hiding the algorithm is not the basis for encryption; it's the basis of obfuscation.
If the encryption algorithm can withstand multiple peer reviews, if it is open for investigation, then the encryption technique is valid.
I can create an encryption technique to produce something that I can’t decrypt. I’m not that smart. So it is not something secure that can survive analysis.
Thank you, Kelly, for joining this discussion. In my defense, I would like to explain why my methodologies are different from the “standard way”. I have worked on many security consultations as a freelancer and I want to help other security experts with my discussion. First, when I say “Never explain how your application is developed...”, I really mean it, because when you release your code as open source, many developers learn your way of thinking and are then able to reproduce your work and predict your general setup, because as a developer you do not have much time to think of new ways and you reuse your code.
About the second quote you selected, I would say this: in cryptography, when you use obfuscation, you just experiment with a pattern that makes the message confusing or harder to understand, but with some more effort and good analysis the tester could find every pattern and decrypt your important data.
Another option is to use some worldwide-used protocol for encryption, or some message digest, but keep in mind that many security researchers are working on reverse-engineering them, and when they succeed you will be left vulnerable. The last option is to use your own encryption, which will be used only by you or your company, so you won't be predictable if nobody knows your source code, and you won't depend on anyone else because your encryption is understood by you. Thank you for your opinion; please feel free to share your opinions in this community! 🙂