Related Reads
Cryptography Mindset: Be Unpredictable
October 27, 2015 | Views: 1701
Software developers and security experts all over the world are trying to design robust applications, which contain beautiful and intuitive interfaces. They also prioritize making extended and stable functionalities. But, most of all, they try to make the most secure communication between the applications and services, because the information that is transmitted in the internet is usually exposed to attacks that can affect the security of the users, services and data globally.
In this short discussion, I’d like to share my cryptography advice for all developers or security testers, so they can build more secure applications on any platform.
As a user, you should be careful what kind of applications are installed on your device, and what these applications really do. Sometimes you might spot some suspicious activity. If you do, please advise an IT person about your situation. You must also be careful what you visit on the internet, and what data you input.
BUT…
As a developer or security tester, your obligation is to:
- Build robust and stable applications where you’ll handle every situation that user can face or predict.
- Use applications that you trust, but still use them with precaution.
- Make sure that your users/clients can trust you as an entity, proving that you consider their data isolation and security.
- Use independent algorithms that can’t be predicted (HOW? I’ll explain later).
- Use logic that logs how your application works in detail, and make sure that only you can understand the logs.
- Make sure that the integrity of the application can’t be changed without permission.
- Never share your source code and secrets to other entities.
Never explain how your application is developed, because if the hacker knows how to think like you, he can pretty much guess your steps.
In the above list, we’ve seen the most important things that every developer/IT should consider, but from our security aspect, we must give the priority to our most powerful tool called – cryptography – where all magic happens.
Many technologies can be predicted these days with more effort and time eventually, because they usually depend on something that can be exploited, or reverse-engineered. The real power of IT security comes from the strong encryption of data in which the data can’t be predicted or understood. It’s somewhat true that people that are good with math are good cryptographers, but I believe that the best cryptographers are better because they are just not following the same path of thinking.
If you want to encrypt something on a really special way, you must think in a non-human way. (How?)
The cryptography is closely related with psychology, where some people can predict how a human would think in some situation. Humans are usually guided by logic and that’s why they’re somewhat predictable in this area. But if you want to think of a key that can’t be reverse-engineered, you must think of something that’s not logical, but functional. Also, you must think of a way in which you’ll hide the basic algorithm and have some loss of random data in the encryption. The simplest form of example would be like this:
1.You generate some random number (0156254563061560554890)
2. You erase all zeros in the number (156254563615655489)
3.You add one last number which counts how much zeroes are deleted (1562545636156554894).
- As an IT expert, you must also think of your priorities between performance, security and integrity. But, if you choose the first priority to be the security, I’d suggest you to not waste your effort in hiding your sources, instead make something that wont be understood by anyone. I’ll give you a hint of how human usually thinks from different aspects. Let’s say that you’re working on your new license serial keys.
- Tester view: I would compare the data that I get and see if I can measure the differences between them. If I find some constant changes, I would find the way. I would analyze what happens on low-level programming and maybe I could imitate something and get the same result.
- Developer view: I would use some random number generator and I would add some extra data so it’s hard to be predicted. I would think of a verification method in which the encryption will be one-way.
- User view: I would browse online if I find a free serial key, so I can use it.
- Hacker view: I would try many combinations with brute-force techniques. I would reverse-engineer the logic of the application and try to figure out how the verification is made. I will write a virus and put it on the server so I can get the secret. I would call them and make social engineering moves… etc.
Cryptography is not easy area and if you want to be productive, you must use your creativity and find your way of hiding things. Our minds are so powerful if we believe in our power. My favorite example is about one of my friends who was hiding his encryption keys in music compositions, where notes were his numbers.
I hope that this discussion was productive for you and thanks for reading,
I am Dragan Ilievski, Bachelor of Computer Science and IT freelancer in many IT areas.
Share with Friends
Use Cybytes and
Tip the Author!
Tip the Author!
Join
Share with Friends
Ready to share your knowledge and expertise?
I believe cryptography is a method of protecting your data in case of a successful data grab,that is even if your data lands in the hands of an unauthorized user it will be useless. so having your own unique algorithm is certainly advised.
Major disagreement on …. “Never explain how your application is developed, because if the hacker knows how to think like you, he can pretty much guess your steps.” and “you must think of a way in which you will hide the basic algorithm and have some loss of random data in the encryption”
Hiding the algorithm is not the basis for encryption, its the basis of obfuscation.
If the encryption algorithm can withstand multiple peer reviews, if it is open for investigation, then the encryption technique is valid.
I can create an encryption technique to produce something that I can’t decrypt. I’m not that smart. So it is not something secure that can survive analysis.
Thank you Kelly for joining on this discussion. In my defense I would like to explain why my methodologies are something different from the “standard way”. I have worked on many security consults like a freelancer and I want to help to the other security experts with my discussion. First, when I say “Never explain how your application is developed..” – I really mean it, because when you give your code like open source, many developers learn your way of thinking and then they are able to reproduce your work and predict your general setup because as a developer you don’t have so much time to think of new ways and you reuse your code..
About the second quote that you selected, I would say this: In the cryptography, when you use obfuscation, you just experiment with a pattern that makes the message confusing or harder to understand, but with some more effort and good analyzing,the tester could find every pattern and decrypts your important data.
Another option is to use some worldwide-used protocol for encryption or use some digestion of the messages, but keep in mind that many security researchers are working on their reverse-engineering, and when they succeed, you will stay vulnerable. The last option is to use your own encryption which will be used only by you or your company, so you wont be predictable if nobody knows your source code and you won’t depend because your encryption is understandable by you. Thank you for your opinion, please feel free to share your opinions in this community! 🙂