Software developers and security experts all over the world are trying to design robust applications, which contain beautiful and intuitive interfaces. They also prioritize making extended and stable functionalities. But, most of all, they try to make the most secure communication between the applications and services, because the information that is transmitted in the internet is usually exposed to attacks that can affect the security of the users, services and data globally.In this short discussion, I'd like to share my cryptography advice for all developers or security testers, so they can build more secure applications on any platform.As a user, you should be careful what kind of applications are installed on your device, and what these applications really do. Sometimes you might spot some suspicious activity. If you do, please advise an IT person about your situation. You must also be careful what you visit on the internet, and what data you input.BUT...As a developer or security tester, your obligation is to:
- Build robust and stable applications where you'll handle every situation that user can face or predict.
- Use applications that you trust, but still use them with precaution.
- Make sure that your users/clients can trust you as an entity, proving that you consider their data isolation and security.
- Use independent algorithms that can't be predicted (HOW? I'll explain later).
- Use logic that logs how your application works in detail, and make sure that only you can understand the logs.
- Make sure that the integrity of the application can't be changed without permission.
- Never share your source code and secrets to other entities.
Never explain how your application is developed, because if the hacker knows how to think like you, he can pretty much guess your steps.In the above list, we've seen the most important things that every developer/IT should consider, but from our security aspect, we must give the priority to our most powerful tool called - cryptography - where all magic happens.Many technologies can be predicted these days with more effort and time eventually, because they usually depend on something that can be exploited, or reverse-engineered. The real power of IT security comes from the strong encryption of data in which the data can't be predicted or understood. It's somewhat true that people that are good with math are good cryptographers, but I believe that the best cryptographers are better because they are just not following the same path of thinking.If you want to encrypt something on a really special way, you must think in a non-human way. (How?)The cryptography is closely related with psychology, where some people can predict how a human would think in some situation. Humans are usually guided by logic and that's why they're somewhat predictable in this area. But if you want to think of a key that can't be reverse-engineered, you must think of something that's not logical, but functional. Also, you must think of a way in which you'll hide the basic algorithm and have some loss of random data in the encryption
. The simplest form of example would be like this:1.You generate some random number (0156254563061560554890)2. You erase all zeros in the number (156254563615655489)3.You add one last number which counts how much zeroes are deleted (1562545636156554894
- As an IT expert, you must also think of your priorities between performance, security and integrity. But, if you choose the first priority to be the security, I'd suggest you to not waste your effort in hiding your sources, instead make something that wont be understood by anyone. I'll give you a hint of how human usually thinks from different aspects. Let's say that you're working on your new license serial keys.
- Tester view: I would compare the data that I get and see if I can measure the differences between them. If I find some constant changes, I would find the way. I would analyze what happens on low-level programming and maybe I could imitate something and get the same result.
- Developer view: I would use some random number generator and I would add some extra data so it's hard to be predicted. I would think of a verification method in which the encryption will be one-way.
- User view: I would browse online if I find a free serial key, so I can use it.
- Hacker view: I would try many combinations with brute-force techniques. I would reverse-engineer the logic of the application and try to figure out how the verification is made. I will write a virus and put it on the server so I can get the secret. I would call them and make social engineering moves... etc.
Cryptography is not easy area and if you want to be productive, you must use your creativity and find your way of hiding things. Our minds are so powerful if we believe in our power. My favorite example is about one of my friends who was hiding his encryption keys in music compositions, where notes were his numbers. I hope that this discussion was productive for you and thanks for reading,I am Dragan Ilievski, Bachelor of Computer Science and IT freelancer in many IT areas.