October 27, 2015
Cryptography Mindset: Be Unpredictable
Software developers and security experts all over the world are trying to design robust applications with beautiful and intuitive interfaces. They also prioritize extended and stable functionality. But, most of all, they try to make communication between applications and services as secure as possible, because information transmitted over the internet is usually exposed to attacks that can affect the security of users, services and data globally.

In this short discussion, I'd like to share my cryptography advice for all developers and security testers, so they can build more secure applications on any platform.

As a user, you should be careful about which applications are installed on your device and what those applications really do. Sometimes you might spot some suspicious activity. If you do, please tell an IT person about your situation. You must also be careful about what you visit on the internet and what data you enter.

BUT...

As a developer or security tester, your obligation is to:
- Build robust and stable applications that handle every situation a user can face or that you can predict.
- Use applications that you trust, but still use them with precaution.
- Make sure that your users/clients can trust you as an entity, proving that you consider their data isolation and security.
- Use independent algorithms that can't be predicted (HOW? I'll explain later).
- Use logic that logs how your application works in detail, and make sure that only you can understand the logs.
- Make sure that the integrity of the application can't be changed without permission.
- Never share your source code and secrets with other entities.
- As an IT expert, you must also think about your priorities between performance, security and integrity. But if you make security your first priority, I'd suggest you not waste your effort hiding your sources; instead, make something that won't be understood by anyone even when they can see it. I'll give you a hint of how people usually think from different perspectives. Let's say that you're working on your new license serial keys.
- Tester view: I would compare the keys I get and see if I can measure the differences between them. If I find changes that follow a constant pattern, I would work out the rule. I would analyze what happens at the low level and maybe I could imitate something and get the same result.
- Developer view: I would use a random number generator and add some extra data so the result is hard to predict. I would think of a verification method in which the encryption is one-way.
- User view: I would browse online to see if I can find a free serial key, so I can use it.
- Hacker view: I would try many combinations with brute-force techniques. I would reverse-engineer the logic of the application and try to figure out how the verification is done. I would write a virus and put it on the server so I can get the secret. I would call them and make social engineering moves... etc.
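The developer view above (a random number generator plus a one-way verification step) and the earlier advice to use algorithms that can't be predicted can be made concrete. The following is an added example written for this article, not the author's own code: serial keys are built from 16 bytes drawn from the operating system's CSPRNG (`secrets`, so consecutive keys show no pattern a tester could measure) and carry an HMAC-SHA256 tag, so the verifier only recomputes and compares the tag and never has to reverse anything. The secret value, key length and tag length are assumptions chosen for the demo.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed demo secret (assumption). In a real deployment this lives only on the
# verification side (e.g. a license server), never in the shipped client or in source control.
SERVER_SECRET = b"demo-secret-replace-me"

NONCE_LEN = 16   # random part of the key, bytes
TAG_LEN = 8      # truncated HMAC tag appended to the key, bytes


def _tag(secret: bytes, nonce: bytes) -> bytes:
    """One-way tag over the random part: recomputable with the secret, not reversible without it."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()[:TAG_LEN]


def generate_key(secret: bytes = SERVER_SECRET) -> str:
    """Create a serial key as base32(nonce || HMAC(secret, nonce)).

    The nonce comes from the OS CSPRNG, so two keys issued back to back share no
    structure; the tag ties the nonce to the secret so random strings do not verify.
    """
    nonce = secrets.token_bytes(NONCE_LEN)
    raw = nonce + _tag(secret, nonce)
    return base64.b32encode(raw).decode("ascii").rstrip("=")


def verify_key(key: str, secret: bytes = SERVER_SECRET) -> bool:
    """Return True only if the key decodes and its tag matches the recomputed HMAC."""
    try:
        padded = key + "=" * (-len(key) % 8)       # restore the base32 padding we stripped
        raw = base64.b32decode(padded)
    except Exception:
        return False                                # malformed input is simply rejected
    if len(raw) != NONCE_LEN + TAG_LEN:
        return False
    nonce, tag = raw[:NONCE_LEN], raw[NONCE_LEN:]
    # Constant-time comparison so a tester cannot learn how many tag bytes matched
    # from response timing.
    return hmac.compare_digest(tag, _tag(secret, nonce))


def issue_and_check() -> bool:
    """Sanity check: a freshly issued key verifies, a tampered copy does not."""
    key = generate_key()
    tampered = ("A" if key[0] != "A" else "B") + key[1:]
    return verify_key(key) and not verify_key(tampered)


if __name__ == "__main__":
    k = generate_key()
    print("issued:", k)
    print("verifies:", verify_key(k))
    print("issue/check round trip ok:", issue_and_check())
```

Two design points follow directly from the article's "views": the random part makes a sequence of issued keys useless for pattern analysis, and the one-way tag means nothing in the client needs to be hidden for verification to be sound, because the secret can stay on the server side.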