Secure Coding Practices, Part 8: Cryptography
Several volumes can be written on encryption. With the various protocols and approaches to encryption, software developers can be left uncertain about how it applies to them.
Sensitive data must be encrypted. This may be to support compliance requirements, such as PCI and HIPAA, or it may be because your own organization has standards that require certain data to be encrypted. At a minimum, user credentials, like passwords, must be encrypted.
Data can exist in three different states: 1) at rest, meaning it's stored in a file system, database, or archive media; 2) in transit, meaning it is moving from one system to another system or subsystem (usually over a network); and 3) in process, meaning it is being processed by an application and may be resident in memory or the CPU's registers. It is data at rest and data in transit that should be considered for encryption.
In some cases, the transport layer may be used to allow encryption over a network. The applications that receive this data will not need to decrypt the message. This means that data that is being stored will not be encrypted, unless the application storing the data or the storage layer itself performs the encryption. Examples of transport layer encryption are SSL, TLS, and IPSec.
In other cases, encryption may be performed by the application, which means that the data can be sent across an unencrypted network, because it leaves the application encrypted. It also means that data can be stored directly on the file system or in a database, because the data is already encrypted.
When looking at encryption, make sure your encryption protocol is sufficiently strong. The increasing performance of computers makes decrypting much easier for attackers. Consider protocols such as AES, 3DES, and TLS for starters.
When writing or reviewing secure code, the following questions are important:
Encryption is essential for certain information, but performance is also important. Make sure your application encrypts only what is needed to ensure optimal performance.
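As an added example (not code from the original post), the Node.js code below shows the application-level approach described above: only the fields assumed to be sensitive are encrypted with AES-256-GCM before the record leaves the application, so the record can cross an unencrypted network or be stored as-is. The field names, helper functions, and sample record are hypothetical.

```javascript
const crypto = require('crypto');

// Assumption: the fields this hypothetical application treats as sensitive.
const SENSITIVE_FIELDS = ['cardNumber', 'ssn'];

// AES-256-GCM; the field name is bound as associated data so a ciphertext
// copied into a different field fails authentication.
function encryptField(key, field, plaintext) {
  const iv = crypto.randomBytes(12); // fresh 96-bit nonce for every encryption
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(field, 'utf8'));
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString('base64');
}

// Throws if the key, field name, or any stored byte differs from what was encrypted.
function decryptField(key, field, encoded) {
  const raw = Buffer.from(encoded, 'base64');
  if (raw.length < 28) throw new Error('ciphertext too short'); // 12-byte IV + 16-byte tag
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
  decipher.setAAD(Buffer.from(field, 'utf8'));
  decipher.setAuthTag(raw.subarray(12, 28));
  return Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]).toString('utf8');
}

// Apply fn only to sensitive fields; everything else passes through untouched.
function mapSensitive(record, fn) {
  const out = {};
  for (const [name, value] of Object.entries(record)) {
    out[name] = SENSITIVE_FIELDS.includes(name) ? fn(name, value) : value;
  }
  return out;
}
const protectRecord = (key, rec) => mapSensitive(rec, (n, v) => encryptField(key, n, String(v)));
const revealRecord = (key, rec) => mapSensitive(rec, (n, v) => decryptField(key, n, v));

// Constructed sample; the random key stands in for one loaded from a key store.
const key = crypto.randomBytes(32);
const stored = protectRecord(key, { id: 1001, name: 'Alice Example', cardNumber: '4111111111111111' });
console.log(stored);                    // id and name readable, cardNumber is base64 ciphertext
console.log(revealRecord(key, stored)); // original record restored
```

Because GCM authenticates as well as encrypts, a modified ciphertext, a wrong key, or a value moved to another field raises an error instead of returning altered plaintext.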
Labels: Cryptography, Secure Coding Practices



