This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Cryptographic Storage Cheat Sheet
- 1 WORK IN PROGRESS
- 2 Introduction
- 3 Providing Cryptographic Functionality
- 3.1 Benefits
- 3.2 Basic Requirements
- 3.3 Secure Cryptographic Storage Design
- 3.3.1 Rule - Verify that password hashes are salted on a per-user basis when they are created.
- 3.3.2 Rule - Verify that access to any master secret(s) is protected from unauthorized access
- 3.3.3 Rule - Generate keys offline and store private keys with extreme care.
- 3.3.4 Rule - Never transmit private keys over insecure channels
- 3.3.5 Rule - Ensure that all random numbers, random file names, random GUIDs, and random strings are generated in a cryptographically strong fashion
- 3.3.6 Rule - Do not create cryptographic algorithms.
- 3.3.7 Rule - Do not use weak algorithms, such as MD5 / SHA1.
- 3.3.8 Under PCI Data Security Standard requirement 3, you must protect cardholder data.
- 4 Related Articles
- 5 Authors and Primary Editors
WORK IN PROGRESS
Introduction
This article provides a simple model to follow when implementing transport layer protection for an application. Although the concept of SSL is known to many, the actual details and security-specific decisions of implementation are often poorly understood and frequently result in insecure deployments. This article establishes clear rules which provide guidance on securely designing and configuring transport layer security for an application. This article is focused on the use of SSL/TLS between a web application and a web browser, but we also encourage the use of SSL/TLS or other network encryption technologies, such as VPN, on back-end and other non-browser-based connections.
Architectural Decision
An architectural decision must be made to determine the appropriate method to protect data at rest. There is such a wide variety of products, methods and mechanisms for cryptographic storage that this cheat sheet focuses only on low-level guidelines for developers and architects who are implementing cryptographic solutions. We will not address specific vendor solutions, nor will we address the design of cryptographic algorithms.
Providing Cryptographic Functionality
Benefits
Basic Requirements
Secure Cryptographic Storage Design
Rule - Verify that password hashes are salted on a per-user basis when they are created.
Rule - Verify that access to any master secret(s) is protected from unauthorized access
- Ensure that infrastructure credentials such as database credentials or MQ queue access details are properly secured (via tight file system permissions and controls), or securely encrypted and not easily decrypted by local or remote users.
- Ensure that encrypted data stored on disk is not easy to decrypt. For example, database encryption is worthless if the database connection pool provides unencrypted access.
Rule - Generate keys offline and store private keys with extreme care.
Rule - Never transmit private keys over insecure channels
Rule - Ensure that all random numbers, random file names, random GUIDs, and random strings are generated in a cryptographically strong fashion
Rule - Do not create cryptographic algorithms.
Only use approved public algorithms such as AES, RSA public key cryptography, and SHA-256 or better for hashing.
Rule - Do not use weak algorithms, such as MD5 / SHA1.
Favor safer alternatives, such as SHA-256 or better. "Good" cryptographic algorithms change over time.
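The following is an added example, not code from the cheat sheet or from OWASP, showing rules 3.3.1, 3.3.5 and 3.3.7 together: a per-user salt drawn from the operating system CSPRNG, a SHA-256-based password hash (PBKDF2-HMAC-SHA256), constant-time verification, and a check that flags legacy MD5/SHA1 or unsalted records. The record format, salt length and iteration count are this example's own assumptions, not values from the page.

```python
import hashlib
import hmac
import secrets
from typing import Iterable, Optional

# Parameters chosen for this example (assumptions, not values from the cheat sheet).
SALT_BYTES = 16
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: pbkdf2_sha256$iterations$salt_hex$hash_hex.

    When no salt is supplied, a fresh one is drawn from the OS CSPRNG (secrets),
    so two users with the same password get different records and precomputed
    tables built for one user are useless against another.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record: never treat as a match
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


def salts_are_per_user(records: Iterable[str]) -> bool:
    """Rule 3.3.1 check: no two stored records may share a salt."""
    salts = [r.split("$")[2] for r in records]
    return len(salts) == len(set(salts))


def is_weak_record(record: str) -> bool:
    """Rule 3.3.7 check: flag records tagged md5/sha1, or bare unsalted digests."""
    algorithm = record.split("$")[0].lower()
    return "$" not in record or algorithm in {"md5", "sha1"}
```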
Under PCI Data Security Standard requirement 3, you must protect cardholder data.
PCI DSS compliance is mandatory by 2008 for merchants and anyone else dealing with credit cards. Good practice is to never store unnecessary data,
Related Articles
OWASP - Testing for SSL-TLS, and OWASP Guide to Cryptography
Other Articles in the OWASP Prevention Cheat Sheet Series
- XSS (Cross Site Scripting) Prevention Cheat Sheet
- Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet
- SQL Injection Prevention Cheat Sheet
- Transport Layer Protection Cheat Sheet
Authors and Primary Editors
Jim Manico - jim.manico[at]aspectsecurity.com
Dave Wichers - dave.wichers[at]aspectsecurity.com