Cryptography is a mathematical science and an engineering discipline devoted to private communications in non-private settings. Cryptography comes from the Greek word kryptos, meaning anything hidden, obscured, veiled, secret, or mysterious. While the Merriam-Webster dictionary defines cryptography as the process of writing or reading secret messages or codes, in information security, cryptography has more applications than simply “writing and reading secret messages.” Crypto is critically important in software applications but can also be intimidating… and easily misapplied.
Modern software development is all about speed, which means repurposing what others have built. Those things might be cloud services, pre-compiled libraries from Github, or guidance in a stack overflow knowledge base article. One common challenge with cryptographic code is that it might be insecure even if it seems to be working; therefore, it’s crucial for those defining and implementing crypto to understand the principles.
It’s paramount to get crypto right from the start of each project. If you don’t, it can be like trying to change all the plumbing and pipes in your house after it’s fully built. Take the time to learn about hashes, algorithms, keys, and secrets management; it will be well worth the effort.
A well-known early cipher (disguised method of communication) is the Caesar Cipher. It is a simple substitution system where letters of the alphabet are replaced with other letters - a specific number of characters earlier or later in the alphabet. Modern cryptography uses far more complex keys and ciphers, but the goal is the same: to communicate information privately, even in a hostile environment.
While cryptography provides software data protection, it is undoubtedly complex and can affect system performance. The speed of processing transactions, database performance, and network throughput are most commonly impacted. It also comes along with some other “costs”:
- Administrative costs related to access control and key management. This entails configuring the system to ensure that only the right users have valid keys and that those keys and tools are renewed when needed.
- Operational costs, for instance, systems may need access to keys at boot time, which may prevent automatic system recovery.
- Maintenance costs systems will need to be patched when vulnerabilities are found, algorithms may need to be replaced, and keys will need to be rotated depending on usage patterns and the sensitivity of the data being protected.
To help reduce some of the inherent costs of crypto, keep Kerckhoff’s principle in mind – only the key should be secret. This means that the software you build should be designed to be secure even if an attacker knows everything about your system - except the key. The key unlocks the secret.
Another important rule is not to create your own crypto algorithm. Available crypto algorithms have gone through a long and arduous testing process. These algorithms are literally reviewed for years and “attacked” (people try to crack the code without the key) to validate their robustness. Fortunately, these validated algorithms have been built into popular libraries, like OpenSSH, so that you can focus on implementation and key management.
There are two primary places where data needs to be secured: in motion/transit and while at rest. While both rely on cryptography (including ciphers and hashing), the implementation varies. The following two blogs in this series, Crypto Motion - Securing Data in Transit and Crypto Stasis - Securing Data at Rest, deal with each of these scenarios independently.
About Ed Adams, CEO
Ed Adams is a software quality and security expert with over 20 years of experience in the field. He served as a member of the Security Innovation Board of Directors since 2002 and as CEO since 2003. Ed has held senior management positions at Rational Software, Lionbridge, Ipswitch, and MathSoft. He was also an engineer for the US Army and Foster-Miller earlier in his career.
Ed is a Ponemon Institute Research Fellow, Privacy by Design Ambassador by the Information & Privacy Commissioner of Canada, Forbes Technology Council Member, and recipient of multiple SC Magazine’s Reboot Leadership Awards. He sits on the board of Cyversity, a non-profit committed to advancing minorities in the field of cyber security, and is a BoSTEM Advisory Committee member.