Cryptographic Storage – Best Practices


Cryptographic storage deals with the cryptography standards, methods, and mechanisms to be applied and implemented for sensitive data at rest.

This post highlights some of the important architectural best practices that developers and architects need to follow for efficient and secure cryptographic storage.

1. Only store sensitive data that you need
Store only the minimal data needed
2. Use strong approved Authenticated Encryption
E.g. ‘CCM’ and ‘GCM’ are approved Authenticated Encryption modes based on the AES algorithm.

3. Use strong approved cryptographic algorithms
Only use widely accepted, tried and tested algorithms and implementations like AES, RSA, SHA-256. Do not try to implement one on your own – no matter how easy it may seem.
4. Use approved cryptographic modes
Avoid using AES, DES or other symmetric cipher primitives directly.
Use a NIST-approved cryptographic mode instead.
5. Use strong random numbers
  • Ensure that all random numbers, especially those used for cryptographic parameters (keys, IVs, MAC tags), random file names, random GUIDs, and random strings are generated in a cryptographically strong fashion.
  • Ensure that random algorithms are seeded with sufficient entropy.
6. Use authenticated encryption of data
Authenticated Encryption (NIST-approved CCM and GCM) gives confidentiality, integrity, and authenticity.
Encryption alone provides only confidentiality.
Encryption must always be combined with message integrity and authenticity protection.
Otherwise, the ciphertext may be vulnerable to manipulation that changes the underlying plaintext data, especially if it is passed over untrusted channels (e.g. in a URL or cookie).
7. Store a one-way and salted value of passwords
Use PBKDF2, bcrypt, or scrypt for password storage.

These guidelines are vendor-neutral and concept-oriented. Architects and developers working on cryptography projects should analyze the technology behind the commercial and open source solutions and implement those that align with these best practices.

Reference:
1. Cryptographic Storage Cheat Sheet. (n.d.). Retrieved from https://www.owasp.org/index.php/Cryptographic_Storage_Cheat_Sheet