A recent Wall Street Journal article reports that health insurer Anthem did not encrypt its data and that this was one of the major factors behind the very public theft of large amounts of personally identifiable information (PII).
There has been some discussion that the intrusion was carried out with stolen credentials, meaning that the value of encryption would have been nullified. Without knowing the details, I don’t feel qualified to reach a conclusion on that, but it seems hard to fathom that a single user would have had access to the keys to decrypt everything.
It’s clear in talking with application development and security teams across various large enterprises that encryption is hard. Actually, let me correct that: encryption itself might not be so difficult, but standardizing encryption across multiple developers, in multiple teams, using multiple programming languages can be seriously error prone and introduce unnecessary risk.
A developer ultimately has to weigh the merits of various algorithms, select a particular algorithm, ensure its implementation is verifiably correct and pass the correct arguments for execution.
This, combined with the fact that the average developer is unlikely to know exactly how cryptographic functions work, has resulted in sensitive information not being properly encrypted and in data breaches that expose plain-text passwords.
In the words of Jamil Farshchi, CISO of Time Warner:
“…a key challenge to realizing the value of encryption is standardizing the implementation and use of cryptographic functions across the entire suite of business applications.”
Prevoty’s runtime monitoring and protection service makes extensive use of cryptography and we are announcing today that we will make our cryptography service available to developers everywhere for free.
The Prevoty Cryptography Service (PCS) provides applications with a cloud interface to encrypt, decrypt, hash, and generate keys and random numbers in a manner that is both secure and verifiable.
Instead of becoming security experts, developers can trust that the supported cryptographic functions within PCS are always maintained and updated with the latest security guidance.
Applications developed in C#, Go, Java, Node.js, PHP, Python and Ruby can take advantage of this service by including the appropriate Prevoty SDK and invoking the desired functions.
PCS allows developers to:
- Hash content via MD4, MD5, SHA1, SHA224, SHA256, SHA384, SHA512 and RIPEMD-160
- Encrypt and decrypt strings via AES and Triple DES with various modes (CBC, CFB, CTR, OFB, etc.)
- Generate a private key/public key pair using RSA and EC-DSA
- Sign and verify messages via the RSA-PSS, RSA-PKCS, EC-DSA algorithms
- Generate random numbers
To reduce complexity, PCS has pre-built aliases that let developers correctly hash passwords and encrypt content without having to specify an encryption key, cipher key or initialization vector.
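The following is an added illustration of why a password-hashing alias matters; it is example code written for this post, not Prevoty's SDK or PCS itself. It contrasts what a developer typically writes when handed a raw hash function (a single unsalted pass of SHA-1, one of the general-purpose hashes listed above, which is fine for integrity checks but not for password storage) with a fixed-parameter alias built on PBKDF2-HMAC-SHA256 from the Python standard library; the algorithm name, iteration count and salt length are assumptions chosen for this example, not PCS's settings.

```python
import base64
import hashlib
import hmac
import os

# Parameters an alias fixes once so callers never have to choose them.
# Assumed values for this example, not the settings PCS uses.
KDF_NAME = "pbkdf2_sha256"
KDF_ITERATIONS = 600_000
SALT_BYTES = 16
DIGEST_BYTES = 32


def naive_hash(password: str) -> str:
    """Unsalted single-pass SHA-1: every user with the same password
    gets the same digest, so one precomputed table cracks them all."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str) -> str:
    """Alias-style API: fresh random salt, slow KDF, self-describing output
    so the parameters can be raised later without breaking old records."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, KDF_ITERATIONS, dklen=DIGEST_BYTES
    )
    return "$".join([
        KDF_NAME,
        str(KDF_ITERATIONS),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, stored: str) -> bool:
    """Recompute using the parameters recorded in the stored value and
    compare in constant time; malformed records verify as False."""
    try:
        name, iterations, salt_b64, digest_b64 = stored.split("$")
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
        rounds = int(iterations)
    except (ValueError, TypeError):
        return False
    if name != KDF_NAME or rounds < 1 or not salt or not expected:
        return False
    actual = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, rounds, dklen=len(expected)
    )
    return hmac.compare_digest(actual, expected)
```

Two calls to `hash_password` with the same input yield different records, yet both verify; two calls to `naive_hash` yield the identical digest, which is exactly the property an attacker with a leaked table exploits.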
We sincerely hope that this initiative will improve the consistency and efficacy of cryptography in applications and lead to fewer opportunities for hackers to access unencrypted data.
If you are a developer and would like to get access to the Prevoty Cryptography Service for free, just sign up here.