TL;DR
You’re likely using outdated or weak encryption. This guide shows you how to check and improve your cryptographic methods, focusing on common areas like passwords, data storage, and communication. It’s about making sensible upgrades for better cyber security.
1. Password Security: Stop Using Weak Methods
Passwords are the first line of defence. Here’s how to make them stronger:
- Stop storing passwords in plain text: Never store a password as the user typed it, and never store it reversibly encrypted either; a database dump must not yield usable credentials.
- Use a password hashing algorithm, not a general-purpose hash: Modern systems should use Argon2id, bcrypt or scrypt. MD5 and SHA-1 are broken for collision resistance and must be avoided, but the bigger problem for passwords is speed: a single round of MD5, SHA-1 or even SHA-256 can be computed billions of times per second on a GPU, which is exactly what a password hash must not allow.
- Salting is essential: Add a unique random string (the ‘salt’) of at least 16 bytes to each password before hashing and store it next to the hash. This defeats rainbow tables and means two users with the same password get different hashes, so one crack does not reveal the other.
- Key stretching: Argon2id, bcrypt and scrypt have a tunable work factor (and, for Argon2id and scrypt, a memory cost) that makes every guess expensive. Pick parameters that cost roughly 50 to 250 ms per hash on your hardware and plan to raise them as hardware gets faster.
Example of salting in Python (using hashlib.scrypt from the standard library rather than plain SHA-256, which is far too fast for password storage):
import hashlib
import os

def hash_password(password):
    salt = os.urandom(16)  # fresh random salt per password, stored alongside the hash
    # scrypt is memory-hard and key-stretched; n=2**14, r=8, p=1 are sensible starting parameters
    hashed_password = hashlib.scrypt(password.encode('utf-8'), salt=salt, n=2**14, r=8, p=1)
    return salt.hex() + ':' + hashed_password.hex()
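The snippet above only produces a hash. A real password store also has to verify a password against the stored value, compare in constant time, and be able to tell that an old record was hashed with weaker parameters so it can be re-hashed at next login. The following is an added example, not code from the original article; it uses hashlib.scrypt from the Python standard library. The parameters n=2**14, r=8, p=1 and the "scrypt$n$r$p$salt$hash" storage format are this example's own choices (tune the cost to your hardware). Where third-party dependencies are acceptable, Argon2id via a maintained library is the first choice; the verify-and-rehash structure is the same.

```python
import hashlib
import hmac
import os

# Work-factor parameters are stored inside each hash string so they can be raised later.
# These values are assumptions for the example; tune them to ~100 ms per hash on your hardware.
SCRYPT_PARAMS = {"n": 2 ** 14, "r": 8, "p": 1}
DKLEN = 32  # derived key length in bytes


def hash_password(password: str, params: dict = SCRYPT_PARAMS) -> str:
    """Return 'scrypt$n$r$p$salt_hex$hash_hex' using a fresh 16-byte random salt."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=params["n"], r=params["r"], p=params["p"], dklen=DKLEN)
    return "scrypt$%d$%d$%d$%s$%s" % (params["n"], params["r"], params["p"],
                                      salt.hex(), digest.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the parameters embedded in `stored` and compare in constant time."""
    try:
        algo, n, r, p, salt_hex, hash_hex = stored.split("$")
        if algo != "scrypt":
            return False
        n, r, p = int(n), int(r), int(p)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
    except ValueError:
        return False  # malformed record: reject rather than crash
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p, dklen=DKLEN)
    # compare_digest avoids leaking, via timing, how many leading bytes matched
    return hmac.compare_digest(digest, expected)


def needs_rehash(stored: str, params: dict = SCRYPT_PARAMS) -> bool:
    """True if the record was not produced with the current algorithm and parameters.

    Call this after a successful login: the plaintext is available at that moment,
    so the record can be upgraded transparently when the policy is tightened."""
    parts = stored.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return True
    n, r, p = (int(x) for x in parts[1:4])
    return (n, r, p) != (params["n"], params["r"], params["p"])


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify ok:", verify_password("correct horse battery staple", record))
    print("needs rehash:", needs_rehash(record))
```

On login, verify first and only then check `needs_rehash`; if it returns True, call `hash_password` again with the current parameters and overwrite the record. Never log the plaintext or the computed digest along the way.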
2. Data at Rest Encryption: Protect Your Files
If you store sensitive data, encrypt it.
- Full Disk Encryption (FDE): Use tools like BitLocker (Windows), FileVault (macOS) or LUKS (Linux) to encrypt entire drives.
- File-level encryption: For specific files, use tools like GPG or VeraCrypt.
- Database Encryption: Most databases offer built-in encryption features. Enable them! Consider Transparent Data Encryption (TDE). Be clear about what it buys you: TDE protects the data files and backups if the storage is stolen, but an attacker who obtains database credentials or exploits SQL injection in the application still reads everything in the clear. For the most sensitive columns, encrypt at the application layer as well.
3. Communication Security: Secure Your Connections
Protect data in transit.
- HTTPS Everywhere: Always use HTTPS for websites. Ensure your web server is configured with a valid TLS certificate.
- TLS 1.3: Use the latest version of TLS (Transport Layer Security). TLS 1.0 and 1.1 are formally deprecated (RFC 8996) and must be disabled; TLS 1.2 remains acceptable when restricted to modern AEAD cipher suites with forward secrecy, but TLS 1.3 removes the legacy options altogether. Check your server configuration with a scanner rather than trusting the defaults, and also check your clients: a client that does not validate the certificate chain and hostname gets no benefit from the server's TLS version.
- Secure Email: Use S/MIME or PGP for email encryption, but be aware of key management complexities. Consider end-to-end encrypted messaging apps instead.
4. Key Management: The Weakest Link
Encryption is useless without proper key management.
- Secure Storage: Store encryption keys securely, separate from the data they protect. Hardware Security Modules (HSMs) are a good option for high security needs.
- Key Rotation: Regularly change your encryption keys, and design for it from the start: give every key a version identifier, record which version protected each piece of data, use only the current key for new encryption, keep old versions available for decryption until the data has been re-encrypted or expired, and then retire them. Rotation without versioning is how data becomes unreadable.
- Access Control: Limit access to encryption keys to only those who need them.
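The following is an added example, not code from the original article, of the versioned-key pattern the rotation bullet describes: a small in-memory key ring where only the current key creates new tokens, older versions still verify until explicitly retired, and the version is carried in the token so the verifier never has to guess which key to try. It uses HMAC-SHA256 because the Python standard library has no authenticated cipher; the same structure (key id in the header, current key encrypts, old keys decrypt until retired) applies to encryption keys. Keeping keys in a Python dict is an assumption for the demo; in production they come from an HSM, KMS or secrets manager, separate from the data.

```python
import hashlib
import hmac
import os


class KeyRing:
    """Versioned HMAC keys: the current version signs, older versions verify until retired.

    Keys live in memory here for demonstration (assumption); load them from an HSM/KMS or
    secrets manager in real deployments, never from the store that holds the protected data."""

    def __init__(self, key_bytes: int = 32):
        self._keys = {}        # version -> raw key bytes
        self._current = None   # version used for all new signatures
        self._key_bytes = key_bytes
        self.rotate()

    def rotate(self) -> int:
        """Generate a fresh key and make it the only key used for new tokens."""
        version = (self._current or 0) + 1
        self._keys[version] = os.urandom(self._key_bytes)
        self._current = version
        return version

    def retire(self, version: int) -> None:
        """Drop an old key once everything issued under it has been re-issued or has expired."""
        if version == self._current:
            raise ValueError("cannot retire the current key; rotate first")
        self._keys.pop(version, None)

    def active_versions(self) -> list:
        return sorted(self._keys)

    def sign(self, message: bytes) -> str:
        """Token format 'v<version>.<hex mac>' so the verifier knows which key applies."""
        mac = hmac.new(self._keys[self._current], message, hashlib.sha256).hexdigest()
        return "v%d.%s" % (self._current, mac)

    def verify(self, message: bytes, token: str) -> bool:
        try:
            ver_str, mac_hex = token.split(".", 1)
            if not ver_str.startswith("v"):
                return False
            version = int(ver_str[1:])
        except ValueError:
            return False
        key = self._keys.get(version)
        if key is None:
            return False  # unknown or retired version: reject, never fall back to trying every key
        expected = hmac.new(key, message, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, mac_hex)


if __name__ == "__main__":
    ring = KeyRing()
    old_token = ring.sign(b"session:alice")
    ring.rotate()
    print("old token still valid during grace period:", ring.verify(b"session:alice", old_token))
    ring.retire(1)
    print("old token after retirement:", ring.verify(b"session:alice", old_token))
    print("active key versions:", ring.active_versions())
```

The grace period between `rotate()` and `retire()` is where the re-issue (or re-encrypt) job runs; keep it short and measured, and alert if tokens under a retired version keep arriving, since that is either a stale client or a replay.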
5. Check Your Random Number Generators
Cryptography relies on strong random numbers.
- Use cryptographically secure PRNGs: Never use the standard random() functions (Python's random module, C's rand(), Java's java.util.Random) for anything security-sensitive such as tokens, session IDs, salts, keys or nonces. They are seeded from small values and their output is predictable once a few outputs or the seed are known. Use the interfaces built for cryptography (the secrets module in Python, os.urandom, /dev/urandom or getrandom() on Linux).
- Entropy Sources: Ensure your system has sufficient entropy sources to seed the kernel CSPRNG, particularly on freshly booted virtual machines and embedded devices, where identical boot images can otherwise produce identical "random" keys.
Example of using a secure PRNG in Python:
import secrets
random_number = secrets.randbelow(100)
print(random_number)
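To make the difference concrete, the following added example (not code from the original article) shows a password-reset code built with Python's random module seeded from a small value, the way an attacker recovers it by replaying candidate seeds, and the secrets-based replacement together with a constant-time comparison for checking the presented token. The seed value, the 8-character code length and the seed window are constructed for the demonstration.

```python
import hmac
import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits


def weak_reset_code(seed: int, length: int = 8) -> str:
    """How NOT to do it: random.Random is a Mersenne Twister, fully determined by its seed.

    Code seeded from something like int(time.time()) can be regenerated by anyone
    who can guess the second at which it was issued."""
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def attacker_guesses(observed_code: str, seed_window, length: int = 8):
    """Replay weak_reset_code() over candidate seeds; return the seed that reproduces the code."""
    for seed in seed_window:
        if weak_reset_code(seed, length) == observed_code:
            return seed
    return None


def secure_reset_token(nbytes: int = 32) -> str:
    """secrets reads the OS CSPRNG; 32 bytes is 256 bits, far beyond any seed search."""
    return secrets.token_urlsafe(nbytes)


def token_matches(presented: str, stored: str) -> bool:
    """Constant-time comparison so response timing does not leak how many leading bytes matched."""
    return hmac.compare_digest(presented.encode("utf-8"), stored.encode("utf-8"))


if __name__ == "__main__":
    issued_at = 1_700_000_000          # constructed: the epoch second the code was issued
    code = weak_reset_code(issued_at)
    # attacker only knows roughly when the reset was requested (a two-minute window)
    recovered = attacker_guesses(code, range(issued_at - 60, issued_at + 60))
    print("weak code", code, "recovered with seed", recovered)
    token = secure_reset_token()
    print("secure token", token, "matches itself:", token_matches(token, token))
```

The same replay works against Java's java.util.Random, PHP's mt_rand() and every other non-cryptographic generator; the fix is always to draw from the OS CSPRNG, store only a hash of long-lived tokens, and compare in constant time.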
6. Regularly Audit Your Systems
Cyber security is an ongoing process.
- Vulnerability Scanning: Use tools to identify weaknesses in your systems.
- Penetration Testing: Hire experts to simulate attacks and find vulnerabilities.
- Code Reviews: Have your code reviewed by security professionals.