Encryption keys and passwords are truly "keys to the kingdom." Acquiring them allows attacker to open all kinds of doors, and yet developers are often careless about how they handle them. We often see password and keys hardcoded in the application source, stored with minimal obfuscation in configuration files, and in plaintext in databases. As a result they fall victim to reverse engineering, and software vulnerabilities such as Path Traversal, XXE, Local File Inclusion, and others.
To help mitigate that we review right and wrong ways of storing credentials in an application, and discuss best practices for storing them, such as using keystores.
Once your secrets are properly secured, however, there is a big remaining issue - how do you secure the "key that secures other keys", the Key Encrypting Key (KEK)? Would it not be vulnerable to the same issues we just tried to solve with keys and passwords? In our presentation we discuss preferred ways for securely storing KEKs, from hardware to software, and their relative costs. We conclude by proposing several low cost ways for storing KEKs that any application can afford to implement and offer an open source library that helps achieve that.
Application Security
Encryption