S 3.33 Improper use of cryptomodules
Initiation responsibility: IT Security Officer, Head of Personnel
Implementation responsibility: Personnel Department, Supervisor
The improper use of encryption modules has often caused damages in practice. This improper use may have different effects:
- Data is transmitted unencrypted, because the clear text mode was accidentally enabled in the encryption module.
- Parts of the key are entered incorrectly while entering cryptographic keys. As a consequence, neither the sender (who did not notice the incorrect input) nor the recipient (who does not know the key actually used) is able to properly decrypt the encrypted data entered with the incorrectly input key.
During encryption, the power supply to the encryption module is switched off accidentally. As a consequence, only parts of the data are encrypted, other parts remain unencrypted. In such a case, it is possible that decryption is no longer possible, because the process was cancelled in an uncontrolled manner.
- When entering encryption parameters, improper parameters are input. As a consequence, insufficiently secure encryption algorithms or insecure cryptographic keys may be used.
- If the user is involved in generating the key by being prompted to enter random characters when the key is generated, improper use also entails not using random, but known and easy to guess character strings (words) at this point.
Such improper uses of an encryption module may cause the confidentiality, integrity, and availability of data to be affected adversely. Examples:
- Data is not or no longer encrypted although encryption would be necessary in order to maintain confidentiality.
- Encrypted data can no longer be decrypted, because the encryption module can no longer be used properly due to improper use.
- Data is encrypted accidentally or deliberately in such a way that it cannot be recovered, because the required cryptographic key is not known.
- Properly encrypted data is changed so that it can no longer be decrypted.
Review questions:
- Wird die Vertrauenswürdigkeit von neuen Mitarbeitern und externem Personal hinreichend durch geeignete Nachweise geprüft?
- Ist mit externen Dienstleistern die Überprüfung des eingesetzten Personals vertraglich vereinbart?