A cryptographic zone exists between two points, where a symmetric key or asymmetric public keys are shared in order to encrypt sensitive information. Once the key, or keys have been exchanged, data, and in some cases other keys, are encrypted within this zone.
Most of the security controls employed by web applications are dependent on cryptography, and therefore also dependent on secret keys. A key management system (KMS) should be designed to efficiently handle the secret keys during transfer of sensitive data.
This article introduces the classification of cryptographic zones in modern web applications.
Cryptographic zones can be classified into 3 parts:
Zone 1: External User and Web Application
When the user connects to the secure (HTTPS) websites such as Internet Banking application, the browser must establish a secure TLS session.
The web page should be rendered in the browser in encrypted form. Request and response between the browser and the server is encrypted using public key encryption.
Web applications uses public key cryptography to create a shared session key. It then communicates through symmetric key cryptography using this shared session key. Public key cryptography remains the most popular online protocol (over private key cryptography) because users never need to transmit or reveal their private keys to anyone, which lessens the chances of cyber criminals discovering an individual’s secret key during the transmission.
Zone 2: Web server and Application Server
Many web applications send this data in clear text, but if a hacker is able to compromise the web server, he would have similar rights to view credentials in the clear.
A few web applications do not use encryption during web server and application server communication. But it is always recommended to ensure that data is encrypted end-to-end, from web browser to application server or database server. Therefore, it is highly recommended to send the data through a new encrypted session by either establishing a new SSL session, or transferring data through an IPSec tunnel.
Zone 3: Application server and Database Server
On receipt of the sensitive data, the Web Application Server needs to send it to the database server for verification. The web application server and the database server are usually on the same trusted network, but it is recommended to use SSL to encrypt communication.
Ideally, these data elements are encrypted with a symmetric key which has been pre-negotiated with the mainframe system. Encryption is about ensuring confidentiality. Only an authorized recipient can read the data. The encryption techniques also rely on the strength and type of algorithms being used.
The encryption of data at rest should include strong encryption methods such as AES and RSA. With the increase in SSL security vulnerabilities such as POODLE, Heartbleed, or FREAK, it is highly recommended to use TLS 1.2 or above.
References and further reading
- What is Public Key Cryptography? (2015) by Nate Lord
- 10 Tips for a Cryptographic Key Management System in the Banking Industry - A Penetration Teting Perspective (2015)
- by Ashiq JA
- How to Document a Key Management System (2015) by Ashiq JA