Crypto-Health Scout: Patient, Heal Thyself?!

Tali de York
4 min read · Oct 14, 2020

Health is not valued till sickness comes. It is particularly true for crypto-health.

In the article Crypto-Health of Your Device: Should You Care, I looked into the definition of crypto-health of a host. In Better Safe than Sorry: Cryptographic Algorithms and Digital Certificates, I presented cryptographic algorithm implementations and digital certificates, the two indispensable groups of cryptographic objects used in device protection. When they weaken and no longer provide enough security, they can become the very pain points that attackers target.

In a perfect world, you would quickly detect those weak points and mitigate them. Crypto-health is, like every healthy lifestyle, about prevention: you should strengthen cryptography on devices well before newsfeeds declare any existing and potential cryptographic breaches and vulnerabilities.

Imagine that there is a crypto-health monitoring tool named CryptoHealth Scout, and you can install it on your device or run it from a website if it follows a software-as-a-service (SaaS) model. CryptoHealth Scout parses files and running programs (filesystem and processes) on your device in search of specific character strings (fingerprints or signatures) found in cryptographic objects. It discovers unreliable and weakening cryptography on a host and advises you in advance of existing and potential issues. One of the key success factors of a crypto-health monitor is its expertise in interpreting the detected problems. As a result, you get a report on the discovered issues classified by their urgency and security levels.

In general, this process is similar to the way antivirus software performs signature-based virus detection by searching for specific virus-related patterns. A crypto-health monitor should have an up-to-date database of cryptographic markers, artifacts, and their fingerprints.
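To make the fingerprint search concrete, here is an added sketch in Python; it is not code from CryptoHealth Scout, which is an imagined tool. It treats DER-encoded algorithm OIDs as fingerprints, decodes PEM blocks before matching, and sorts findings by urgency. The urgency labels, file names and sample byte fragments are assumptions constructed for the example.

```python
import base64, re, tempfile
from pathlib import Path

# DER-encoded OIDs as byte fingerprints; urgency labels are illustrative assumptions.
FINGERPRINTS = {
    bytes.fromhex("06092a864886f70d010104"): ("md5WithRSAEncryption", "critical"),
    bytes.fromhex("06052b0e030207"): ("desCBC", "critical"),
    bytes.fromhex("06092a864886f70d010105"): ("sha1WithRSAEncryption", "high"),
    bytes.fromhex("06092a864886f70d01010b"): ("sha256WithRSAEncryption", "ok"),
}
RANK = {"critical": 0, "high": 1, "ok": 2}
PEM_RE = re.compile(rb"-----BEGIN [A-Z0-9 ]+-----(.+?)-----END [A-Z0-9 ]+-----", re.S)

def scan_bytes(data):
    """Return (algorithm, urgency) pairs found in data or inside its PEM blocks."""
    views = [data]
    for match in PEM_RE.finditer(data):
        body = b"".join(match.group(1).split())
        try:  # PEM bodies are base64, so decode them before matching
            views.append(base64.b64decode(body, validate=True))
        except ValueError:  # malformed base64 body: nothing to scan
            continue
    return {label for v in views for fp, label in FINGERPRINTS.items() if fp in v}

def scan_tree(root):
    """Scan every readable file under root; most urgent findings come first."""
    findings = []
    for path in sorted(p for p in Path(root).rglob("*") if p.is_file()):
        try:
            hits = scan_bytes(path.read_bytes())
        except OSError:  # unreadable file: skip it, keep scanning
            continue
        findings += [(urgency, name, path.name) for name, urgency in hits]
    return sorted(findings, key=lambda f: (RANK[f[0]], f[2], f[1]))

def demo():
    """Scan constructed sample files holding bare AlgorithmIdentifier fragments."""
    md5, _, sha1, sha256 = FINGERPRINTS  # dict keys, in insertion order
    alg = lambda oid: b"\x30\x0d" + oid + b"\x05\x00"  # SEQUENCE { OID, NULL }
    pem = b"-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----\n"
    samples = {"old.der": alg(md5),
               "legacy.pem": pem % base64.encodebytes(alg(sha1)),
               "modern.der": alg(sha256), "notes.txt": b"no cryptography here"}
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            (Path(tmp) / name).write_bytes(data)
        return scan_tree(tmp)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

A byte match only shows that the OID occurs somewhere in the file; confirming that it is, for instance, a certificate's signature algorithm requires parsing the surrounding ASN.1 structure.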

Unfortunately for our CryptoHealth Scout, it cannot delete the discovered problematic cryptographic algorithm implementations or digital certificates. Doing so can render your device inoperable because it cannot function without them. Picture this: you find out that the bricks of your fence are old and cracked. You kick them out and immediately observe the whole structure falling apart.

So, a crypto-health monitor will detect broken or weak cryptography, but it will be entirely up to you to fix the discovered issues. It is a complicated and time-consuming migration process that requires a high level of cryptographic security expertise. You will need to replace the weak cryptographic algorithms with safer ones, given that your software supports them. If you are lucky, there will be a software update that addresses the issue. Some software packages may require custom builds, while others might have hard-coded solutions. In the latter case, you will need to choose between rewriting a software package or replacing it with something else. And what if the problematic application is one of its kind and does not have alternatives?

Remember, you will need a strong commitment, as keeping your device crypto-healthy will require lifestyle changes, including resisting peer pressure. A lot of my friends use a messenger that has been scandalously famous for its security vulnerabilities. Yet, at least once a week, somebody wonders why I am not using it and insists that I should install it because everybody is on it.

You will have to make a hard choice between a healthy cryptographic lifestyle, aimed at preventing potential, currently intangible intrusions that may never happen, and the comfort of your current existence. Does it feel like the everlasting Drugs vs. Lifestyle Change battle? Antivirus tools provide detection of known viruses and immediate cure of the discovered infected files. Crypto-health monitors provide detection of potential pain points and vulnerabilities. It’s a bit like taking a painkiller for your headache versus going to bed before 10 pm every evening and getting eight hours of sleep daily (I would be even fine with seven).

Our CryptoHealth Scout is definitely helpful for larger companies that have in-house crypto-security experts or can afford to pay the CryptoHealth Scout creators for expertise, extensive customer support, and mentorship. As an individual user, you will feel as if you got your blood test results back together with an extensive medical encyclopedia and were left to figure out on your own what those results mean and what treatment you should self-prescribe.

Takeaways

  • Crypto-health monitors provide cryptography threat awareness. They help users understand their exposure to cryptographic threats.
  • Crypto-health monitors search hosts’ files and running programs to detect cryptographic artifacts, analyze and identify vulnerabilities, assign current security levels to cryptographic primitives and algorithms, and present the results with recommendations.
  • You will have to replace the discovered vulnerable cryptography yourself. If you are lucky, there might be a software update addressing the issue. Otherwise, you may need a custom build or even a rewritten solution. If the software doesn’t have alternatives, you may face the hard reality of abandoning it and changing your workflows.
  • Maintaining sound crypto-health of your devices will most likely require changing your lifestyle and resisting peer pressure.
  • Crypto-health monitors require a much higher level of crypto-security expertise to fix the discovered issues than antivirus tools. Such expertise may be available to large companies but not readily accessible to individuals or small businesses.

Still, are there ways for our CryptoHealth Scout to help individuals like you and me? Stay tuned!

Tali de York

I am a [technical] writer, poet, and engineer. My domains are IT, Cryptography, Data Science, Artificial Intelligence, Machine Learning, and Cloud Computing.