Crypto Fails and How to Tackle Them in Go
Recent studies in academia and industry [1-3] reveal that the (vast) majority of applications using crypto struggle with a functional and secure solution. Because of these struggles, the application ends up with attackable components, e.g., passwords stored insecurely. Further, these issues can lead to messages like: “Our application is secure as it uses the standard AES-128.” However, it is easily attackable as the wrong parameters for the AES encryption were chosen.
In this talk, we will introduce and explain six very frequently discussed problems for insecure crypto usages and demonstrate secure solutions for common use cases. We will start by understanding why these six issues are a security problem without using any mathematical formula at all. After knowing why we should avoid these mistakes in our application, we take a look at the standard Go crypto library and inspect if we can repeat finding these issues in implementations using this library as well. A small spoiler: You can’t repeat all due to the design decisions of the Go API. However, you can find issues and discussions about why Go shouldn’t support these insecure solutions as well. We will end the talk with code examples of common tasks involving crypto and shortly demonstrate how static analyses can help you implement a secure solution.
Anna-Katharina Wickert loves to share things she is thrilled about. In her day-to-day job, she’s a Ph.D. student at Technische Universität Darmstadt. There she inspects (crypto) misuses and how one can ease adapting static analyses for different languages and APIs by deriving new rule sets for those. In her free time, she organizes the Frankfurt Rhein-Main chapters of the Go and Go Bridge user groups, loves healthy food especially vegetables, enjoys the silence of a Yin Yoga class, and solving problems at the boulder gym.