Ben & Ryan Show - Cryptography with Justin Scott

Ben and Ryan Show Episode 2 - Cryptography with Justin Scott
In this episode, your hosts Ben Nadel and Ryan Brown are joined by long time Adobe ColdFusion developer and security expert, Justin Scott, to discuss his recent presentation at the Adobe ColdFusion Summit.


Who is Justin Scott
• CISO with Smart Communications
• (ISC)² Certified
• Long time ColdFusion developer

Justin’s Summit Presentation - https://www.darktech.org/advanced-cry...

Key Takeaways from Summit Presentation
• Hashing = Integrity, specifically for passwords
If available, use the SCrypt (preferred) or BCrypt algorithms for password hashing and storage. Otherwise, use SHA-512 with 600,000 iterations or more and add a unique salt per password. Consider adding pepper before hashing for additional protection. Don’t use weak outdated defaults such as MD5, SHA1, etc.

• Symmetrical Encryption = Data protection at rest
Use AES unless you need compatibility with another application Use a 256 bit key unless a weaker key is needed for compatibility Use the correct block mode for your data Avoid ECB if possible; it exposes patterns in your data (default if “AES” is specified with no block mode) Use CBC mode for short data like PII or credit card numbers (most secure: “AES/CBC/PKCS5Padding”) Use CTR or GCM for larger data like documents (balance of speed and security: “AES/CTR/NoPadding”) Generate and specify your own IV when possible for better compatibility

• Key Management
Never store encryption keys with encrypted data unless they themselves are strongly encrypted with a KEK. Never store secrets in code; accidental leaks from GitHub are more common than you think Keys should be stored securely using an HSM if possible, otherwise a Cloud-Based Vault.

• Credit Card Numbers
Don’t store unless you really need to. Use strong encryption; AES-CBC w/256 bit key. Use KEK for card keys

Notes from Podcast
• Password4J Library – Ability to get access to Argon2id in ColdFusion - https://password4j.com/

Iterations for hashing
• Allows you to do more as computers get better.
• Tradeoff between performance and security.
• Goal is to keep hashing to 500ms.
• Create alerts if hashing starts to take less time so you can increase your iterations. This way you don’t have to go back and check your code.

SCrypt / BCrypt
• Adobe does not include version in string of Script
• Different implementations of SCrypt do their own variations
• Data is embedded in SCrypt and BCrypt so verify function does not need separate functions for each version or workload

Session Management
• Both Ben and Justin use their own session management
• Redis Session Blog - https://blog.xbytecloud.com/optimizin...

Should you roll your own auth?
• You can do your own authentication (“auth”)
• Businesses are often requesting to use existing single sign-on authentication (Microsoft/Google/Octa)
• Is single factor authentication ever allowed – yes, depends on application and security. If no personally identifiable information or credit card info stored

Should you roll your own credit card processing
• Almost always no
• PCI-DSS requirements a lot lower
• Even temporarily storing your info to pass to someone authenticating, your application is still in scope of PCI-DSS
• Never store credit card numbers, even encrypted

Changes to Adobe ColdFusion around encryption
• Blog post about changes: https://blog.xbytecloud.com/recent-ad...
• You shouldn’t follow the path of least resistance by overriding and using the old defaults
• Idea for secure by default – puts more control in the hands of CISO or Security Officer – need to check something to allow security

Passkeys
• Because everyone uses multiple devices, need methods to use passkeys other places
• Not all applications share passkeys between devices
• Many websites don’t allow multiple passkeys per account so you can only login on a single device – can be very confusing
• Designed to have proof of presence using biometric authentication
• Not everyone doing the biometrics, 1password has super long master ley to set up new device but it is still a password and not as good as biometric authentication
• No internal support in Adobe ColdFusion – Justin is working on library to allow it in CF

How do you migrate to new password hashing algorithm
• Implement code when setting password
• Validate the password using old authentication
• Store using new authentication
• Note that the password was converted
• After some set date, notify anyone that hasn’t updated that they need to update their password

Do companies hire people to test breaking out of a prison
• Justin is not aware of these companies
• But, he does recommend having outside firms test your cybersecurity

Links to Justin
• www.darktech.org
• www.linkedin.com/in/justinscott