BLACK HAT EUROPE 2023 – London – Researchers from Microsoft, its GitHub subsidiary, and Spain-based Banco Santander here today released a set of open source tools that identify and pinpoint weak cryptography in software, so organizations and developers can jumpstart locking down their security posture for a post-quantum computing reality.

The team — Daniel Cuthbert, global head of cybersecurity research at Banco Santander; Mark Carney, quantum hacker for Quantum Village; Niroshan Rajadurai, senior director at GitHub; and Benjamin Rodes, principal security engineer at Microsoft — over the past year and half scanned some 4,500 GitHub open source project repositories in a quest to understand the state of cryptography in open source software. The results were grim, with nearly half of the platforms they scanned still running the aging RSA algorithm and around a quarter of them relying on SHA-1. Both algorithms are considered insecure for today’s computing systems and are being replaced by stronger crypto.

Building a Cryptographic Bill of Materials

The stakes get exponentially higher with emerging and powerful quantum computing technology and systems, which will be able to crack many older encryption algorithms used in software and systems today and ultimately give threat actors a new tool for hacking systems.

Government agencies around the globe have sounded the alarm on shoring up cryptography, as some experts predict quantum’s arrival as early as spring of 2030, which will subsequently imperil older encryption technologies. In the US, for example, the Quantum Computing Cybersecurity Preparedness Act enforces the National Institute of Standards and Technology’s (NIST) recently published post-quantum encryption standards.

The researchers — who presented their project findings and tools at Black Hat Europe today — built their project and tools based on GitHub’s CodeQL static code analysis tool, which they used to scan the thousands of codebases on GitHub. They also created a so-called cryptographic bill of materials (aka CBOM) for each software project, which documents the cryptographic algorithms and their security status, flagging any insecure components.

According to Cuthbert, the tools provide security teams and code developers easy-to-use methods to discover just what cryptography is “under the rug” and “under the bed” in software, and to ensure that developers replace any aging or insecure encryption in their codebase with stronger crypto. With the CBOM, a practitioner can analyze what cryptography assets are used in an application, for example: “Is it using modern algorithms like SHA-2.6 or 3, or [the older] SHA-1” algorithm, Cuthbert told Dark Reading in an interview here. If the CBOM reveals that an application’s crypto is unsafe, “the developer of the project can say, ‘Oh, I need to fix that,'” he said.

The researchers used CodeQL’s variant analysis tool to build a CBOM for each open source project they studied, and practitioners and developers now can do the same with it.

Open Source Code Rife in Enterprise Apps

Github’s Rajadurai said understanding the supply chain of an application is key, especially given that more than 90% of software in any given enterprise-written application comes from open source code and tools. The researchers’ GitHub repository is open source and allows you to run a scan to ID the algorithms and their interdependencies in the code. It also includes the relevant actions needed to remedy weak cryptography.

“You can specify in the documentation how you want developers to address” the issues, for example, he said.

Cuthbert explained in his portion of the presentation that the project is also meant to support open source developers. “It tells them, ‘hey, we’ve got your back,'” in improving encryption in the code.

The goal is to scan all repositories on GitHub, Cuthbert told Dark Reading at the event. “We want to scan every single repository, which is ambitious, but it’s going to happen.”

Next for the project is to inspect post-quantum’s impact on the encryption used in embedded hardware and low-power devices, he said. “Nobody has ever done that study before.”

Source: www.darkreading.com