    Insecure Cryptographic Storage isn’t a single vulnerability but a collection of vulnerabilities that all have to do with making sure your most important data is encrypted when it needs to be. This includes, but isn’t limited to, making sure you are encrypting the correct data, that you have proper key storage and management, that you are not using known bad algorithms, and that you are not implementing your own cryptography, which may or may not be secure.

    Insecure Cryptographic Storage is not a single security problem; it is a series of security problems concerning whether you have encrypted your most important data in line with your security requirements. This includes (but is not limited to) encrypting the correct data, properly storing and controlling the key that unlocks the decryption, not using bad encryption rules, and not using an encryption method of your own invention,

    The impact of these flaws, when exploited, is usually quite high, because the information being encrypted is usually very important: personally identifiable information, trade secrets, health care records, personal information, credit card numbers, and things of that nature.


    Modern cryptographic algorithms are extremely resilient and can take a very long time to crack. The issue, though, is not with the algorithms being used; it is with the way they are implemented to keep your data safe. Most attackers will go after how you are using the cryptography, not the cryptography itself.


    The ways to detect and fix cryptographic storage issues fall into two camps. On one side, you have flaws like improper key management or not encrypting the correct data. The way to fix these is to actually sit down, look at the scope of your application, look at internal business processes, and review ways to make sure that you are in fact following best practices. On the other hand, issues like implementing your own insecure cryptography or using known insecure algorithms can be detected, and then fixed, with the help of a whole variety of security scanning tools.


    To resolve this problem you have to sit down, look at what you are trying to do, look at the company’s internal working processes, and review and confirm that you are in fact using the most effective approach. The other side of the problem lies in using encryption rules you invented yourself or encryption rules that are known to be fundamentally insecure. This kind of problem can be resolved using a variety of security scanning tools.
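    As an added illustration of the “known bad algorithm” and “don’t roll your own cryptography” points above (example code, not from the original page): unsalted MD5 password storage, the pattern a scanner flags, beside a salted PBKDF2-HMAC-SHA256 record that stores its parameters with the digest so the work factor can be raised later. The function names, the record format and the 600,000-iteration default are assumptions made for this example.

```python
import hashlib
import hmac
import secrets

# --- the "before": the known-bad pattern a scanner should flag ---
def weak_store(password: str) -> str:
    """Unsalted MD5: fast and deterministic, so identical passwords give
    identical hashes and precomputed tables apply. Shown only as the
    pattern to detect and replace."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

# --- the hardened form: per-record salt, slow KDF, self-describing record ---
ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000  # assumption: tune to the cost budget of the target hardware

def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt_hex>$<digest_hex>'."""
    salt = secrets.token_bytes(16)  # fresh random salt per record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the parameters stored in the record; compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:  # malformed record: wrong field count, bad hex or count
        return False
    if algorithm != ALGORITHM or rounds < 1:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(digest, expected)

def needs_rehash(stored: str, iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True when a record is not in the current format or uses fewer iterations
    than the current policy, i.e. it should be re-hashed at next successful login."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM or not parts[1].isdigit():
        return True
    return int(parts[1]) < iterations

if __name__ == "__main__":
    pw = "constructed-sample-password"  # constructed value, not a real credential
    print("weak (same every time):", weak_store(pw) == weak_store(pw))
    record = hash_password(pw)
    print("hardened record:", record)
    print("verify ok / wrong:", verify_password(pw, record), verify_password("wrong", record))
```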