
Operations fundamentals

Cryptographic Operations are specific tasks or methods that use cryptographic keys and algorithms to secure or authenticate data. These operations encompass various cryptographic tasks such as encryption, decryption, hashing, signing, and key management.

Operation types include:

  • Key Generation
  • Encryption / Decryption
  • Signature Generation / Verification
  • Message Authentication (MAC)
  • Key Management
  • Security Protocols
  • Cloud Storage

Operations details page

When operations are discovered in an analysis, details will be available in associated reports and instance views. To view Operations details:

  • In a Report, select the Operations tab, then select an ID to open its Operations details.
  • When a rule is related to an operation, select an Instance, then select an ID to open its Operations details.
  • When Operations details include wrapped keys, select the Wrapped key or Wrapped by key ID to view the associated key details.

    Tip

    The Operations tab is only available in reports or instances where operations are associated with the discovered cryptography.

Operations details header

The Operations Details page header summarizes the operation:

  • Type - the cryptographic operation performed.
  • Context - TLS or Non-TLS. Monitoring TLS-related operations ensures data security in transit over networks.
  • Algorithms - the specific cryptographic algorithms employed, such as AES for encryption, RSA for signature generation, HMAC for MAC, etc. Monitoring algorithms ensures compliance with security standards, detects insecure configurations, and identifies potential vulnerabilities.
  • Timestamp - facilitates time-based analysis of cryptographic activities, allowing for the detection of anomalies, correlation with other security events, and forensic investigation of security incidents.

    Note

    If an operation involves multiple calls, the timestamp of the operation reflects the final call.

  • Call site - identifies the location or origin of the cryptographic operation within the system or network. Monitoring call sites aids in identifying legitimate and authorized cryptographic activities, detecting unauthorized access or misuse, and troubleshooting security issues.

Operation details tables

Based on the analysis type and the cryptographic operations discovered, the tables below the header on the Operations details page can display relevant information for:

  • Keys
  • Instances
  • Calls
  • Handshakes (Network reports only)

The following sections provide a detailed exploration of each Operations details table.

Keys

Details for keys can include information such as:

  • Key role - how the key is used relative to the selected operation.
  • Cipher data - the data that was either encrypted or decrypted by the key in the operation, as indicated by its role (Encryption / Decryption).
  • First call - the initial invocation point in the codebase where the cryptographic operation is initiated.
  • Wrapped key - a cryptographic key secured by encrypting it with another key.
  • Wrapped by key - property of a wrapped key that specifies the key used to encrypt it.

Instances

The Instances table on the Operations details page lists the instances of rules related to the operation.

Calls

Details for calls made to cryptographic functions are provided when they are available. To access call details, expand the dropdown next to the timestamp.

Handshakes

A network report may provide handshake details, such as:

  • Source IP / Destination IP - IP addresses of the devices initiating and receiving the connection.
  • Source Port / Destination Port - Port numbers used for communication by the source and destination devices.
  • Client Timestamp / Server Timestamp - Times when the client and server sent or received handshake messages.
  • Server - The server involved in the handshake process.
  • Ciphersuite - Encryption algorithms and methods used for secure communication.

Operations: A real-life example

While reviewing a Java application report, Maria identifies the high-severity issue "Diffie-Hellman group too small". Maria recognizes that this out-of-policy issue poses potentially serious audit and security risks.

She selects the instance "512-bit DH keypair generated once" to investigate further. Next, she selects the related operation to open the Operation details page. She then:

  • Examines the details and the JSON snippet at the top, including the parameters for the operation.
  • Selects a key ID to see what else was done with the keys used in the operation.
  • Scrolls down to the Calls, and examines the call arguments, paying particular attention to the stack trace at the bottom of each call to see which part of the application the call originated from.

By reviewing this detailed information, Maria pinpoints the specific calls, arguments, algorithms, and cryptographic elements involved in the issue. She also identifies the exact location in the source code where the issue occurred and determines the module from which the call was made.

Because Maria's organization configured Jira integration, she selects Export to create a ticket for the team responsible for remediating the instance. Guided by the file names and line numbers, they will update the source code to correct the cryptographic operations and address the vulnerability.
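The kind of source change the remediation team would make for this finding, shown as an added example (not code from the product or from the application in the scenario): the 512-bit key pair generation beside a compliant one, plus a guard that checks the group size of any DH key pair. The class name, method names, and the 2048-bit minimum are assumptions; substitute your organization's policy value.

```java
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import javax.crypto.interfaces.DHPublicKey;

public class DhGroupSizeCheck {
    // Assumed policy floor; the page does not state the configured minimum.
    static final int MIN_DH_BITS = 2048;

    // The call pattern behind the finding: a 512-bit Diffie-Hellman group.
    static KeyPair generateOutOfPolicy() throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("DH");
        kpg.initialize(512);
        return kpg.generateKeyPair();
    }

    // The corrected call: same API, group size taken from policy.
    static KeyPair generateCompliant() throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("DH");
        kpg.initialize(MIN_DH_BITS);
        return kpg.generateKeyPair();
    }

    // The group size is the bit length of the prime modulus p.
    static int groupBits(KeyPair kp) {
        DHPublicKey pub = (DHPublicKey) kp.getPublic();
        return pub.getParams().getP().bitLength();
    }

    // Guard for key pairs that arrive from configuration or other modules.
    static void requirePolicy(KeyPair kp) {
        int bits = groupBits(kp);
        if (bits < MIN_DH_BITS) {
            throw new IllegalStateException(
                "DH group is " + bits + " bits; policy minimum is " + MIN_DH_BITS);
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPair ok = generateCompliant();
        requirePolicy(ok);
        System.out.println("compliant group: " + groupBits(ok) + " bits");
        try {
            requirePolicy(generateOutOfPolicy());
        } catch (IllegalStateException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```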