It’s not uncommon when building a threat model or reviewing the design of a system that the topic of cryptography comes up. I just looked at some notes from the last four weeks, and in that time I reviewed seven cryptographic designs.
I also remember that in each of those meetings, I said, “Fair warning, in this call I will be specific with my wording when it comes to crypto, so don’t be surprised when I ask you to be specific, too!”
Or something similar.
I am pedantic with my wording, especially when it comes to crypto, and you should be too! Why? Because it helps everyone understand whether the system is designed correctly, and it removes ambiguity.
Here are some examples.
“We will encrypt the data with the key.” My response is “which key?”
“We encrypt the certificate.” My response is, “Do you encrypt the cert or the private key associated with the certificate? Because there’s no need to encrypt the certificate.”
Or, my favorite when there’s a hierarchy of keys, “We will rotate the key every two years.” My response is again, “Which key?” Rotating a key encryption key (KEK) is easy: you unwrap each data encryption key (DEK) with the old KEK and re-wrap it with the new one, and the encrypted data itself never moves. Rotating the DEK(s) is hard when you have millions of rows of data, because every row has to be decrypted under the old DEK and re-encrypted under the new one. But that’s a discussion for another day.
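To make the cost difference between the two rotations concrete, here is a small two-level envelope scheme in Go. This is example code added for illustration, not code from the original post: a KEK wraps a single DEK, the DEK protects every row, and the two rotation functions show what each one has to touch. The AES-256-GCM choice, the function names, the "row"/"dek" associated-data labels and the sample rows are my own assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// newKey returns a fresh random AES-256 key; KEK and DEK are the same type, only their role differs.
func newKey() []byte {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce || AES-256-GCM ciphertext+tag; aad labels the blob type (row vs wrapped DEK).
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; a wrong key or a wrong aad fails authentication.
func open(key, blob, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// mapRows applies fn to every row; EncryptRows/DecryptRows use it with the DEK, and this O(rows) pass is what a DEK rotation has to repeat.
func mapRows(rows [][]byte, fn func([]byte) ([]byte, error)) ([][]byte, error) {
	out := make([][]byte, len(rows))
	for i, r := range rows {
		v, err := fn(r)
		if err != nil {
			return nil, err
		}
		out[i] = v
	}
	return out, nil
}
func EncryptRows(dek []byte, rows [][]byte) ([][]byte, error) {
	return mapRows(rows, func(r []byte) ([]byte, error) { return seal(dek, r, []byte("row")) })
}
func DecryptRows(dek []byte, enc [][]byte) ([][]byte, error) {
	return mapRows(enc, func(c []byte) ([]byte, error) { return open(dek, c, []byte("row")) })
}
// The KEK protects only the DEK; this small blob sits next to the data, the KEK itself stays in the KMS/HSM.
func WrapDEK(kek, dek []byte) ([]byte, error)       { return seal(kek, dek, []byte("dek")) }
func UnwrapDEK(kek, wrapped []byte) ([]byte, error) { return open(kek, wrapped, []byte("dek")) }
// RotateKEK: one unwrap and one wrap per DEK, however many rows it protects. The rows are untouched.
func RotateKEK(oldKEK, newKEK, wrapped []byte) ([]byte, error) {
	dek, err := UnwrapDEK(oldKEK, wrapped)
	if err != nil {
		return nil, err
	}
	return WrapDEK(newKEK, dek)
}

// RotateDEK: every row is decrypted and re-encrypted, and the new DEK must then be wrapped again.
func RotateDEK(oldDEK, newDEK []byte, enc [][]byte) ([][]byte, error) {
	plain, err := DecryptRows(oldDEK, enc)
	if err != nil {
		return nil, err
	}
	return EncryptRows(newDEK, plain)
}

func main() {
	rows := [][]byte{[]byte("row 1: alice"), []byte("row 2: bob")} // constructed sample rows
	kek1, dek1, kek2, dek2 := newKey(), newKey(), newKey(), newKey()
	enc, _ := EncryptRows(dek1, rows)
	wrapped, _ := WrapDEK(kek1, dek1)
	wrapped, _ = RotateKEK(kek1, kek2, wrapped) // one small blob rewritten, rows untouched
	enc, _ = RotateDEK(dek1, dek2, enc)         // every row rewritten; dek2 must then be wrapped
	fmt.Printf("wrapped DEK: %d bytes; rows re-encrypted: %d\n", len(wrapped), len(enc))
}
```

RotateKEK rewrites one blob no matter how many rows the DEK protects, while RotateDEK has to read and rewrite every row, which is why the second one is the hard rotation at scale. In a real system the KEK would live in a KMS or HSM, and you would normally have one DEK per table, partition or object so that DEK rotation can be done incrementally rather than as one giant pass.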
I could keep going, but these are some common comments I hear.
So please be specific when talking about cryptography, especially keys!