Skip to content

Analysing Applications And Its Impact On Cryptography


In my previous article, I have talked about all that you need to know about network security. In this article, I will be talking about applications and their impacts on cryptography. Where can PKI be used by an enterprise?

The following provides a shortlist of common uses of PKIs:

  • SSL/TLS certificate-based peer authentication
  • Secure network traffic using IPsec VPNs
  • HTTPS Web traffic
  • Control access to the network using 802.1x authentication
  • Secure email using the S/MIME protocol
  • Secure instant messaging
  • Approve and authorize applications with Code Signing
  • Protect user data with the Encryption File System (EFS)
  • Implement two-factor authentication with smart cards
  • Securing USB storage devices

Encrypted Network Transactions

A security analyst must be able to recognize and solve potential problems related to permitting PKI-related solutions on the enterprise network.
Consider how the increase of SSL/TLS traffic poses a major security risk to enterprises because the traffic is encrypted and cannot be intercepted and monitored by normal means. Users can introduce malware or leak confidential information over an SSL/TLS connection.
Threat actors can use SSL/TLS to introduce regulatory compliance violations, viruses, malware, data loss, and intrusion attempts in a network.
Other SSL/TLS-related issues may be associated with validating the certificate of a web server. When this occurs, web browsers will display a security warning. PKI-related issues that are associated with security warnings include:
  • Validity date range – The X.509v3 certificates specify “not before” and “not after” dates. If the current date is outside the range, the web browser displays a message. Expired certificates may simply be the result of administrator oversight, but they may also reflect more serious conditions.
  • Signature validation error – If a browser cannot validate the signature on the certificate, there is no assurance that the public key in the certificate is authentic. Signature validation will fail if the root certificate of the CA hierarchy is not available in the browser’s certificate store.


The figure shows an example of a signature validation error with the Cisco AnyConnect Mobility VPN Client.

Signature Validation Error

The figure shows the Cisco AnyConnect Secure Mobility Client message history tab with a highlighted message that says no valid certificates available for authentication and a popup window that says certificate validation failure.
Some of these issues can be avoided due to the fact that the SSL/TLS protocols are extensible and modular. This is known as a cypher suite. The key components of the cypher suite are the Message Authentication Code Algorithm (MAC), the encryption algorithm, the key exchange algorithm, and the authentication algorithm. These can be changed without replacing the entire protocol.
This is very helpful because the different algorithms continue to evolve. As cryptanalysis continues to reveal flaws in these algorithms, the cypher suite can be updated to patch these flaws. When the protocol versions within the cypher suite change, the version number of SSL/TLS changes as well.

Encryption and Security Monitoring

Network monitoring becomes more challenging when packets are encrypted. However, security analysts must be aware of those challenges and address them as best as possible.
For instance, when site-to-site VPNs are used, the IPS should be positioned so it can monitor unencrypted traffic.
However, the increased use of HTTPS in the enterprise network introduces new challenges. Since HTTPS introduces end-to-end encrypted HTTP traffic (via TLS/SSL), it is not as easy to peek into user traffic.

Security analysts must know how to circumvent and solve these issues. Here is a list of some of the things that a security analyst could do:

  • Configure rules to distinguish between SSL and non-SSL traffic, HTTPS and non-HTTPS SSL traffic.
  • Enhance security through server certificate validation using CRLs and OCSP.
  • Implement antimalware protection and URL filtering of HTTPS content.
  • Deploy a Cisco SSL Appliance to decrypt SSL traffic and send it to intrusion prevention system (IPS) appliances to identify risks normally hidden by SSL.

Cryptography is dynamic and always changing. A security analyst must maintain a good understanding of cryptographic algorithms and operations to be able to investigate cryptography-related security incidents.


There are two main ways in which cryptography impacts security investigations. First, attacks can be directed to specifically target the encryption algorithms themselves.

After the algorithm has been cracked and the attacker has obtained the keys, any encrypted data that has been captured can be decrypted by the attacker and read, thus exposing private data. Secondly, the security investigation is also affected because data can be hidden in plain sight by encrypting it.

For example, command and control traffic that is encrypted with TLS/SSL most likely cannot be seen by a firewall. The command and control traffic between a command and control server and an infected computer in a secure network cannot be stopped if it cannot be seen and understood.

The attacker would be able to continue using encrypted commands to infect more computers and possibly create a botnet. This type of traffic can be detected by decrypting the traffic and comparing it with known attack signatures, or by detecting anomalous TLS/SSL traffic. This is either very difficult and time-consuming or a hit-or-miss process.


Action Point
PS: If you would like to have an online course on any of the courses that you found on this blog, I will be glad to do that on an individual and corporate level, I will be very glad to do that I have trained several individuals and groups and they are doing well in their various fields of endeavour. Some of those that I have trained includes staffs of Dangote Refinery, FCMB, Zenith Bank, New Horizons Nigeria among others. Please come on Whatsapp and let’s talk about your training. You can reach me on Whatsapp HERE. Please note that I will be using Microsoft Team to facilitate the training. 

I know you might agree with some of the points that I have raised in this article. You might not agree with some of the issues raised. Let me know your views about the topic discussed. We will appreciate it if you can drop your comment. Thanks in anticipation.


Fact Check Policy

CRMNIGERIA is committed to fact-checking in a fair, transparent and non-partisan manner. Therefore, if you’ve found an error in any of our reports, be it factual, editorial, or an outdated post, please contact us to tell us about it.


Fact Check Policy

Leave a Reply

Your email address will not be published. Required fields are marked *