Zero knowledge. Digital signatures. Blockchain. Smart contracts. Anonymous credentials. Belenkiy consultants provides professional cryptographic services for small companies: whether you want to design a custom protocol, use cryptography correctly in your projects, or get a handle on the latest cryptographic technology.
Secure By Design
Security is not something you add on at the end of a project. It is an integral part of the design. Here are some questions that we’ve encountered.
Where do you verify user data sent to the server? Hint: it is not the browser!
This is a surprisingly common error. The user fills out a form on your website, or orders a book, or requests access to a resource, etc. We are used to the convenience of a web-form quickly telling us that some information we entered is missing or invalid. The response is instantaneous because the validation check happens on the browser. But this is a convenience for the user not an actual security measure. The actual security check must happen on the server where the resource is located.
Can you link two anonymous users without revealing their identity?
Authors use pseudonyms. Cryptographers use deterministic encryption, hashes, and other tricks to link data. Clever use of cryptography powers searchable encryption, pseudonymous users, e-cash, and many other privacy preserving applications. Security and privacy determines what data you store in your database and how you encrypt it.
Do I really need to comply with all security standards?
Two product teams were having difficulty complying with security standards. The devices on which their respective products ran did not support the required cryptographic functions. Team A produced a mobile banking application for developing world clients. They needed a cryptographer to design a custom authentication protocol that could run on lower-end cell-phones. Team B worked on a sewing machine; they needed the security compliance team to leave them alone.
Is all this security worth it?
Security is expensive. You need to spend time on design, development, and testing. Security slows down your software, increases network communication, and may even require more expensive hardware. So what exactly are you trying to protect? Is this PII (Personally Identifiable Information), authentication credentials, or your users’ secret cupcake recipes? A Risk Assessment helps you evaluate the cost-benefit trade-offs of each additional layer of security.
Is this cryptography/security library I found on the internet legit?
Probably not. Criminals, governments, and amateurs all publish security libraries on the web. Some of these libraries come with hidden malware, back-doors, and cryptographic vulnerabilities. Your best bet is to use the libraries that come as part of the operating system or the standard language library. There are several well-known open source libraries - these should be your second choice.