Justin Clarke - Practical Crypto Attacks Against Web Applications

my mic okay yeah yeah okay you're all responsive yeah uh excellent excellent welcome all uh practical crypto attacks against web applications so I had a slight concern just a little bit before as to whether I was going to be too basic so hopefully I'm going to strike the balance between just confusing the hell out of you for an hour and boring the hell out of you for now so uh you know let's let's see how how that goes um for those of you uh who don't know me if I talk too fast because I'm from New Zealand and therefore you can't understand what I'm saying let me know and I'll slow down you know kiwi you

know we can talk fast sometimes we just not naturally do um so excellent overview I am not a cryptographer and um actually is there any cry anybody who has uh you know crypto like you call yourself cryptographer in the in the audience good because what I'm going to talk about today is you know if you're not a cryptographer this stuff is practical stuff to look at so we're looking at um and there's three particular ones in particular that I'm looking at which are repeatable patterns of things that you can look for um which are indicative of um and how you can actually look at kind of breaking those systems as well um and cryptography is

wonderful but but if you use it badly often you end up in a situation where it doesn't give you anywhere near the protection that you um that you want so using crypto does not equal security equally crypto does not equal security um and the reason that I probably wanted to pitch this one in here uh and do this talk is because you know I think there's probably certain one certain people in here who do look for this kind of thing in fact I I ran into fors wiger death um just before and he said that the the latest version of um of of burp is it in burp s or burp Pro or both or okay um is going to have um some bit

flipping attacks especially against things like cookies as well which is exactly the kind of thing I'm going to talk about now so it's something that you you probably had to do manually up until this point um so we're going to look at the kind of kind of stuff that we can uh we can do there so I mean perhaps this isn't something which has been well pin tested uh if you've been around a long time youve probably have heard of or you may well be uh a lot more expert in some of these things than I am um but the Assumption here is that there's probably a few of you out here who are not probably figuring out that

it's it's quite as easy to look for these kinds of things as it actually is so the basics confidentiality integrity and authenticity so so what are we trying to achieve um I mean inevitably it's probably um the first one confidentiality that's what we think of you know we want it to be secret um but the other ones um and I've used auth the inent of availability in this particular case just to just to fudge with those of you who know what the CIA actually is um but it's often kind of the ident you know the actual Integrity of the data and things like that is pretty damn important but it's not something that um that we need to um this not something

that we often kind of consider and it's often something that when you're doing something when you're a say a web developer you're throwing something together you know you're encrypting it you know the way you do that um can have some impacts on the kind of stuff as well so what are we actually going to look at today so because we just have 50 minutes and because I am going to attt the Demons of fat and try and do live demos of this stuff which may or may not lead to massive demo fail or not um we're going to look at three main kind of ones so we're going to look at ECB mode um crypto which even though you

hear about the fact that it's bad people still use we're also going to look at um padding oracles uh and we're also going to have a brief kind of coverage on some of the random number Generation stuff here now all three of these scenarios are ones we find in pentests so you know the question is are you looking for them and let's have a look at the kinds of things you should be looking for so if we're talking about the crypto because we' got two different um kind of symmetric crypto ones um for those of you who um you know don't don't necessarily haven't you know dug into this too too much much detail uh we

basically have a number of different ways that these things could work the two ones that we're going to look at today are probably the two most common ones you come across ECB and CBC of those CBC is the one that you probably should be using um but the trick here is cryptography you know encryption doesn't equal Integrity can anyone tell me what happens if you take like you know uh you know crypto so you take Cipher text and you flip a bit and you decrypt it what happens yeah you'll get a slight change in the clear text now it's not predictable what that's going to be but you know equally you may as well sit there and flip them

just to see if you get anything interesting so I mean used in isolation these things don't provide any integrity and a lot of things that we're going to talk about Le especially for the first part of this talk are directly related uh to that so ECB is kind of like the the default mode we're looking at block encryption um so block encryption um who can tell me what kind of common block size would be what's a what kind of block sizes we're talking about 64 bit 128 bit so so those are probably the two most common ones we come across so 64bit um very common for things like triple D um AES usually 128 bit what

does that mean it means eight bytes or 16 bytes um so if we're not quite familiar with kind know like thinking of bits versus bites you know we are talking like discret blocks what happens ECB you take the first block you encrypt it get the next block you encrypt it next block you encrypt it why is that bad because oh actually it's not bad because it's using the same key what happens if the plain text is the same you get the same Cipher text yeah so I mean it's ECB mode has been known to be bad for as long as there has been ECB mode um why it's why it's not even there so here's an example take a

graphic and alerts hasn't turned out particularly well in this particular case encrypted with ECB mode what do you get well you don't hide the patents for a start it is encrypted but you know there's a lot of information um which is exposed there however we continue to see people using ECB mode because it is supported in all of the major uh Frameworks so it's almost as if they should probably really just take it out but um it does have some you know so people will continue to use it so what kind of scenarios are we talking about so you know take something like this cookie cookie value for example say we have an encrypted cookie

value um and it has various kind of things we have user IDs roles names you know the kind of thing that you know you might uh end up sticking in a cookie uh on a legacy system or something like that so let's assume that we've actually encrypted that so uh you know we've taken this we've done it on um using 64 bit one in this particular case we have eight bytes um and we've encrypted it so you know that's fine you know it looks secure it's hex it's secure isn't it yeah um what happens if we actually swap things around so I mean we're not talking about anything rocket science in this particular case but if if we have

an element of predictability about what is actually in these particular things and there is a direct correlation in ECB mode between what block is what bit of data um we can just you know have fun and play with things so in this particular case we swapped um kind of block seven into where block two is um and then when we have uh the decryption operation happens uh you know we have uh you something quite different so in this particular case you know this is a contrived example in this case um but we've gone from R three to R 39 what does that mean well in the context of the application who knows um but it's

interesting that this kind of thing um is is not something that we're generally kind of looking for so we have you know a bit of differentiation there so now we have we'll see if this works so um this particular example uh is based on a uh a live example that we did see add a client so let me introduce a few bits and pieces so first of all uh let me introduce you to the stock Trader application which hopefully is still working uh and it's probably also yeah off so as as you can see no license copy so uh let's let's go and have a look and see what we've got in here so let me just maximize this because this

is a relatively simple example so this is uh an example application it's going to use for a couple of things now there's an an interesting piece of functionality in this application which is uh basically it's a self-registration functionality uh and what happens in this particular uh functionality is we just register a user so let me just put test

is and what happens is uh see that at

the suffering from resolution a little bit here uh is we end up with basically a single sign off a single sign on pass off between two different systems so in this particular scenario we have um a system which does enrollment and it's basically doing a single sign of pass off to another system system uh which is authenticating so this this kind of scenario um does come when you've kind of rolled your own single sign on or if you have perhaps a legacy system where you're logging somebody in and then you're basically kicking them over to a new system probably as part of um kind of a rollover period uh in this particular case we have you know the

first thing is it's like it's like you know I'm always interested in anything which is hex but it's like one two three four 5 6 7 8 9 10 11 12 13 14 15 16 I'm especially interested in anything which is divisible into blocks of eight um because it's it's automatically a little bit suspicious now in this particular case we have a pure hex value um it could also be Bas 64 um it could be encoded in a number of different ways as well so um it's it's something which is of interest um I'm also also very interested in situations where we possibly have the ability to put something into something which is encrypted so if we have the ability to

force the application to encrypt something for us and The observed the outputs um and that's the particular example in this case so the example that we have in this case is this let me log

out now to skip several stages there is an account called

admin and strangely enough um you can't create another account called admin um because the way that the authentication for this particular application works uh you know it is it is a login Handover what kind of stuff could we do well let's have a look and see what happens if we do stuff like this so and I'm just going to do a few of these and we'll have a look and see what it looks like was going to call X headman

Edmond I'll do one more just we have a look and see what're

seeing where are we

too many windows okay so let's have a look and see what we're actually what we've been seeing so so there's the second one so 09 another one7 ah excellent okay interesting it's now got longer okay so what what's happened in this particular case is we actually started another block okay so this is interesting so generally speaking what we're going to do is we're going to continue adding Exes in this case I'm going to skip a few steps because we actually end up doing about n this particular case uh what's happened in this particular case well whatever's in there um by putting the ex as now spilled over into the next one so we have you know presumably you know XXX a

and then or maybe XS XXX a m n m i n and then the last the last block is actually the N so let's just skip a couple of steps and show you where we going with

this create three more so

that's how many one two three four five six seven

and we'll do one n as

well so let's going to have look and see what kind of results we get with that kind of thing so my point okay so it was the last one that one was when we just uh basically would made admin greater than eight byes was n byes long so if we go down and have a look at them so that was uh seven or maybe was it six X's I think it was seven X's uh eight X's so and nine X's okay so that's interesting now we have uh exactly the same thing so if we're doing this kind of thing up until now we probably don't know what that is other than the fact it seems to

be predictable or seems to be contain some stuff that we put in there but now it's kind of it's pretty clear that's what's what's in that first kind of 16 bites what is that 352 2 F2 whatever it is yeah it's it's 8 x's and that's it so because we still have eight eight x's on the front of it so likely is not um and and we see this because um the first block is exactly the same it's probably ECB mode so what [Music] is uh if we have a look at it 63 what is 45 A9 Etc what is that admin it's probably admin encrypted and you know just just because we've got to prove these

things this is when Justin hopes this this actually works because even though you test these things the previous night you're never 100% sure it do work on the day so that's the value that we extracted which logs Us in admin so this is a very simple example but this is based on a concrete example where we did exactly this the only difference in the example that we that we actually exploited was this was a cookie uh and the only uh other um you know kind of bit was instead of putting basically stuff on uh in that particular case instead of putting stuff on the front of the username we're actually putting stuff in the middle of the

username uh and that was largely because of how they did the the usernames and stuff like that but it's literally if you see pieces of data with that you have to play with them and see what happens um so this one particular one is is a nice easy example um but you okay occasionally will come across exactly that kind of thing so you know ECB mode it is generally bad so what about CBC mode so ECB mode came out and everyone said oh that's actually not particularly good idea um because we can do block swapping so what we're going to do is we're going to do Cipher block chaining so what we're going to do

is we're actually going to exor in uh effectively something to make the um the next block dependent on the previous one so the way it happens to be implemented in this particular case is first of all this is where you have an inial initialization Vector what's the initialization Vector used for Vladimir you've been answering lots of questions let's initialized vation Vector what's it used for it's well okay it's made to make the it's it's used to make the first block not predictable because we don't we're not mixing in anything previously with the first block so if the first block was always the same it would be always the same we' end up with you know having

some predicability about that so then ization Vector kind of mixes some stuff in to start with and effectively what we're doing is we're exing in the cipher text from the previous operation with the pl text and then encrypting that so effectively we're building a dependency so so this looks all really good and I like these like diagrams which have pretty boxes and exors and arrows and plain text goes here and Cipher text goes here but um and you know so we have exor operations this that's what the arrows are there for and and it does work what it's intended to do it does mix in and kind of break a lot of those patterns and

things like that but implementation is a um so decryption operation is effectively you know exactly the reverse so we end up with the initialization Vector Cipher text decrypt exor plain text um so we are doing the exor operations in Reverse in order to be able to do this what's what's important about this is we're actually exing in the cipher text uh from the previous one so it's just the implementation uh and block swapping will result in corruption so you can't you can't swap them around you'll end up with msons note this doesn't mean that you won't be able to decrypt it you can you'll be able to just arbitrarily stick whatever you like into an encryption algorithm

for the most part uh and force it to decrypt you'll just end up with nonsense you're not going to end up with what you start what you're looking for but the way people Implement systems based on these can um have problems this is where the padding Oracle is particularly good example of this what is a padding Oracle has nothing to do with Oracle so we're not going to talk anything about databases um this is um a a kind of crypto issue it's also a crypto issue which has been known about for a long time I think um the first kind of public paper on this was maybe 2002 um a lot of you may have heard

um April last year I think it was um that couple of chaps whose named Juliano and completely tie um presented a paper at black hat Europe last year I'm kind of looking at practical attacks on on JSF um September last year we this this really kind of burst onto the scene um because there was a major padding Oracle exploit in net so what are we actually talking about well we're talking about bit flipping of Cipher text so we have Cipher text and we have the relationships between blocks of cyer text so we can we can actually bit flip and just basically just start changing things to see what happens um but in this particular case we're looking at a

behavior of how the SYM system is implemented which based on this behavior um we can get more information and what it leads to is the ability to actually arbitrarily decrypt the data without knowing the key without even knowing the algorithm entirely based on the behavior of the system itself so the first thing we have to talk about when we talk about um padding oracles is what is padding so um when we're encrypting stuff because we're encrypting blocks of eight blocks of 16 data uh if you don't have a block of eight or block of 16 you need to pad it so you need to stick something on there in order to have something to encrypt and um this is pkcs5 padding

basically if you have you know three bits of data you need to pad it then with five more bits of data in this particular case you end up ping it with five lots of hex5 um if you have six you end up padding with two lots of two um if you end up seven you end up padding with one of one and uh interestingly if you have if you actually do have eight you'll end up padding it with eight lots of eight so this is a very standard um padding uh Behavior it's not the only one you come across um but it's probably the most common one that you'll come across and the reason you do this is

that so effectively so you can validate that you decrypt something correctly because if you decrypt something and it's correctly padded then it was probably successful in the decryption operations this is one of the useful ways you can tell whether you've actually managed to successfully decrypt something or not so pkcs5 and what are we talking about when we talk about um you know oracles well there is only eight possible padding sequences you could have uh in the situation of having an an eight block um algorithm so first of all that's interesting so we know for sure what at least one bite of this this data is going to be or it could only be eight things and depending

on what it was we could know more of them so that's that's interesting that's interesting and um so what happens if we do kind of bit flip in CBC mode so say for example in this particular case you know we do flip for example uh you know the six kind of bite uh in this kind of situation well we're going to end up with that kind of stuff affecting the plain text but interestingly it's also going to end up affecting the plain text of the next blog okay so that's interesting so this is all kind of like about how it works and based on how the decryption operation itself is works and this is especially how it commonly Works in uh

something like a web application is um we're probably going to end up with number of Errors if the description operation fails in some particular case even better if we know what those Zs are so the one that we're particularly interested in is you know um so inel keys well hopefully we're not going to get one of those um is it an even block multiple so those ones are only if you you're kind of like feeding in invalid dator the one we're particularly interested in is an invalid padding exception so how is that going to useful to us so so this one this one is interesting because part of this is we need to be able to determine whether we

have this error so what happens commonly in something like a web application if you try and do something with data and it fails get away application error maybe it even bubbles up um an error message an explicit error message if you're lucky but um more to the point you're likely to see a different Behavior you might get a a 500 era where previously you were expecting a 200 um so there's some observable Behavior if we manag to cause one of these things to happen so what are we talking about with a padding Oracle effect and and the or this is where the Oracle bit comes in because the Oracle means that we are effectively we have the application of

the system as it's implemented is telling us whether we have this one not so effectively the application as it's as it's um implemented is telling us uh that this this situation does exist so let's take the example so we're going to flip the last bite of this Ty text so first of all we're going to end up with rubbish Pain t we don't care but so we call that one by X so by X maps to by y so basically it is exord um with the the results of the next one so it does affect the next uh operation so what happens if the plain text doesn't is is Inc correctly had it well that this is this is the situation

where we have it so previous block we changed that or actually we just put it as one uh it is going to affect and it be exord and at the end of the day the plain text which comes out of the next block uh if it's not validly padded we're probably going to get an exception so here's an example we put in zero so you know okay so we put in zero we get an exception we put in one we get an exception we put in two we don't get an exception what does that tell us what it tells us is if we stick a two into the cipher text of the previous block what must that value be if it's

correctly padded what so sorry was that yes it must be a padding value so it must be a valid padding value of which there is is only eight and likely is not we know exactly what that is it must be one so we know what that value is so we know if we stick a two in here we get a one out here so equally we can we can continue that and because we're talking about exor this means that we know other stuff as well so more to the point this um it's basically the intermediate kind of value the one which comes out of the description uh and is then exor with the cipher text it means

we also know what that value was as well so it means that we know effectively three different bits of information so I mean effectively that gives us um the ability to kind of figure out what that unencrypted value is it also gives us the ability although we're not going to really talk too too much detail about this to actually be able to re-encrypt stuff with that block as well so not only can we use this particular exploit to decrypt stuff which is the simplest of the two examples but we can also use this exploit to reencrypt stuff and we don't know the key we don't even know what the algorithm is at this point um

we're entirely looking at the behavior of the system and how it's implemented so if our panning bite was one um the bite that we stuck in which is the two uh tells us effectively the intermediate bite um you know must be such and such having actually figured out what that is give be something else so in we're just going to call that the intermediate one because it's effectively a value that we don't normally look at U but it's just interesting that particular case so let's just have a look at a practical example of this who's who's come across pad Buster pad Buster few of you so um on the Gotham Digital Science website we have a free tour which I'm going to demo

um it is open source it's a reciprocal public license feel free to do whatever you want with it um toour which exploits exactly this stuff as well so let's have a look at doing that

so so um I'm going to do this against uh this particular application here so uh as I mentioned there was a there's a padding Oracle exploit or padding Oracle problem with uh net as of kind of September 2010 last year so it was patched so the version that I'm not going to the version I'm showing this particular case is not patched um but I'm just going to demo it in this particular case so there's a couple of bits and pieces in The NET Framework which are susceptible to pading oracles can anyone any got any audas can tell me what they are you guys are very communicative today okay view States so view states are a good one um

but the one I'm going to particularly look at at this at this case is resource handlers so resource handlers U Don 3.5 net4 ajx abs are particularly interesting so there's two of them by default that you would normally come across one's called the web resource Handler uh and the other one's called The Script resource Handler now uh if you have a look into more detail about the um the the padding Oracle tax you could actually use the script resource Handler to do handy things like download the web.config off the site which is kind of cool you kind of just you know pointing it at something decrypting it re-encrypting it and saying give me the web.config uh and it would now

unfortunately I couldn't get that working uh largely because the this application here is not an Ajax application even though it is a 3.51 so what I'm going to do is I'm just going to show you an example of uh decrypting something rather through um through the web resource Handler so what the hell am I talking about when I talk about we resource handlers so let me have a look at the Target thing we would have come across some of these I'll break this down we're talking about this thing so what the hell is that effective L what it is is it is a request um which returns a script effectively so this bit of data is a

script or it's appointed to a script in fact it actually is a file name uh in this particular case it's interesting um because with the web resource Handler you can actually download any JavaScript files which are inside a and assembly DL and net the script resource Handler is more interesting because you can actually pull down any file on the box um so unfortunately we can't demonstrate that one in this particular case so and let me Demo P Buster so hopefully this works so it's worth pointing out at this point that pad Buster is not a specific tool for this particular issue uh it's written by a colleague of mine Brian um in in New York um it is a general tool for all

types of padding oracles so it was actually originally written for uh exploiting um JSF server faces VI States um but it works quite handily with the net example as well so main things we're looking at we need to provide a URL we need to provide an encrypted sample of data uh and we need to specify block size so let's do that so grab one of these

help the

spell um and and when we're talking about um encrypted sample uh effectively it just needs you to tell it what the bid is that it needs to play with so it's going to be that one so 2 j8 uh in this particular case if I remember correctly uh it needs to be 16 the block size how's my PO gone um and there's a c couple other things we need to specify in this particular case um these are net specific ones which are effectively telling it uh what kind of format the data is in and so this particular case encoding is net URL token it's a particularly weird version of um of encoding that's it has its own

particular one and no IV means you know one of these you know the IV is not included in this block put on there so let's see if this works

okay so what has it done it has gone through and it has flipped effectively the the the the last block of that to all 256 values and it's just seen what happened now what happens in a web application is going to be is going to be different depending on the application you could see 200s 302s 500s but more important we have one which is grossly different to the other ones so effectively we're looking for the error condition at this at this point so we can then um effectively tell which ones are accurate which one's not so it's it's handly pointed this out that we should probably select two at this point and what it's going to do is it's

going to go through the process of decrypting that piece of

information now I'll warn you now that the output of this is not very exciting what's actually in here is not very interesting um but it is purely just to demonstrate um kind of the output of this kind of

thing y so the descripted value is that which is not very exciting um so effectively what it is is a reference to uh s so the way this particular piece of data works is It's s is a particular type of resource which in this particular case is an embedded assembly resource um and then you have piping which are um basically separators uh and the resource is webui validation. JS which is a standard kind of Ajax e kind of net thing um but more to the point you know um we still don't know what this key is uh and we've just decrypted it so um I'll point out this point that um we're just having a chat

with the guys from defensive security pad Buster probably will be on the next version of backtrack um but in the meantime um feel free to pull it down uh just off our website gdse security.com uh it's it's sitting there in the tools thing as well so that's nice little simple example also if you have a look on our blog there's some some good examples of pulling down web. configs if you're particularly interested in how that works unfortunately I couldn't get that demo working for this as noted so both of the things that we we've been talking about so far are purely uh because we have a situation where we have encryption things where we have the ability to change stuff so we

have the ability to change the cipher text for the most part um swap things around and it still works you know so in these particular cases uh largely because it hasn't been signed so you know it might be worth looking at options for signing um if you're trying to fix one of these things things so there's various types of ones H Max is one of them um but have a look into that interestingly the net issue that we just looked at is signed it's just signed the signature is not checked until after you've decrypted it so we're actually forcing the error before it actually checks the signature so in this particular case uh although you know at first part the design looked

good uh because of where they were actually checking the signature it was it after the decription operation as opposed to before um so we had that particular one as well so um other things which are vulnerable to this is the forms authentication cookie as well that's a good one um so if you have an asp app which asp.net app which has forms authentication um that's another one which is suscept to this too JSF VI States also service I don't think the JSF stuff's been fixed does anyone have any better I'm pretty sure the JSF is still vulnerable to this day uh although net has patched um Al I'm not 100% sure I think it was put as an important patch

which means in some cases it may not have been automatically picked up so it's worth it's worth checking to make sure you're not set this um and last but not least because um don't want to run over time G talk about just a and I don't have a demo for this particular one because unfortunately it's a little talking about Rand random number generators it's kind of like you need to you need to run it half a dozen times to like have any chance of it actually working but these kind of situations question are um good examples how random Is Random so you'd be surprised how often we come across situations um where people are using you know normal pseudo

random number generators and you know kind of how how do where do those numbers come from so typically um you know we may have problems with non-random seed values uh or we may have kind of deterministic ones where we can actually predict or or see what those things are as well uh and it's surprising how often you see situations like this so you know we have one one one series two series uh effectively what we're doing is we're just like creating a random no generator and just outputting stuff runs you know one after each other and you know unsurprisingly if it does it outputs the same thing why is that so in this particular case that was

net code um in this particular case we didn't we didn't even supplier seed possibly using crappy random number generator in the first place um and it seeds it off the clock okay so if you're running a random number generator and you seating it off the clock how predictable is is it to be able to figure out what the clock on your server is it's not that hard is it you can probably make an educated guess as to what the clock's going to be especially if it's a Unix box and it's probably running GMT you know you probably got a very limited um kind of kind of time frame as to as what we're looking at in those

cases and um you end up with like code like this and this is based off an example we actually did see where we have basically a random number generator for resetting a password so you've requested a password reset and it's doing it in a pretty crappy way from a security point of view and what's it doing is it's emailing you out your new password so that's fine but can anyone tell me what the big problem in this particular case is well there's no seed well yeah there's no seed and it's a random what happens if you hit this like at the same time or close enough what happens if I just send a lot of

requests yeah you're going to end up with the same password and unsurprisingly that's exactly what happens and whoopsy Daisy what the hell happened there ah okay um unsurprisingly um this does it is possible and is reproducible in practice now if you're doing something over the internet needless to say you're going to have to have an element of luck to get things turning up at pretty much the same time um but through a brew Force approach um you can import situations like this so um there was an experiment like I've lost the reference to the actual paper that they did um but they were actually looking at um a site which had password resets uh implemented in exactly the

same way that we were looking at and and they found out that um if they basically just sent lots and lots of password reset requests um pretty much pretty much at the same time they could end up with and they could force situations where they had the same password sent as well so in this particular case if you have the ability to kind of like arbitr reset people's passwords and you can reset yours at the same time you have an element of predictability as to what that person's password is going to be so it's it's something which is interesting um and something to have a look at and we were talking about net you know is is

Java any better that looks pretty random isn't it may if we do a two two dimensional plot you know look pretty random uh maybe not so so Java has exactly the same kind of problems um although its default random number generator is a little bit better um it has much of the same kind of problems so to summarize implementing cryptography is hard um and a lot of the situations that we just talked about our usage so none of the stuff we've just looked at has anything to do with how strong the crypto we're actually using is and the padding Oracle one we don't even know what the algorithm is let alone what options they're using we

don't care it's all based on usage um so when you are implementing things uh and more to the point when you're looking at other things that other people have implemented and you're looking at it that from from a security point of view as well you need to make sure that you give those things an element of riger around kind of how it's designed how it's implemented and things like that and um when in doubt ask an expert which by the way I'm not a crypto expert but hopefully you know within your organization uh or you know uh within one of people that you rely on or something like that you have somebody who can actually take that kind of look

at something you're designing because crypto is hard