Rules Use Case: Secure Your Encryption

Ensuring the security of encryption is crucial for protecting sensitive data from unauthorized access and tampering. This guide outlines best practices to enhance encryption security.

Best Practices for Secure Encryption

1. Use Strong Encryption Algorithms

Utilize well-established and cryptographically secure algorithms such as AES (Advanced Encryption Standard) with a 256-bit key.
Avoid deprecated or weak algorithms like DES or SHA-1.

2. Keep Encryption Keys Secure

Store encryption keys securely and restrict access to authorized personnel only.
Use Hardware Security Modules (HSMs) or key management services to protect keys from theft or unauthorized access.

3. Implement Key Management Best Practices

Regularly rotate encryption keys to minimize exposure risks.
Securely store backup keys in a separate, protected environment.
Use different keys for different purposes (e.g., data encryption keys vs. key encryption keys).

4. Encrypt Data at Rest and in Transit

Encrypt sensitive data when stored (at rest) and when transmitted over networks (in transit).
Use secure protocols such as TLS (Transport Layer Security) for encryption data in transit.
Implement disk encryption solutions for data at rest on storage devices.

5. Secure Key Exchange Mechanisms

Use asymmetric cryptography (e.g., RSA, Elliptic Curve Cryptography) or key establishment protocols (e.g., Diffie-Hellman) for secure key exchange.
Ensure that key exchange processes are authenticated and protected against man-in-the-middle attacks.

6. Implement Access Controls

Restrict access to encrypted data based on user roles, permissions, and least privilege principles.
Ensure only authorized users or applications can access decryption keys.

7. Regularly Update and Patch Encryption Systems

Keep encryption software, libraries, and systems up to date with security patches to address known vulnerabilities and weaknesses.
Regularly review and update encryption configurations to align with industry best practices.

8. Monitor and Audit Encryption Activities

Implement logging and monitoring to track key usage, encryption operations, and access attempts.
Conduct regular audits to ensure compliance with security policies and regulatory requirements.

9. Secure Hardware and Environments

Protect hardware and physical environments where encryption keys and sensitive data are stored.
Implement physical security measures such as access controls, surveillance, and environmental controls (e.g., temperature, humidity).

10. Educate Users on Encryption Security

Conduct training and awareness programs for employees.
Encourage compliance with security policies and reporting of suspicious activities.

PowerBuilder Encryption Rule: Use AES in a Secure Mode

The PowerBuilder code rule "Always use AES encryption algorithm in a secure mode" states that developers must use the AES (Advanced Encryption Standard) algorithm for all encryption operations. AES is a symmetric encryption algorithm - one of the strongest and most reliable encryption algorithms available.

When implementing AES encryption, always use a secure mode such as:

Cipher Block Chaining (CBC)
Galois/Counter Mode (GCM)

This ensures that the encrypted data is secure and not susceptible to attacks.

Key Benefits of AES Encryption

✔ Secure – Strong encryption that is difficult to break.
✔ Reliable – Suitable for long-term data protection.
✔ Flexible – Works with various data types.
✔ Efficient – Encrypts large datasets quickly.

Compliant vs. Non-Compliant Code

Non-Compliant Code

Code that does not adhere to established coding standards, guidelines, or best practices. It may involve:

Violations of coding conventions, architectural principles, security policies, or industry regulations.
Errors and inefficiencies that impact performance and reliability.
Security vulnerabilities that expose software to potential threats.
Compliance risks that may lead to regulatory issues.

Detecting and correcting non-compliant code is crucial to maintaining scalable, secure, and high-quality software while ensuring compliance with industry standards.

Example of non-compliant code

loo_Crypt = create oleobject
loo_Crypt.CryptAlgorithm = "aes"
loo_Crypt.CipherMode = "ecb" // ecb is not compliance

Blob lblb_data
Blob lblb_key
Blob lblb_iv
Blob lblb_encrypt

lblb_data = Blob("Test DES", EncodingANSI!)
lblb_key = Blob("Test Key12345678", EncodingANSI!)
lblb_iv = Blob("Test IV 12345678", EncodingANSI!)

CrypterObject lnv_CrypterObject
lnv_CrypterObject = Create CrypterObject

lblb_encrypt = lnv_CrypterObject.SymmetricEncrypt(AES!, lblb_data, lblb_key, &OperationModeECB!, lblb_iv, PKCSPadding!) // OperationModeECB! is not compliance

Compliant Code

Code that follows established coding standards, guidelines, and best practices. It ensures:

Adherence to coding conventions, architectural principles, security policies, and industry regulations.
Well-structured and readable code for easier understanding.
Maintainability and scalability for long-term software stability.
Security and reliability to minimize vulnerabilities.
Correct functionality that meets quality standards.

By writing compliant code, developers improve software quality, making it easier to maintain, extend, and debug in the future.

Example of compliant code

loo_Crypt = create oleobject
loo_Crypt.CryptAlgorithm = "aes"
loo_Crypt.CipherMode = "cbc" // cbc is compliant

loo_Crypt = create oleobject
loo_Crypt.CryptAlgorithm = "aes"
loo_Crypt.CipherMode = "ctr" // ctr is compliant

Blob lblb_data
Blob lblb_key
Blob lblb_iv
Blob lblb_encrypt

lblb_data = Blob("Test DES", EncodingANSI!)
lblb_key = Blob("Test Key12345678", EncodingANSI!)
lblb_iv = Blob("Test IV 12345678", EncodingANSI!)

CrypterObject lnv_CrypterObject
lnv_CrypterObject = Create CrypterObject

lblb_encrypt = lnv_CrypterObject.SymmetricEncrypt(AES!, lblb_data, lblb_key, &OperationModeCFB!, lblb_iv, PKCSPadding!) // OperationModeCFB! is compliant