Non-encrypted confidential information - Hexadecimal - Elixir

Non-encrypted confidential information - Hexadecimal - Elixir

Need

To ensure the confidentiality and integrity of sensitive information by using secure encryption methods.

Context

  • Usage of Elixir (1.12.0 and above) for building scalable and fault-tolerant applications
  • Usage of Elixir's built-in Base module for encoding and decoding data

Description

Non compliant code

        defmodule MyApp do
  def encode(data) do
    {:ok, hex_data} = data |> to_string() |> Base.encode16()
    hex_data
  end
end
        
        

In this insecure code example, sensitive data is being encoded to hexadecimal using Base.encode16(). Although this does obfuscate the data, it does not provide any security because it can easily be decoded back into its original form.

Steps

  • Use a secure encryption method such as AES (Advanced Encryption Standard).
  • Use secure random keys for each encryption process.
  • Use a secure method to store and manage encryption keys.

Compliant code

        defmodule MyApp do
  def encode(data) do
    # Here is an example key, but for real-world applications, you should use a secure way to store and access keys
    key = :crypto.strong_rand_bytes(32)
    iv = :crypto.strong_rand_bytes(16)
    {:ok, encrypted_data} = :crypto.block_encrypt(:aes_gcm, key, iv, to_string(data))
    encrypted_data
  end
end
        
        

In this secure code example, the AES encryption algorithm is used to encrypt the data. This provides both confidentiality and integrity for the data. It's important to manage the encryption keys securely, as the security of the encrypted data depends on the security of the key.

References