Cryptography in Application Security

Cryptography functions as a foundational control layer in application security, governing how data is protected in transit, at rest, and during processing. This page covers the operational structure of cryptographic systems as deployed in software applications, the regulatory frameworks that mandate specific algorithms and key management practices, the classification boundaries between cryptographic primitives and protocols, and the known tensions that emerge when cryptographic requirements conflict with performance and usability constraints. The scope spans symmetric and asymmetric encryption, hashing, digital signatures, key management lifecycle, and the regulatory standards that define acceptable implementations.

Definition and scope
Core mechanics or structure
Causal relationships or drivers
Classification boundaries
Tradeoffs and tensions
Common misconceptions
Checklist or steps
Reference table or matrix
References

Definition and scope

Cryptography in application security refers to the disciplined application of mathematical algorithms to protect the confidentiality, integrity, and authenticity of data processed, transmitted, or stored by software systems. The scope extends beyond selecting an algorithm: it encompasses key generation, storage, rotation, revocation, and destruction, as well as the protocol layers that carry cryptographic operations between endpoints.

The operational boundary is defined by three objectives, formalized across standards bodies including the National Institute of Standards and Technology (NIST): confidentiality (preventing unauthorized disclosure), integrity (detecting unauthorized modification), and authenticity (verifying identity of communicating parties). A fourth objective — non-repudiation — extends authenticity by providing binding proof of origin through digital signatures.

Regulatory scope is broad. The Payment Card Industry Data Security Standard (PCI DSS v4.0) Requirement 4.2.1 mandates strong cryptography for all cardholder data transmitted over open, public networks. NIST SP 800-53 Rev. 5 Control SC-28 requires protection of information at rest for federal information systems (NIST SP 800-53 Rev. 5). HIPAA's Security Rule at 45 CFR §164.312(a)(2)(iv) identifies encryption as an addressable implementation specification for electronic protected health information. These mandates collectively define the floor — not the ceiling — of cryptographic practice in regulated application environments.

Core mechanics or structure

Symmetric Encryption

Symmetric encryption uses a single key for both encryption and decryption. The Advanced Encryption Standard (AES), standardized by NIST in FIPS PUB 197, is the dominant symmetric cipher in application security. AES with 128-bit keys provides approximately 2^128 possible keys; 256-bit AES is required under NSA Suite B for protecting Top Secret information. Block cipher modes matter operationally: AES-CBC without authenticated encryption exposes applications to padding oracle attacks; AES-GCM provides both confidentiality and authentication in a single pass and is the preferred mode in TLS 1.3.

Asymmetric Encryption and Key Exchange

Asymmetric (public-key) cryptography uses mathematically linked key pairs. RSA, defined in NIST SP 800-56B, is widely used for key encapsulation and digital signatures. NIST recommends a minimum RSA key size of 2048 bits through 2030, with 3072 bits recommended beyond that horizon. Elliptic Curve Cryptography (ECC) achieves equivalent security at smaller key sizes: a 256-bit elliptic curve key provides roughly the same security as a 3072-bit RSA key (NIST SP 800-57 Part 1 Rev. 5).

Hashing and Message Authentication

Cryptographic hash functions produce fixed-length digests from arbitrary-length inputs. SHA-256 and SHA-3 (standardized in FIPS PUB 180-4 and FIPS PUB 202 respectively) are approved for use in federal systems. MD5 and SHA-1 are deprecated for cryptographic purposes by NIST due to demonstrated collision vulnerabilities. HMAC (Hash-based Message Authentication Code), defined in FIPS PUB 198-1, combines a hash function with a secret key to provide message authentication.

Protocols and Transport Security

TLS (Transport Layer Security) version 1.3, defined in RFC 8446, is the current standard for securing application-layer communications. TLS 1.0 and 1.1 are deprecated; PCI DSS v4.0 explicitly prohibits their use for protecting cardholder data. Certificate management — including certificate issuance, pinning, expiration monitoring, and revocation — is an operational extension of transport cryptography that directly affects application security providers across service sectors.

Causal relationships or drivers

Several distinct forces drive cryptographic requirements in application environments:

Regulatory mandates establish minimum algorithm and key-length floors. FIPS 140-3, administered by NIST's Cryptographic Module Validation Program (CMVP), defines requirements for cryptographic modules used in federal procurement. FedRAMP-authorized systems must use FIPS-validated modules, creating a cascade effect on any commercial SaaS product seeking government contracts.

Threat evolution forces algorithm retirement. The demonstrated feasibility of SHA-1 collision attacks (Google's SHAttered attack, published 2017) accelerated deprecation timelines across certificate authorities and code-signing infrastructures. The emergence of quantum computing capabilities is already reshaping algorithm selection: NIST finalized its first post-quantum cryptography standards in 2024, publishing FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), and FIPS 205 (SLH-DSA) to address the anticipated threat from Cryptographically Relevant Quantum Computers (CRQCs).

Supply chain dependencies drive cryptographic posture through third-party libraries. Applications consuming outdated versions of OpenSSL or Bouncy Castle inherit any unpatched cryptographic vulnerabilities present in those versions.

The page contextualizes how these drivers map to the broader service landscape navigated by security practitioners.

Classification boundaries

Cryptographic components in application security are organized into four distinct layers:

Primitives — the raw mathematical operations: block ciphers (AES), stream ciphers (ChaCha20), hash functions (SHA-256, SHA-3), and asymmetric algorithms (RSA, ECDH, ECDSA).

Constructions — combinations of primitives that achieve compound security properties: AEAD (Authenticated Encryption with Associated Data) schemes like AES-GCM; key derivation functions such as HKDF (RFC 5869) and Argon2 (winner of the Password Hashing Competition, 2015); digital signature schemes (ECDSA, Ed25519).

Protocols — defined interaction sequences that use constructions to secure communication channels: TLS 1.3, SSH, IPsec, Signal Protocol.

Key Management Infrastructure — the lifecycle governance layer: key generation (entropy sources, HSMs), distribution, storage (key vaults, secure enclaves), rotation schedules, and destruction. NIST SP 800-57 Part 1 Rev. 5 provides the authoritative taxonomy for cryptographic key types and their applicable usage periods.

The boundary between constructions and protocols is operationally significant: a correctly implemented primitive embedded in a flawed protocol (e.g., unauthenticated AES-CBC) produces insecure outcomes regardless of primitive correctness.

Tradeoffs and tensions

Performance vs. security margin — AES-256 provides a larger security margin than AES-128 at a computational cost roughly 40% higher per operation. For high-throughput applications, this differential drives engineering decisions that sometimes result in selecting 128-bit modes despite organizational policy preferences for 256-bit.

Interoperability vs. algorithm agility — Deprecating a weak algorithm requires coordinated migration across all endpoints. Systems supporting legacy clients may maintain TLS 1.2 cipher suites that include weaker options, broadening the attack surface to avoid breaking backward compatibility.

Entropy and key generation in constrained environments — IoT devices and containerized microservices frequently encounter entropy starvation during initialization, leading to weak key generation. NIST SP 800-90A Rev. 1 (csrc.nist.gov) defines approved Deterministic Random Bit Generator (DRBG) constructions, but implementation in resource-constrained environments remains a persistent operational challenge.

Post-quantum migration timelines — Organizations running long-lived systems must begin hybrid classical/post-quantum key exchange before CRQCs become operational, yet FIPS 203/204/205 are newly published and toolchain support is immature. This creates a documented tension between regulatory forward-guidance and operational feasibility.

These tensions are navigated differently depending on organizational risk tolerance and the how to use this application security resource framing adopted by security program owners.

Common misconceptions

Misconception: HTTPS guarantees application-layer data security. HTTPS protects data in transit between client and server. Data stored in databases, logs, caches, or third-party analytics pipelines is outside the TLS boundary and requires independent encryption controls.

Misconception: Hashing passwords with SHA-256 is sufficient. General-purpose hash functions are designed to be fast. SHA-256 can execute billions of operations per second on commodity GPU hardware. Password storage requires slow, memory-hard functions — Argon2id, bcrypt, or scrypt — specifically because computational cost impedes brute-force attacks. OWASP's Password Storage Cheat Sheet documents the distinction and recommended cost parameters.

Misconception: Encrypting data at rest with AES satisfies all compliance obligations. PCI DSS Requirement 3.5 addresses not only the encryption algorithm but also key management processes, including separation of key custodial roles and documented key rotation schedules. Encryption without auditable key management fails compliance requirements under both PCI DSS and NIST SP 800-53 SC-12.

Misconception: Longer keys always mean more security. Security is bounded by the weakest link in the cryptographic chain. A 4096-bit RSA key protecting a session that uses an MD5-based MAC provides no meaningful security improvement over a 2048-bit RSA key in the same configuration.

Misconception: Open-source cryptographic libraries are inherently less secure than commercial alternatives. FIPS 140-3 validation is the operative criterion for federal procurement; both open-source implementations (OpenSSL, Bouncy Castle) and commercial modules can achieve CMVP validation. The validation status, not the license model, determines regulatory acceptability.

Checklist or steps

The following represents the structural phases of cryptographic implementation review in an application security assessment context, as informed by NIST SP 800-115 and the OWASP Testing Guide (WSTG-CRYP):

Inventory cryptographic assets — Identify all locations where encryption, hashing, or signing operations occur: in-transit channels, at-rest data stores, authentication tokens, API keys, and certificate stores.
Verify algorithm compliance — Confirm all deployed algorithms appear on NIST's approved algorithm list (NIST FIPS) and are not on the deprecated list (MD5, SHA-1, DES, 3DES for new applications, RC4).
Assess key length adequacy — RSA ≥ 2048 bits, ECC ≥ 256 bits, AES ≥ 128 bits (256 for classified or high-assurance contexts).
Validate cipher mode selection — Confirm authenticated encryption modes (AES-GCM, ChaCha20-Poly1305) are used where confidentiality and integrity are both required.
Inspect key storage mechanisms — Verify keys are stored in hardware security modules (HSMs), key management services, or secure enclaves — not in source code, configuration files, or environment variables accessible to application processes.
Review key lifecycle controls — Document key generation entropy sources, rotation schedules, custodial separation, and destruction procedures against NIST SP 800-57 Part 1 Rev. 5 criteria.
Confirm protocol version enforcement — Validate that TLS 1.3 (or minimum TLS 1.2 with restricted cipher suites) is enforced and that deprecated versions are disabled.
Test certificate management — Verify certificate expiration monitoring, revocation checking (OCSP stapling or CRL), and the absence of self-signed certificates in production trust stores.
Validate random number generation — Confirm use of cryptographically secure pseudorandom number generators (CSPRNG); flag use of Math.random() or equivalent non-cryptographic PRNGs in security-sensitive contexts.
Document post-quantum readiness posture — Record whether the system has assessed hybrid key exchange adoption timelines relative to NIST FIPS 203/204/205 guidance.

Reference table or matrix

Cryptographic Function	Recommended Algorithm	Minimum Key/Digest Size	Deprecated Alternatives	Governing Standard
Symmetric encryption	AES-GCM	128-bit (256-bit for high assurance)	DES, 3DES, RC4	FIPS 197
Asymmetric encryption / KEM	RSA-OAEP, ML-KEM (post-quantum)	RSA: 2048-bit; ECC: 256-bit	RSA < 1024-bit, ElGamal (unapproved)	NIST SP 800-56B Rev. 2, FIPS 203
Digital signatures	ECDSA (P-256), Ed25519, ML-DSA (post-quantum)	P-256 / 256-bit	MD5withRSA, SHA1withRSA	FIPS 186-5, FIPS 204
Hashing (integrity)	SHA-256, SHA-384, SHA-3-256	256-bit output	MD5, SHA-1	FIPS 180-4, FIPS 202
Password hashing	Argon2id, bcrypt, scrypt	Argon2id: ≥19 MiB memory	MD5, SHA-1, SHA-256 (unsalted)	OWASP Password Storage Cheat Sheet