Secret key-finding tool launched
Secret key-finding tool launched

A security researcher has unveiled a tool that can be used to search for secret cryptographic keys in code.

Dubbed TruffleHog, the tool was developed by Dylan Ayrey and can discover keys containing high-entropy strings by sifting through commit history and branches.

He said that the tools abilities make it "effective at finding secrets accidentally committed that contain high entropy.”

"This module will go through the entire commit history of each branch, and check each diff from each commit, and evaluate the Shannon entropy for both the base64 character set and hexidecimal character set for every blob of text greater than 20 characters comprised of those character sets in each diff,” said Ayrey in a post on Github.

If a high-entropy string is identified, the string is displayed to the user. The only requirement for the tool to work is to have GitPython installed.

Shannon Entropy is an important mathematical concept to encryption as entropy can determine how difficult or easy an unknown key is to crack.

According to postings on Reddit, Amazon's AWS is already using such a tool to scan public repositories for AWS secret keys and blocking user accounts to prevent criminals from accessing user's instances and running up high cloud computing bills on the service.

"I have accidentally previously committed my secret AWS keys to a public repo. Amazon found them and closed my account until I created some new [keys]. " said Reddit user KingOtar.

Dan Panesar, vice president EMEA at Certes, told SC Magazine that when a developer is building an application, they may be tempted to cut corners when it comes to security. For example, using static keys hardcoded into the code base, instead of following the proper best practice that ensures the safety of their users.

“The race to market is often at odds with implementing truly effective security and there are those developers that are prepared to compromise,” he said. “TruffleHog allows the quality of code to be tested quickly and simply to see whether standards such as OWASP have been implemented and give users piece of mind that an application is not going to become the weak link in its cyber-security defences.”

He added that the tool should act to “shame” application developers that are not taking user security seriously enough, exposing those using fixed keys and secrets.

Panesar said that hackers may also be able to use the same tool for criminal purposes.

“Hackers can use TruffleHog to easily find applications that are in common use with static keys or pass phrases that they can access remotely. They can learn rapidly if an application has defaults they can exploit and rapidly write new tools to take advantage.”

But organisations can also use it to ensure that applications are not leaving them vulnerable.

“Using TruffleHog to identify weak code, they are able to ensure that security best practices are implemented, that all keys and secrets are stored outside of the codebase and are simple to set or change by the end user, maintaining the levels of security needed to operate as a modern enterprise that is under the constant threat of cyber-crime,” said Panesar.