Cryptographic Attacks

Previous page
Table of content
Next page

The ultimate objective of an attack on a cryptographic system is to either decipher the messages or disrupt the network. Cryptographic systems can be susceptible to DoS attacks, which were explained in Chapter 2, "Know Your Enemy."

Specific attacks on cryptographic systems can be divided into one of three types:

Attacking the Key Key attacks are typically launched to discover the value of a key by attacking the key directly. These keys can be passwords, encrypted messages, or other key-based encryption information. An attacker might try to apply a series of words, commonly used passwords, and other randomly selected combinations to crack a password. A key attack tries to crack a key by repeatedly guessing the key value. Most operating system manufacturers provide programming interfaces that allow access to password and encryption subsystems. An attacker can use this access and information to break a password. Remember that passwords are typically generated with one-way hashing function. The anticipated amount of time it takes to break a password depends on the length of the password and the characters used in the password. Making keys longer and more complicated tends to make key attacks more difficult.

Attacking the Algorithm The programming instructions and algorithms used to encrypt information are as much at risk as the keys. If an error is not discovered and corrected by a program's developers, an algorithm might not be able to secure the program. Many algorithms have well-publicized backdoors. If a weakness in the programming or model used to develop an algorithm is discovered, a significant security exposure may exist.

A paper was submitted to the Internet community that discussed a theoretical weakness in the algorithm that was used as the basis for the WEP security system. WEP supporters publicly discounted the weakness to the computer community. They indicated that the vulnerability was theoretical and could not happen in the real world. Within seven days of their brash statements, they received over a dozen different examples of how to break the WEP system.

Intercepting the Transmission The process of intercepting a transmission may, over time, allow attackers to inadvertently gain information about the encryption systems used by an organization. The more data attackers can gain, the more likely they are to be able to use frequency analysis to break an algorithm. Human error is also a problem in security situations, and it is likely that someone will unintentionally release information that can be used to undermine a security system.

The three types of attacks that you need to be aware of from a Security+ perspective are the birthday attack, the weak key attack, and the mathematical attack.

Birthday Attack Birthday attacks are built on a simple premise. If 25 people are in a room, the probability is that two of those people will have the same birthday. The probability increases as additional people enter the room. What is important to remember is that probability does not mean that something will occur, only that it is more likely to occur.

While this may not be the case in every gathering, the likelihood that it will be true is fairly high. A birthday attack works on the same premise. If your key is hashed, the possibility is that given enough time, another value can be created that will give the same hash value. This is not an attack on the algorithm itself, just on the results.

A birthday attack is an example of an attack targeted at the key.

Weak Key Attack Weak key attacks are based on the premise that many common passwords are used by lots of people. If the key length is short, the resulting hash value will be easier to guess. Make sure your users use passwords and encryption keys that are hard to guess. You may even want to consider a random password-generating system. The longer and more complicated a password is the more difficult it is to successfully launch a weak key attack against it.

Note 

A security audit performed by the U.S. Air Force uncovered a startling problem with passwords. They discovered that one of the most popular passwords used in several locations was WWJD. Upon investigation they discovered that this was an abbreviation for "What Would Jesus Do." Although the Air Force was not trying to suppress religious expression, they sent out a list of unacceptable passwords and, not surprisingly, this was one of them.

Mathematical Attack Mathematical attacks can be focused on the encryption algorithm itself, the key mechanism, or any potential area of weakness in the algorithm. These attacks use mathematical modeling and statistical analysis to determine how the system operates. These types of attacks depend on intercepting large amounts of data and methodically attempting to decrypt the messages.

Mathematical attacks rely on intercepting the encrypted data and using one of the two methods previously described to exploit weaknesses in either the key or the key-generation algorithm.


Previous page
Table of content
Next page
CompTIA Security+ Study Guide. Exam SY0-101
Security+ Study Guide
ISBN: 078214098X
EAN: 2147483647
Year: 2006
Pages: 167
Authors: Michael A. Pastore
BUY ON AMAZON
Certified Ethical Hacker Exam Prep
C++ How to Program (5th Edition)
Cisco CallManager Fundamentals (2nd Edition)
PMP Practice Questions Exam Cram 2
Visual Studio Tools for Office(c) Using C# with Excel, Word, Outlook, and InfoPath
Comparing, Designing, and Deploying VPNs
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy