Chapter 2 - 08 - Understand Cryptographic Attacks - 02_ocred.pdf

Full Transcript

Certified Cybersecurity Technician Information Security Attacks Exam 212-82 Brute-Force Attack Attack Scheme Defeating a cryptographic scheme by trying a large number of possible keys until the correct encryption key is discovered Brute-Force Attack Brute-force attack is a high-resource and time intensive process, but it is more guaranteed to achieve results Success Factors Success of brute-force attack depends on the length of the key, time constraint, and system security mechanisms Estimated Time for Successful Brute-force Attack $ 2K (1 PC; can be achieved by an individual) $ 100K (can be achieved by a company) $ 1M (can be achieved by a huge organization or a state) 40 bits (5 char) 56 bits (7 char) 64 bits (8 char) 128 bits (16 char) 1.4 min 73 days 50 years 1020 years 2 sec 35 hours 1 year 10719 years 0.2 sec 3.5 hours 37 days A 10718 years Copyright © by E | cil Al Rights Reserved. Reproduction is Strictly Prohibited Brute-Force Attack It is extremely difficult to crack cryptographic systems, as they have no practical weaknesses to exploit; however, it is not impossible. Cryptographic systems use cryptographic algorithms to encrypt a message. These cryptographic algorithms use a key to encrypt or decrypt messages. In cryptography, this key is the important parameter that specifies the transformation of plaintext to ciphertext and vice versa. If you are able to guess or find the key used for decryption, then you can decrypt the messages and read them in clear text. 128-bit keys are common and considered strong. From a security perspective, to avoid guessing the key, cryptographic systems use randomly generated keys. This makes you devote considerable effort toward guessing the key. However, you still have a choice to determine the key used for encryption or decryption. You can attempt to decrypt a message using all possible keys until you discover the key used for encryption. This method of discovering a key is called a brute-force attack. However, doing so requires a massive amount of processing power. It is a resource-intensive and time-intensive process. For any non-flawed protocol, the average time needed to find the key in a brute-force attack depends on the length of the key. If the key length is short, then it will take less time to find the key; if it is long, it will take more time. A brute-force attack will be successful if and only if the attacker has enough time to discover the key. However, the time required is relative to the length of the key. The difficulty of a brute-force attack depends on various factors, such as = The length of the key = The number of possible values each component of the key can have = The time it takes to attempt each key Module 02 Page 390 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Information Security Attacks = Exam 212-82 |f there is any mechanism that locks the attacker out after a certain number of failed attempts For example, if a system could brute-force a DES 56-bit key in one second, then for an AES 128bit key, it takes approximately 149 trillion years. To perform a brute-force attack, the attacker needs double the time for every additional bit of key length; the reason is that the number of keys doubles with an increase of one bit. However, a brute-force attack is more likely to achieve results. Power/Cost $ 2K (1 PC. Can be achieved 40 bits 56 bits 64 bits 128 bits (5 char) (7 char) (8 char) (16 char) i " by an individual) 1.4 min 73 days 50 years 10720 years 3 100K (this can be achieved by a company) 2 sec 35 hours 1year 10719 years ? 1M U{‘Ch',e vedby a huge organization or a state) 0.2 sec 3.5 hours 37 days 10718 years Table 2.8: Estimate time for a successful brute-force attack Module 02 Page 391 Certified Cybersecurity Technician Copyright © by EG-Gouncil All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Information Security Attacks Exam 212-82 Birthday Attack O Abirthday attack is the name used to refer to a class of brute-force attacks against cryptographic hashes that makes the brute forcing easier %+ Birthday paradox: The probability that two or more people in a group of 23 share the same birthday is greater than 0.5 Birthday Paradox The basic idea is as follows: How many people would you need to have in a room to have _ a strong likelihood How many people do you need to have a high likelihood that two share the same birth day (i.e., same day and month but not necessarily the same year)? that two would have the same birthday? 'i' The paradox is not asking how many people you need to guarantee a match, just how many you need to have a strong There are 365 days in a year, so you might think at least half of that, or 182 people, but it is actually only 23! Obviously, if you put 367 people in a room, at least 2 of them must have the same birthday because there are only 365 days in a year, plus one more in a leap year probability L Even with 23 people in the room, you have a 50 percent chance ‘ that 2 will have the same birthday Birthday Attack A birthday attack refers to a class of brute-force attacks against cryptographic hashes that renders brute-forcing easier to performs. This attack depends on the birthday paradox, which is the probability of two or more people in a group of 23 sharing the same birthday is greater than 0.5. Birthday Paradox For example, how many people are needed to have a high likelihood that two will share the same birthday (i.e., same day and month, not year). There are 365 days a year, and therefore, you might think that at least half or 182 people share the same birthday, when it is actually only 23! The basic idea is as follows: How many people would you need to have in a room to have a strong likelihood that two amongst them would have the same birthday (same day and month, but not year). Obviously, if you put 367 people in a room, at least two of them must have their birthdays on the same day and month since there are only 365 days in a year, and an additional day in the case of a leap year. The paradox is not the number of people you need to guarantee a match, but the number of people you need to have a strong probability. Even with 23 people in a room, there is a 50% chance that two them will have their birthdays on the same day and month. Module 02 Page 392 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Information Security Attacks Exam 212-82 Birthday Paradox: Probability Because these events are all independent, we can The probability that the first person does not share a birthday with any previous person is 100 percent because there are no previous people in the set. This can be written as 365/365 The second person has only one preceding person, and the probability that the second person has a birthday different from the first is 364/365. @. - Z:ee g?:gep te\;s: :rr:ég:f:: :fozzinsgfi‘;w"h probability for the third person is ’ 363/365 compute the probability as follows: 365/365 * 364/365 * 363/365 * 362/365... * 342/365 (342/365 is the probability of the 23rd person sharing a birthday with a preceding person) When we convert these to decimal values (truncate to 3 decimal places) yields:. 1*0.997... N A 5 *0.994 * 0.991 * 0.989 * 0.986 *...0.936 = 0.49, or 49 percent This 49 percent is the probability that 23 people will not have any birthdays in common; thus, there is a 51 B h ven Crc) hance e e 2otof th 2 that 2 will have a birthday in common L All Rights Reserved. Reproductionis Strictly Prohibited Birthday Paradox: Probability The probability that the first person does not share a birthday with any previous person is 100% because there are no previous people in the set. This can be written as 365/365. The second person has only one preceding person, and the odds that the second person has a birthday different from the first are 364/365. The third person might share a birthday with two preceding people, so the odds of sharing a birthday with either of the two preceding people are 363/365. Because each of these are independent, we can compute the probability as follows: 365/365 * 364/365 * 363/365 * 362/365... * 342/365 (342 is the probability of the 23rd person who shares a birthday with a preceding person). When we convert these to decimal values, it yields (truncating at the third decimal point) 1 * 0.997 * 0.994 * 0.991 * 0.989 * 0.986 *... 0.936 = 0.49 or 49%. This is the probability that 23 people will not have any birthdays in common; thus, there is a 51% (better than even odds) chance that two of the 23 will have a birthday in common. The idea behind the birthday attack is to attempt to find a collision for a given hash. Now, assume that the hash is MD5 with a 128-bit output. You would have to try 27128 possible hashes to guarantee a collision, which is a very large number. In decimal notation, it is 3.4028236692093846346337460743177e+38 Now, from the birthday paradox, we need 1.174v2/128 or 21656477542535013597.184 hashes to guarantee a collision. Furthermore, this is still a very large number but many orders of magnitude smaller than the abovementioned value. Module 02 Page 393 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.