## Posts in Category: Basics

### Fatal Flawed Assumptions

Tuesday, October 13, 2009 4:31:00 AM

### Passwords can be stored safely

Passwords are far easier to find if they are stored somewhere. Let’s say a thief is in a room with hundreds of safes, each marked with what it contains. One of the safes says “All safe combinations”. Even if this is the hardest safe in the room to crack, it’s going to be the target. Just storing the passwords in one location leaves a user at a much higher chance of losing everything in one go. This practice also opens up the door to the “oops” factor. For instance, assume that a user stores all on-line passwords in some type of browser or browser add-in that automatically enters login details. All the user has to do is step away from their computer without locking it for someone (anyone) to quickly jump on and do what they want (change passwords to something they know, move money around, etc.).

### All combinations must be tested in order to find a valid password

This is not the case, and should be obvious if you think about the problem. If you have lost your keys, how long does it take for you to find them? You start thinking of locations you might find the key and only search those locations until you find the key. There are likely to be many places you don’t bother looking because you already found the keys. The same is true for passwords.

How many passwords do you need to test to find a valid password? Only as many as it takes to find the password.

Assuming that the password has been generated randomly, we enter the realm of probability. On average, a hacker only has to test HALF the password combinations. However, 25% of the time the hacker finds the password in the first 25% of passwords. 1 in every 100 attacks will find the password in the first 1% of passwords tested. This logic follows on so that, just like lotto, there is a chance that the hacker will locate the password on the VERY FIRST TRY. Also just like the lotto, it wouldn’t happen often, but it can happen.

This fact makes it quite scary to put faith in those large numbers of combinations. I like to assume that the password will be found in the first 0.1% for company data (assumes that 1 in every 1000 attacks finds the password in the first 1% of passwords tested), but this could be increased or decreased depending on how valuable the data is.

### Randomly Generated Passwords are always stronger

Since brute force attacks normally start at one number and proceed through all combinations in order, the random nature of password generation can lead to a potentially weaker password. 50% of randomly generated passwords will be closer to the beginning of a “brute force” attack check. 10% of passwords will be in the first 10% of passwords to be checked. So for an organisation with 10,000 passwords, all generated randomly, it’s likely that at least 1 will be in the first 0.01% of passwords to be checked. But random is as random does, so even one password generated by a random password generator COULD be the very first password to be checked by brute force means. The likelihood of this is low, but it is still possible. Therefore randomly generated passwords CAN be stronger, but they can also be weaker.

The best way to counter this is to increase the total combinations that the password COULD be to a level which means that even a password located in the first 0.01% of passwords tested would still take a tremendous amount of time to get to.

### Hackers Test Possible Password Combinations in a specific order

The brute force method is most easily done by iterating through combinations in order, much like an odometer scrolls through the distance in a car. By 999,999 the car’s odometer has at one time or another shown every combination of values between 0 and 999,999 (but it takes a while to get through all of them). Unlike a car, several computers can be used, each one testing a different range of combinations. The more computers attempting to crack the password, the smaller the range of passwords each one has to test and therefore the faster the time to crack the password. This means that a password of any specific characters may be located very quickly.

The best way to counter this is to increase the total combinations that the password COULD be to a level that even thousands of computers will take a tremendous amount of time to get through.

### An Encryption with More Bits is Stronger

See Estimating the time to crack a password

The strength of an encryption is in the amount of time taken to crack an unknown password. The factors that affect this amount of time are:

- The password – an encryption is only as secure as the password. Once the password is compromised, so is the encryption.
- The number of “Bits”, which translates to the number of possible options of passwords. Note though, the Bit rate is only as long as the password used. A very short password on a very large bit encryption effectively reduces the bit rate of the encryption.
- The time required to test each password. This is a combination of both the time taken to transform the cipher into a de-ciphered text AND the time taken to check if the de-ciphered text is accurate. If the hacker knows what a portion of the encrypted message is, they are going to find it much faster to check than if they have no idea what the de-ciphered text looks like.

Unfortunately, many IT professionals take as given that the number of possible combinations (key bit size) is the greatest security factor, and that after that (assuming the same bit size is achieved), faster algorithms are better.

But this is simply incorrect. Given the SAME key length (in bits), a faster algorithm is less secure. The security of an encryption comes from the number of possible iterations of "keys" multiplied by the time taken to try each iteration. For instance, an encryption that takes 10 mins to try when there are 1,000 possible keys is more secure than an encryption taking 10 milliseconds to run with 100,000 possible keys.

It’s more secure because the first encryption method is going to take longer to decrypt if the cracker doesn’t know the password.

### A Single Hacker only has Limited Resources

The problem with Hackers is that they normally aren’t some kid sitting in their bedroom trying to work out how to get your data. The chances are they have access to a company’s computer system (i.e. an IT Department worker), have access to university computers, or have access to hundreds to thousands of computers that have been “hacked” previously.

How many computers should you assume are poised to attack your system? As a rule of thumb I would say 100 for a very small company, 10,000 for a small company and 100,000 for a large company.
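The arithmetic from the sections above, as an added example (not the author's code): the chance that one of many random passwords sits early in the search order, the keys-multiplied-by-time comparison, and the password length needed so that even the first 0.01% of combinations takes long enough to cover. The 94-character set, 1 ns per guess and 100-year target are assumptions; the machine counts are the post's rule of thumb.

```python
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def p_any_in_first_fraction(n_passwords, fraction):
    """Chance that at least one of n uniformly random passwords falls in the
    first `fraction` of the order an in-order search walks."""
    return 1.0 - (1.0 - fraction) ** n_passwords

def seconds_to_cover(keyspace, fraction, secs_per_guess, machines):
    """Wall-clock seconds to test the first `fraction` of `keyspace` when the
    range is split evenly across `machines`."""
    return keyspace * fraction * secs_per_guess / machines

def min_length(charset, fraction, secs_per_guess, machines, target_years):
    """Shortest random password length for which covering even the first
    `fraction` of the keyspace takes at least `target_years`."""
    length = 1
    while seconds_to_cover(charset ** length, fraction, secs_per_guess,
                           machines) < target_years * SECONDS_PER_YEAR:
        length += 1
    return length

if __name__ == "__main__":
    # The post's case: 10,000 random passwords, first 0.01% of the search order.
    print(f"at least one early password: {p_any_in_first_fraction(10_000, 0.0001):.1%}")
    # The post's comparison: 1,000 keys at 10 minutes each vs 100,000 keys at 10 ms each.
    print("slow cipher, full search (s):", seconds_to_cover(1_000, 1.0, 600, 1))
    print("fast cipher, full search (s):", seconds_to_cover(100_000, 1.0, 0.010, 1))
    # Assumed for illustration: 94 printable characters, 1e-9 s per guess, 100 years.
    for machines in (100, 10_000, 100_000):
        print(machines, "machines -> length", min_length(94, 0.0001, 1e-9, machines, 100))
```

For 10,000 random passwords the chance that at least one lies in the first 0.01% comes out at roughly 63%, and under the assumed figures the required length only moves from 13 to 14 characters between 100 and 100,000 machines, because each extra character multiplies the work by 94.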


### What is Cryptography

Tuesday, October 13, 2009 4:23:00 AM

In these posts I’ll describe some basic principles of cryptography.

With over a decade of cryptography experience I’ll offer information, tips and tricks I’ve learnt over time.

I believe that most cryptographic implementations are flawed because of simple lack of understanding. I’ll attempt to outline how cryptography works so that people can make systems stronger.

### What Is Cryptography?

Cryptography literally means hiding information. Cryptography of data can be likened to security measures on a building. Some measures, such as guarded doors, prevent intrusion into the building by unauthorised people, which is like firewalls blocking intrusion into a computer network. Some measures ensure that only some people have access to some areas of the building, such as security cards, which is similar to computer login security. Some measures prevent intruders from gaining access to your specific items in a building, such as safes protecting company documents, which is similar to encrypting data.

And just like these similes, if a thief is knowledgeable enough, has the right tools and has enough time, they can get in and get the valuables. There is no security that can be put on a building that will stop someone getting in if they have the time, money and resources. The intention is to make it so difficult and require so much effort that it isn’t worthwhile.

If you think of your office building with the very best security measures, a military strike force is still likely to make short work of getting your valuables. Therefore all of your security measures are targeted at organisations with fewer resources than governments and armies. So if you want to protect information that is important to national security, a well secured office building isn’t adequate. However, information that is only useful to your competitors is likely to be perfectly safe in the same office.

Unfortunately computers cut through a lot of physical barriers, so the resources required to break into and through computer security are more a matter of time. In the real world the time taken to crack a safe is dependent on the construction of the safe (materials and design), the skill of the safe cracker and the tools the safe cracker has at hand. In cyberspace the time taken to crack an encryption is dependent on the strength of the encryption (type and key), and the processor resources available to crack the encryption. Throw 1,000 safe crackers at a safe and you will probably slow down the safe cracking process. Throw 1,000 computers at an encryption and you will crack the encryption 1,000 times faster.

Once someone has your data, encrypted or otherwise, it is just a matter of time before they can access the data. For this reason the strongest focus of cryptography is on the procedures and processes put in place to block people from getting to the data in the first place. That includes ensuring the communication taking place is between validated and authenticated people and ensuring that the communication is secure. Encryption, although a valuable tool, is always a safety backup.

Copyright 2006 Blog Author