Cryptography

Fatal Flawed Assumptions 

Tuesday, October 13, 2009 4:31:00 AM Categories: Basics Passwords/Keys

Passwords can be stored safely

Passwords are far easier to find if they are stored somewhere. Let’s say a thief is in a room with hundreds of safes, each marked with what it contains. One of the safes says “All safe combinations”. Even if this is the hardest safe in the room to crack, it’s going to be the target. Just storing the passwords in one location leaves a user at a much higher chance of losing everything in one go. This practice also opens the door to the “oops” factor. For instance, assume that a user stores all on-line passwords in some type of browser or browser add-in that automatically enters login details. All the user has to do is step away from their computer without locking it for someone (anyone) to quickly jump on and do what they want (change passwords to something they know, move money around, etc.).
 

All combinations must be tested in order to find a valid password

This is not the case, and should be obvious if you think about the problem. If you have lost your keys, how long does it take for you to find them? You start thinking of locations you might find the key and only search those locations until you find the key. There are likely to be many places you don’t bother looking because you already found the keys. The same is true for passwords.
 
How many passwords do you need to test to find a valid password? Only as many as it takes to find the password.
 
Assuming that the password has been generated randomly we start entering the realm of probability statistics. On average, a hacker only has to test HALF the password combinations. However, 25% of the time the hacker finds the password in the first 25% of passwords. 1 in every 100 attacks will find the password in the first 1% of passwords tested. This logic follows on so that just like lotto, there is a chance that the hacker will locate the password on the VERY FIRST TRY. Also just like the lotto, it wouldn’t happen often, but it can happen. 
 
This fact makes it quite scary to put faith in those large numbers of combinations. I like to assume that the password will be found in the first 0.1% for company data (assumes that 1 in every 1000 attacks finds the password in the first 1% of passwords tested), but this could be increased or decreased depending on how valuable the data is.
 

Randomly Generated Passwords are always stronger

Since brute force attacks normally start at one value and proceed through all combinations in order, the random nature of password generation leads to a potentially weaker password. 50% of randomly generated passwords will be closer to the beginning of a “brute force” attack check. 10% of passwords will be in the first 10% of passwords to be checked. So for an organisation with 10,000 passwords, all generated randomly, it’s likely that at least 1 will be in the first 0.01% of passwords to be checked. But random is as random does, so even one password generated by a random password generator COULD be the very first password to be checked by brute force means. The likelihood of this is low, but it is still possible. Therefore randomly generated passwords CAN be stronger, but they can also be weaker.
 
The best way to counter this is to increase the total combinations that the password COULD be to a level which means that even a password located in the first 0.01% of passwords tested would still take a tremendous amount of time to get to.
 

Hackers Test Possible Password Combinations in a specific order

The brute force method is most easily done by iterating through combinations in order, much like an odometer scrolls through the distance in a car. By 999,999 the car’s odometer has at one time or another shown every combination of values between 0 and 999,999 (but it takes a while to get through all of them). Unlike a car, several computers can be used, each one testing a different range of combinations. The more computers attempting to crack the password, the smaller the range of passwords each one has to test and therefore the faster the time to crack the password. This means that a password of any specific characters may be located very quickly.
 
The best way to counter this is to increase the total combinations that the password COULD be to a level that even thousands of computers will take a tremendous amount of time to get through.
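To put numbers on the points made in the last three sections (half the keyspace on average, a fixed early fraction reached quickly, and a search range split across many machines), here is an added Python example; it is not code from the original post. The character-set sizes, password lengths, the assumed rate of 1e9 guesses per second per machine and the machine counts are illustrative inputs chosen here, not figures from the page, and `chance_any_within` is the standard 1 - (1 - f)^n calculation behind the “10,000 random passwords” remark above.

```python
import math


def keyspace(charset_size: int, length: int) -> int:
    """Candidates of exactly `length` characters drawn from `charset_size` symbols."""
    return charset_size ** length


def keyspace_up_to(charset_size: int, max_length: int) -> int:
    """Candidates of every length from 1 to max_length: what an odometer-style
    search walks through before it even reaches the longest passwords."""
    return sum(charset_size ** n for n in range(1, max_length + 1))


def seconds_to_reach(fraction: float, total: int, guesses_per_second: float,
                     machines: int = 1) -> float:
    """Wall-clock time for an in-order search to cover `fraction` of `total`
    candidates when the range is split evenly across `machines`."""
    if not 0.0 < fraction <= 1.0:
        raise ValueError("fraction must be in (0, 1]")
    return fraction * total / (guesses_per_second * machines)


def chance_any_within(fraction: float, passwords: int) -> float:
    """Probability that at least one of `passwords` uniformly random passwords
    lands in the first `fraction` of the search order: 1 - (1 - f)^n."""
    return 1.0 - (1.0 - fraction) ** passwords


def humanize(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    for name, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.2f} {name}"
    return f"{seconds:.3g} seconds"


def crack_time_profile(charset_size: int, length: int,
                       guesses_per_second: float, machines: int = 1) -> dict:
    """Time to reach the early fractions discussed in the post, the average
    case (half the keyspace) and the worst case (all of it)."""
    total = keyspace(charset_size, length)
    points = (("first 0.01%", 0.0001), ("first 0.1%", 0.001),
              ("average (50%)", 0.5), ("worst case (100%)", 1.0))
    return {label: seconds_to_reach(f, total, guesses_per_second, machines)
            for label, f in points}


if __name__ == "__main__":
    RATE = 1e9  # assumed guesses per second per machine (illustrative)
    for charset, length in ((26, 8), (52, 8), (94, 12)):
        print(f"\ncharset {charset}, length {length}: "
              f"{keyspace(charset, length):,} candidates "
              f"({length * math.log2(charset):.1f} bits)")
        for machines in (1, 10_000, 100_000):
            profile = crack_time_profile(charset, length, RATE, machines)
            print(f"  {machines:>7,} machines: " + ", ".join(
                f"{k} {humanize(v)}" for k, v in profile.items()))
    print("\nP(at least one of 10,000 random passwords lies in the first 0.01%) = "
          f"{chance_any_within(0.0001, 10_000):.3f}")
```

Running the script shows the trade-off the post argues for: adding machines divides every row by the machine count, while each extra character or larger character set multiplies every row, so length and alphabet size are the only levers that keep even the “first 0.01%” row large.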
 

An Encryption with More Bits is Stronger

See Estimating the time to crack a password
 
The strength of an encryption is in the amount of time taken to crack an unknown password. The factors that affect this amount of time are:
  1. The password – an encryption is only as secure as the password. Once the password is compromised, so is the encryption.
  2. The number of “Bits”, which translates to the number of possible passwords. Note though, the effective bit length is only as long as the password used. A very short password on a very large bit encryption effectively reduces the bit length of the encryption.
  3. The time required to test each password. This is a combination of both the time taken to transform the cipher into a de-ciphered text AND the time taken to check if the de-ciphered text is accurate. If the hacker knows what a portion of the encrypted message is, they are going to find it much faster to check than if they have no idea what the de-ciphered text looks like.
 
Unfortunately many IT professionals take it as given that the number of possible combinations (key bit size) is the greatest security factor, and after that (assuming the same bit size is achieved) that faster algorithms are better.
 
But this is simply incorrect. Given the SAME key length (in bits), a faster algorithm is less secure. The security of an encryption comes from the number of possible "keys" multiplied by the time taken to try each one. For instance, an encryption that takes 10 mins to try when there are 1,000 possible keys is more secure than an encryption taking 10 milliseconds to run with 100,000 possible keys.
 
It’s more secure because the first encryption method is going to take longer to decrypt if the cracker doesn’t know the password.
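An added Python example (not code from the original post) that works the “keys multiplied by time per try” measure through: it reproduces the two schemes from the paragraph above, expresses per-trial slowdown as equivalent extra key bits, and measures a real per-trial cost using PBKDF2-HMAC-SHA256 from the standard library. PBKDF2 is chosen here as a concrete slow-per-trial construction; the post names no algorithm, and the iteration counts and the 52^6 password policy are illustrative assumptions.

```python
import hashlib
import math
import os
import time


def work_seconds(possible_keys: int, seconds_per_trial: float) -> float:
    """Time to exhaust a scheme: candidate keys multiplied by the cost of
    testing one. This product, not the key count alone, is what an attacker
    pays in the worst case; the average case is half of it."""
    return possible_keys * seconds_per_trial


def equivalent_bits(possible_keys: int, iterations: int = 1) -> float:
    """Stretching each trial by `iterations` rounds multiplies per-trial cost
    by that factor, which is worth log2(iterations) extra bits of keyspace
    from the attacker's point of view."""
    return math.log2(possible_keys) + math.log2(iterations)


def time_per_trial(iterations: int, samples: int = 3) -> float:
    """Measure one PBKDF2-HMAC-SHA256 derivation at `iterations`: this is
    what a guesser pays per candidate against a scheme that stretches its
    password this way."""
    salt = os.urandom(16)  # constructed for the measurement; real schemes store one per user
    start = time.perf_counter()
    for _ in range(samples):
        hashlib.pbkdf2_hmac("sha256", b"candidate-password", salt, iterations, 32)
    return (time.perf_counter() - start) / samples


def compare_post_example() -> tuple:
    """The two schemes from the post: 1,000 keys at 10 minutes each versus
    100,000 keys at 10 milliseconds each, as seconds to exhaust."""
    return work_seconds(1_000, 10 * 60), work_seconds(100_000, 0.010)


if __name__ == "__main__":
    slow_small, fast_large = compare_post_example()
    print(f"1,000 keys x 10 min   -> {slow_small:>12,.0f} s to exhaust")
    print(f"100,000 keys x 10 ms  -> {fast_large:>12,.0f} s to exhaust")

    keys = 52 ** 6  # a 6-character mixed-case password (assumed illustrative policy)
    for iterations in (1_000, 100_000):
        cost = time_per_trial(iterations)
        print(f"PBKDF2 {iterations:>7,} iterations: {cost * 1000:7.2f} ms/trial, "
              f"{work_seconds(keys, cost) / 86400:9.1f} days to exhaust 52^6 on one core, "
              f"~{equivalent_bits(keys, iterations):.1f} equivalent bits")
```

The measured numbers vary by machine, which is the point: the defender sets the iteration count so that one legitimate login stays cheap while the attacker’s per-candidate cost, multiplied by the whole keyspace, becomes large.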
 

A Single Hacker only has Limited Resources

The problem with Hackers is that they normally aren’t some kid sitting in their bedroom trying to work out how to get your data. The chances are they have access to a company’s computer system (i.e. an IT Department worker), have access to university computers, or have access to hundreds to thousands of computers that have been “hacked” previously.
 
How many computers should you assume are poised to attack your system? As a rule of thumb I would say 100 for a very small company, 10,000 for a small company and 100,000 for a large company.

 

Password and Key Cracking 

Tuesday, October 13, 2009 4:26:00 AM Categories: Cracking Passwords/Keys
Passwords and keys are different things. Passwords are normally used to confirm/validate a user for access or communication. A key is the code that will encrypt or decrypt data. Sometimes passwords are used as keys, or more commonly keys are generated from passwords. Although they have separate purposes, and are usually very different in length, the methods used to crack them are normally fairly similar. On this page I will use the term “Password”, as this is normally the weaker of the two, but the same attacks can be performed on keys.
 
The most common are:
 

Dumpster Diving

This is used by identity thieves too. Many people print codes and keys, especially for things like wireless networks, so that staff can configure them correctly. If these printouts are just “thrown” out, they can be found and used.
 
 

Social Engineering

This is where social and cultural tricks are used to gain access to secure areas. For example: someone rings you stating they are from your IT Department and need your password in order to test something. Or a man dressed in the right uniform just strolls into the server room, loads hardware onto a trolley and leaves.
 

Brute Force

Every combination of values is tested until one works. This is the single slowest way of cracking.
 
Normally a process like this iterates through every combination of every character, a-z then A-Z then 0-9 and then all the funny extra characters like quotation marks and other such symbols. If a password was only 1 character long, that’s not many options. However, every extra character exponentially increases the number of combinations.
 
Let’s assume only characters can be used – just lower case.
a-z = 26

Number of Characters    Number of Combinations
1                       26
2                       676
3                       17,576
4                       456,976
5                       11,881,376
6                       308,915,776
7                       8,031,810,176
8                       208,827,064,576
9                       5,429,503,678,976
10                      141,167,095,653,376
 
Let’s assume only characters can be used, upper and lower case.
a-z = 26
A-Z = 26
Total = 52
Therefore, there are 52 different combinations with only 1 character. But if you include 2 you can have aa, ab, ac, ad, etc. all the way through to ZZ. Therefore the combinations multiply and come to 2,704 combinations.

Number of Characters    Number of Combinations
1                       52
2                       2,704
3                       140,608
4                       7,311,616
5                       380,204,032
6                       19,770,609,664
7                       1,028,071,702,528
8                       53,459,728,531,456
9                       2,779,905,883,635,710
10                      144,555,105,949,057,000
 
You should be able to see that the number of combinations changes greatly depending on the length of the password and the number of different characters that can be used in it.
 
This is why some web sites mandate a minimum length and the inclusion of numbers.
 
The more combinations there are, the more possible passwords that AREN’T yours there are likely to be, so your password gets lost in the crowd. So the strength comes from the “maximum” number of combinations.
 
In computer terms the “character” is the bit. 1 bit has two options, on or off. Two bits have 4 combinations: 00, 01, 10, 11. Every additional bit doubles the number of combinations, so that 8 bits can form 256 unique combinations. This is what is meant by the bit length of encryption.
 
 

Dictionary Attack

Similar to Brute Force, except instead of trying every possible character the attack is “loaded” with likely passwords and keys. For instance, most passwords are words, or based in part on words. The Dictionary Attack still provides for variation, but the variation is based on likely combinations.
For example, the following is just a small example as to variations that might be created from the dictionary word “password”
Password
pAssword
pa55w0rd
password452
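The defensive mirror of this attack is a password check that collapses a candidate back to the dictionary word it was mangled from and rejects it. The following is an added Python example, not code from the original post: `LEET_TO_LETTER` is an assumed reverse map of common substitutions, `WORDLIST` is a constructed stand-in for a real dictionary file, and the candidate passwords (including the four variants listed above) are constructed inputs.

```python
import re

# Reverse map of the common "leet" substitutions a mangling rule set applies (assumed set).
LEET_TO_LETTER = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
                  "@": "a", "$": "s", "!": "i", "|": "l"}

# Constructed mini wordlist standing in for a real dictionary file.
WORDLIST = frozenset({"password", "hello", "welcome", "secret", "dragon",
                      "monkey", "letmein", "summer"})


def unleet(s: str) -> str:
    """Map digits and symbols back to the letters they usually stand in for."""
    return "".join(LEET_TO_LETTER.get(ch, ch) for ch in s)


def base_forms(candidate: str) -> set[str]:
    """Collapse a candidate password to the base words a mangling rule set
    could have produced it from. Several orders are tried because stripping
    and un-leeting do not commute (password452 versus hell0)."""
    s = candidate.lower()
    forms = set()
    # strip leading symbols and trailing digits/symbols, then undo leet:
    # Password!, password452, pa55w0rd
    forms.add(unleet(re.sub(r"^[^a-z0-9]+|[^a-z]+$", "", s)))
    # undo leet first, then strip: hell0, w3lcome2024
    forms.add(re.sub(r"^[^a-z]+|[^a-z]+$", "", unleet(s)))
    # letters only: pass-word, s.e.c.r.e.t
    forms.add(re.sub(r"[^a-z]", "", s))
    return {f for f in forms if len(f) >= 3}


def is_dictionary_variant(candidate: str, wordlist=WORDLIST):
    """Return (True, base_word) if the candidate is a wordlist entry or a
    simple mangling of one, else (False, None)."""
    for form in sorted(base_forms(candidate), key=len, reverse=True):
        if form in wordlist:
            return True, form
    return False, None


if __name__ == "__main__":
    # constructed candidates, including the four variants listed in the post
    for pw in ("Password", "pAssword", "pa55w0rd", "password452",
               "hell0", "W3lcome2024!", "xq7!vL2p"):
        hit, base = is_dictionary_variant(pw)
        verdict = f"reject (variant of '{base}')" if hit else "accept"
        print(f"{pw:14} -> {verdict}")
```

The check deliberately normalises in the same directions a cracking rule set mangles (case, leet, appended digits), so a policy built on it rejects exactly the “variations” the post describes rather than relying on length and digit rules alone.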

 

What is Cryptography 

Tuesday, October 13, 2009 4:23:00 AM Categories: Basics
In these posts I’ll describe some basic principles of cryptography.
 
With over a decade of cryptography experience I’ll offer information, tips and tricks I’ve learnt over time.
 
I believe that most cryptographic implementations are flawed because of simple lack of understanding. I’ll attempt to outline how cryptography works so that people can make systems stronger.

What Is Cryptography?

Cryptography literally means hiding information. Cryptography of data can be likened to security measures on a building. Some measures, such as guarded doors, prevent intrusion into the building by unauthorised people, which is like firewalls blocking intrusion into a computer network. Some measures ensure that only some people have access to some areas of the building, such as security cards, which is similar to computer login security. Some measures prevent intruders from gaining access to your specific items in a building, such as safes protecting company documents, which is similar to encrypting data.
 
And just like in these analogies, if a thief is knowledgeable enough, has the right tools and has enough time, they can get in and get the valuables. There is no security that can be put on a building that will stop someone getting in if they have the time, money and resources. The intention is to make it so difficult and require so much effort that it isn’t worthwhile.
 
Even if you give your office building the very best security measures, a military strike force is likely to make short work of getting your valuables. Therefore all of your security measures are targeted at organisations with fewer resources than governments and armies. So if you want to protect information that is important to national security, a well secured office building isn’t adequate. However, information that is only useful to your competitors is likely to be perfectly safe in the same office.
 
Unfortunately computers cut through a lot of physical barriers, so the resources required to break into and through computer security are more a matter of time. In the real world the time taken to crack a safe is dependent on the construction of the safe (materials and design), the skill of the safe cracker and the tools the safe cracker has at hand. In cyberspace the time taken to crack an encryption is dependent on the strength of the encryption (type and key), and the processor resources available to crack the encryption. Throw 1,000 safe crackers at a safe and you will probably slow down the safe cracking process. Throw 1,000 computers at an encryption and you will crack the encryption 1,000 times faster.
 
Once someone has your data, encrypted or otherwise, it is just a matter of time before they can access the data. For this reason the strongest focus of cryptography is on the procedures and processes put in place to block people from getting to the data in the first place. That includes ensuring the communication taking place is between validated and authenticated people and ensuring that the communication is secure. Encryption, although a valuable tool, is always a safety backup.

 

Copyright 2006 Blog Author