Code Breaking Methods – Cryptology – Cryptanalysis = Code breaking
The code breakers of Bletchley Park were cryptanalysts. Cryptanalysis is the study of analyzing information systems in order to uncover the hidden aspects of those systems. There are several ways to find the blind spot in an encryption scheme.
The easiest attack is social engineering. If you ever claim to be a “temp” who needs the password on an account reset, then the “helpless” temp is a good line of attack.
Brute force is the most time-consuming attack, as all possible combinations are tried until the right key is found. However, it is guaranteed to work, given enough time and computing resources. The game of brute force is that if you change your password every 28 days, then I have to crack it in 14 days to get 14 days of access. Privacy demands that I make my password able to withstand an attack for 28 days, or until I change the password.
Length of password stops the brute force attack.
It is easy to crack a 6 letter password, but far more difficult to crack a 10 letter password, even with cloud computing. You are recommended to use a 14 or 15 character password.
Of course it goes without saying that your password will use special characters, upper case and a number. The reason is that this forces the attack to use all 95 keys on the keyboard, rather than 26 lower case letters + 10 numbers. A key built from 36 items is easier to crack than one built from 95 characters. Go for length rather than complexity to thwart a brute force attack.
Frequency analysis is now old school, but it is worthwhile being aware of. The English language uses certain letters with a higher frequency and other letters hardly at all. Consider the use of the letter E compared to how often you’ll see an X or a Z. That’s frequency analysis at work. Any self-respecting cipher will work to block frequency analysis.
Man in the Middle Attack.
Here the attacker acts as an “agent”, sat between both parties. They each think they are communicating with the correct person, but a 3rd person is acting as a broker or middle man to their communication.
A man in the middle is an eavesdropper who acts like a router, which is why the weak MD5 encryption used on Cisco routers is a major concern. The ideal place for surveillance to take place is on the ISP’s router. Think of the UK’s Snoopers Charter, where the ISP has to store all your browsing history for 12 months. The government is carrying out a Man in the Middle Attack via the router.
It’s worthwhile noting that foreign governments have the expertise and motive to carry out such attacks. The Greek government was hacked by a 3rd party for several months.
If a plain text part of the message can be identified, it gives clues to the encryption keys.
In Bletchley Park, standard wartime messages such as weather forecasts gave away known plain text, which helped identify the keys in use.
One Time Pad
The only encryption system that cannot be broken is a one-time pad. This needs a list of random keys the same length as or longer than the message. The keys must never be reused.
Side attacks using programming flaws are often used.
To start the key we need an IV or Initialisation Vector. If the software reuses a small IV, then the encryption is easily broken. Any system where the IV is not totally random will fail when the code breakers start working on it. They will spot the patterns and reuse of the IV, and then be able to break the code.
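The following is an added example, not part of the original page: it shows why a reused IV (or a reused one-time pad key) fails once an attacker knows one plaintext, and includes a defensive check that flags repeated IVs in stored records. The toy SHA-256 counter-mode cipher, the function names and both messages are constructed for illustration.

```python
import hashlib
import secrets
from collections import Counter

def keystream(key: bytes, iv: bytes, n: int) -> bytes:
    """Toy stream cipher (constructed for this example): SHA-256 in counter mode."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + iv + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]

def xor(a: bytes, b: bytes) -> bytes:
    # zip() stops at the shorter input, so the result has the shorter length
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    return xor(plaintext, keystream(key, iv, len(plaintext)))

def recover_with_known_plaintext(c_known: bytes, p_known: bytes, c_other: bytes) -> bytes:
    """Same key + same IV gives the same keystream, so c1 ^ p1 ^ c2 == p2."""
    return xor(xor(c_known, p_known), c_other)

def reused_ivs(records):
    """Defensive check: IVs that occur more than once in (iv, ciphertext) records."""
    counts = Counter(iv for iv, _ in records)
    return sorted(iv for iv, n in counts.items() if n > 1)

def demo():
    key = secrets.token_bytes(32)
    fixed_iv = b"\x00\x00\x00\x01"                 # small, reused IV: the flaw
    weather = b"WEATHER REPORT: WIND NW FORCE 3"   # constructed known plaintext
    orders = b"CONVOY SAILS AT DAWN FROM PORT"     # constructed secret message
    c1 = encrypt(key, fixed_iv, weather)
    c2 = encrypt(key, fixed_iv, orders)
    leaked = recover_with_known_plaintext(c1, weather, c2)  # key never needed

    # Corrected usage: a fresh random IV per message, so keystreams differ
    iv3, iv4 = secrets.token_bytes(16), secrets.token_bytes(16)
    c3 = encrypt(key, iv3, weather)
    c4 = encrypt(key, iv4, orders)
    safe = recover_with_known_plaintext(c3, weather, c4)    # yields only noise

    flagged = reused_ivs([(fixed_iv, c1), (fixed_iv, c2), (iv3, c3), (iv4, c4)])
    return leaked, safe, flagged, orders

if __name__ == "__main__":
    leaked, safe, flagged, _ = demo()
    print("reused IV leaks:", leaked)
    print("fresh IVs leak :", safe.hex())
    print("IVs to fix     :", flagged)
```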
Privacy demands that Cryptologists have the upper hand over Cryptanalysts.
Use the strongest encryption keys that you can. Follow the EU ENISA advice to use RSA 4k at a minimum and move to RSA 16k as soon as software allows. RSA 2048 is not safe to use. Neither are the hashing programs MD5 or SHA1.
But the greatest weakness will always be you. Make sure you use 15 character passwords, use special characters in every password, and change your password often.
It’s a game of cat and mouse. Long may Cryptologists rule.
CEH – Certified Ethical Hackers course.