It is very important to understand cryptographic security. Imagine that you’ve taken some data, encrypted it, effectively put it into a safe, and shipped that safe off to someone else. You’re hoping, of course, that the information inside is really secure, but how do you really know? The attackers obviously don’t have the combination to the safe, but they are going to look for a way to get into it. They’re going to try every possible combination. Maybe they know that this particular safe was built in a way that allows access if you use the right kind of tools against it. Those are the ways attackers try to break cryptographic security, and this is why we should know the importance of cryptographic security.
What is the Importance of Cryptographic Security?
These are some of the attacks done by the attackers:
Known Plaintext Attack (KPA)
Sometimes the weakness is a cryptographic shortcoming, and sometimes it’s just the way that we’ve implemented the cryptography and what we’re using. One attack against a number of different cryptographic methods is called the known plaintext attack, or KPA. This is when the attacker has, obviously, the encrypted information but also has a little bit of the plaintext, something they were able to discern perhaps in some other way. If you have a little bit of the plaintext, you may be able to start breaking down the cryptographic security. This known plaintext is often called the crib. It helps you determine what the rest of the plaintext happens to be.
The password file
We use cryptography quite a bit when we’re storing passwords on our devices, because we often store these passwords as hashes. A hash is a one-way function. You can’t determine what the password is once you have the hash. The only way to find that password is to hash every other possible combination and see if you can get the two hashes to match each other.
One way to optimize this would be to create an enormous table that took every possible password option and already had this data pre-calculated and stored. We call these rainbow tables, so instead of having to perform the hash for every possible scenario, you’ve already done it and stored that hash information. This means all you need to do now is perform a simple search, and in a matter of seconds, you can match up hashes and determine what these passwords might be. One of the challenges, though, is that different methods of storing passwords store the hash in different ways. So the hash for Windows is going to be different than a hash for MySQL. That means you’ll need to build a separate set of rainbow tables for each one of these unique situations. This is also why it’s recommended that you salt any passwords that are going to be stored. A salt is an extra bit of random information that’s added to the password, so even if somebody was storing exactly the same password with two different usernames, those two hashes would be completely different and would be impossible to discern using a rainbow table.
If you are trying to reverse-engineer someone’s password, one of the best ways to do this is with a dictionary attack. People tend to use common words as their passwords, and if you could get the most common words and try those first, you’ve got a better chance of finding those passwords very quickly. You can find many lists on the internet that have the most common passwords that people have used, where words like password and ninja and football tend to be in the top five or top ten of passwords that people will use. You’ll find those word lists customized by language, and sometimes by line of work. And if you’re someone who’s trying to audit your own passwords, you may want to have a look at some of those lists and try a brute-force yourself. This will catch people that are using common words. It’ll catch the people that aren’t putting a lot of thought into their password. But you’ll still need to use other types of password attacks if you plan on catching people who are very secure with their passwords.
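The salting paragraph and the password-audit suggestion above can be seen together in one added example (not code from the original page). The word list, account names, use of SHA-256 and PBKDF2, and the iteration count are all assumptions chosen for illustration, and the simple lookup dictionary stands in for a precomputed table.

```python
import hashlib
import hmac
import os

# Constructed sample word list standing in for a common-password list.
COMMON_PASSWORDS = ["password", "ninja", "football", "letmein"]

def unsalted_hash(password):
    """Weak scheme: one fast hash, no salt."""
    return hashlib.sha256(password.encode()).hexdigest()

def build_lookup_table(words):
    """Precompute hash -> password once; reusable against every unsalted hash."""
    return {unsalted_hash(w): w for w in words}

def store_password(password, iterations=100_000):
    """Stronger scheme: per-account random salt plus slow PBKDF2-HMAC-SHA256."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest

def verify_password(password, record):
    salt, iterations, expected = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, expected)  # constant-time comparison

def audit_unsalted(db, table):
    """One table lookup per account flags every listed password."""
    return {user: table[h] for user, h in db.items() if h in table}

def audit_salted(db, words):
    """No table to reuse: each word is re-hashed with each account's salt."""
    found = {}
    for user, record in db.items():
        for word in words:
            if verify_password(word, record):
                found[user] = word
                break
    return found

if __name__ == "__main__":
    # Constructed accounts: two users who picked the same common password.
    weak_db = {u: unsalted_hash("football") for u in ("alice", "bob")}
    strong_db = {u: store_password("football") for u in ("alice", "bob")}
    print(weak_db["alice"] == weak_db["bob"])            # same hash for both users
    print(strong_db["alice"][2] == strong_db["bob"][2])  # salts make them differ
    print(audit_unsalted(weak_db, build_lookup_table(COMMON_PASSWORDS)))
    print(audit_salted(strong_db, COMMON_PASSWORDS))
```

The salt removes the precomputation shortcut, but the audit still flags a common password; the difference is that every guess now costs a full PBKDF2 computation per account.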
With a brute-force attack you don’t use a dictionary. Instead you’re using every possible combination of letters, special characters, and numbers to try to determine what someone’s password might be. If you’re trying to use a brute-force attack online, it can be very difficult. It’s a slow process, and most systems detect when somebody’s using the wrong password over and over, and they either slow down or completely disable an account. Instead, it’s much easier if you can gain access to the file that contains the hashed passwords. That way you can take it offline and run it through an automated process where you don’t have the slowdowns or any type of account disabling to deal with. You can calculate a hash, compare it to what’s stored, and see if you can determine what those passwords might be. This may take a lot of computing power to calculate all of these hashes, but at least you know you’re going through every possible combination and you will be able to determine what that password is.
If you have a classroom of 23 students, what is the probability that two of those students share exactly the same birthday? It may surprise you to know that it’s about 50%. If you increase the number of students to 30, there’s almost a 70% chance that two of those students are going to share exactly the same birthday. In the digital world, we call this a hash collision. That’s when you have the same hash value even though different plaintext is being calculated for that hash. That’s not something you’d like to see in your hashing algorithms. With a hash collision, the attacker would be able to use their own plaintext to match a hash value that you’re using for validation. One thing you can do is to use larger and larger hash sizes in an attempt to avoid any type of collision. This is a fundamental rule in hashing.
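To make the link between the classroom numbers and hash size concrete, the following added example (not part of the original page) computes the birthday probability and then shows how quickly two inputs collide when a hash is cut down to a small number of bits. Truncated SHA-256 and the `message-N` inputs are assumptions used only to make collisions cheap enough to observe.

```python
import hashlib
import math

def birthday_probability(people, days=365):
    """Chance that at least two of `people` share one of `days` equally likely values."""
    p_unique = 1.0
    for i in range(people):
        p_unique *= (days - i) / days
    return 1.0 - p_unique

def hashes_for_even_odds(bits):
    """Approximate number of random inputs giving a 50% collision chance
    for an ideal hash with `bits` bits of output (birthday bound)."""
    return math.sqrt(2 * math.log(2) * 2 ** bits)

def truncated_sha256(data, bits):
    """Keep only the top `bits` bits of SHA-256 to model a small hash."""
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return digest >> (256 - bits)

def find_collision(bits):
    """Hash constructed messages until two different ones share a truncated hash.
    Returns (first_message, second_message, number_of_hashes_computed)."""
    seen = {}
    counter = 0
    while True:
        msg = f"message-{counter}".encode()
        h = truncated_sha256(msg, bits)
        if h in seen:
            return seen[h], msg, counter + 1
        seen[h] = msg
        counter += 1

if __name__ == "__main__":
    print(f"23 students: {birthday_probability(23):.3f}")
    print(f"30 students: {birthday_probability(30):.3f}")
    for bits in (16, 24):
        a, b, tries = find_collision(bits)
        print(f"{bits}-bit hash: {a!r} and {b!r} collide after {tries} hashes "
              f"(birthday estimate {hashes_for_even_odds(bits):.0f})")
    for bits in (128, 256):
        print(f"{bits}-bit hash: about 2^{math.log2(hashes_for_even_odds(bits)):.1f} "
              "hashes for even odds")
```

Each extra bit of output only multiplies the work to find a collision by about 1.4, so collision resistance is roughly half the hash length in bits, which is why larger hash sizes are used.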
There are a number of cryptographic algorithms that we’ve used through the years that we no longer take advantage of. Instead we’ve moved to algorithms that are better and stronger.