# Attacks on Cryptographic Systems (Part I)

• Soft Attacks
No matter how sophisticated the attack techniques become, one must not forget that when the ultimate goal is to obtain the secret message, coercion or social engineering are often the most effective attack techniques. These attacks rely on physical or psychological threats, robbery, bribery, embezzlement, etc., and are directed at the human links of the data-security chain rather than at the cipher itself.
Social networks have become a launching pad for this kind of attack. In a typical soft attack such as spear-phishing, e-mail addresses and information about the victim's social circle are harvested from social networks and then used to send targeted e-mails carrying malware, or a convincing pretext, that leads the victim to reveal credentials or other secret information giving access to secured systems.
• Brute Force Attacks
Assuming, as Kerckhoffs's principle recommends, that the algorithm used for encryption and the general context of the message are known to the cryptanalyst, a brute-force attack consists in determining the specific key that was used to encrypt a particular text. When successful, the attacker will also be able to decipher all further messages until the key is changed. The simplest way to determine the key is an exhaustive search of the key-space (defined as the set of all valid keys for the particular crypto-system), trying each candidate key in turn until one yields a sensible plaintext or reproduces a known plaintext/ciphertext pair.
In the setting described here, brute force is a passive, off-line attack: the attacker Eve eavesdrops on the communication channel and records ciphertext exchanges for later analysis, without interacting with either Alice or Bob.
To estimate the time that a successful brute-force attack will take we need to know the size of the key-space and the speed at which keys can be tested. If $N_k$ is the number of valid keys and we can test $N_s$ keys per second, it will take on average $\frac{1}{2}\frac{N_k}{N_s}$ seconds to find the proper key by brute force, and at most $\frac{N_k}{N_s}$ seconds if the correct key happens to be tried last. For a key of $n$ bits, $N_k = 2^n$, so every additional key bit doubles the work.
The threat that a brute-force attack poses must not be underestimated in the real world. Many financial institutions still use cipher-systems based on DES. A 56-bit key, such as the one used by the standard implementation of DES, can be recovered by brute force using computer hardware and software available since the late 1990's; the EFF's purpose-built DES cracker demonstrated this in 1998. To counter this possibility, most contemporary implementations of DES use a derivative known as Triple-DES (or 3-DES), which applies DES three times with either three independent 56-bit keys (a nominal key length of 168 bits) or two (112 bits). Note that the nominal 168-bit length overstates the strength of three-key 3-DES: because of the meet-in-the-middle attack its effective security against key recovery is about 112 bits, still far beyond exhaustive search but well short of 168.
Brute-force analysis has also been used in combination with other attacks, as was the case for the breaking of the Enigma. The famous bombes were an example of the brute-force approach working together with a mathematical method, driven by known-plaintext "cribs", that provided an important reduction of the key-space to be searched.
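As an added example (not part of the original post), the Python code below computes the time estimate from the formula above and then runs an actual exhaustive key search, the way Eve would, against a toy 16-bit Feistel cipher. The cipher, the secret key 0xBEEF and the plaintext blocks are constructed for illustration only; the toy is deliberately tiny so the whole key-space can be exhausted in well under a second, and it stands in for DES without being DES.

```python
"""Brute-force key search: the cost estimate from the text, plus an exhaustive
search against a toy cipher (a constructed stand-in, not DES)."""

KEY_BITS = 16    # toy key-space of 2**16 keys, small enough to exhaust here


def expected_seconds(key_bits, keys_per_second):
    """Average time to hit the right key: half of the key-space, (1/2) * N_k / N_s."""
    n_k = 2 ** key_bits
    return n_k / keys_per_second / 2


def worst_case_seconds(key_bits, keys_per_second):
    """Time to exhaust the entire key-space, N_k / N_s (the key is tried last)."""
    return 2 ** key_bits / keys_per_second


def _subkey(key, round_index):
    # 8-bit round subkey derived from alternating halves of the 16-bit key
    half = (key >> (8 * (round_index % 2))) & 0xFF
    return half ^ ((0x3C * round_index) & 0xFF)


def _round_function(half, subkey):
    x = (half + subkey) & 0xFF
    x = ((x << 3) | (x >> 5)) & 0xFF   # rotate left by 3 within 8 bits
    return x ^ subkey


def toy_encrypt(key, block, rounds=4):
    """16-bit Feistel block cipher with a 16-bit key, constructed for this
    example only; it is NOT secure and exists so the key-space can be exhausted."""
    left, right = block >> 8, block & 0xFF
    for i in range(rounds):
        left, right = right, left ^ _round_function(right, _subkey(key, i))
    return (left << 8) | right


def toy_decrypt(key, block, rounds=4):
    """Inverse of toy_encrypt: undo the Feistel rounds in reverse order."""
    left, right = block >> 8, block & 0xFF
    for i in reversed(range(rounds)):
        left, right = right ^ _round_function(left, _subkey(key, i)), left
    return (left << 8) | right


def brute_force(known_pairs):
    """Exhaustive search: Eve tries every key and keeps those that map each
    known plaintext block to its observed ciphertext block. With a single
    16-bit block, roughly one wrong key is expected to match by chance
    (2**16 - 1 wrong keys, each matching with probability 2**-16), so a
    second known block is needed to pin the key down."""
    candidates = []
    for key in range(2 ** KEY_BITS):
        if all(toy_encrypt(key, pt) == ct for pt, ct in known_pairs):
            candidates.append(key)
    return candidates


if __name__ == "__main__":
    secret_key = 0xBEEF                 # shared by Alice and Bob, unknown to Eve
    plaintexts = [0x4869, 0x2121]       # constructed known-plaintext blocks
    ciphertexts = [toy_encrypt(secret_key, pt) for pt in plaintexts]

    one_block = brute_force([(plaintexts[0], ciphertexts[0])])
    two_blocks = brute_force(list(zip(plaintexts, ciphertexts)))
    print("keys consistent with one block :", [hex(k) for k in one_block])
    print("keys consistent with two blocks:", [hex(k) for k in two_blocks])

    # DES: 2**56 keys at roughly 9e10 keys/s (the order of magnitude of the
    # 1998 EFF DES cracker) gives an average of a few days.
    print("DES average:", expected_seconds(56, 9e10) / 86400, "days")
    print("DES worst  :", worst_case_seconds(56, 9e10) / 86400, "days")
```

The point of returning every consistent key rather than the first match is the check a practitioner needs in practice: when the block is no larger than the key, a single known plaintext/ciphertext pair does not uniquely identify the key, and the search must be confirmed against a second block (or against the plausibility of the decrypted text) before Eve can trust the result.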

To be continued…..


### 8 Responses to Attacks on Cryptographic Systems (Part I)

1. Wandee says:

The One-Time-Pad invented in 1917 by Mauborgne and Vernam is still today the only known encryption tool that theoretically cannot be broken. Why nobody ever suggested another way of using the One-Time-Pad (replacement of characters with randomly selected characters from a pad) is a mystery to me. A pad that doesn't require equal length to the message being encrypted and that is re-usable as long as the key stays secret. It is possible and has been done; so why do we still look for a mathematical algorithm that never will be safe or secure under brute-force attack?

• Mario says:

In a one-time-pad system it is not advisable to re-use sequences of characters because there are methods that will reveal both the message and the key for the parts where this was done. During WW2 and a few years after, the Allies were able to decipher Russian messages because Russian cryptographers became complacent (or too busy) and repeated entire pages of the random keys sent to the field agents.
For the case of messages encoded using binary strings, there is a trivial operation (XOR) that will reveal the message if the key is repeated.

• Wandee says:

In my comment there is no suggestion that would imply the re-use of sequences of characters. If you go to >http://wandeeblog.wordpress.com < you will find the start of a blog I am intending to complete within the first week of the New Year to show that it is possible to have a secure OTP which permits reuse of the key as long as it stays secret. The system (software developed and tested by us) has actually been tested by 3 independent universities and below is a reply from the deputy dean of the computer and software development department of an Australian university:

"Hi Wandee, If part of the cipher-text is lost, can you decrypt the remainder of the message? I'm thinking – no. This has some of the properties of a block chaining cipher. I'm not complaining – it's very good. I can't see any weaknesses at all."

We still wait for the reply from the two other universities (focusing on cryptology) that suggested to us that they could break the code if we would use an OTP that would be outside the rules laid down by Shannon in 1949. We are still waiting and we know that we will have to wait until doomsday and thereafter since our Pad cannot be broken without being in the possession of the correct key.

2. Mario says:

Wandee, excuse my skepticism; we have all seen a lot of claims about unbreakable schemes go up in flames before. However, I am always open-minded and willing to analyze new algorithms. Moreover, as you know, one of the cardinal rules of modern encryption is that the algorithm should be publicly available and only the key needs to be secret. I guess that, after you have secured your intellectual property rights, you should publish your method for the whole cryptographic community to see.

• Anonymous says:

Mario, the problem is algorithms that got us into trouble in the first place. The One-Time-Pad doesn't use an algorithm but requires a physical action by someone who has to select random characters for the pad used to replace the characters of the original message. People that work in the field know that. They also know that a message cannot exceed the length of the pad or that it will generate patterns that can be identified.
There seems to be not much intellectual property, since we didn't invent anything but used simple rules permitting us to generate a pad that is endless despite the fact that it is only a 1.4 KB file that contains 500 to 600 characters. Just as Newton couldn't claim an intellectual property right to gravity, we don't have a claim on something so obvious to us that has been overlooked for such a long time – nearly 100 years.
As far as skepticism goes, we had to face it when we approached academics working in the field at different universities. When we asked them to evaluate the system we got replies such as having no time due to other workload, or from Bruce Schneier a flat three words, "No Thank You", without regards or anything. The ones that replied and took the time are stunned, as is Jim in Australia who, believe me, tried everything to break the system. For them the claim has turned into a fact, only to go up in flames if our system can be broken. One hint for you before the New Year starts – the solution is not an algorithm but text. If you would like the complete text of our blog prior to us publishing it all (we would take 2 to 3 weeks with that to allow discussions about each chapter), give me an email address and I will mail it to you. As a reply here I would think it would exceed what you would regard as a normal reply (8 A4 pages). My email address is wandee@inbox.com. My partners and I don't have a problem with it if you would like to publish the results if you come to the same conclusions as 3 professors (one a deputy dean of a computer and computer languages department, another working in computer science and cryptology and the last working in the field of mathematics), that we have something of substance. When we started our enterprise we certainly didn't look for mega bucks, but we felt very angry about privacy and the way it has been eroded. It started off with an article in a US magazine reporting about the NSA center in Utah about 2 years ago.

Regards

Wandee

3. Anonymous says:

I tried to but it seems that it will not work on the last day of the year.
Happy New Year – Wandee

4. Anonymous says:

Here is another mystery of modern science – I was locked into my email account when replying to your comment and now I have been reduced to Anonymous.

Happy New Year Mario, for you, your family and friends. Looking forward to hearing from you!

Best Regards

Wandee