Cryptography is a science that applies complex mathematics and logic to design strong encryption methods. Achieving strong encryption, the hiding of data’s meaning, also requires intuitive leaps that allow creative application of known or new methods. So cryptography is also an art.
Information plays a vital role in the running of businesses, organizations, military operations and so on. Information in the wrong hands can lead to loss of business or catastrophic results. To secure communication, a business can use cryptology to encipher information. Cryptology involves transforming information into a non-human-readable format and vice versa.
Cryptography is the study and application of techniques that hide the real meaning of information by transforming it into non-human-readable formats and vice versa.
Let's illustrate this with an example. Suppose you want to send the message “I LOVE APPLES”. You can replace every letter in the phrase with the third successive letter in the alphabet. The encrypted message will be “K NQYG CRRNGV”. To decrypt the message, we go back three letters in the alphabet from each letter that we want to decrypt. The image below shows how the transformation is done.
It is a common observation that network administrators invest time and money to design security around applications, servers and other infrastructure components, but tend to take cryptographic security less seriously. Before we talk about the various attacks, let's first understand that cryptography is all about the key, the data, and the encryption and decryption of the data using the key. A few cryptographic attacks try to decipher the key, while others try to steal data on the wire by performing some advanced decryption. Let's take a look at a few common attacks on cryptography.
In this type of attack, the attacker intrudes into the network and establishes a successful man-in-the-middle connection. The attacker silently watches the HTTPS traffic on the wire and waits for the targeted website to respond to a browser's HTTPS request. As we learnt earlier, the server is supposed to send its digital certificate to the browser as part of the SSL handshake. The attacker grabs this certificate and notes down details such as the domain name, expiration date, cipher strength etc. The attacker then creates his own certificate, called a self-signed certificate, containing the same information as the captured certificate. From this point onwards, the attacker becomes a real man-in-the-middle: each browser request is intercepted and answered with the fake certificate. As a normal response to this situation, the web browser pops up a warning to the user, which in most cases is ignored by the person browsing the website, and thus the attacker is successful. On the server side, the attacker establishes a separate HTTPS connection to complete the request, and the response is fed back to the browser on the connection already established. This gives the attacker complete control over the SSL traffic and helps steal personal information. Since this attack involves a real intrusion into the network, it is less likely to happen, but it can result in serious data loss. Also, since the attacker does not break the request and response chain, the data theft is tough to detect.
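The ignored browser warning has a direct equivalent in client code: a TLS context with verification switched off accepts the self-signed certificate silently. The following is an added example, not code from the original article; the function names are illustrative, and it contrasts such a context with a strict one and audits both using Python's standard `ssl` module.

```python
import ssl

def weak_client_context():
    """Accepts any certificate, self-signed included (the ignored-warning case)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # has to be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE   # no chain validation at all
    return ctx

def strict_client_context():
    """Requires a chain to a trusted CA and a certificate matching the host name."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def audit(ctx):
    """Return the settings that would let a self-signed certificate through."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("host name is not checked against the certificate")
    return findings

if __name__ == "__main__":
    for name, ctx in (("weak", weak_client_context()),
                      ("strict", strict_client_context())):
        print(name, audit(ctx) or "no findings")
```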
Similar to the attack mentioned above, in this type the attacker injects a JavaScript code snippet into the browser to create a man-in-the-browser situation. This snippet monitors all SSL activity and records the session. While this is happening, the attacker also records the encrypted version of the same session and programmatically tries to find out the cipher strength and the key, besides stealing data. This attack has become more popular lately, due to multiple open source browsers and the various security vulnerabilities in each of them.
This is another intrusive type of attack, in which the attacker gains access to the web server that hosts the website. This can be achieved by using the intrusion techniques already discussed in previous articles of this series. Once the server is compromised, the attacker uses a privilege escalation attack to gain access to the certificate store, from where the private key can be obtained. The attacker then uses packet sniffing to capture an entire HTTPS session and stores it for offline decryption. The decryption process needs the private key, which is already stolen, and the public key, which is available in the browser's trusted authority key store. The data deciphered this way might reveal vital personal information such as user ID, address, credit card number etc., assuming that the targeted website sells goods online using e-commerce technology.
This attack relies on a mathematical theory called the birthday problem paradox, which says that statistically, in a set of randomly selected people, some pairs of people will have the same birthday. This theory tends to be more accurate when the number of people chosen is large. In cryptography, data integrity is established using a hash or checksum, which is calculated at both ends of the transmission to ensure that the data has not been tampered with. The birthday attack targets the hash, and needs multiple attackers coming together who individually capture chunks of data and share them among themselves. Each chunk is then analyzed programmatically to create an additional set of data, in such a way that its hash matches that of the data chunk. In other words, for a given combination of data chunk and hash, the mathematical algorithm creates a clone data set. Further processing of the original data chunk and the resultant data set helps derive the encryption key. This attack is very time consuming and technically complex, but is possible using multiple powerful computing machines and software programs.
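The birthday effect is easy to observe on a deliberately shortened hash. The following is an added example, not code from the original article: it truncates SHA-256 to 24 bits (an assumption made so the search finishes instantly), hashes constructed messages until two of them share a digest, and compares the work done with the square-root estimate that makes short hash outputs unsafe.

```python
import hashlib

def truncated_digest(data, bits):
    """First `bits` bits of SHA-256(data), as an integer."""
    full = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return full >> (256 - bits)

def find_collision(bits):
    """Hash distinct constructed messages until two share a truncated digest.

    Returns (message_a, message_b, hashes_computed).
    """
    seen = {}                      # truncated digest -> first message that produced it
    counter = 0
    while True:
        msg = b"constructed-message-%d" % counter
        tag = truncated_digest(msg, bits)
        counter += 1
        if tag in seen:
            return seen[tag], msg, counter
        seen[tag] = msg

def birthday_bound(bits):
    """Approximate hashes needed for a 50% collision chance: 1.1774 * sqrt(2**bits)."""
    return 1.1774 * 2 ** (bits / 2)

if __name__ == "__main__":
    bits = 24
    a, b, work = find_collision(bits)
    print("colliding messages:", a, b)
    print("hashes computed:", work, "of", 2 ** bits, "possible digests")
    print("estimate for %d bits: %.0f" % (bits, birthday_bound(bits)))
    # The same estimate for the full 256-bit digest is about 2**128 hashes.
    print("estimate for 256 bits: %.3e" % birthday_bound(256))
```

The collision appears after a few thousand hashes rather than millions, because the cost grows with the square root of the number of possible digests. That is why a hash used for integrity needs an output far longer than the work an attacker can afford.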
As we learnt earlier, attackers always aim for the data as well as the key in order to completely compromise a cryptographic system. The chosen dataset method consists of two different types. In the first type, called chosen plaintext, the attacker is assumed to have access to the original data and the encrypted version of it. The attacker then applies multiple encryption keys to the original data, and each time the output is compared with the already encrypted version. If the result is positive, it means the key has been derived. In the second type, called chosen ciphertext, the attacker has the ciphertext and also the decrypted version of it. Again, the attacker tries multiple keys until the output matches the decrypted version already obtained. These attacks are a bit less time consuming; however, they need the attacker to gather an enormous amount of data and computational power to get the desired results.
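The key search described above can be followed end to end on the letter-shift cipher from the start of the article. The following is an added example, not code from the original article: it uses the article's plaintext with a constructed three-position shift, runs both variants of the search, and shows how the average number of trials depends on the size of the key space.

```python
import string

ALPHABET = string.ascii_uppercase

def caesar(text, shift):
    """Shift A-Z letters by `shift` positions (a negative shift decrypts)."""
    return "".join(
        ALPHABET[(ALPHABET.index(c) + shift) % 26] if c in ALPHABET else c
        for c in text
    )

def search_by_encrypting(plaintext, ciphertext):
    """First variant: encrypt the known plaintext under each candidate key
    and compare the output with the captured ciphertext."""
    for trials, key in enumerate(range(26), start=1):
        if caesar(plaintext, key) == ciphertext:
            return key, trials
    return None, 26

def search_by_decrypting(plaintext, ciphertext):
    """Second variant: decrypt the ciphertext under each candidate key
    and compare the output with the known plaintext."""
    for trials, key in enumerate(range(26), start=1):
        if caesar(ciphertext, -key) == plaintext:
            return key, trials
    return None, 26

def average_trials(key_bits):
    """Average number of keys tried before a hit in a key space of 2**key_bits."""
    return 2 ** (key_bits - 1)

# Constructed sample pair: the article's plaintext shifted three positions.
PLAINTEXT = "I LOVE APPLES"
CIPHERTEXT = caesar(PLAINTEXT, 3)

if __name__ == "__main__":
    print(search_by_encrypting(PLAINTEXT, CIPHERTEXT))
    print(search_by_decrypting(PLAINTEXT, CIPHERTEXT))
    # 26 keys fall at once; the same loop over a 128-bit key space
    # needs about 2**127 trials on average.
    print(average_trials(128))
```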
This is a different type of attack, in which the attacker sends very small data sets to be encrypted by the SSL protocol. The attacker captures the resulting output and stores it against the transmitted data set. After performing this operation on lots of data chunks, a key can eventually be derived. This process is very slow and can take days to decipher the key, and such attacks may be found to originate from within the firm's network. To speed up the process, this method is usually combined with the group key decipher attack.
As we learnt earlier, key-based encryption is dependent on the length of the key, where a bigger key results in more time being required to decipher it. In a group key deciphering attack, multiple attackers come together, each one with a powerful machine. Unlike the brute force way, where a lot of data is captured, in the group method only a given set of data is captured and used. This data is subjected to all the possible permutations of keys in an attempt to decrypt it. Since 256-bit encryption can usually take multiple years to decipher, using multiple powerful computing machines can bring the time down. Attackers also use statistical grouping of the keys to be tried from different machines, to bring that time down further. In the past, a few such experiments showed that cracking a 128-bit key required only a few days. With improving CPU speeds and throughput, it is feared that cracking a 1024-bit key can unfortunately become a reality soon.
Cryptography is all about trust, whereby a trusted certificate authority signs a certificate. The authority itself is supposed to be extremely secure; however, it has unfortunately happened in the past that an authority's own private key was exposed or stolen by an attacker. The attacker then uses this private key to sign a certificate created for a domain name that is the attacker's own site. A browser lured to this website will not suspect it, because the certificate will pass the authenticity test. This happens because the public key for such certificates is already present in the browser's certificate store. This can result, and in the past has resulted, in loss of personal information.
An attacker's main aim is usually to steal data. Since that is a troublesome and highly technical process in cryptography, a few attackers tend to use legacy methods such as a denial of service attack. SSL negotiation adds its payload on top of the TCP protocol, thus slowing down the communication to achieve security. To carry out an SSL denial of service attack, the attacker establishes SSL communication through a browser and then sends multiple bogus packets of varying length on that channel. Each packet is decrypted and processed on the server side, eventually exhausting CPU power and resulting in a service outage. In another form, which takes place at layer-3, TCP port 443 is bombarded with bogus fragmented packets, creating a similar effect.
In the FOSS world, cryptography is mainly used on web servers by implementing the SSL protocol. Besides that, open source developers can digitally sign code before sending it to a trusted party, to prevent wire-tapping. On a web server, the very first step is to use a digital certificate from a trusted authority. It should also use the latest and strongest cipher algorithm, and the key length should be at least 256 bits. The second step is to protect the certificate store, the crucial area on the web server where the website's private key is stored. Only administrators and network managers should have access to it. To protect a FOSS network from brute force attacks, other network security protections should be in place, which have already been discussed in previous articles of this series. While most critical infrastructures implement a firewall, a UTM device and powerful antivirus or anti-Trojan software, it is also imperative to have an intrusion detection system (IDS) in place. IDS systems are capable of intercepting denial of service and brute force attacks, and also help stop other critical anomalies. On Linux workstations, cryptography can also be used to encrypt a file or an entire disk.