Brute-force attacks are the simplest form of attack against a cryptographic system. In a brute-force attack, the attacker simply guesses repeatedly at the encryption key until he or she stumbles upon the correct value for the key and gains access to the encrypted information. In this video, learn how attackers wage brute-force attacks and how security professionals can protect against them.
- [Narrator] As long as cyber security experts have used encryption to protect sensitive information, attackers have sought to undermine that security and gain unauthorized access to that protected information. Over the centuries, attackers have developed a number of techniques designed to help them crack cryptographic algorithms. Brute force attacks are the simplest form of attack against a cryptographic system. In a brute force attack, the attacker simply guesses repeatedly at the encryption key until he or she stumbles upon the correct value for the key and gains access to the encrypted information.
Of course, guessing isn't easy, and brute force attacks can take a very long time to complete successfully, if they ever succeed. Brute force attacks require very little information to wage. The attacker simply needs to have an example of encrypted cipher text. For this reason, brute force attacks are also called known ciphertext attacks. Earlier in this course, I shared the example of a simple shift cipher. It simply moves each of the letters of the alphabet a certain number of places.
For example, a cipher with a shift of one changes A's to B's, B's to C's, and so on. With a shift of 3, A's become D's and B's become E's. This is a very simple cipher because there are only 25 possible shift keys. If you shift letters 26 places, well, the A's become A's and the B's become B's, and the cipher text is the same as the plain text. That's certainly not very secure. If you go ahead and shift 27 places, it's the same thing as shifting them one place.
The A's become B's and the B's become C's. In a situation like this, where there are only 25 possibilities, we say that the keyspace, or the list of all possible keys, is small. There are only 25 different encryption keys, and someone conducting a brute force attack would only have to guess, at most, 25 times before cracking the key. Modern algorithms use much longer keys so they generally aren't susceptible to brute force attacks.
Consider what's actually a fairly short key, using 56 bits of encryption, such as the outdated data encryption standard. That's 56 digits that may each be occupied by either a 1 or a 0. That might not sound like much, but it leaves 72 quadrillion possibilities, making it very hard to guess the decryption key. You'd need to guess up to 72 quadrillion times, and, if you used the more modern advanced encryption standard, AES, you'll find the numbers become unpronounceable.
A 128 bit key has this many possibilities, and a 256 bit key has even more. As I mentioned, brute force attacks simply aren't possible against modern encryption algorithms, with one exception. If there's a flaw in the way that the encryption algorithm works that limits the size of the keyspace, brute force attacks may become possible.
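The two ideas in the narration, exhausting the 25-key shift-cipher keyspace from nothing but a piece of ciphertext and then comparing that with the keyspace of a 56-, 128- or 256-bit key, can be shown end to end in a few lines. The following is an added example and not code from the course or its author; the shift cipher, the letter-frequency table used to pick out the right guess, the constructed message "ATTACK THE EAST GATE AT DAWN", and the assumed guess rate of 10^12 keys per second are all my own assumptions. It goes one step beyond the transcript by automating the "which of the 25 guesses is English?" decision with a frequency heuristic, and the same `keyspace_size` call sizes a keyspace that a design flaw has shrunk to fewer effective bits, which is the one exception the narrator mentions.

```python
"""Added example (not from the course): brute-forcing the shift cipher's
25-key keyspace, and sizing the keyspace of real key lengths.
The message and letter-frequency table below are constructed/approximate."""
import string

ALPHABET = string.ascii_uppercase

# Approximate English letter frequencies (percent). Used only as a heuristic
# to tell a plausible plaintext apart from the 24 wrong guesses.
ENGLISH_FREQ = {
    "A": 8.2, "B": 1.5, "C": 2.8, "D": 4.3, "E": 12.7, "F": 2.2, "G": 2.0,
    "H": 6.1, "I": 7.0, "J": 0.15, "K": 0.8, "L": 4.0, "M": 2.4, "N": 6.7,
    "O": 7.5, "P": 1.9, "Q": 0.1, "R": 6.0, "S": 6.3, "T": 9.1, "U": 2.8,
    "V": 1.0, "W": 2.4, "X": 0.15, "Y": 2.0, "Z": 0.07,
}


def shift_encrypt(plaintext: str, key: int) -> str:
    """Move every letter `key` places along the alphabet, wrapping at Z.
    Because of the wrap-around, key 26 is the identity and key 27 acts like 1,
    so only keys 1..25 are distinct."""
    out = []
    for ch in plaintext.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)  # spaces and punctuation pass through unchanged
    return "".join(out)


def shift_decrypt(ciphertext: str, key: int) -> str:
    """Undo shift_encrypt; a negative shift is handled by Python's modulo."""
    return shift_encrypt(ciphertext, -key)


def english_score(text: str) -> float:
    """Average per-letter frequency of the text; real English scores higher
    than a random-looking shift of it."""
    letters = [c for c in text if c in ALPHABET]
    if not letters:
        return 0.0
    return sum(ENGLISH_FREQ[c] for c in letters) / len(letters)


def brute_force_shift(ciphertext: str):
    """Known-ciphertext brute force: try all 25 usable keys and rank the
    candidate plaintexts by how English-like they look (best first)."""
    candidates = []
    for key in range(1, 26):
        guess = shift_decrypt(ciphertext, key)
        candidates.append((english_score(guess), key, guess))
    candidates.sort(reverse=True)
    return candidates  # list of (score, key, plaintext)


def keyspace_size(bits: int) -> int:
    """Number of distinct keys for a `bits`-bit key (2^56 is the 72 quadrillion
    the narration quotes for DES). Pass the *effective* bit count to size a
    keyspace that a flawed algorithm has reduced."""
    return 2 ** bits


def years_to_exhaust(bits: int, guesses_per_second: float) -> float:
    """Worst-case time to try every key at an assumed guess rate."""
    seconds = keyspace_size(bits) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    # Constructed message; the attacker only ever sees `ciphertext`.
    ciphertext = shift_encrypt("ATTACK THE EAST GATE AT DAWN", 3)
    print("ciphertext:", ciphertext)
    for score, key, guess in brute_force_shift(ciphertext)[:3]:
        print(f"key={key:2d} score={score:5.2f} {guess}")
    for bits in (56, 128, 256):
        print(f"{bits:3d}-bit key: {keyspace_size(bits):.3e} keys, "
              f"{years_to_exhaust(bits, 1e12):.3e} years at 1e12 guesses/s")
```

Running the script ranks key 3 first for the constructed message and prints that a 56-bit keyspace falls in well under a year at the assumed rate, while 128- and 256-bit keyspaces take on the order of 10^19 and 10^57 years. The frequency heuristic is what lets the attack run unattended; for the 25-key shift cipher a human could just read all 25 candidates, but the same scoring idea is what makes automated brute force over larger keyspaces practical when the keyspace is small enough to finish.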
Members who take all eight courses in the series will be prepared to take and pass the CISSP exam. Find the companion study books at the Sybex test prep site and review the complete CISSP Body of Knowledge at https://www.isc2.org/cissp-domains/default.aspx.
1. Security Engineering
2. Cloud Computing and Virtualization
3. Hardware Security
4. Client and Server Vulnerabilities
5. Web Security
6. Mobile Security
7. Smart Device Security
9. Symmetric Cryptography
10. Asymmetric Cryptography
11. Key Management
12. Public Key Infrastructure
13. Cryptanalytic Attacks
14. Physical Security