Brute force attacks are the simplest form of attack against a cryptographic system. In a brute force attack, the attacker simply guesses repeatedly at the encryption key until he or she stumbles upon the correct value for the key and gains access to the encrypted information. In this video, learn how attackers wage brute force attacks and how security professionals can protect against them.
- [Announcer] As long as cyber-security experts have used encryption to protect sensitive information, attackers have sought to undermine that security and gain unauthorized access to that protected information. Over the centuries, attackers have developed a number of techniques designed to help them crack cryptographic algorithms. Brute-force attacks are the simplest form of attack against a cryptographic system. In a brute-force attack, the attacker simply guesses repeatedly at the encryption key until he or she stumbles upon the correct value for the key and gains access to the encrypted information.
Of course, guessing isn't easy, and brute-force attacks can take a very long time to complete successfully, if they ever succeed. Brute-force attacks require very little information to wage. The attacker simply needs to have an example of encrypted ciphertext. For this reason, brute-force attacks are also called known ciphertext attacks. Earlier in this course, I shared the example of a simple shift cipher that simply moves each of the letters of the alphabet a certain number of places.
For example, a cipher with a shift of one changes As to Bs, Bs to Cs, and so on. With a shift of three, As become Ds, and Bs become Es. This is a very simple cipher, because there are only 25 possible shift keys. If you shift letters 26 places, the As become As and the Bs become Bs, and the ciphertext is the same as the plaintext. That's certainly not very secure. If you go ahead and shift 27 places, it's the same thing as shifting them one place: the As become Bs and the Bs become Cs.
In a situation like this, where there are only 25 possibilities, we say that the key space, or the list of all possible keys, is small. There are only 25 different encryption keys, and someone conducting a brute-force attack would only have to guess, at most, 25 times before cracking the key. Modern algorithms use much longer keys, so they generally aren't susceptible to brute-force attacks. Consider what's actually a fairly short key, using 56 bits of encryption, such as the outdated Data Encryption Standard.
That's 56 digits that may each be occupied by either a one or a zero. That might not sound like much, but it leaves 72 quadrillion possibilities, making it very hard to guess the decryption key. You'd need to guess up to 72 quadrillion times, and if you use the more modern Advanced Encryption Standard, AES, you'll find that the numbers become unpronounceable. A 128-bit key has this many possibilities.
And a 256-bit key has even more. As I mentioned, brute-force attacks simply aren't possible against modern encryption algorithms, with one exception. If there's a flaw in the way that the encryption algorithm works that limits the size of the key space, brute-force attacks may be possible against that weak implementation of the cryptographic system.
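The contrast between the 25-key shift cipher and 56-, 128- and 256-bit keys can be worked through in code. The following Python sketch is an added example, not part of the course material; the sample message, the letter-frequency scoring and the rate of 1e12 guesses per second are assumptions chosen for illustration.

```python
import string

# Approximate English letter frequencies in percent, A through Z.
FREQ = dict(zip(string.ascii_uppercase, [
    8.2, 1.5, 2.8, 4.3, 12.7, 2.2, 2.0, 6.1, 7.0, 0.15, 0.77, 4.0, 2.4,
    6.7, 7.5, 1.9, 0.095, 6.0, 6.3, 9.1, 2.8, 0.98, 2.4, 0.15, 2.0, 0.074]))

# Constructed sample plaintext (not from the course).
MESSAGE = "MEET ME AT THE OLD BRIDGE AFTER SUNSET AND BRING THE SEALED LETTERS"

def shift(text, key):
    """Move each ASCII letter `key` places around the alphabet; keep the rest."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + key) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)

def english_score(text):
    """Sum of letter frequencies: a higher total looks more like English."""
    return sum(FREQ.get(ch, 0.0) for ch in text.upper())

def brute_force(ciphertext):
    """Try all 25 useful shift keys; return (key, plaintext) of the best guess."""
    candidates = [(k, shift(ciphertext, -k)) for k in range(1, 26)]
    return max(candidates, key=lambda c: english_score(c[1]))

def keyspace(bits):
    """Number of possible keys when the key is `bits` binary digits long."""
    return 2 ** bits

def years_to_exhaust(bits, guesses_per_second):
    """Worst-case years to try every key at an assumed guess rate."""
    return keyspace(bits) / guesses_per_second / (365 * 24 * 3600)

if __name__ == "__main__":
    secret = shift(MESSAGE, 3)          # encrypt with a shift of three
    print(secret)
    print(brute_force(secret))          # only the ciphertext is needed
    for bits in (56, 128, 256):
        # 1e12 guesses per second is an assumed rate, for illustration only.
        print(bits, keyspace(bits), f"{years_to_exhaust(bits, 1e12):.3g} years")
```

The shift cipher falls after at most 25 guesses, while each added key bit doubles the work: at the assumed rate a 56-bit key space is exhausted in under a day, and a 128-bit key space takes on the order of 10^19 years.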