An intro to cryptanalysis.

An intro to cryptanalysis.

By ghost | 7618 Reads |

0     0

What is cryptanalysis? Cryptanalysis is the art of examining crypto systems in hopes of finding ways in which they''re not secure. There are many different ways to

Why do I care? It has been said that every good cryptologist is also a skilled cryptanalyst, and it certainly seems to make sense. After all, cryptology is all about security, and trying to break something is often the best way to test it's security. How could you possibly understand how secure your cryptosystem is without first knowing how previous ones have been insecure.

How can a cryptosystem be insecure? Cryptosystems can be insecure in lots of ways. One way is for the encryption algorithm to be too simple, allowing us to find patterns between the ciphertext, key and plaintext. For example, if every even length key always produces an odd length ciphertext, you can reduce the number of possible keys (AKA keyspace) based on knowing the ciphertext. Perhaps the most common weakness in cryptosystems has been a limited number of possible keys, or keyspace. An attacker with sufficient resources could try decrypting the message with every possible key until he got something that looked like plaintext. This type of attack is known as a brute force.

Types of attacks. Modern cryptanalysis is insanely hard, so people working in the field often … well, they almost cheat. They will encrypt a message using a weakened cryptosystem (for example, IDEA with a very short key. Or pgp, given that you know half of the private key too) and try to analyse that. By analysing patterns in the ciphertext, one can get an idea of where the actual algorithm could be weak.

Brute Force. The simplest of attacks. In this, the attacker simply decrypts the ciphertext with every possible key until something looking like plaintext plops out. This will always be theoretically possible, given sufficient resources, however with modern cryptosystems, 'sufficient resources' means a supercomputer the size of our galaxy.

Known/Guessed plaintext. In this attack, the attacker knows, or believes he can guess the original message, either in part or in whole. Since he has the corresponding ciphertext, he can try and use his reasoning to discover a pattern that extends into more of the message, or perhaps discover part of the key.

Given plaintext. In this unlikely scenario, the attacker doesn't just know what the message is, he can actually choose it. A possible example here is if an attacker has accessed the password file of a public site. He can create accounts using whatever password he likes, and then see what the resulting ciphertext is.

A word in closing. As I mentioned above modern cryptosystems are considered extremely secure. People who talk about breaking them come up with numbers a like " a 1, followed by (a 1 followed by a million zeros) zeros ", or phrases like 'if you had a computer the size of the galaxy, and printed a digit on every atom in the universe' and so forth. Still, people once said such things about systems like DES, and the WEP farse has shown just how relevant cryptanalysis can be. The person that breaks WPA will hold the world in their palm for a short while.

Next Up. Another one of DC's cyptanalysis challenges is comming along nicely, and my next article will probably be a case study of an insecure system. maybe: One time pad (with reused key) an enigma code or perhaps WEP