Rainbow Tables Password Attacks

Password attacks are the classic way an attacker can use to gain access to a computer system by determining the password and log in. The process of password cracking is recovering a password from data that has been stored or transmitted by a computer system by a network or malware. Most users think that password are compromised when an attacker uses every possible combinations of letter, numbers, and character to a crack a password, called a brute force style of attack. Although it is possible for an attacker to enter a number of different variations of a passwords at a login prompt, in reality this is not practical. Every through with the high processing power of computer today this is still a very slow method of attack. Now days most operating system and online accounts can be set to disable all login for a length of time after a limited number of incorrect attempts, locking out any possible access to the account.

Although a brute force style of attack once was the primary method used by hacker to crack password, more recently attacker have been using rainbow tables. A Rainbow table is a pre-computed table for reversing cryptographic hash functions usually for cracking password hash tables. This method is used in recovering a plaintext password up to a certain length consisting of a limited set of characters and numbers.

Rainbow tables are a compressed representation of cleartext password that are related and organized in a sequence, called a chain. Each chain starts with an initial password that is hashed and then fed into a function that produces a different cleartext password, then repeated for a set number of rounds. The password will be broken and hashed and ran through the same procedure used to create the initial table, this results in the initial password of the chain. The process is then repeated, starting with the initial password until the original digest is found. The password used at the last iteration is the cracked password.

Hash tables are constructed by hashing each word in a password dictionary the password-hash pairs are stored in a table, stored by a hash value. A hash function maps the plaintext to hashes so that no one can tell a plaintext from its hash. To use a hash table take the hash and perform a binary search in the table to find the original password, if it is present. The hash function for a given set of rainbow tables must match the hashed password the user wants to recover.

There are two steps when using a rainbow table, first by creating a table and then the table can be used to crack a password. This makes password attackers easier by creating a large pre generated set of candidate digests. Using a rainbow table is a space verses time trade off which uses less computer processing time and more storage. Whereas a then a brute force attack calculates a hash function on every attempt but more processing time and less storage space than a simple lookup table with one entry per hash. Using a key derivation function that employs a salt makes this attack method infeasible. Generating a password using a rainbow table requires a significant amount of time, once it is created it has significant advantages over other password attack methods. Rainbow tables can be repeated for attacks on other passwords with a much faster rate than a dictionary attacks, and the amount of memory needed on the attacking machine is greatly reduced.

In order to increase the strength of hashed based passwords as well as defending against rainbow tables, a salt can be implemented as an extra layer of password protection by adding a randomly generated string. A salt is random data used as an additional input to a one way function that hashes a password. The primary function of using a salt in a password is to defend against dictionary attacks and pre-computed rainbow tables. A new salt is randomly generated for each password, then concatenated and processed with a hash function. The resulting output is stored with the salt in a database.

What are Firewalls, why do they matter?

Having Wi-Fi access where ever you go may not always be a good thing. Having a constant mobile network connection increase the changes of online threads. There are ways to prevent this but sometimes it is not enough just too simple true off your device, more personal device have GPS pre-installed into the firm wear a hacker could track your movements. One way to defended against this is by implementing a network firewall to shield your device from malicious threats.

A firewall is a network security system that controls the incoming and outgoing network traffic based on an applied rule set. This type of network security is a barrier between a trusted and secure internet network and another network. There are very many firewalls available online, thing to consider when choosing a firewall for network security. In general, your decision should be based on performance, application features, and most of all cost. Performance requirements might include how many device and users do you have online at a single time? Choosing a firewall based on features can be the most difficult, everyday updates for firewall provide even more features that just a simple network security layer. The features a user needs to focus on is what are you trying to secure within your network, online gaming, web browsing, or home office? Lastly the cost of the firewall to implement within the network. There are two types of costs: fixed and recurring costs. Having a fixed cost is paying upfront for the system, this may include hardware and installation. A recurring cost with having a firewall is having technical support and subscriptions.

 

Orignal Article – https://www.infosecurity-magazine.com/news/firewall-still-critical-tool-in/

The Blowfish Algorithm

The Blowfish algorithm was first published in 1993 by Bruce Schneier.  Designed to run efficiently on 32 bit computers, it was a fast, free alternative to existing encryption algorithms. Blowfish was one of the first secure block ciphers not subjected to any patterns and free for anyone to use.  The following year, the Blowfish paper was featured in a software encryption workshop in Cambridge, UK.

Blowfish is a symmetric-key algorithm that operates on 64 bit blocks with a key length ranging from 32 to 448 bits.  The algorithm implements a 16 rounds Feistel cipher.  A Feistel Cipher, also called “Feistel Networks,” is a symmetric structure used in the construction of block ciphers. The encryption and decryption operations are similar, or identical and requires only a reversal of the key schedule so the size of the code required to implement is halved.

Symmetric-key algorithms use the same cryptographic keys for both encryption of plaintext and decryption of cypher text.  The keys used may be identical or transformed to go back and forth between both ends of the transmission, similar to a shared secret between two or more parties maintaining a private information link.  Implementing this algorithm in a transmission protocol requires both parties to have access to the secret key, one of the main drawbacks of using this encryption in comparison to public-key encryptions.  There are two types of symmetric key algorithms: stream and block ciphers.  Stream ciphers encrypt the digits of a message one at a time.  Block ciphers take a number of bits and encrypts them as a single unit padding the plaintext to a multiple of the block size.

The opposite of the symmetric-key algorithm is the asymmetric-key algorithm, where different keys are used for encryption and decryption.  Asymmetric cryptography occurs when a pair of keys are used to encrypt and decrypt a message that arrives securely but the decryption key cannot be derived from the encryption key.  This type of algorithm is best used for transmitting encryption keys or other data securely when the sender and receiver have no opportunity to agree on a secret key in private.

There are three main differences between symmetric and asymmetric algorithms, speed, key management, and hybrid cryptosystems which need to be considered before implementing the algorithms in a given system.

  • The speed which symmetric-key algorithms process is faster than asymmetric-key algorithms because it is harder to decipher which key to use for decryption from the encryption key.
  • A disadvantage in using a symmetric-key algorithm is key management, between both ends. A copy of the key must be shared between both parties during the transmission in order to encrypt and decrypt the data, a necessary requirement of a using “shared secret key.”
  • Hybrid cryptosystem for both symmetric and asymmetric algorithms are an advantage both algorithms have to offer. First, asymmetric algorithms are used to distribute symmetric keys at the start of a session.  Once the symmetric key is known, a faster algorithm can be use with the original key to encrypt data transmission for the remainder of the session.

Today, the Blowfish algorithm is used as an encryption algorithm for replacement of Data Encryption Standard (DES) algorithms.  Except when the keys are changed, it is a fast block cipher.  Using blowfish as a cipher algorithm should be considered because it was designed to run efficiently and is free to use and implement in a data transfer system.

 

References:

https://searchsecurity.techtarget.com/definition/Blowfish

https://www.schneier.com/academic/blowfish/

http://www.splashdata.com/splashid/blowfish.htm

Using Quantum Cryptography as a Secure Transmission of Data

Implementing a secure method for storing and transmitting data is a real issue facing businesses who are serious about protecting vital data.  Through the use of cryptography, an organization can transform its data into a secure form so an outside party cannot access the data during a transmission.  Of the many possible data cryptography solutions available, quantum cryptography leads the way as the best tangible solution to not only giving a secure method of transmission for sending data, but also lets users know if data within the message has been intercepted by an outside party.

Quantum cryptography incorporates principles of quantum mechanics to securely develop a shared key for the use of data encryption, as well as detect data interceptions by an outside party.  The main components of quantum cryptography is the Heisenberg’s Uncertainty Principle which states “anything that is measured from a quantum system will alter the information about the normal state or path of that system, except if the quantum state is compatible with the measurement.”  In other words, measuring a quantum system disturbs the system and yields incompatible information about the state between the measurements.

The hypothetical use and implementation of quantum computers will allow the breaking of various popular public-key encryption methods such as signature schemes and various cryptographic tasks that have been thought to be impossible to intercept using classical non-quantum communication methods.

Research into Quantum Cryptography began in the early 1970’s when the idea of quantum information theory was first proposed by Stephen Wiesner.  As a graduate of Columbia University, he proposed some of the fundamental concepts of quantum cryptography include superdense coding and quantum money.

Superdense coding is a technique used to send two bits of classical information using only one qubit.  A qubit, or quantum bit, was developed by Wienser in 1983 as a unit of quantum information within a two-state quantum-mechanical system.  In a non-quantum system, a bit would have to be in one state or another, being either true or false.  However, in a quantum system, the qubit is allowed to be in a superposition of both states, in a simultaneous state of true and false.  The concept of quantum money illustrates how to design a bank note in such a way that it will become impossible to forge.  This idea was influenced by further developments in quantum key distribution protocols, the process of using quantum communication to establish a shared key between two parties to exchange the key.  Using a secure method a quantum key distribution protocol will make message interception methods like a “man in the middle attack” against a quantum system by an outside source impossible.

When two parties are attempting to send a message using a quantum communication system, an individual photon is transmitted with the encoded information from the sender.  Using Heisenberg’s Uncertainty Principle, if a third party tries to intercept a quantum message no information will be given without introducing permutations into the system, thus revealing the third party’s presence.   No permutations will imply that a third party did not succeed in measuring the information encoded from within the photon.  If the intended receives the message, then the photon was not measured or intercepted by an outside party.

A business must consider all solutions before choosing a data cryptography policy to implement.  These factors may include average size of data transmission, current data encryption policy, and size organization.  The technology for quantum cryptography implementation may not fully exist or fit in every business security scenario, but it will go far to insuring a safe data transmission and notification if there is a possibility of data interception by an outside source.

 

Works Cited

Ciampa, Mark. “Quantum Cryptography.” Ciampa, Mark. CompTIA Security+ Guide to Network Security Fundamentals, 4th. Boston: CENGAGE Learning, 2012. 428 to 429. Book.

Wikipedia, the free encyclopedia. Quantum cryptography. 6 2 2015. Web Document. 15 2 2015.

—. Quantum money. 2 4 2014. Web Document. 15 2 2015.

—. Qubit. 19 1 2015. Web Document. 15 2 2015.

—. Stephen Wiesner. 27 10 2013. Web Document. 15 2 2015.

—. Superdense coding. 27 1 2015. Web Document. 15 2 2015.

 

Denial of Service (Dos) Attacks

There are many different types of network based attacks on the Internet today.  One of the most common types of attacks is the “Denial of Service (or Dos) attack.”  The Dos attack is a deliberate attempt to prevent authorized users from accessing a system by overwhelming it with a flow of requests.  This is also referred to as a “Distributed Denial of Service” (DDos) attack if a hacker uses a large group of zombie computers within a botnet, a collection of network connected computers communicating with other computers, to flood a system with requests.  The first ever DDos attack was demonstrated by hacker Khan C. Smith during the 1998 Defcon conference.

Some methods an attacker may use to initiate a DDos attack include consuming all the computational resources within a network, disrupting the configuration information within a system, or obstructing the communication media between the intended users’ and victims’ network so that they can no longer communicate.  If a DDos attack is launched, the following symptoms will be experienced: slow network performance, unavailability of services and resources, and the disruption of physical network components.

The two most common types of DDos attacks are: Ping Flooding and Smurf attack.  In a Ping Flood type attack, the attacker will use the Ping utility to send multiple networked computers a flood of packets.  The Ping utility works by a user first sending an Internet Control Message Protocol (IMCP) echo request message to a given host,  in which the host will respond with an ICMP echo response message which indicating that the host is online.

A second type is a “Smurf Attack” (or SYN flood attack) in which an attacker tricks a computer device into responding to false requests.  An unsuspecting victim broadcasting a ping request to all computers on the network but changes the address from which the request originated using a technique called “IP Spoofing.”  In most cases, Dos attacks involve IP spoofing by forging IP sender addresses so that the location of the attacking machines cannot easily be identified and traced back to the source IP address.

A great online resource to better learn about how DDos network attacks are carried out is http://www.digitalattackmap.com.  Built through a collaborative effort between Google and Arbor Network, this site shows live data visualization of network traffic which matches the signature of daily DDos attacks from around the world.

In conclusion, it is not possible for a network administrator to defend against all types of Dos attacks.  Staying current with network security threats and simple network hardening, the risk of network failure by a network based attack is greatly reduced.

External Sources

http://www.digitalattackmap.com

http://www.incapsula.com/ddos/ddos-attacks/denial-of-service.html

http://en.wikipedia.org/wiki/Denial-of-service_attack