Rainbow Tables Password Attacks

Password attacks are the classic way an attacker can use to gain access to a computer system by determining the password and log in. The process of password cracking is recovering a password from data that has been stored or transmitted by a computer system by a network or malware. Most users think that password are compromised when an attacker uses every possible combinations of letter, numbers, and character to a crack a password, called a brute force style of attack. Although it is possible for an attacker to enter a number of different variations of a passwords at a login prompt, in reality this is not practical. Every through with the high processing power of computer today this is still a very slow method of attack. Now days most operating system and online accounts can be set to disable all login for a length of time after a limited number of incorrect attempts, locking out any possible access to the account.

Although a brute force style of attack once was the primary method used by hacker to crack password, more recently attacker have been using rainbow tables. A Rainbow table is a pre-computed table for reversing cryptographic hash functions usually for cracking password hash tables. This method is used in recovering a plaintext password up to a certain length consisting of a limited set of characters and numbers.

Rainbow tables are a compressed representation of cleartext password that are related and organized in a sequence, called a chain. Each chain starts with an initial password that is hashed and then fed into a function that produces a different cleartext password, then repeated for a set number of rounds. The password will be broken and hashed and ran through the same procedure used to create the initial table, this results in the initial password of the chain. The process is then repeated, starting with the initial password until the original digest is found. The password used at the last iteration is the cracked password.

Hash tables are constructed by hashing each word in a password dictionary the password-hash pairs are stored in a table, stored by a hash value. A hash function maps the plaintext to hashes so that no one can tell a plaintext from its hash. To use a hash table take the hash and perform a binary search in the table to find the original password, if it is present. The hash function for a given set of rainbow tables must match the hashed password the user wants to recover.

There are two steps when using a rainbow table, first by creating a table and then the table can be used to crack a password. This makes password attackers easier by creating a large pre generated set of candidate digests. Using a rainbow table is a space verses time trade off which uses less computer processing time and more storage. Whereas a then a brute force attack calculates a hash function on every attempt but more processing time and less storage space than a simple lookup table with one entry per hash. Using a key derivation function that employs a salt makes this attack method infeasible. Generating a password using a rainbow table requires a significant amount of time, once it is created it has significant advantages over other password attack methods. Rainbow tables can be repeated for attacks on other passwords with a much faster rate than a dictionary attacks, and the amount of memory needed on the attacking machine is greatly reduced.

In order to increase the strength of hashed based passwords as well as defending against rainbow tables, a salt can be implemented as an extra layer of password protection by adding a randomly generated string. A salt is random data used as an additional input to a one way function that hashes a password. The primary function of using a salt in a password is to defend against dictionary attacks and pre-computed rainbow tables. A new salt is randomly generated for each password, then concatenated and processed with a hash function. The resulting output is stored with the salt in a database.

The Blowfish Algorithm

The Blowfish algorithm was first published in 1993 by Bruce Schneier.  Designed to run efficiently on 32 bit computers, it was a fast, free alternative to existing encryption algorithms. Blowfish was one of the first secure block ciphers not subjected to any patterns and free for anyone to use.  The following year, the Blowfish paper was featured in a software encryption workshop in Cambridge, UK.

Blowfish is a symmetric-key algorithm that operates on 64 bit blocks with a key length ranging from 32 to 448 bits.  The algorithm implements a 16 rounds Feistel cipher.  A Feistel Cipher, also called “Feistel Networks,” is a symmetric structure used in the construction of block ciphers. The encryption and decryption operations are similar, or identical and requires only a reversal of the key schedule so the size of the code required to implement is halved.

Symmetric-key algorithms use the same cryptographic keys for both encryption of plaintext and decryption of cypher text.  The keys used may be identical or transformed to go back and forth between both ends of the transmission, similar to a shared secret between two or more parties maintaining a private information link.  Implementing this algorithm in a transmission protocol requires both parties to have access to the secret key, one of the main drawbacks of using this encryption in comparison to public-key encryptions.  There are two types of symmetric key algorithms: stream and block ciphers.  Stream ciphers encrypt the digits of a message one at a time.  Block ciphers take a number of bits and encrypts them as a single unit padding the plaintext to a multiple of the block size.

The opposite of the symmetric-key algorithm is the asymmetric-key algorithm, where different keys are used for encryption and decryption.  Asymmetric cryptography occurs when a pair of keys are used to encrypt and decrypt a message that arrives securely but the decryption key cannot be derived from the encryption key.  This type of algorithm is best used for transmitting encryption keys or other data securely when the sender and receiver have no opportunity to agree on a secret key in private.

There are three main differences between symmetric and asymmetric algorithms, speed, key management, and hybrid cryptosystems which need to be considered before implementing the algorithms in a given system.

  • The speed which symmetric-key algorithms process is faster than asymmetric-key algorithms because it is harder to decipher which key to use for decryption from the encryption key.
  • A disadvantage in using a symmetric-key algorithm is key management, between both ends. A copy of the key must be shared between both parties during the transmission in order to encrypt and decrypt the data, a necessary requirement of a using “shared secret key.”
  • Hybrid cryptosystem for both symmetric and asymmetric algorithms are an advantage both algorithms have to offer. First, asymmetric algorithms are used to distribute symmetric keys at the start of a session.  Once the symmetric key is known, a faster algorithm can be use with the original key to encrypt data transmission for the remainder of the session.

Today, the Blowfish algorithm is used as an encryption algorithm for replacement of Data Encryption Standard (DES) algorithms.  Except when the keys are changed, it is a fast block cipher.  Using blowfish as a cipher algorithm should be considered because it was designed to run efficiently and is free to use and implement in a data transfer system.

 

References:

https://searchsecurity.techtarget.com/definition/Blowfish

https://www.schneier.com/academic/blowfish/

http://www.splashdata.com/splashid/blowfish.htm

Using Quantum Cryptography as a Secure Transmission of Data

Implementing a secure method for storing and transmitting data is a real issue facing businesses who are serious about protecting vital data.  Through the use of cryptography, an organization can transform its data into a secure form so an outside party cannot access the data during a transmission.  Of the many possible data cryptography solutions available, quantum cryptography leads the way as the best tangible solution to not only giving a secure method of transmission for sending data, but also lets users know if data within the message has been intercepted by an outside party.

Quantum cryptography incorporates principles of quantum mechanics to securely develop a shared key for the use of data encryption, as well as detect data interceptions by an outside party.  The main components of quantum cryptography is the Heisenberg’s Uncertainty Principle which states “anything that is measured from a quantum system will alter the information about the normal state or path of that system, except if the quantum state is compatible with the measurement.”  In other words, measuring a quantum system disturbs the system and yields incompatible information about the state between the measurements.

The hypothetical use and implementation of quantum computers will allow the breaking of various popular public-key encryption methods such as signature schemes and various cryptographic tasks that have been thought to be impossible to intercept using classical non-quantum communication methods.

Research into Quantum Cryptography began in the early 1970’s when the idea of quantum information theory was first proposed by Stephen Wiesner.  As a graduate of Columbia University, he proposed some of the fundamental concepts of quantum cryptography include superdense coding and quantum money.

Superdense coding is a technique used to send two bits of classical information using only one qubit.  A qubit, or quantum bit, was developed by Wienser in 1983 as a unit of quantum information within a two-state quantum-mechanical system.  In a non-quantum system, a bit would have to be in one state or another, being either true or false.  However, in a quantum system, the qubit is allowed to be in a superposition of both states, in a simultaneous state of true and false.  The concept of quantum money illustrates how to design a bank note in such a way that it will become impossible to forge.  This idea was influenced by further developments in quantum key distribution protocols, the process of using quantum communication to establish a shared key between two parties to exchange the key.  Using a secure method a quantum key distribution protocol will make message interception methods like a “man in the middle attack” against a quantum system by an outside source impossible.

When two parties are attempting to send a message using a quantum communication system, an individual photon is transmitted with the encoded information from the sender.  Using Heisenberg’s Uncertainty Principle, if a third party tries to intercept a quantum message no information will be given without introducing permutations into the system, thus revealing the third party’s presence.   No permutations will imply that a third party did not succeed in measuring the information encoded from within the photon.  If the intended receives the message, then the photon was not measured or intercepted by an outside party.

A business must consider all solutions before choosing a data cryptography policy to implement.  These factors may include average size of data transmission, current data encryption policy, and size organization.  The technology for quantum cryptography implementation may not fully exist or fit in every business security scenario, but it will go far to insuring a safe data transmission and notification if there is a possibility of data interception by an outside source.

 

Works Cited

Ciampa, Mark. “Quantum Cryptography.” Ciampa, Mark. CompTIA Security+ Guide to Network Security Fundamentals, 4th. Boston: CENGAGE Learning, 2012. 428 to 429. Book.

Wikipedia, the free encyclopedia. Quantum cryptography. 6 2 2015. Web Document. 15 2 2015.

—. Quantum money. 2 4 2014. Web Document. 15 2 2015.

—. Qubit. 19 1 2015. Web Document. 15 2 2015.

—. Stephen Wiesner. 27 10 2013. Web Document. 15 2 2015.

—. Superdense coding. 27 1 2015. Web Document. 15 2 2015.