CH 06

This document discusses encryption and password cracking techniques. It begins by explaining the importance of strong passwords and the methods attackers use to guess, steal, or crack passwords. It then provides an overview of cryptography principles such as encryption algorithms, symmetric and asymmetric key encryption, and common ciphers. Finally, it describes popular symmetric key ciphers such as AES, asymmetric key ciphers such as RSA, and cryptanalysis techniques. The goal is to understand fundamental cryptographic concepts and how passwords can be attacked.

Uploaded by

Enock Darkoh

IT Security and Penetration Testing

Chapter 6
Encryption and Password Cracking
Objectives
• Understand basic cryptographic principles
• Understand the fundamentals of encryption
• Describe the most common ciphers in use today
• Identify the most common attacks on passwords
• Use various programs for cracking passwords

Computer Security and Penetration Testing 2


Encryption and Password Cracking

• Strong passwords
– Good defense against unwanted entry
• Guessing, stealing, or cracking passwords
– Foundation of defeating any kind of security



Cryptography
• Cryptography
– Algorithm encrypts a plaintext document into a
ciphertext document
– Algorithm decrypts the ciphertext back into plaintext
• Transposition
– Change in the position or order of letters or words
– Does not rely on length of password
– Transposition is based on probabilities
– Anyone can break a transposition cipher based on the
frequency of letters, because the ciphertext keeps the
letter frequencies of the plaintext



Cryptography (continued)

• Substitution
– Replacement of a letter or group of letters with
another letter or group of letters
– Enigma
• Possibly the most famous substitution cryptography
machine
• Used by the German Army during World War II
– Turing Bombe
• Machine to crack the “Enigma Code”
• Developed by Alan Turing

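The two slides above make one practical claim: a transposition only moves letters, so its ciphertext keeps the plaintext's letter frequencies, while a substitution replaces them. The following Python is an added example written for this page (not code from the slide deck) that shows how a cryptanalyst uses that fact to tell the two apart before choosing an attack. The toy columnar transposition, the Caesar substitution, the English frequency table and the classification threshold are all assumptions of the example; the sample text is constructed from the slides' own wording.

```python
from collections import Counter
import string

# Approximate relative letter frequencies of English text, in percent (a standard
# published table); used as the reference profile the cryptanalyst compares against.
ENGLISH_FREQ = {
    'a': 8.17, 'b': 1.49, 'c': 2.78, 'd': 4.25, 'e': 12.70, 'f': 2.23, 'g': 2.02,
    'h': 6.09, 'i': 6.97, 'j': 0.15, 'k': 0.77, 'l': 4.03, 'm': 2.41, 'n': 6.75,
    'o': 7.51, 'p': 1.93, 'q': 0.10, 'r': 5.99, 's': 6.33, 't': 9.06, 'u': 2.76,
    'v': 0.98, 'w': 2.36, 'x': 0.15, 'y': 1.97, 'z': 0.07,
}

def letters_only(text: str) -> str:
    """Keep only a-z, lower-cased; spaces and punctuation carry no cipher information here."""
    return ''.join(ch for ch in text.lower() if ch in string.ascii_lowercase)

def columnar_transpose(text: str, width: int) -> str:
    """Toy transposition: write the letters in rows of `width`, read them out column by column.
    Letters are only moved, never changed."""
    t = letters_only(text)
    return ''.join(t[i::width] for i in range(width))

def columnar_untranspose(cipher: str, width: int) -> str:
    """Inverse of columnar_transpose: rebuild the columns, then read the rows back."""
    n = len(cipher)
    cols, pos = [], 0
    for i in range(width):
        length = (n - i + width - 1) // width   # rows that have a letter in column i
        cols.append(cipher[pos:pos + length])
        pos += length
    rows = len(cols[0]) if cols else 0
    return ''.join(cols[i][r] for r in range(rows) for i in range(width) if r < len(cols[i]))

def caesar_substitute(text: str, shift: int) -> str:
    """Toy monoalphabetic substitution: each letter is replaced by the one `shift` places along."""
    t = letters_only(text)
    return ''.join(chr((ord(ch) - 97 + shift) % 26 + 97) for ch in t)

def frequency_profile(text: str) -> dict:
    """Percent frequency of every letter a-z in the text."""
    t = letters_only(text)
    counts, n = Counter(t), max(len(t), 1)
    return {ch: 100.0 * counts[ch] / n for ch in string.ascii_lowercase}

def chi_squared_vs_english(text: str) -> float:
    """Chi-squared distance between the text's letter counts and the counts expected for
    English of the same length. A transposition keeps every letter, so its ciphertext
    scores the same as the plaintext; a substitution moves the counts to other letters
    and scores much higher."""
    t = letters_only(text)
    if not t:
        return float("inf")
    counts, n = Counter(t), len(t)
    total = 0.0
    for ch in string.ascii_lowercase:
        expected = n * ENGLISH_FREQ[ch] / 100.0
        total += (counts[ch] - expected) ** 2 / expected
    return total

def classify(ciphertext: str, threshold: float = 150.0) -> str:
    """Rough triage used before choosing an attack: English-like statistics point to a
    transposition, anything else to a substitution (threshold is a rule of thumb for
    texts of roughly a hundred letters or more)."""
    return 'transposition-like' if chi_squared_vs_english(ciphertext) < threshold else 'substitution-like'

# Constructed sample plaintext (wording taken from the slide deck itself).
SAMPLE = ("Strong passwords are a good defense against unwanted entry; guessing, stealing, "
          "or cracking passwords is the foundation of defeating any kind of security.")

if __name__ == "__main__":
    for label, text in [("plaintext", SAMPLE),
                        ("transposition", columnar_transpose(SAMPLE, 5)),
                        ("substitution", caesar_substitute(SAMPLE, 13))]:
        print(f"{label:14s} chi2={chi_squared_vs_english(text):8.1f} -> {classify(text)}")
```

Running the block prints one score per text: the transposition scores exactly the same as the plaintext, the substitution far higher. The same profile comparison is what makes a substitution breakable in turn, since the peak that used to belong to "e" simply reappears under a different letter.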


Cryptography (continued)

• Substitution (continued)
– Colossus
• Programmable computer (1943 by Max Newman)
• Common terms when dealing with cryptography
– Cleartext
– Ciphertext
– Key
– Algorithm
– Hash



Symmetric and Asymmetric Key
Encryption
• Encryption can be performed with either a symmetric
key or an asymmetric key



Symmetric Key Encryption
• Sometimes called secret key algorithms
• Uses same key to encrypt and to decrypt the data
• Sender and recipient must have a copy of the key
– Inherent vulnerability of secret key algorithms is that
the key must be transmitted
• Faster than asymmetric key algorithms



Symmetric Key Encryption (continued)



Symmetric Key Encryption (continued)
• Stream Ciphers
– Use a key stream to encrypt and decrypt a plaintext
message
• Key stream is similar to a one-time pad
– A list of random numbers from 1 to 25
– Numbers in the one-time pad are added to the letters
in the plaintext to encrypt
• And subtracted from the ciphertext to decrypt
– Algorithm XORs key stream with plaintext message

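The stream-cipher slide describes two mechanically different but logically identical operations: adding pad numbers to letters and subtracting them again, and XORing a key stream onto bytes. The Python below is an added example for this page (not code from the slide deck) that implements both and then shows the failure mode the one-time-pad comparison implies: if the same key stream is ever used twice, XORing the two ciphertexts cancels the key and exposes the XOR of the two plaintexts without any key material. The letter pad here uses shifts in the range 0 to 25 and A-Z input only; the byte version draws its key stream from the operating system's CSPRNG. Both choices are assumptions of the example.

```python
import secrets

def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("inputs must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))

def fresh_keystream(length: int) -> bytes:
    """A fresh, unpredictable key stream from the OS CSPRNG; as with a one-time pad it must
    be as long as the message and used exactly once."""
    return secrets.token_bytes(length)

def stream_encrypt(plaintext: bytes, keystream: bytes) -> bytes:
    """Encrypt by XORing the key stream onto the plaintext."""
    if len(keystream) < len(plaintext):
        raise ValueError("key stream shorter than message")
    return xor_bytes(plaintext, keystream[:len(plaintext)])

def stream_decrypt(ciphertext: bytes, keystream: bytes) -> bytes:
    """Decrypt with the identical operation: XOR is its own inverse."""
    return stream_encrypt(ciphertext, keystream)

def otp_letters_encrypt(text: str, pad: list) -> str:
    """Letter one-time pad as on the slide: add the pad number to each letter (mod 26).
    `text` is A-Z only; `pad` holds one shift per letter."""
    return ''.join(chr((ord(ch) - 65 + k) % 26 + 65) for ch, k in zip(text.upper(), pad))

def otp_letters_decrypt(cipher: str, pad: list) -> str:
    """Subtract the same numbers to recover the plaintext."""
    return ''.join(chr((ord(ch) - 65 - k) % 26 + 65) for ch, k in zip(cipher, pad))

def keystream_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """Why a key stream must never be reused: if two messages were XORed with the same
    key stream, an eavesdropper who XORs the two ciphertexts gets p1 XOR p2 (the key
    cancels out), which exposes the relationship between the plaintexts and, if one
    message is known, the other one in full. No key material is needed."""
    n = min(len(c1), len(c2))
    return xor_bytes(c1[:n], c2[:n])

if __name__ == "__main__":
    message = b"meet at the usual place"          # constructed sample message
    ks = fresh_keystream(len(message))
    ct = stream_encrypt(message, ks)
    assert stream_decrypt(ct, ks) == message
    print("ciphertext:", ct.hex())
```

The reuse check is the defender's test: any design that derives the key stream from a fixed key and a repeated nonce reproduces exactly this leak, which is why stream-cipher deployments are reviewed for nonce uniqueness rather than for key length.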


Symmetric Key Encryption (continued)
• Block Ciphers
– Operate on blocks of data
• Algorithm breaks the plaintext document into blocks
(usually 8 or 16 bytes long)
– Operates on each block independently
• Plaintext is padded to fill the last block
• Block ciphers allow you to reuse keys



Asymmetric Key Algorithms
• Also called public key algorithms
• Two keys for encrypting and decrypting data
• Each user has a public key and a private key
– Public keys can be sent unencrypted over unsecured
media
• Public key encrypts data
– Private key decrypts data encrypted with the public key



Asymmetric Key Algorithms
(continued)



Asymmetric Key Algorithms
(continued)
• DSA (Digital Signature Algorithm)
– Digital signature connects documents with the holder
of a specific key
– Considered too slow for general encryption
• Digital Time Stamps
– Connects document with a specific time of origination



Cryptanalysis
• Cryptanalyst decodes messages to make them
readable
• First and most important step in cryptanalysis
– Detecting the key values



Description of Popular Ciphers
• Average user tends to confuse the categories within
the cryptographic taxonomy



Symmetrical Key Ciphers
• DES (Data Encryption Standard)
– A block cipher
– Developed in the early- to mid-1970s
– FIPS-approved cryptographic algorithm
– Uses a 56-bit key to encrypt and decrypt
– Breaks the plaintext into 64-bit blocks
• Applies a series of permutations to each block
– Can use same algorithm for encryption and decryption

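The block-cipher slide (8- or 16-byte blocks, padding, each block processed independently) and the DES slide (64-bit blocks, a series of permutations, one algorithm for both directions) describe the same structure. The Python below is an added example for this page, not the slides' or any library's code: a toy Feistel cipher with DES's 64-bit block and 16 rounds, but with a round function and key schedule built from SHA-256 instead of DES's S-boxes and permutations, so it is not DES and not secure for real use. It shows PKCS#7 padding with strict unpadding, why decryption is the same routine run with the subkeys reversed, and what independent block processing (ECB) leaks: equal plaintext blocks produce equal ciphertext blocks, which a reviewer can count in the ciphertext alone.

```python
import hashlib

BLOCK = 8    # 64-bit blocks, the DES block size
ROUNDS = 16  # DES also uses 16 Feistel rounds

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def pkcs7_pad(data: bytes) -> bytes:
    """Pad to a whole number of blocks; always adds 1..BLOCK bytes so unpadding is unambiguous."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def pkcs7_unpad(data: bytes) -> bytes:
    """Strip padding, rejecting anything malformed instead of silently accepting it."""
    if not data or len(data) % BLOCK:
        raise ValueError("data length is not a multiple of the block size")
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("invalid padding")
    return data[:-n]

def round_keys(key: bytes, rounds: int = ROUNDS) -> list:
    """Toy key schedule: one 64-bit subkey per round, derived with SHA-256 (not DES's schedule)."""
    return [hashlib.sha256(key + bytes([i])).digest()[:8] for i in range(rounds)]

def round_function(half: bytes, subkey: bytes) -> bytes:
    """Toy F-function mixing a 32-bit half with the subkey; DES uses expansion, S-boxes
    and a permutation at this point."""
    return hashlib.sha256(subkey + half).digest()[:4]

def feistel_block(block: bytes, subkeys: list) -> bytes:
    """Feistel network on one 64-bit block. The same code decrypts when given the subkeys
    in reverse order: that is what lets DES use one algorithm for both directions."""
    left, right = block[:4], block[4:]
    for k in subkeys:
        left, right = right, xor_bytes(left, round_function(right, k))
    return right + left          # undo the final swap

def encrypt_block(block: bytes, key: bytes) -> bytes:
    return feistel_block(block, round_keys(key))

def decrypt_block(block: bytes, key: bytes) -> bytes:
    return feistel_block(block, round_keys(key)[::-1])

def ecb_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """Each block is encrypted independently, the model the slide describes."""
    keys, padded = round_keys(key), pkcs7_pad(plaintext)
    return b"".join(feistel_block(padded[i:i + BLOCK], keys) for i in range(0, len(padded), BLOCK))

def ecb_decrypt(ciphertext: bytes, key: bytes) -> bytes:
    keys = round_keys(key)[::-1]
    if len(ciphertext) % BLOCK:
        raise ValueError("ciphertext length is not a multiple of the block size")
    blocks = (feistel_block(ciphertext[i:i + BLOCK], keys) for i in range(0, len(ciphertext), BLOCK))
    return pkcs7_unpad(b"".join(blocks))

def duplicate_block_count(ciphertext: bytes) -> int:
    """Independent block processing leaks structure: equal plaintext blocks give equal
    ciphertext blocks, visible without the key."""
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    return len(blocks) - len(set(blocks))

if __name__ == "__main__":
    key = b"toy key!"                        # constructed 64-bit key
    pt = b"ABCDEFGH" * 4 + b"tail"           # four identical blocks, then a partial one
    ct = ecb_encrypt(pt, key)
    print("blocks:", len(ct) // BLOCK, "duplicates:", duplicate_block_count(ct))
    assert ecb_decrypt(ct, key) == pt
```

The duplicate count is the practical check: a ciphertext with repeated 8-byte blocks is a strong sign that a block cipher was used in ECB mode, and a chaining mode (where each block's input depends on the previous ciphertext block) removes that signal while reusing the same key.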


Symmetrical Key Ciphers (continued)
• Security of DES
– Dependent upon the chosen key
– Susceptible to brute-force attacks
• 3DES (Triple DES)
– Encrypts text three times with DES using different keys
• Speed of 3DES
– Almost three times slower than DES
• Security of 3DES
– Equivalent to single DES using a 112-bit key



Symmetrical Key Ciphers (continued)
• AES (Advanced Encryption Standard)
– Also known as Rijndael
– Block cipher adopted as an encryption standard by the
U.S. government
– Superseded DES in 2001
– Uses a block size of 128 bits, and can use either 128-,
192-, or 256-bit keys
– Input bit sequence is copied to a 4×4 array of bytes
known as the State array
• Transformed via a series of substitutions/transpositions



Symmetrical Key Ciphers (continued)
• Speed of AES
– Faster than DES, but slower than Blowfish
• Security of AES
– All successful attacks upon AES have been through
side-channel attacks
– Side-channel attacks are based on factors other than
the strength of the algorithm



Symmetrical Key Ciphers (continued)
• IDEA (International Data Encryption Algorithm)
– Algorithm developed at ETH Zurich, in Switzerland
– Uses a 128-bit key, and operates on 64-bit blocks
– Uses series of identical operations applied to the data
for both encryption and decryption
• Speed of IDEA
– Somewhat faster than 3DES, but slower than DES
• Security of IDEA
– Resistant to differential cryptanalysis
– Some weak keys are known



Symmetrical Key Ciphers (continued)
• Skipjack
– NSA-developed encryption algorithm that was
developed for use in the Clipper chip
– Uses an 80-bit key size and operates on 64-bit blocks
– Partially vulnerable to differential cryptanalysis
• RC4
– Designed by RSA Data Security, Inc.
– Main benefit of RC4 is its speed
– Can be useful where moderate security is needed



Other Symmetric Key Ciphers
• Quantum Cryptography
– Method for secure key exchange over an insecure
channel based on the nature of photons
– Base assumption of quantum cryptography is the
Heisenberg uncertainty principle
– If a photon’s polarization is read in the same basis twice
• The polarization will be read correctly and will remain
unchanged
– Quantum cryptography has a special defense against
eavesdropping



Other Symmetric Key Ciphers
(continued)
• Blowfish
– Algorithm developed by Bruce Schneier of
Counterpane Systems
• Enigma
– Used by the German forces in World War II
• Vigenère
– A historical and easy-to-solve substitution cipher



Asymmetric Key Ciphers
• RSA (Rivest, Shamir, and Adleman)
– Most popular public key encryption standard
– RSA develops keys that are the product of two 1024-
bit prime numbers
– Invented in 1977
– RSA is based on the fact that it is very difficult to factor
large numbers
• Security of RSA
– Some progress has been made in factoring large
(300+ digit) numbers

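The RSA slide states that the scheme rests on the difficulty of factoring the product of two large primes. The Python below is an added example for this page (not the slides' code and not a real RSA library) that makes the dependency concrete: it builds a textbook RSA key pair from two small primes, encrypts and decrypts, and then recovers the private exponent from the public key alone by factoring the modulus with trial division. The primes 104729 and 104723 are constructed toy values; no padding scheme such as OAEP is applied, so this "raw" RSA is for illustration only.

```python
from math import gcd

def rsa_keygen(p: int, q: int, e: int = 65537) -> tuple:
    """Build an RSA key pair from two primes. Returns ((n, e), (n, d)).
    Real keys use primes of 1024+ bits; the toy primes used below are only for illustration."""
    if p == q:
        raise ValueError("p and q must differ")
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)          # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)

def rsa_encrypt(m: int, public_key: tuple) -> int:
    """Textbook RSA: c = m^e mod n. The message must be an integer below n."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer smaller than n")
    return pow(m, e, n)

def rsa_decrypt(c: int, private_key: tuple) -> int:
    """m = c^d mod n."""
    n, d = private_key
    return pow(c, d, n)

def encrypt_bytes(msg: bytes, public_key: tuple) -> int:
    return rsa_encrypt(int.from_bytes(msg, "big"), public_key)

def decrypt_bytes(c: int, private_key: tuple, length: int) -> bytes:
    return rsa_decrypt(c, private_key).to_bytes(length, "big")

def factor_by_trial_division(n: int) -> tuple:
    """Find the two prime factors of n by trial division. Cost grows with sqrt(n): trivial
    for a 34-bit toy modulus, hopeless for a 2048-bit one, which is exactly what RSA relies on."""
    f = 2
    while f * f <= n:
        if n % f == 0:
            return f, n // f
        f += 1
    raise ValueError("no factor found")

def recover_private_key(public_key: tuple) -> tuple:
    """Whoever can factor n can rebuild d from the public key alone."""
    n, e = public_key
    p, q = factor_by_trial_division(n)
    return n, pow(e, -1, (p - 1) * (q - 1))

if __name__ == "__main__":
    pub, priv = rsa_keygen(104729, 104723)   # constructed toy primes, far too small for real use
    c = encrypt_bytes(b"hi", pub)
    print("n =", pub[0], "ciphertext =", c, "decrypted =", decrypt_bytes(c, priv, 2))
    print("private exponent recovered by factoring:", recover_private_key(pub) == priv)
```

The point to take from the last line is the security argument in reverse: the private key is fully determined by the public key plus the factorization of n, so the key size chosen is really a bet on how expensive that factorization stays.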


Asymmetric Key Ciphers (continued)
• Diffie-Hellman
– Allows two parties who do not have prior knowledge of each
other to establish a shared secret key
• Over a public, insecure channel
– Currently considered secure
• DSS (Digital Signature Standard)
– Based on the Digital Signature Algorithm (DSA)
– Used to generate digital signatures for authentication of
electronic documents
– Combination of public key cryptography and a hash function

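The Diffie-Hellman bullet describes a protocol rather than a cipher, so the clearest illustration is the exchange itself with both sides' messages. The Python below is an added example for this page (not code from the slides) that runs the exchange end to end: each party keeps a private exponent, only the public values cross the insecure channel, and both arrive at the same shared secret, which is hashed into a key rather than used raw. It also rejects the trivial public values 0, 1 and p-1, the minimal validation a receiver should perform. The parameters p = 2^127 - 1 (a known prime) and g = 5 are constructed toy values, not a standardized group.

```python
import hashlib
import secrets

def dh_private_value(p: int) -> int:
    """Secret exponent chosen at random in [2, p-2]; never transmitted."""
    return secrets.randbelow(p - 3) + 2

def dh_public_value(p: int, g: int, private: int) -> int:
    """g^private mod p: safe to send in the clear."""
    return pow(g, private, p)

def is_valid_public_value(p: int, y: int) -> bool:
    """Reject 0, 1 and p-1: accepting them would let an active attacker force the shared
    secret to a trivial value."""
    return 2 <= y <= p - 2

def dh_shared_secret(p: int, peer_public: int, private: int) -> int:
    """peer_public^private mod p; both parties compute the same number."""
    if not is_valid_public_value(p, peer_public):
        raise ValueError("peer public value rejected")
    return pow(peer_public, private, p)

def derive_key(shared: int) -> bytes:
    """Never use the raw shared number as a key: hash it into a fixed-length key."""
    return hashlib.sha256(shared.to_bytes((shared.bit_length() + 7) // 8 or 1, "big")).digest()

def run_exchange(p: int, g: int) -> tuple:
    """Both sides of the exchange. Only A and B travel over the insecure channel;
    a and b never leave their owners."""
    a = dh_private_value(p)
    A = dh_public_value(p, g, a)            # Alice -> Bob: A
    b = dh_private_value(p)
    B = dh_public_value(p, g, b)            # Bob -> Alice: B
    key_alice = derive_key(dh_shared_secret(p, B, a))
    key_bob = derive_key(dh_shared_secret(p, A, b))
    return key_alice, key_bob

# Constructed toy parameters: p = 2^127 - 1 (a known prime) and g = 5. Real deployments
# use standardized groups with a 2048-bit (or larger) safe prime.
TOY_P = 2**127 - 1
TOY_G = 5

if __name__ == "__main__":
    ka, kb = run_exchange(TOY_P, TOY_G)
    print("keys match:", ka == kb, ka.hex()[:16] + "...")
```

Nothing in the exchange authenticates either party; that is the reason the slide's "currently considered secure" holds only against a passive eavesdropper, and why protocols that use Diffie-Hellman wrap it in signatures or another authentication step.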


Asymmetric Key Ciphers (continued)
• Elliptic Curve Cryptosystems
– The underlying elliptic curve problem is harder to solve
than factoring the products of large prime numbers
– Elliptic curves, as used in cryptography, are mainly
defined over finite fields
– Shorter keys can be used
• Neo for Java
– Uses a matrix of 251 8-bit numbers
– Said to be the equivalent of RSA-1024



Asymmetric Key Ciphers (continued)
• Lattice-Based Cryptosystems
– Based on NP-complete problems involving geometric
shapes built of lines or vectors
– Lattice-based systems have not proven to be effective
for cryptography
• As they are too slow in practice



Cryptographic Hash Functions
• Hash functions are used in cryptography to transform
variable-length input into a fixed-size hash value
• Hashes are often referred to as “digital fingerprints”
• One-way hashes
– Easy to create the hash from the input data, but very
difficult to recreate the input data from the hash
• Message Digest Algorithm 5 (MD5)
– Secure hash algorithm developed in 1992 by Rivest
– Operates on input data using 512-bit blocks, and
produces a 128-bit hash value



Cryptographic Hash Functions
(continued)
• SHA, SHS (Secure Hash Algorithm)
– Developed by the U.S. government and adopted as a
FIPS standard
– Several variations of SHA hash functions exist
– Operates on either 512-bit blocks or 1024-bit blocks
– SHA-1 hashes are 160 bits long
– SHA-2 variants produce larger hashes (224, 256, 384, and
512 bits)
– Considered superior to MD5

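The two hash slides give sizes and properties that can be checked directly with Python's standard library. The block below is an added example for this page (not code from the slides): it reads the digest and block sizes of MD5 and the SHA family from hashlib, uses a digest as a "digital fingerprint" for an integrity check with a constant-time comparison, and measures the avalanche effect (how many output bits change when one input bit flips), which is the observable side of the one-way property. The sample message is constructed.

```python
import hashlib
import hmac

def digest_bits(algorithm: str) -> int:
    """Output size of a hash function in bits (e.g. md5 -> 128, sha1 -> 160)."""
    return hashlib.new(algorithm).digest_size * 8

def block_bits(algorithm: str) -> int:
    """Internal block size in bits: 512 for MD5/SHA-1/SHA-256, 1024 for SHA-384/SHA-512."""
    return hashlib.new(algorithm).block_size * 8

def fingerprint(data: bytes, algorithm: str = "sha256") -> str:
    """The 'digital fingerprint' of a message: fixed size regardless of input length."""
    return hashlib.new(algorithm, data).hexdigest()

def verify_fingerprint(data: bytes, expected_hex: str, algorithm: str = "sha256") -> bool:
    """Integrity check against a published fingerprint; constant-time compare so the
    comparison itself does not leak how many leading characters matched."""
    return hmac.compare_digest(fingerprint(data, algorithm), expected_hex.lower())

def bit_difference(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length digests."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def avalanche_bits(data: bytes, algorithm: str = "sha256") -> int:
    """Flip a single input bit and count how many output bits change. A good hash changes
    about half of them, which is why a fingerprint reveals nothing about its input."""
    flipped = bytes([data[0] ^ 0x01]) + data[1:]
    return bit_difference(hashlib.new(algorithm, data).digest(),
                          hashlib.new(algorithm, flipped).digest())

if __name__ == "__main__":
    doc = b"Chapter 6: Encryption and Password Cracking"    # constructed sample message
    for alg in ("md5", "sha1", "sha256", "sha512"):
        print(f"{alg:7s} {digest_bits(alg):4d}-bit digest, {block_bits(alg):4d}-bit blocks: "
              f"{fingerprint(doc, alg)[:16]}...")
    print("one flipped input bit changes", avalanche_bits(doc), "of 256 output bits")
```

The avalanche count is the quick sanity test for any hash a reviewer meets: a "hash" whose output changes in only a few bits when one input bit flips is leaking its input structure and cannot serve as a fingerprint.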


Attacks on Passwords
• Password protection is open to many kinds of attack
– From dictionary attacks to sheer guesswork



Dictionary Attacks
• Guessing passwords by using a list of common
words
• Can determine the key necessary to decrypt an
encrypted document
• Usually do not work against complex passwords
• Crackers need the file that contains the passwords
of the target
• Defense: limit the number of guesses allowed before
the user is locked out



Dictionary Attacks (continued)
• Hybridization attacks
– Guess passwords by creating new words
– Add letters or numbers to every word in a dictionary
– Some hybridization methods use a number spread
• Insert numbers into passwords
– Duplication: duplicating a word to form a new word
– Substituting with symbols: replacing letters in words
with symbols that look similar to the missing letters



Dictionary Attacks (continued)



Dictionary Attacks (continued)
• Guidelines to protect against dictionary and
hybridization attacks
– Avoid using the same password for everything
– Avoid using one’s own name in a password, as well as
that of a child, spouse, friend, or pet
– Avoid using common words or names for passwords
– Include random letters, numbers, and characters
– Avoid writing down difficult passwords where they
might easily be found

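The dictionary-attack and hybridization slides list the mangling rules (appended numbers, duplication, look-alike symbol substitution) and name the two defenses: strong password choice and a limit on guesses. The Python below is an added example for this page (not the slides' code and not any named cracking tool) that turns those rules into the defender's tooling: a registration-time check that rejects any password a hybrid dictionary attack would reach, an offline audit of stored hashes against the same candidate set, and a guess limiter that locks an account after a fixed number of failures. The five-word wordlist, the leet map and the stored hashes are all constructed; unsalted SHA-256 is used only because the slides speak of plain password hashes, and a real system should store salted, deliberately slow hashes.

```python
import hashlib

# Constructed toy wordlist; real attacks use lists of millions of common passwords.
WORDLIST = ["password", "welcome", "dragon", "letmein", "summer"]
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}   # look-alike symbol substitutions

def hybrid_candidates(word: str) -> set:
    """Apply the hybridization rules on the slide to one dictionary word: capitalisation,
    duplication, look-alike symbol substitution, and a number spread (appended 0-99)."""
    bases = [word, word.capitalize(), word.upper(), word + word]
    out = set()
    for base in bases:
        for variant in (base, "".join(LEET.get(c, c) for c in base)):
            out.add(variant)
            out.add(variant + "!")
            out.update(f"{variant}{n}" for n in range(100))
    return out

def sha256_hex(s: str) -> str:
    return hashlib.sha256(s.encode()).hexdigest()

def build_lookup(wordlist) -> dict:
    """Hash every candidate once: {hash: candidate}. Unsalted SHA-256 is used because the
    slides talk about plain password hashes; a real system would use a salted, slow hash."""
    return {sha256_hex(c): c for word in wordlist for c in hybrid_candidates(word)}

def is_guessable(password: str, lookup: dict) -> bool:
    """Registration-time check: reject a password a hybrid dictionary attack would find."""
    return sha256_hex(password) in lookup

def audit_hashes(stored: dict, lookup: dict) -> dict:
    """Offline audit of {user: hash}: which accounts would fall to the dictionary?"""
    return {user: lookup[h] for user, h in stored.items() if h in lookup}

class GuessLimiter:
    """The online defense on the slide: lock the account after `limit` failed guesses."""
    def __init__(self, limit: int = 5):
        self.limit, self.failures = limit, {}

    def attempt(self, user: str, password: str, expected_hash: str) -> str:
        """Returns 'ok', 'denied' or 'locked'. A locked account stays locked even for the
        correct password, so an attacker cannot confirm a guess after the limit."""
        if self.failures.get(user, 0) >= self.limit:
            return "locked"
        if sha256_hex(password) == expected_hash:
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        return "locked" if self.failures[user] >= self.limit else "denied"

# Constructed stored hashes, as they might appear in a copied password file.
STORED = {"alice": sha256_hex("Dragon99"), "bob": sha256_hex("correct horse battery staple")}

if __name__ == "__main__":
    lookup = build_lookup(WORDLIST)
    print(len(lookup), "candidates from", len(WORDLIST), "words")
    print("guessable accounts:", audit_hashes(STORED, lookup))
```

Note what the candidate count shows: a handful of mangling rules multiplies a five-word list into several thousand guesses, so "Dragon99" is no stronger than "dragon". The guidelines on the slide (random letters, numbers and characters rather than a decorated dictionary word) are aimed at exactly this expansion.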


Brute-Force Attacks
• Use all possible combinations of letters, numbers, and
special characters to determine the target password
• Very time consuming and requires patience
• Slow compared to dictionary attacks
• Need a large amount of RAM and a fast processor
• Most effective when the encrypted document or
password hash file
– Can be extracted from the target system and tested in
an offline location where the attacker cannot be observed



Observation
• “Snooping,” “eavesdropping,” or “shoulder-surfing”
• Used whenever an attacker has physical proximity
– And can literally watch the victim type in their
username and password



Keyloggers
• Records every key pressed on the target’s computer
• Can easily be installed on any computer
• Keyloggers are generally invisible to the victim



Social Engineering
• Cracker can pretend to be a legitimate user of the
target system
– And extract information simply by asking
• People behave naively when a so-called computer
expert questions them
• Another form of social engineering is called phishing



Sniffing Methods
• Crackers use packet sniffers
– To catch cleartext passwords from protocols such as
Telnet, FTP, and POP3



Password File Stealing
• Cracker can steal or copy the files where the
password hashes are stored
– From the victim’s computer
• Cracker can take all the time necessary to perform a
brute-force attack
• Sometimes passwords are not stored in the main
system but in a shadow file
– Readable only by users with administrative privileges



Password Crackers
• Some widely used cracker programs are:
– Cain and Abel
– Crack
– John the Ripper
– Telnet_crack
– THC Hydra
– L0phtCrack



Cain and Abel
• Developed for Windows systems
• Handles large variety of tasks and is user-friendly
• Functions include
– Recover passwords by sniffing the network
– Crack encrypted passwords using dictionary, brute-
force, and cryptanalysis attacks
– Record VoIP conversations
– Decode scrambled passwords
– Reveal password boxes



Cain and Abel (continued)



Crack
• Alec Muffet designed Crack for UNIX-based systems
in 1991
• Scans UNIX password files and then extracts weak
logon passwords
• Can also detect ciphertext encrypted with the crypt(3)
algorithm



John the Ripper
• A fast password cracker
• Currently available for many versions of UNIX, DOS,
Win32, BeOS, and OpenVMS
• Primary purpose is to detect weak UNIX passwords
• Its dictionary can be edited to add more common words
• Modes
– Wordlist mode, single-crack mode, incremental mode,
and external mode



Telnet_Crack
• Uses a dictionary attack to crack Telnet account
passwords
• Available for UNIX and Linux platforms
• Hackers must specify the Telnet account name and
the IP address of the computer holding the user’s
account to crack



THC Hydra
• Useful network authentication cracker which
supports many different services



L0phtCrack and LC5
• Developed to help system administrators and
security professionals
– Check password weaknesses of the Windows NT
operating system
• @stake, the company that owned L0phtCrack, was
purchased by Symantec
• Symantec has discontinued support



Summary
• Requiring the use of effective, strong passwords is
one of the best ways to secure a network against
attackers
• Basic types of cryptography include transposition and
substitution ciphers
• Encryption can be performed using either symmetric
key algorithms or asymmetric key algorithms
• Popular symmetric key ciphers include DES, 3DES,
AES (Rijndael), IDEA, Skipjack, and RC4



Summary (continued)
• Popular asymmetric key ciphers include RSA, Diffie-
Hellman, DSS, and elliptic curve cryptography
• Cryptographic hash functions generate a fixed-size
hash value from a message of any length
• Effective password security depends on choosing
strong passwords
• Common attacks on passwords include technical
measures and physical techniques
• Password-cracking programs are readily available

