information security(160702) - · pdf filecourse in information security (160702) ... 3 write...

VENUS INTERNATIONAL COLLEGE OF TECHNOLOGY Gandhinagar

Department of Computer Enggineering

Information Security(160702)

Name :

Enroll no.

:

Class

: 6th SEM C.E.

Year

: 2014-15

VENUS INTERNATIONAL COLLEGE OF TECHNOLOGY

Gandhinagar

CERTIFICATE

This is certify that

Mr./Ms.______________________________ Roll No. ___________________ of B.E Third Year 6th Sem C.E. has satisfactory completed the course in Information Security (160702).

_______________________ ____________________ Signature of Faculty Signature of HOD

DATE OF SUBMISSION: / / 2015

Index

Sr. No. Description Page No.

Date Sign

1 Implement your own symmetric key algorithm for

encryption and decryption using C. 1 / /15

2 Write a Program to implement a Ceaser Cipher. 5 / /15 3 Write a Program to implement a RSA Algorithm. 7 / /15 4

To study about stereography. Hide some text data

behind image by using openstegno tool. 9 / /15

5 To study about various attack scenarios and perform

man in the middle attack. 13 / /15

6 To study about crypt tool and hash calc. 17 / /15 7

Installation and configuration of Active directory on

server 2008. 21 / /15

8

Connect client computer to the active directory

domain and login using users created in active

directory. 26 / /15

9 Implement https (Secure http) on server 2008. 34 / /15 10 Configure FTP server with IPsec. 44 / /15 11 Implement Brute force attack. 56 / /15

Information Security VICT CE 2014-15 1

©Krunal Bhardwaj

Practical – 1

AIM : Implement your own symmetric key algorithm for encryption and

decryption using C.

Program :

#include<stdio.h>

#include<string.h>

void cipher(int i,int c);

int findMin();

void makeArray(int,int);

char arr[22][22],darr[22][22],emessage[111],retmessage[111],key[55];

char temp[55],temp2[55];

int k=0;

int main()

{

char *message,*dmessage;

int i,j,klen,emlen,flag=0;

int r,c,index,min,rows;

clrscr();

printf("Enetr the key\n");

fflush(stdin);

gets(key);

printf("\nEnter message to be ciphered\n");

fflush(stdin);

gets(message);

strcpy(temp,key);

klen=strlen(key);

k=0;

for(i=0; ;i++)

{

if(flag==1)

break;

for(j=0;key[j]!=NULL;j++)

{

if(message[k]==NULL)

{

flag=1;

arr[i][j]='-';

}

else

{

arr[i][j]=message[k++];

}

}

}


©Krunal Bhardwaj

r=i;

c=j;

for(i=0;i<r;i++)

{

for(j=0;j<c;j++)

{

printf("%c ",arr[i][j]);

}

printf("\n");

}

k=0;

for(i=0;i<klen;i++)

{

index=findMin();

cipher(index,r);

}

emessage[k]='\0';

printf("\nEncrypted message is\n");

for(i=0;emessage[i]!=NULL;i++)

printf("%c",emessage[i]);

printf("\n\n");

emlen=strlen(emessage); //emlen is length of encrypted message

strcpy(temp,key);

rows=emlen/klen; //rows is no of row of the array to made from ciphered message

rows;

j=0;

for(i=0,k=1;emessage[i]!=NULL;i++,k++)

{

//printf("\nEmlen=%d",emlen);

temp2[j++]=emessage[i];

if((k%rows)==0)

{

temp2[j]='\0';

index=findMin();

makeArray(index,rows);

j=0;

}

}

printf("\nArray Retrieved is\n");

k=0;

for(i=0;i<r;i++)

{

for(j=0;j<c;j++)

{

printf("%c ",darr[i][j]);

//retrieving message

retmessage[k++]=darr[i][j];

}

printf("\n");

}


©Krunal Bhardwaj

retmessage[k]='\0';

printf("\nMessage retrieved is\n");

for(i=0;retmessage[i]!=NULL;i++)

printf("%c",retmessage[i]);

getch();

return(0);

}

void cipher(int i,int r)

{

int j;

for(j=0;j<r;j++)

{

emessage[k++]=arr[j][i];

} // emessage[k]='\0';

}

void makeArray(int col,int row)

{

int i,j;

for(i=0;i<row;i++)

{

darr[i][col]=temp2[i];

}

}

int findMin()

{

int i,j,min,index;

min=temp[0];

index=0;

for(j=0;temp[j]!=NULL;j++)

{

if(temp[j]<min)

{

min=temp[j];

index=j;

}

}

temp[index]=123;

return(index);

}


©Krunal Bhardwaj

Output:

Encryption:

Decryption:


©Krunal Bhardwaj

Practical – 2

AIM : Write a Program to implement a Ceaser Cipher.

Program :

#include<stdio.h>

#include<conio.h>

#include<string.h>

void main()

{

int i,j,shift,k,temp;

char pt[100],ency[100];

char value(int);

clrscr();

printf("Please Enter The PlainText=\n");

gets(pt);

printf("Please Enter The shift value=\n");

scanf("%d",&shift);

printf("\n \n The Encrypted Text is=\n");

for (i=0;i<strlen(pt);i++)

{

if (pt[i]==' ')

{

ency[i]=pt[i];

printf("%c",pt[i]);

}

else

{

if (pt[i]=='.')

{

ency[i]=pt[i];

printf("%c",pt[i]);

}

else

{

temp=pt[i]+shift;

ency[i]=temp;

printf("%c",temp);

}

}

}

printf("\n \n The Decrypted Text is=\n");


©Krunal Bhardwaj

for (i=0;i<strlen(pt);i++)

{

if (ency[i]==' ')

{

printf("%c",ency[i]);

}

else

{

if (ency[i]=='.')

{

printf("%c",pt[i]);

}

else

{

temp=ency[i]-shift;

printf("%c",temp);

}

}

}

ency[i]='\0';

getch();

}

Output:-


©Krunal Bhardwaj

Practical – 3

AIM : Write a Program to implement a RSA Algorithm.

Program :

#include<stdio.h>

#include<conio.h>

void main()

{

int p,q,n,e,i;

int temp,temp1,d,pt,c,m;

clrscr();

printf("Enter The first Prime number=\n");

scanf("%d",&p);

printf("Enter The second Prime number=\n");

scanf("%d",&q);

n=p*q;

q=(p-1)*(q-1);

e=2;

while (e>1)

{

if (q%e!=0)

goto end;

else

e++;

}

end :

d=1;

temp=e-2;

d=((temp*q)+1)/e;

last:

printf("\nd=%d",d);

printf("\nThe Public Key is e={%d} and n={%d}\n",e,n);

printf("The Private Key is d={%d} and n={%d}\n",d,n);

printf("Enter The Plain Text=\n");

scanf("%d",&pt);

c=1;

printf("The cipher text is=\n");

for (i=0;i<e;i++)

c=c*pt%n;

c=c%n;

printf("%d",c);

m=1;

printf("\nThe Decryeted text is=\n");


©Krunal Bhardwaj

for (i=0;i<e;i++)

m=m*c%n;

m=m%n;

printf("%d\n",m);

getch();

}

Output:-


©Krunal Bhardwaj

Practical – 4

AIM : To study about stereography. Hide some text data behind image by

using openstegno tool.

Introduction :

(1) What is steganography?

Steganography is the science of hidisng secret message inside another larger and

harmless looking message. This is one notch above regular cryptography; which just obscures

the original message. Steganography tries to conceal the fact that there is a message in the

first place. Steganography message often appears to be something else than the original

(secret) message, like a picture, sound, larger text, etc.

Some terms related to Steganography:

Plaintext: The original secret message that needs to be communicated.

Cipher text: Secret message is often first encrypted using traditional methods.

Encrypted message is known as cipher text.

Cover text: A larger and harmless looking data which is used as container for the

plaintext/cipher text. This can be a picture, sound, text, etc.

Stegotext: The data generated after embedding the plaintext/cipher text into the cover

text.

(2) How steganography work?

The normal procedure is to first encrypt the plaintext to generate the cipher text, and

then modify the cover text in some way to contain the cipher text. The generated Stegotext is

sent over to the intended recipient. If a third party snoops the Stegotext in between, then they

will just see some harmless looking picture (or sound, etc). Once the recipient receives the

Stegotext, the cipher text is extracted from it by reversing the logic that was used to embed it

in the first place. The cipher text is decrypted using the traditional cryptography to get back

the original plaintext.

The steganography will work smartly using Openstego tool as describe following steps.

http://en.wikipedia.org/wiki/Steganography


©Krunal Bhardwaj

(3) OpenStego (Demonstration)

(i) Download OpenStego, and extract the same using any unzip application. Start

the application by executing openstego.bat (on Windows) or

openstego.sh (on *NIX). (For using OpenStego from command-line,

please refer here)

(ii) Embedding Data

Consider the scenario where Alice wants to send a text (secret.text) to Bob.

The picture is a sensitive data, and needs to be sent such that no one can make

out that it is being sent over to Bob. In this case, Alice will first select a

harmless looking bigger sized picture (wallpaper.png) and use it as the cover

file. Both the pictures are shown below as an example:

Here, secret. text =Hello…..

Alice will start OpenStego, and under "Embed" tab, she will select secret.jpg as

the "Source Data File (Message file)", wallpaper.png as the "Source Image File (Cover file)", and send.png as "Output Image File (Stego file)". For extra layer of security, she would also like to encrypt the secret data before embedding, and so she will check the "Encrypt Data" checkbox, and provide a password.


©Krunal Bhardwaj

On clicking "OK" button, OpenStego will embed the secret.jpg file into the

wallpaper.png, and will generate send.png as the output, as shown below.

send.png & wallpaper.png

There is essentially no visible difference between the original wallpaper.png and

generated send.png. Alice can safely send over the send.png file to Bob. If someone snoops

the file in the middle, he/she will just find a harmless wallpaper image.


©Krunal Bhardwaj

(iii)Extracting Data

On receiving the image file from Alice, Bob will extract the original message

file using OpenStego. Under the "Extract" tab, he will select send.png as the

"Image File Containing Embedded Data (Stego file)", and select a suitable folder

for "Output Folder for Data File (Message file)".

On clicking "OK" button, OpenStego will prompt for the password that was used to embed

the original file. Alice should have passed the password to Bob to enable him to extract the

data.

Bob will type in the password and click "OK". OpenStego will extract the original secret.jpg

file, and display the information message accordingly.

You can check that the extracted secret.jpg file is same as the original one.


©Krunal Bhardwaj

Practical – 5

AIM : To study about various attack scenarios and perform man in the middle

attack.

Program :

ATTACK SCENARIOS

The popularity of scenarios have been increased among software engineers and are

proven to be valuable for eliciting information about systems requirements, communicating

with stakeholders and providing context for requirements (Ryser, 2000). As a result,

scenarios have been applied in many different areas of computer science research, such as

software engineering (Potts, 1994), business-process reengineering (Anton, 1994), and user

interface design (Carroll, 1991). In particular, many cases can be found in the literature (Ryser, 1999 – Ryser 2000 – Lalioti, 1995), where scenarios have been used for the validation of requirements.

As such, we define a Security Attack Scenario as an attack situation describing the actors

of a software system and their secure capabilities as well as possible attackers and their

goals, and it identifies how the secure capabilities of the system’s actors prevent (if they

prevent) the satisfaction of the attackers’ goals. A Security Attack Scenario involves a

possible attacker, possible attack(s), the resources that are attacked, and the actors of the

system related to the attack together with their secure capabilities.

Man in the Middle (MITM) Attack

What Is a Man-in-the-Middle Attack?

A man-in-the-middle attack is a type of cyberattack where a malicious actor inserts

him/herself into a conversation between two parties, impersonates both parties and gains

access to information that the two parties were trying to send to each other. A man-in-the-

middle attack allows a malicious actor to intercept, send and receive data meant for someone

else, or not meant to be sent at all, without either outside party knowing until it is too late.

Man-in-the-middle attacks can be abbreviated in many ways, including MITM, MitM, MiM

or MIM.

Key Concepts of a Man-in-the-Middle Attack

Man-in-the-middle is a type of eavesdropping attack that occurs when a malicious actor inserts himself as a relay/proxy into a communication session between people or systems.

A MITM attack exploits the real-time processing of transactions, conversations or transfer of other data.

Man-in-the-middle attacks allow attackers to intercept, send and receive data never meant to be for them without either outside party knowing until it is too late.


©Krunal Bhardwaj

Man-in-the-Middle Attack Examples

In the image above, you will notice that the attacker inserted him/herself in-between the flow

of traffic between client and server. Now that the attacker has intruded into the

communication between the two endpoints, he/she can inject false information and intercept

the data transferred between them.

Below is another example of what might happen once the man in the middle has inserted

him/herself.


©Krunal Bhardwaj

The hacker is impersonating both sides of the conversation to gain access to funds. This

example holds true for a conversation with a client and server as well as person-to-person

conversations. In the example above, the attacker intercepts a public key and with that can

transpose his own credentials to trick the people on either end into believing they are talking

to one another securely.

Interactions Susceptible to MITM Attacks

Financial sites – between login and authentication Connections meant to be secured by public or private keys Other sites that require logins – where there is something to be gained by having access

Here, we use the Ettercap to understand the MITM in Network.

(1) Install the Ettercap in to the computer.

(2) After installation open Ettercap, select sniff mode and select your network

interface as shown below.

(3) Now scan for hosts in your sub net by going to Hosts ---> scan for hosts


©Krunal Bhardwaj

(4) Now open host list from hosts tab and select the IP address of the victim as target 1

and IP address of the router as target 2

(5) Now start ARP poisoning by going to mitm ---> ARP Poisoning

Finally start the sniffer by going to start ---> start sniffing. Now if the victim logs into

Gmail, face book yahoo mail...etc .we will get his user name and password.


©Krunal Bhardwaj

Practical – 6 AIM : To study about crypt tool and hash calc.

Cryptool:

1. Ceaser Encryption/Decryption:-

Plain Text:-

Krunal Bhardwaj

Key:-D

Encryption

Decryption


©Krunal Bhardwaj

2. Vigenere Encryption/Decryption:-

Plain Text:-

Krunal Bhardwaj

Shift Value:- 1,2,3

Key:-BCD

Encryption

Decryption


©Krunal Bhardwaj

3. PlayFair Encryption/Decryption:-

Plain Text:-

Krunal Bhardwaj

Key:-DAK

Encryption

Decryption


©Krunal Bhardwaj

HashCalc:

Plain Text:-

Krunal Bhardwaj

Key:-Krun@l


©Krunal Bhardwaj

Practical – 7

AIM : Installation and configuration of Active directory on server 2008.

To Installation of Active directory on server 2008, the required steps are given

below.

Step-1:- First we need to let the server know, which role it is going to be perform. Open the

Add roles of Initial Configuration Tasks of the server 2008.

Step-2:- Go to Server Roles and select the Active Directory Domain Services and click on

to the Next button.


©Krunal Bhardwaj

Step-3:-With Clicking Three times of Next button the ADS Installation Process will be

start. After Installation the Message will be displayed as “Installation Succeeded”.

Step-4:- After that go to run and type command as “dcpromo”, The Active Directory

Domain Service Installation Wizard will be open and select the Use advanced mode

installation and click on to Next button.

The Installer will check the Os Compatibility of the system and click on to the Next button.


©Krunal Bhardwaj

Step-5:-After that Choose a Deployment Configuration will be open and select the Create a

new domain in a new forest, click on to the Next button.

Step-6:-After that Give the FQDN (Fully Qualified Domain Name) click on to the Next

button.

Server will check the same forest is available or not in to the server. Provide a Domain

NetBIOS name click on to the Next button.


©Krunal Bhardwaj

Step-7:-Set the Forest Functional Level of the Server 2008 click on to the Next button.

Select The Global catalog click on to the Next button.

Step-8:-Select the Location of Database, Log Files Folder and SYSVOL folder click on

to the Next button.

Give the Password of the Server click on to the next button and provide us to all summary

of the ADS click on to the Next Export settings button otherwise click on to the Next

button.


©Krunal Bhardwaj

Step-9:-Configures the Active Domain Service of the server 2008 and Installation is

Completed.

Click on to the Finish button. And Restart the System.


©Krunal Bhardwaj

Practical – 8

AIM : Connect client computer to the active directory domain and login using

users created in active directory.

On Server computer Login from administrative account and open Active directory users and

computers.

Right click on Users folder and select User form New options


©Krunal Bhardwaj

In open window fill the user information and click on next

On password screen give password and remove tick mark from User must change password

at next login


©Krunal Bhardwaj

On summary screen click on Finish button

Verify that you have successfully created user accounts


©Krunal Bhardwaj

Now make this user the member of built in Domain Admins group

User must be show in the Member tab of Domain Admins group's properties


©Krunal Bhardwaj

Now create a computer account for client computer. Right click on Computers folder And

select Computer from New options

Give client computer name [ Make sure you give exact same name which you have on client

computer, Check it before giving here on client computer ]


©Krunal Bhardwaj

On managed screen Do not check on This is a managed computer Click on next

On next screen click on finish


©Krunal Bhardwaj

Next step is to grant the access of add client in domain. To do this open domain controller

security policy

In left pane expand the local polices. In local polices select User Rights Assignment and in

right pane double click on Add workstation to domain


©Krunal Bhardwaj

Now add administrators [group], administrator [Account], and Vinita[ User which you want

to grant the access]

Now refresh the group policy by running GPUPDATE commands in run

We have completed all necessary steps on server in our next article we will see how to use

this account to make client


©Krunal Bhardwaj

Practical – 9

AIM : Implement https (Secure http) on server 2008.

Process of implementing https will do in four steps:

1. Create the Certificate Signing Request

2. Install the Certificate

3. Bind the Certificate to a website

4. Install any Intermediate Certificates

1. Create the Certificate Signing Request:

Step1:- The first step in ordering an SSL certificate is generating a Certificate Signing

Request. This is very easy to do in IIS7 using the following instructions.

Step2:-Click here to hide or show the images.

Step3:-Click on the Start menu, go to Administrative Tools, and click on Internet

Information Services (IIS) Manager.


©Krunal Bhardwaj

Step4:-Click on the name of the server in the Connections column on the left. Double-click

on Server Certificates.

In the Actions column on the right, click on Create Certificate Request...


©Krunal Bhardwaj

Step5:-Enter all of the following information about your company and the domain you are

securing and then click Next.

Step6:- Leave the default Cryptographic Service Provider. Increase the Bit length to 2048

bit or higher. Click Next.


©Krunal Bhardwaj

Step7:- Click the button with the three dots and enter a location and filename where you

want to save the CSR file. Click Finish.

Once you have generated a CSR you can use it to order the certificate from a certificate

authority. If you don't already have a favorite, you can compare SSL features from each

provider using our SSL Wizard or by comparing cheap SSL certificates, Wildcard

Certificates, or EV certificates. Once you paste the contents of the CSR and complete the

ordering process, your order is validated, and you will receive the SSL certificate file.


©Krunal Bhardwaj

2. Install the Certificate:

Step1:-Click on the Start menu, go to Administrative Tools, and click on Internet

Information Services (IIS) Manager.

Step2:-Click on the name of the server in the Connections column on the left. Double-click

on Server Certificates.

Step3:-In the Actions column on the right, click on Complete Certificate Request...


©Krunal Bhardwaj

Step4:-Click the button with the three dots and select the server certificate that you received

from the certificate authority. If the certificate doesn't have a .cer file extension, select to

view all types. Enter any friendly name you want so you can keep track of the certificate on

this server. Click OK.

Step5:- If successful, you will see your newly installed certificate in the list. If you receive

an error stating that the request or private key cannot be found, make sure you are using the

correct certificate and that you are installing it to the same server that you generated the CSR

on. If you are sure of those two things, you may just need to create a new Certificate Request

and reissue/replace the certificate. Contact your certificate authority if you have problems

with this.


©Krunal Bhardwaj

3. Bind the Certificate to a website:

Step1:-In the Connections column on the left, expand the sites folder and click on the

website that you want to bind the certificate to. Click on Bindings... in the right column.

Step2:- Click on the Add... button.


©Krunal Bhardwaj

Step3:-Change the Type to https and then select the SSL certificate that you just installed. Click

OK.

1. You will now see the binding for port 443 listed. Click Close.


©Krunal Bhardwaj

4. Install any Intermediate Certificates

Step1:-Most SSL providers issue server certificates off of an Intermediate certificate so you

will need to install this Intermediate certificate to the server as well or your visitors will

receive a Certificate Not Trusted Error. You can install each Intermediate certificate

(sometimes there is more than one) using these instructions:

1. Download the intermediate certificate to a folder on the server.

2. Double click the certificate to open the certificate details.

3. At the bottom of the General tab, click the Install Certificate button to start the

certificate import wizard. Click Next.

Step2:-Select Place all certificates in the following store and click Browse.


©Krunal Bhardwaj

Step3:- Check the Show physical stores checkbox, then expand the Intermediate

Certification Authorities folder, select the Local Computer folder beneath it.

Click OK. Click Next, then Finish to finish installing the intermediate certificate.


©Krunal Bhardwaj

Practical – 10

AIM : Configure FTP server with IPsec.

Process will complete in two different steps :

1. First we enable or say configure FTP server

2. Configuring IPsec Policies

1. First we enable or say configure FTP server :

Open Server Manager, go to Roles and click “Add Roles” .


©Krunal Bhardwaj

Click Next until you reach Select Role Services page, leave the default and check FTP

Server, FTP Service and FTP Extensibility at the bottom. Click Next, follow the wizard and

finish the role installation.


©Krunal Bhardwaj

Now open IIS Manager from Start > Administrative Tools, expand the server, right click

Sites, and click Add FTP Site, give it a site name and configure the physical path as needed.


©Krunal Bhardwaj

Configure Binding and SSL. In our case, we’d like to bind to all unassigned IP addresses and do not

use SSL.


©Krunal Bhardwaj

Enable Basic Authentication and configure authorization. In our case I’ll start with allowing

All users both Read and Write permission as long as all users on the server are password

protected.


©Krunal Bhardwaj

Click Finish to finish the configuration.

Open Windows Firewall with Advanced Security from Start > Administrative Tools, go to

Inbound Rules in the left pane, and create a new rule by clicking New Rule in the Action

Pane, select Port and click next.


©Krunal Bhardwaj

Apply this rule to TCP port 21, and click

Next

Keep the default configure for the rest of steps to allow the connection and apply it to all

profiles, name the rule and finish the wizard.


©Krunal Bhardwaj

2. Configuring IPSec Policies:

Open Active Directory Users & Computers. Right-click the domain (or an OU if you want to

only configure a specific set of computers). Choose Properties.


©Krunal Bhardwaj

In the Properties window click the Group Policy tab. Click New to configure a new GPO (if

you don't have one set for that OU already). Give it a descriptive name, such as Secure

Services.

Click Edit to edit the GPO.

Navigate to Computer Settings > Windows Settings > Security Settings > IP Security Policies

on Active Directory. You can now manually configure the IPSec Policy.


©Krunal Bhardwaj

After the new IPSec Policy is in place, right-click it and select

Assign.

In order for the changes to take place, either reboot the client computers or refresh their

computer policy.


©Krunal Bhardwaj

Practical – 11

AIM : Implement Brute force attack.

Brute-Force Attacks:

Brute-force attacks are fairly simple to understand, but difficult to protect against.

Encryption is math, and as computers become faster at math, they become faster at trying all

the solutions and seeing which one fits.

These attacks can be used against any type of encryption, with varying degrees of

success. Brute-force attacks become faster and more effective with each passing day as

newer, faster computer hardware is released.

Brute-Force Basics

Brute-force attacks are simple to understand. An attacker has an encrypted file say,

your LastPass or KeePass password database. They know that this file contains data they

want to see, and they know that there’s an encryption key that unlocks it. To decrypt it, they

can begin to try every single possible password and see if that results in a decrypted file.

They do this automatically with a computer program, so the speed at which someone

can brute-force encryption increases as available computer hardware becomes faster and

faster, capable of doing more calculations per second. The brute-force attack would likely

start at one-digit passwords before moving to two-digit passwords and so on, trying all

possible combinations until one works.

A “dictionary attack” is similar and tries words in a dictionary or a list of common

passwords instead of all possible passwords. This can be very effective, as many people use

such weak and common passwords.

Why Attackers Can’t Brute-Force Web Services

There’s a difference between online and offline brute-force attacks. For example, if an

attacker wants to brute-force their way into your Gmail account, they can begin to try every

single possible password — but Google will quickly cut them off. Services that provide

access to such accounts will throttle access attempts and ban IP addresses that attempt to log

in so many times. Thus, an attack against an online service wouldn’t work too well because

very few attempts can be made before the attack would be halted.

For example, after a few failed login attempts, Gmail will show you a CATPCHA

image to verify you aren’t a computer automatically trying passwords. They’ll likely stop

your login attempts completely if you managed to continue for long enough.


©Krunal Bhardwaj

On the other hand, let’s say an attacker snagged an encrypted file from your computer

or managed to compromise an online service and download such encrypted files. The attacker

now has the encrypted data on their own hardware and can try as many passwords as they

want at their leisure. If they have access to the encrypted data, there’s no way to prevent them

from trying a large number of passwords in a short period of time. Even if you’re using

strong encryption, it’s to your benefit to keep your data safe and ensure others can’t access it.

Hashing

Strong hashing algorithms can slow down brute-force attacks. Essentially, hashing

algorithms perform additional mathematical work on a password before storing a value

derived from the password on disk. If a slower hashing algorithm is used, it will require

thousands of times as much mathematical work to try each password and dramatically slow

down brute-force attacks. However, the more work required, the more work a server or other

computer has to do each time as user logs in with their password. Software must balance

resilience against brute-force attacks with resource usage.

Brute-Force Speed

Speed all depends on hardware. Intelligence agencies may build specialized hardware

just for brute-force attacks, just as Bit coin miners build their own specialized hardware

optimized for Bit coin mining. When it comes to consumer hardware, the most effective type

of hardware for brute-force attacks is a graphics card (GPU). As it’s easy to try many

different encryption keys at once, many graphics cards running in parallel are ideal.


©Krunal Bhardwaj

At the end of 2012, Ars Technica reported that a 25-GPU cluster could crack every

Windows password under 8 characters in less than six hours. The NTLM algorithm Microsoft

used just wasn’t resilient enough. However, when NTLM was created, it would have taken

much longer to try all these passwords. This wasn’t considered enough of a threat for

Microsoft to make the encryption stronger.

Speed is increasing, and in a few decades we may discover that even the strongest

cryptographic algorithms and encryption keys we use today can be quickly cracked by

quantum computers or whatever other hardware we’re using in the future.

Protecting Your Data from Brute-Force Attacks

There’s no way to protect you completely. It’s impossible to say just how fast computer

hardware will get and whether any of the encryption algorithms we use today have

weaknesses that will be discovered and exploited in the future. However, here are the basics:

Keep your encrypted data safe where attackers can’t get access to it. Once they have your data copied to their hardware, they can try brute-force attacks against it at their leisure.

If you run any service that accepts logins over the Internet, ensure that it limits login attempts and blocks people who attempt to log in with many different passwords in a short period of time. Server software is generally set to do this out of the box, as it’s a good security practice.

Use strong encryption algorithms, such as SHA-512. Ensure you’re not using old encryption algorithms with known weaknesses that are easy to crack.

Use long, secure passwords. All the encryption technology in the world isn’t going to help if you’re using “password” or the ever-popular “hunter2″.

information security(160702) - · pdf filecourse in information security (160702) ... 3 write...

Documents