Posted by Gordon Burditt on 12/18/11 11:50
>How easy is it to find the key if you know parts of the encrypted data
>are equal to common words like name, email, etc.
>
>I am using blowfish to encrypt my client data on the server. My fear
>is if someone breaks into the server they could examine the source
>code and quickly tell which parts of the encrypted data correspond to
>certain commonly used strings. So given that knowledge would they
>easily be able to crack it?

Many ciphers are supposedly resistant to known-plaintext and
chosen-plaintext attacks. In a chosen-plaintext attack, the attacker
gets to choose the plaintext (e.g. he goes to an ATM and enters a
PIN of his choice (correct or not), which the ATM then transmits
encrypted to the bank, and sniffs the packets sent to the bank).

>When security sites publish times it takes to crack the key of
>encrypted data, does that assume the crackers already know what the
>data should say?

I don't know, but such data is very dependent on the state of the
art in computers and the budget of the attacker: if they can afford
a massively parallel cracking system, such as the NSA or some guy
on a college campus able to use lots of servers on campus. It also
depends on the existence of a crack which can speed up decryption
enormously.

You have to watch out for encryption of something with a limited
number of values. For example, if you encrypt the "sex" field
separately and without using any IV or variable data, there will
be 2 or 3 main plaintexts (Male, Female, and perhaps Unknown. These
might be coded with a single letter but it doesn't matter) and a
corresponding 2 or 3 ciphertexts. Just counting the frequency of
these may be enough to crack this. If not, adding a record (signing
up a new customer with a known sex) and noting which count went up
could crack the whole column.

Similar problems exist with fields like title (Mr, Mrs, Miss, Dr., etc.),
marital status (single, married, widowed, divorced), middle initial
(26 main possibilities in English, and some of them are unlikely),
credit card type, state, etc. Also some forms of encryption may reveal
the length of the plaintext (and 'YES' and 'NO' have different lengths).
Gordon L. Burditt
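
Added example (not part of the original post): a small Python check of the low-cardinality point above, comparing a "sex" column encrypted without any IV against the same column encrypted with a random per-record IV. The block cipher is a stand-in 4-round Feistel built on HMAC-SHA256 with Blowfish's 64-bit block size, not Blowfish itself; the function names and the sample column are constructed for illustration.

```python
import hashlib, hmac, os
from collections import Counter

BLOCK = 8  # 64-bit block, the same block size as Blowfish

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_block(key, block):
    # Stand-in 4-round Feistel permutation (NOT Blowfish, illustration only).
    left, right = block[:4], block[4:]
    for rnd in range(4):
        f = hmac.new(key, bytes([rnd]) + right, hashlib.sha256).digest()[:4]
        left, right = right, xor(left, f)
    return left + right

def encrypt_field(key, value, iv=None):
    # iv=None: each block encrypted on its own, no variable data (the risky case).
    # iv set: CBC chaining from a per-record random IV, stored with the ciphertext.
    data = value.encode()
    n = BLOCK - len(data) % BLOCK
    data += bytes([n]) * n
    out, prev = ([iv], iv) if iv else ([], bytes(BLOCK))
    for i in range(0, len(data), BLOCK):
        blk = data[i:i + BLOCK]
        prev = encrypt_block(key, xor(blk, prev) if iv else blk)
        out.append(prev)
    return b"".join(out)

def group_sizes(ciphertexts):
    # What anyone holding only the encrypted column can count.
    return sorted(Counter(ciphertexts).values(), reverse=True)

def count_that_rose(before, after):
    # Ciphertext values whose count went up after one known record was added.
    return list(Counter(after) - Counter(before))

def demo(key=None):
    key = key or os.urandom(16)
    column = ["M"] * 6 + ["F"] * 3 + ["U"]            # constructed sample data
    no_iv = [encrypt_field(key, v) for v in column]
    with_iv = [encrypt_field(key, v, os.urandom(BLOCK)) for v in column]
    no_iv_plus = no_iv + [encrypt_field(key, "F")]    # new signup, known value
    return {
        "no_iv_groups": group_sizes(no_iv),           # plaintext distribution shows through
        "with_iv_groups": group_sizes(with_iv),       # every ciphertext is unique
        "labelled": count_that_rose(no_iv, no_iv_plus) == [encrypt_field(key, "F")],
    }

if __name__ == "__main__":
    print(demo())
```

Running the same `group_sizes` count over a real encrypted column is a quick audit: repeated ciphertexts in a low-cardinality field mean the encryption is deterministic and leaks the value distribution.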