Brute-force attack
In cryptography, a brute-force attack consists of an attacker submitting many passwords or passphrases with the hope of eventually guessing correctly. The attacker systematically checks all possible passwords and passphrases until the correct one is found. Alternatively, the attacker can attempt to guess the key, which is typically created from the password using a key derivation function. This is known as an exhaustive key search.
A brute-force attack is a
When password-guessing, this method is very fast when used to check all short passwords, but for longer passwords other methods such as the dictionary attack are used because a brute-force search takes too long. Longer passwords, passphrases and keys have more possible values, making them exponentially more difficult to crack than shorter ones.[2]
Brute-force attacks can be made less effective by obfuscating the data to be encoded, making it more difficult for an attacker to recognize when the code has been cracked, or by making the attacker do more work to test each guess. One of the measures of the strength of an encryption system is how long it would theoretically take an attacker to mount a successful brute-force attack against it.[3]
Brute-force attacks are an application of brute-force search, the general problem-solving technique of enumerating all candidates and checking each one. The word 'hammering' is sometimes used to describe a brute-force attack,[4] with 'anti-hammering' for countermeasures.[5]
Basic concept
Brute-force attacks work by calculating every possible combination that could make up a password and testing it to see if it is the correct password. As the password's length increases, the amount of time, on average, to find the correct password increases exponentially.[6]
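An added illustration of the exhaustive key search described above, not code from the original article: a toy keyed hash (HMAC-SHA256) stands in for the encryption system, every key of a small bit length is tried in order, and the measured guess count is compared with the expected average of half the keyspace. The key sizes and message are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
import time


def tag(key: bytes, message: bytes) -> bytes:
    """Keyed hash used as a stand-in for the cipher whose key is being searched."""
    return hmac.new(key, message, hashlib.sha256).digest()


def exhaustive_key_search(key_bits: int, message: bytes, target: bytes):
    """Try every key_bits-bit key in ascending order.

    Returns (key, guesses) when a key reproduces the target tag, else (None, guesses).
    """
    nbytes = (key_bits + 7) // 8
    guesses = 0
    for candidate in range(1 << key_bits):
        guesses += 1
        key = candidate.to_bytes(nbytes, "big")
        if hmac.compare_digest(tag(key, message), target):
            return key, guesses
    return None, guesses


def average_guesses(key_bits: int) -> float:
    """Expected number of guesses for a uniformly random key: half the keyspace."""
    return (1 << key_bits) / 2


def seconds_for(key_bits: int, guesses_per_second: float) -> float:
    """Average time to find a key_bits-bit key at a given guessing rate.

    Each extra key bit doubles the result, which is the exponential growth
    that makes 128-bit keys impractical to search.
    """
    return average_guesses(key_bits) / guesses_per_second


def demo(key_bits: int = 16):
    """Search a constructed random key of key_bits bits and measure the guess rate."""
    msg = b"constructed sample message"
    key = secrets.token_bytes((key_bits + 7) // 8)  # constructed secret key
    t0 = time.perf_counter()
    found, n = exhaustive_key_search(key_bits, msg, tag(key, msg))
    rate = n / (time.perf_counter() - t0)
    return found == key, n, rate
```

`demo()` returns whether the key was recovered, how many guesses it took, and the guesses per second this machine achieved; feed that rate into `seconds_for(128, rate)` to see why the article treats 128-bit keys as out of reach.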
Theoretical limits
The resources required for a brute-force attack grow
There is a physical argument that a 128-bit symmetric key is computationally secure against brute-force attack. The
However, this argument assumes that the register values are changed using conventional set and clear operations, which inevitably generate entropy. It has been shown that computational hardware can be designed not to encounter this theoretical obstruction (see reversible computing), though no such computers are known to have been constructed.[citation needed]
As commercial successors of governmental
Various publications in the fields of cryptographic analysis have proved the energy efficiency of today's FPGA technology, for example, the COPACOBANA FPGA Cluster computer consumes the same energy as a single PC (600 W), but performs like 2,500 PCs for certain algorithms. A number of firms provide hardware-based FPGA cryptographic analysis solutions from a single FPGA
An underlying assumption of a brute-force attack is that the complete key space was used to generate keys, something that relies on an effective
Credential recycling
Credential recycling is the
Unbreakable codes
Certain types of encryption, by their mathematical properties, cannot be defeated by brute force. An example of this is
Countermeasures
In the case of an offline attack, where the attacker has gained access to the encrypted material, key combinations can be tried without risk of discovery or interference. In the case of online attacks, database and directory administrators can deploy countermeasures such as limiting the number of times a password can be tried, introducing time delays between successive attempts, increasing the answer's complexity (e.g., requiring a CAPTCHA answer or employing multi-factor authentication), and/or locking accounts out after unsuccessful login attempts.[19][page needed] Website administrators may prevent a particular IP address from trying more than a predetermined number of password attempts against any account on the site.[20]
Reverse brute-force attack
In a reverse brute-force attack, a single (usually common) password is tested against multiple usernames or encrypted files.[21] The process may be repeated for a select few passwords. In such a strategy, the attacker is not targeting a specific user.
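An added example, not from the original article, of the online countermeasures listed under Countermeasures and of detecting the reverse brute-force pattern above: it replays a constructed authentication log, applies an exponential delay and a per-account lockout within a sliding window, and flags any source address whose failures span more distinct usernames than a threshold. The thresholds, window, and log format are assumptions chosen for the demonstration.

```python
from collections import defaultdict

# Constructed sample log, one attempt per line: "timestamp user source_ip result"
SAMPLE_LOG = """\
1000 alice 203.0.113.5 FAIL
1001 alice 203.0.113.5 FAIL
1002 alice 203.0.113.5 FAIL
1003 alice 203.0.113.5 FAIL
1004 alice 203.0.113.5 FAIL
1005 alice 203.0.113.5 OK
1010 bob 198.51.100.7 FAIL
1011 carol 198.51.100.7 FAIL
1012 dave 198.51.100.7 FAIL
1013 erin 198.51.100.7 FAIL
1020 bob 192.0.2.9 FAIL
1300 bob 192.0.2.9 FAIL
"""

MAX_FAILS_PER_ACCOUNT = 5  # lock the account once this many failures fall in the window
MAX_USERS_PER_IP = 3       # more distinct accounts than this from one source: reverse brute force
WINDOW = 60                # seconds a failure counts against the account


def backoff_delay(recent_failures: int) -> int:
    """Seconds to hold the response: 0 for a clean slate, then 1, 2, 4, ... capped at 60."""
    return 0 if recent_failures == 0 else min(2 ** (recent_failures - 1), 60)


def evaluate(log_text: str):
    """Replay the log and return (per-attempt decisions, locked accounts, flagged IPs)."""
    fails = defaultdict(list)        # account -> timestamps of failures still in the window
    users_per_ip = defaultdict(set)  # source ip -> accounts it has failed against
    decisions, locked, flagged = [], set(), set()
    for line in log_text.splitlines():
        ts_str, user, ip, result = line.split()
        ts = int(ts_str)
        recent = [t for t in fails[user] if ts - t < WINDOW]  # slide the window
        fails[user] = recent
        if len(recent) >= MAX_FAILS_PER_ACCOUNT:
            locked.add(user)
            decisions.append((ts, user, "locked"))
            continue  # refused before the password is even checked
        decisions.append((ts, user, f"delay={backoff_delay(len(recent))}"))
        if result == "FAIL":
            fails[user].append(ts)
            users_per_ip[ip].add(user)
            if len(users_per_ip[ip]) > MAX_USERS_PER_IP:
                flagged.add(ip)
    return decisions, locked, flagged
```

In the sample, alice's sixth attempt is refused even though it carries the right password, which is the trade-off a lockout policy makes, and bob's failure at 1300 is served with no delay because the earlier ones have aged out of the window.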
See also
- Bitcoin mining
- Cryptographic key length
- Distributed.net
- Hail Mary Cloud
- Key derivation function
- MD5CRK
- Metasploit Express
- Side-channel attack
- TWINKLE and TWIRL
- Unicity distance
- RSA Factoring Challenge
- Secure Shell
Notes
- Paar, Pelzl & Preneel 2010, p. 7.
- Urbina, Ian (2014). "The Secret Life of Passwords. The New Times". The New York Times.
- ISBN 978-3-642-24177-2, retrieved September 5, 2021
- "Secure your site from Brute force attacks using Sebsoft's Anti Hammering Authentication Plugin #MoodlePlugins #MoodleSecurity". elearnmagazine.com. e Learn Magazine. January 16, 2016. Retrieved October 27, 2022.
- "Configure Serv-U to protect against brute force attacks". solarwinds.com. Solar Winds. Retrieved October 27, 2022.
- "Brute Force Attack: Definition and Examples". www.kaspersky.com. October 20, 2020. Retrieved November 8, 2020.
- Landauer 1961, pp. 183–191.
- Graham 2011.
- Rudisail, B. (November 17, 2022). "Password-cracking With High-Performance GPUs: Is There a Way to Prevent It?". Spiceworks. Retrieved December 24, 2023.
- Pires, F. (October 18, 2022). "Eight RTX 4090s Can Break Passwords in Under an Hour". Future Publishing. Retrieved December 25, 2023.
- Kingsley-Hughes 2008.
- Kamerling 2007.
- "November 2019 | TOP500 Supercomputer Sites". www.top500.org. Archived from the original on November 19, 2019. Retrieved May 15, 2020.
- Viega, Messier & Chandra 2002, p. 18.
- CERT-2008.
- Ellis 2005.
- NSA-2009.
- Reynard 1997, p. 86.
- Burnett & Foster 2004.
- Ristic 2010, p. 136.
- "InfoSecPro.com - Computer, network, application and physical security consultants". www.infosecpro.com. Archived from the original on April 4, 2017. Retrieved May 8, 2018.
References
- Adleman, Leonard M.; Rothemund, Paul W.K.; Roweis, Sam; Winfree, Erik (June 10–12, 1996). On Applying Molecular Computation To The Data Encryption Standard. Proceedings of the Second Annual Meeting on DNA Based Computers. Princeton University.
- Cracking DES – Secrets of Encryption Research, Wiretap Politics & Chip Design. ISBN 1-56592-520-3.
- Burnett, Mark; Foster, James C. (2004). Hacking the Code: ASP.NET Web Application Security. Syngress. ISBN 1-932266-65-8.
- Diffie, W.; Hellman, M.E. (1977). "Exhaustive Cryptanalysis of the NBS Data Encryption Standard". Computer. 10: 74–84. S2CID 2412454.
- Graham, Robert David (June 22, 2011). "Password cracking, mining, and GPUs". erratasec.com. Retrieved August 17, 2011.
- Ellis, Claire (March 2005). "Exploring the Enigma". Plus Magazine.
- Kamerling, Erik (November 12, 2007). "Elcomsoft Debuts Graphics Processing Unit (GPU) Password Recovery Advancement". Symantec.
- Kingsley-Hughes, Adrian (October 12, 2008). "ElcomSoft uses NVIDIA GPUs to Speed up WPA/WPA2 Brute-force Attack". ZDNet.
- Landauer, L (1961). "Irreversibility and Heat Generation in the Computing Process". IBM Journal of Research and Development. 5 (3): 183–191. doi:10.1147/rd.53.0183. Archived from the original on March 3, 2016.
- Paar, Christof; Pelzl, Jan; Preneel, Bart (2010). Understanding Cryptography: A Textbook for Students and Practitioners. Springer. ISBN 978-3-642-04100-6.
- Reynard, Robert (1997). Secret Code Breaker II: A Cryptanalyst's Handbook. Jacksonville, FL: Smith & Daniel Marketing. ISBN 1-889668-06-0. Retrieved September 21, 2008.
- Ristic, Ivan (2010). Modsecurity Handbook. Feisty Duck. ISBN 978-1-907117-02-2.
- ISBN 0-596-00270-X. Retrieved November 25, 2008.
- Wiener, Michael J. (1996). "Efficient DES Key Search". Practical Cryptography for Data Internetworks. W. Stallings, editor, IEEE Computer Society Press.
- "Technical Cyber Security Alert TA08-137A: Debian/Ubuntu OpenSSL Random Number Generator Vulnerability". United States Computer Emergency Readiness Team (CERT). May 16, 2008. Archived from the original on September 16, 2008. Retrieved August 10, 2008.
- "NSA's How Mathematicians Helped Win WWII". National Security Agency. January 15, 2009. Archived from the original on March 7, 2009.
External links
- RSA-sponsored DES-III cracking contest
- Demonstration of a brute-force device designed to guess the passcode of locked iPhones running iOS 10.3.3
- How We Cracked the Code Book Ciphers – Essay by the winning team of the challenge in The Code Book