Cryptographic Attacks
(OBJ 2.3 & 2.4)
Cryptographic Attacks
- Techniques and strategies that adversaries employ to exploit vulnerabilities in cryptographic systems with the intent to compromise the confidentiality, integrity, or authenticity of data
- Defeat the cryptographic protections, either by deciphering encrypted data without the appropriate key, impersonating another user, or creating forgeries that cryptographic systems would deem authentic.
Downgrade Attacks
- Also known as a version rollback attack
- Force systems to use weaker or older cryptographic standards or protocols
- Exploit known vulnerabilities or weaknesses in outdated versions
- Example: POODLE attack on SSL 3.0
- POODLE attack, also known as the Padding Oracle On Downgraded Legacy Encryption attack, which targeted SSL version 3.0
- Many systems still support SSL 3.0 for backward compatibility
- Note: Some systems downgrade automatically in order to support legacy versions just for compatibility with more devices/users.
- These downgrade attacks are dangerous because they turn the very nature of evolving security, such as the development of stronger, more robust cryptographic protocols, against itself.
- Countermeasures include phasing out support for insecure protocols and version-intolerant checks
- Many systems have phased out support for legacy protocols that are known to be insecure, even if it means sacrificing backward compatibility
- In a version-intolerant check, a system tests the waters by initially claiming to support only the most recent protocol version. If the other system genuinely does not support that version, it responds accordingly; but if something in between forces a downgrade, the interference quickly becomes apparent.
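The "phase out insecure protocols" countermeasure above is, in practice, a configuration floor on the protocol version. The following is an added example (not from the original notes) that uses Python's standard `ssl` module to build a permissive client context beside a hardened one and a small audit helper to tell them apart; the function names are my own, and the permissive context deliberately removes the version floor so the difference is visible.

```python
import ssl


def make_permissive_context() -> ssl.SSLContext:
    """Weak setting: no floor on the protocol version, so whatever the linked
    OpenSSL build still allows (old TLS versions included) may be negotiated.
    A peer or interposer that steers negotiation toward an old version is not
    refused by this context."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def make_hardened_context() -> ssl.SSLContext:
    """Corrected setting: refuse anything below TLS 1.2 outright, so a
    negotiation that lands on an older version fails loudly instead of
    silently succeeding (the failure itself is the detection signal)."""
    ctx = ssl.create_default_context()  # also enables certificate/hostname checks
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    return ctx


def legacy_versions_allowed(ctx: ssl.SSLContext) -> bool:
    """Audit helper: True if the context's floor sits below TLS 1.2.
    ssl.TLSVersion is an IntEnum, so the comparison is numeric."""
    return ctx.minimum_version < ssl.TLSVersion.TLSv1_2


def audit(ctx: ssl.SSLContext) -> dict:
    """Summarise the version policy of a context for a configuration review."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "maximum_version": ctx.maximum_version.name,
        "sslv3_disabled": bool(ctx.options & ssl.OP_NO_SSLv3),
        "legacy_allowed": legacy_versions_allowed(ctx),
    }


if __name__ == "__main__":
    for label, ctx in (("permissive", make_permissive_context()),
                       ("hardened", make_hardened_context())):
        print(label, audit(ctx))
```

Run the audit against every context your code builds; a `legacy_allowed` of `True` on a production client is the misconfiguration that a downgrade attack needs in order to succeed.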
Collision Attacks
- Find two different inputs producing the same hash output
- Undermine data integrity verification relying on hash functions
- Vulnerabilities in hashing algorithms, e.g., MD5, can lead to collisions
- MD5 was a popular hashing function; however, over the years many weaknesses in its structure made collision attacks much more feasible. Once a practical way to create two different inputs that hash to the same MD5 value was found, MD5 became unsuitable for further use in security certificates and encryption technologies.
- These collisions undermine the trust and reliability placed on cryptographic tools, and they can potentially allow malicious actors to impersonate trusted entities, forge digital signatures, or distribute tampered data while appearing genuine.
- Birthday Paradox or Birthday Attack
- In a group of just 23 people, there's a better than even chance that two of them share the same birthday.
- The probability that two distinct inputs, when processed through a hashing function (see Hashing, OBJ 1.4), will produce the same output, i.e., a collision
- Necessity for hashing algorithm updates
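To make the birthday figures concrete, here is an added worked example (not part of the original notes) in Python. It computes the 23-people probability, the number of random inputs needed for an even chance of a collision in a hash of a given width, and then runs a birthday search against a SHA-256 output deliberately truncated to 16 bits, which is a constructed toy hash so that a collision appears after a few hundred attempts rather than 2^128. The function names are my own.

```python
import hashlib
import math


def birthday_probability(k: int, n: int = 365) -> float:
    """Probability that at least two of k samples drawn uniformly from n
    values coincide: 1 - (n/n)(n-1/n)...(n-k+1/n)."""
    p_all_distinct = 1.0
    for i in range(k):
        p_all_distinct *= (n - i) / n
    return 1.0 - p_all_distinct


def samples_for_half_chance(bits: int) -> float:
    """Approximate number of random inputs for a 50% collision chance in a
    hash with 2^bits possible outputs: sqrt(2 ln 2 * 2^bits), i.e. about
    1.18 * 2^(bits/2). This is why a 128-bit hash gives ~64 bits of
    collision resistance, not 128."""
    return math.sqrt(2 * math.log(2) * 2 ** bits)


def truncated_sha256(data: bytes, bits: int) -> int:
    """SHA-256 keeping only the first `bits` bits (constructed toy hash)."""
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def find_collision(bits: int) -> tuple[bytes, bytes, int]:
    """Birthday search: hash sequential inputs, remember every output, stop
    at the first repeat. Returns the two colliding inputs and how many hashes
    were computed. Pigeonhole guarantees termination within 2^bits + 1."""
    seen: dict[int, bytes] = {}
    i = 0
    while True:
        msg = f"input-{i}".encode()
        h = truncated_sha256(msg, bits)
        if h in seen:
            return seen[h], msg, i + 1
        seen[h] = msg
        i += 1


if __name__ == "__main__":
    print(f"23 people: P(shared birthday) = {birthday_probability(23):.4f}")
    for width in (16, 64, 128, 256):
        print(f"{width}-bit hash: ~{samples_for_half_chance(width):.3g} inputs for 50%")
    a, b, tries = find_collision(16)
    print(f"16-bit collision after {tries} hashes: {a!r} vs {b!r}")
```

The search is the whole reason output width matters: the attacker's work is roughly the square root of the output space, so a hash's collision resistance is half its bit length, and a hash with known structural weaknesses (as with MD5) gives even less than that.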
Quantum Computing Threat
Quantum computing
- A computer that uses quantum mechanics to generate and manipulate quantum bits (qubits) in order to access enormous processing power
- Uses quantum bits (qubits) instead of classical bits (ones and zeros)
Quantum Communication
- A communications network that relies on qubits made of photons (light) to send multiple combinations of ones and zeros simultaneously, which results in tamper-resistant and extremely fast communications
Qubit
- A quantum bit composed of electrons or photons that can represent numerous combinations of ones and zeros at the same time through superposition
- Enable simultaneous processing of multiple combinations at the same time
Quantum computing is designed for very specific use cases
- Complex math problems
- Trying to do something like the modeling of an atom or atomic structure
Threat to traditional encryption algorithms (RSA, ECC) by rapid factorization of the product of large prime numbers
- Remember that cryptography secures communications and data by relying on how difficult a math problem is to compute with traditional computers; that difficulty is what gives cryptography its strength
- Key exchange using asymmetric communication is done with Public Key Infrastructure (PKI)
- Example: If I take two prime numbers, multiply them together, and give you the result, that result is really easy to calculate if you know the two prime numbers, but recovering the two primes from the result alone is hard for a traditional computer.
- With quantum computing, this becomes a relatively easy math problem!
- In fact, asymmetric algorithms, which are those that rely on this hard math problem, have been mathematically proven to be broken by quantum computers.
- Right now there are no real quantum computers in use, but it will happen at some point.
Post-quantum cryptography
- A new kind of cryptographic algorithm that can be implemented using today’s classic computers but is also impervious to attacks from future quantum computers
- Aims to create algorithms resistant to quantum attacks
- The first method of creating post-quantum cryptography is to increase the key size
- Increases the number of permutations that need to be brute-forced
- Works well when dealing with symmetric algorithms like AES.
- Increasing from AES-128 to AES-256 doubles the key length, but it actually squares the number of possible combinations that the quantum computer would have to work through.
- The second method is to create something like lattice-based cryptography or supersingular isogeny key exchange
- Researchers are working on this as of now
NIST selected four post-quantum cryptography standards
- Pre-quantum: Asymmetric Encryption algorithms are used for key exchanges and digital signatures in PKI
- CRYSTALS-Kyber algorithm - general encryption needs
- Uses a relatively small encryption key and is based on the difficulty of solving learning-with-errors problems over module lattices, providing a post-quantum encryption algorithm roughly equivalent in strength to our current AES-256-based symmetric encryption.
- Digital signature algorithms
- CRYSTALS-Dilithium (most recommended)
- Focuses on the difficulty of solving structured lattices
- FALCON
- Focuses on the difficulty of solving structured lattices
- SPHINCS+
- Focuses on the use of hashing functions.