Chapter VII – Unbreakable. Yeah, right! Brute-force attacks.

The aim of this chapter is to explain why it is important to create reasonable passwords for your email accounts and encryption key. We’ll do it through a description of how a (simplistic) attack on passwords is conducted.

But before…

How your private key is protected

A private PGP key (PGP is the name of the technology used to encrypt emails) is a string of 2048 or 4096 bits, that is, 0’s and 1’s. To make it more reasonable for presentation, you usually see it as a string of characters (which are 8-bit), so the key when printed on screen is not extremely long. If you haven’t looked at your encryption keys yet, they look much like the picture on top of this site.

A brute-force attack is by definition an attempt to create all possible combinations of these 0’s and 1’s and then apply them to decrypt your email. Creating all possible combinations of such a number of bits would take a very long time, unreasonable even, so this is not really done.

What’s done then? Your private (decryption) key is protected with a password. Here’s how it’s applied. The password you set is first processed by a hashing function in order to create a 128- or 256-bit encryption/decryption key, because the most popular key-encryption algorithms require a fixed-length key to do their job. Passwords, by their nature, can be anything and therefore can have any length. You decide how long your password is.

So the key-encryption key is much shorter than the one used for decrypting email. Therefore, for a brute-force attack it is a lot more reasonable to try all combinations of this key to decrypt (some people say unlock) your private key and then decrypt the email. Complicated? Nope, just three steps. Bear with me a bit longer.

In essence this is what a brute-force attack is. But hackers are clever people and they would not stop here.

In fact, before a plain brute-force search is executed, a hacker uses the biggest lie in the world to make their job quicker – statistics. In other words, before starting the heavy lifting, we’re going to check whether you were lazy setting up your password.

Dictionary attacks

In one of the previous chapters we told you that your email server admins know your passwords. Indeed they do if they want to. Fear not, it is not for a straightaway evil purpose. What many companies do, though, is create statistics of the most popular passwords. I know what you’re going to say: everybody sets a different password and such statistics do not make sense. Oh really?

A quick-thinking hacker would google “most popular passwords” and, for example, arrive at a site like this: http://www.passwordrandom.com/most-popular-passwords. What this page publishes is the image of idiocy of Internet users, or for our purpose here a handy dictionary.

When we talk about a dictionary, we’re not thinking about Collins. We are thinking about the result of statistical analysis of passwords submitted to email providers to secure your email account.

So what we do is download such a dictionary, load it into our brute-force attack program and try the first 1000, 10000, maybe more passwords. We take a password, generate the key-encryption key, decrypt the private key and decrypt the email.

These statistics don’t lie. There’s a good chance one of these will just work. This procedure frees us from generating countless 0-1 combinations and we’ve saved a lot of time.

Yet another approach at attacking lazy people

I had the pleasure of working with workstations for which, in order to have access (well, to gain it quickly without messing with settings), I asked a user to let me know the password. In a trusted (or not) environment there is nothing extraordinary about it; it happens every day. It was not a huge surprise when some of the passwords I received were two letters long and only letters. What is interesting about it is that one of them was the computer access password of a CEO.

Considering the length of the English alphabet we can almost instantly generate all 2-letter combinations of letters and digits. We do not need too much more to generate 3- or 4-symbol-long combinations. We mostly use only English letters for passwords, because often enough the keyboards we use do not allow us to enter special diacritic symbols that exist in languages like French, German, Polish, not to mention symbols characteristic of Asian languages.

When we generate those, we create our own dictionary and then proceed according to the method described in the previous section here.

 

As an exercise I’d advise you to look again at the listing here: http://www.passwordrandom.com/most-popular-passwords and find out how high in the list your passwords are. The higher they are, the less sense it makes to set them up at all.
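
The exercise above, and the point about two-letter passwords, can be turned into a small self-audit. This is an added example, not part of the original chapter: it compares the search space of a password with the 128-bit key-encryption key it protects. The COMMON list is a constructed stand-in for a popular-passwords list, the function names and the 128-bit default are assumptions, and the bit estimate is an upper bound that treats every character as random.

```python
import math
import string

# Constructed sample standing in for a "most popular passwords" list,
# ordered from most to least common; a real audit would load a full list.
COMMON = ["123456", "password", "12345678", "qwerty", "abc123", "letmein"]

POOLS = [string.ascii_lowercase, string.ascii_uppercase,
         string.digits, string.punctuation]

def alphabet_size(password):
    """Size of the character pools the password draws from."""
    size = sum(len(p) for p in POOLS if any(c in p for c in password))
    # Anything outside the four pools (e.g. diacritics) is counted per symbol.
    extra = {c for c in password if not any(c in p for p in POOLS)}
    return size + len(extra)

def exhaustive_guesses(password):
    """Number of strings of length 1..len(password) over that alphabet."""
    n = alphabet_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))

def audit(password, common=COMMON, key_bits=128):
    """Compare the password's search space with the key it protects."""
    if not password:
        raise ValueError("empty password")
    rank = common.index(password) + 1 if password in common else None
    # A listed password is found after `rank` tries; otherwise assume
    # every combination up to the password's length has to be generated.
    guesses = rank if rank is not None else exhaustive_guesses(password)
    bits = math.log2(guesses)
    return {
        "rank": rank,
        "guesses": guesses,
        "bits": round(bits, 1),
        # The key-encryption key is never stronger than the password behind it.
        "effective_bits": min(round(bits, 1), key_bits),
        "weak": bits < key_bits,
    }

if __name__ == "__main__":
    # Constructed sample passwords, from listed to long and mixed.
    for pw in ["password", "ab", "a1", "kV9#tq2!Lm7$Rz4@Yp6&Wd"]:
        print(pw, audit(pw))
```

A listed password or a two-letter one leaves the key with only a handful of bits of protection, however long the key-encryption key itself is.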

You know nothing, there’s a lot more to it

What we’ve described above is an extremely simplistic attack. There’s a lot more to it indeed. For instance, when an attack is aimed at a specific person, the dictionaries are tailored by entering dates of birth, marriage, husband, wife, children and pet names, favorite radio station, foot size, etc. All this information is now available online, so a dictionary is rather simple to compile.

End of Chapter VII