DOCSLIB.ORG

Cryptographic (In)Security in Android Apps an Empirical Analysis

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Cryptographic (In)Security in Android Apps an Empirical Analysis Radboud University Nijmegen TRU/e Security Faculty Of Science Radboud University, Nijmegen, Netherlands Cryptographic (In)Security in Android Apps An Empirical Analysis Master Thesis in Cyber Security Supervisor: Author: Dr. Veelasha Moonsamy Milad Masoodi Second reader: Dr. Fabian van den Broek July 20, 2020 As our circle of knowledge expands, so does the circumference of darkness surrounding it. |Albert Einstein I Acknowledgements No work of immense effort has ever been accomplished by the trials of one man alone, as such is this humble attempt. While I have performed this work through great dedication and effort relative to my situation, I could never achieve a final result of such adequacy without the help of many adept and selfless scientists, instructors, and friends that aided me in every step of the way. Atop all is Dr. Moonsamy; her excellent guidance and insight in critical moments on intricate details shaped this work. Along with the staff of the cybersecurity group of Radboud University, exceptional scientists that opened the gates of this fantastic field for me, and not to forget the invisible staff of the department, those who clean, maintain, and keep the environment operational so we could learn. It behooves me to thank Dr. Manuel Egele for CryptoLint, the incredible software that helped me design mine, my wonderful uncle, friend, and mentor Kamal Mohajerani who provided help, support, guidance, and elucidated every consultation with care and patience which considerably affected the format of this research, and my very good friend Sina Afshar for proofreading and commenting on my thesis. Last but not least, my mother, Dr. Sue Mohajerani, whose grand sacrifice made all of this ever possible. II Abstract For so long Android developers have relied on third-party documentation for their cryp- tographic needs; this, however, has changed in recent years with the gradual introduction of Android's documentation. Nevertheless, the accuracy of the documentation and their effect on the cryptographic security of Android apps in the wild has not been well-studied so far. This thesis aimed to shed light on these topics with several approaches; we defined a set of rules that we perceive to represent cryptographic security, then we thoroughly scrutinized the documentation around those rules, after that we designed and executed series of automated tests to analyze 6900 real apps to grasp an understanding of the current state of their security. Eventually, we concluded that Android documentation not only fails to contribute to the cryptographic security of the apps, but it also has an adverse effect on the matter as with more time, number of insecure apps in the circulations have gradually increased. III Contents List of Figures VIII List of TablesIX List of ListingsX 1 Introduction1 1.1 Objectives...................................2 1.2 Procedure...................................3 1.3 Structure...................................3 2 Android Preliminaries4 2.1 Android OS..................................4 2.1.1 Android Version History.......................4 2.1.2 Backward Compatibility.......................5 2.1.3 OS Security..............................5 2.2 APK......................................7 2.2.1 Extracting Information From Android Apps............8 2.2.2 SMALI................................ 10 2.3 Android Security Guidelines......................... 10 3 Cryptographic Preliminaries 12 3.1 IND-CPA Security.............................. 12 3.1.1 Definition of IND-CPA........................ 12 3.1.2 IND-CPA for Android Security................... 13 3.2 Cryptographic Rules............................. 14 3.2.1 Rule 1: Avoid Use of ECB Mode of Encryption.......... 14 3.2.2 Rule 2: Avoid Incorrect Implementation of IV........... 15 3.2.3 Rule 3: Avoid the Use of Constant Encryption Key........ 17 3.2.4 Rule 4: Avoid Use of Constant Salts for PBE........... 18 3.2.5 Rule 5: Avoid Use of Fewer Than 1; 000 Iteration for PBE.... 19 3.2.6 Rule 6: Avoid Use of Static Seed in SecureRandom(.)...... 19 3.2.7 Rule 7: Avoid Use of Insecure Hash Algorithms.......... 20 4 Related Work 21 5 Investigation into Android Documentation 23 5.1 Improper Modes of Operation (Rule 1)................... 23 5.2 Improper IV Usage (Rule 2)......................... 24 5.3 Constant Secret Key (Rule 3)........................ 24 5.4 Constant Salt in PBE (Rule 4)....................... 24 5.5 Low Iteration PBE (Rule 5)......................... 25 IV 5.6 Bad Random Seed (Rule 6)......................... 25 5.7 Outdated Hash Algorithms (Rule 7).................... 26 6 Experimentation 28 6.1 Experiment Structure............................ 28 6.2 Dataset Acquisition............................. 28 6.3 Pre-Processing................................ 29 6.4 Decompilation................................ 30 6.5 Rules Analysis................................ 30 6.5.1 Rule 1................................. 31 6.5.2 Rule 2................................. 32 6.5.3 Rule 3................................. 32 6.5.4 Rule 4................................. 33 6.5.5 Rule 5................................. 33 6.5.6 Rule 6................................. 33 6.5.7 Rule 7................................. 34 6.6 Metadata Extraction............................. 34 6.7 Post-Processing................................ 35 7 Results and Findings 36 7.1 Evolutionary Analysis............................ 36 7.1.1 Rule 1................................. 37 7.1.2 Rule 2................................. 37 7.1.3 Rule 3................................. 38 7.1.4 Rule 4................................. 39 7.1.5 Rule 5................................. 40 7.1.6 Rule 6................................. 41 7.1.7 Rule 7................................. 42 7.2 Contemporary State Analysis........................ 42 7.3 Findings.................................... 44 8 Discussion 47 9 Limitations 49 10 Future Work 50 11 Conclusion 52 Bibliography 53 Appendices 59 A Experimentation Output 60 A.1 Contemporary Analysis........................... 60 A.2 Evolutionary Analysis............................ 61 V List of Abbreviations AES Advanced Encryption Standard API Application Programming Interface APK Android Package File ART Android Runtime CBC Cipher Block Channing CFG Control Flow Graph CG Call Graph CHF Cryptographic Hash Function CIL Common Intermediate Language CMA Cryptographic Misuse Analyzer CSV Comma Separated Values CTR Counter Mode DEX Dalvic Executable ECB Electronic Code Book GCM Galois/Counter Mode GUI Graphic User Interface HKDF Hash based Key Derivation Function ID Identifier IND-CCA Indistinguishability under Chosen Ciphertext Attacks IND-CPA Indistinguishability under Chosen Plaintext Attacks IPC Inter-Process Communication IV Initialization Vector JCA Java Cryptography Architecture JCP Java Cryptographic Provider KDF Key Derivation Functions MAC Message Authentication Code VI NIST National Institute of Standards and Technology OS Operating System PBE Password-Based Encryption PRNG Pseudo Random Number Generator RegEx Regular Expressions RNG Random Number Generator SDK Software Development Kit SHA1PRNG Secure Hash Algorithm 1 Random Number Generator TRNG True Random Number Generator VM Virtual Machine VII List of Figures 2.1 Android app reverse engineering overview.................8 2.2 Class file vs. DEX file structure.......................9 3.1 Structure of ECB encryption blocks.................... 15 3.2 Structure of CBC encryption blockscipher................. 16 3.3 Structure of GCM encryption blockscipher................. 17 3.4 Effect of salt in PBE............................. 18 3.5 Example of execution a hash algorithm................... 20 6.1 Experimentation steps............................ 29 7.1 Usage trends of Rule 1............................ 38 7.2 Usage trends of Rule 2............................ 38 7.3 Usage trends of Rule 2............................ 39 7.4 Comparison between Rule 1 and Rule 2.................. 39 7.5 Usage trends of Rule 3............................ 40 7.6 Usage trends of Rule 4............................ 40 7.7 Usage trends of Rule 5............................ 41 7.8 Misuses of Rules 4 and 5........................... 41 7.9 Usage trends of Rule 6............................ 42 7.10 Usage trends of Rule 7............................ 43 7.11 State of contemporary apps......................... 43 7.12 Comparison of misuses of all rules..................... 44 7.13 Correct and incorrect implementation to total apps with cryptography. 46 VIII List of Tables 2.1 Android version history...........................5 5.1 List of supported hash algorithms and their relative security....... 27 6.1 ECB misuse detection parameters...................... 31 6.2 IV misuse detection arguments....................... 32 6.3 Constant key misuse detection parameters................. 32 6.4 Salt misuse detection parameters...................... 33 6.5 Iteration count misuse detection parameters................ 33 6.6 Seed misuse detection parameters...................... 34 6.7 Hash misuse detection arguments...................... 34 6.8 Misuse analysis verdicts........................... 34 7.1 Cryptography in apps (2014-2020)..................... 37 7.2 API level of apps............................... 37 A.1 Contemporary analysis numbers...................... 60 A.2 Evolutionary analysis numbers....................... 61 IX List of Listings 6.1 Call to Androzoo............................... 29 6.2 Decompilation command with APKtool.................. 30 6.3
Load more

Recommended publications
  • Advanced Encryption Standard (Aes) Modes of Operation
    ADVANCED ENCRYPTION STANDARD (AES) MODES OF OPERATION 1 Arya Rohan Under the guidance of Dr. Edward Schneider University of Maryland, College Park MISSION: TO SIMULATE BLOCK CIPHER MODES OF OPERATION FOR AES IN MATLAB Simulation of the AES (Rijndael Algorithm) in MATLAB for 128 bit key-length. Simulation of the five block cipher modes of operation for AES as per FIPS publication. Comparison of the five modes based on Avalanche Effect. Future Work 2 OUTLINE A brief history of AES Galois Field Theory De-Ciphering the Algorithm-ENCRYPTION De-Ciphering the Algorithm-DECRYPTION Block Cipher Modes of Operation Avalanche Effect Simulation in MATLAB Conclusion & Future Work References 3 A BRIEF HISTORY OF AES 4 In January 1997, researchers world-over were invited by NIST to submit proposals for a new standard to be called Advanced Encryption Standard (AES). From 15 serious proposals, the Rijndael algorithm proposed by Vincent Rijmen and Joan Daemen, two Belgian cryptographers won the contest. The Rijndael algorithm supported plaintext sizes of 128, 192 and 256 bits, as well as, key-lengths of 128, 192 and 256 bits. The Rijndael algorithm is based on the Galois field theory and hence it gives the algorithm provable 5 security properties. GALOIS FIELD 6 GALOIS FIELD - GROUP Group/Albelian Group: A group G or {G, .} is a set of elements with a binary operation denoted by . , that associates to each ordered pair (a, b) of elements in G an element (a . b) such that the following properties are obeyed: Closure: If a & b belong to G, then a . b also belongs to G.
    [Show full text]
  • Block Ciphers
    Block Ciphers Chester Rebeiro IIT Madras CR STINSON : chapters 3 Block Cipher KE KD untrusted communication link Alice E D Bob #%AR3Xf34^$ “Attack at Dawn!!” message encryption (ciphertext) decryption “Attack at Dawn!!” Encryption key is the same as the decryption key (KE = K D) CR 2 Block Cipher : Encryption Key Length Secret Key Plaintext Ciphertext Block Cipher (Encryption) Block Length • A block cipher encryption algorithm encrypts n bits of plaintext at a time • May need to pad the plaintext if necessary • y = ek(x) CR 3 Block Cipher : Decryption Key Length Secret Key Ciphertext Plaintext Block Cipher (Decryption) Block Length • A block cipher decryption algorithm recovers the plaintext from the ciphertext. • x = dk(y) CR 4 Inside the Block Cipher PlaintextBlock (an iterative cipher) Key Whitening Round 1 key1 Round 2 key2 Round 3 key3 Round n keyn Ciphertext Block • Each round has the same endomorphic cryptosystem, which takes a key and produces an intermediate ouput • Size of the key is huge… much larger than the block size. CR 5 Inside the Block Cipher (the key schedule) PlaintextBlock Secret Key Key Whitening Round 1 Round Key 1 Round 2 Round Key 2 Round 3 Round Key 3 Key Expansion Expansion Key Key Round n Round Key n Ciphertext Block • A single secret key of fixed size used to generate ‘round keys’ for each round CR 6 Inside the Round Function Round Input • Add Round key : Add Round Key Mixing operation between the round input and the round key. typically, an ex-or operation Confusion Layer • Confusion layer : Makes the relationship between round Diffusion Layer input and output complex.
    [Show full text]
  • Modern Password Security for System Designers What to Consider When Building a Password-Based Authentication System
    Modern password security for system designers What to consider when building a password-based authentication system By Ian Maddox and Kyle Moschetto, Google Cloud Solutions Architects This whitepaper describes and models modern password guidance and recommendations for the designers and engineers who create secure online applications. A related whitepaper, Password security ​ for users, offers guidance for end users. This whitepaper covers the wide range of options to consider ​ when building a password-based authentication system. It also establishes a set of user-focused recommendations for password policies and storage, including the balance of password strength and usability. The technology world has been trying to improve on the password since the early days of computing. Shared-knowledge authentication is problematic because information can fall into the wrong hands or be forgotten. The problem is magnified by systems that don't support real-world secure use cases and by the frequent decision of users to take shortcuts. According to a 2019 Yubico/Ponemon study, 69 percent of respondents admit to sharing passwords with ​ ​ their colleagues to access accounts. More than half of respondents (51 percent) reuse an average of five passwords across their business and personal accounts. Furthermore, two-factor authentication is not widely used, even though it adds protection beyond a username and password. Of the respondents, 67 percent don’t use any form of two-factor authentication in their personal life, and 55 percent don’t use it at work. Password systems often allow, or even encourage, users to use insecure passwords. Systems that allow only single-factor credentials and that implement ineffective security policies add to the problem.
    [Show full text]
  • Implementation and Performance Analysis of PBKDF2, Bcrypt, Scrypt Algorithms
    Implementation and Performance Analysis of PBKDF2, Bcrypt, Scrypt Algorithms Levent Ertaul, Manpreet Kaur, Venkata Arun Kumar R Gudise CSU East Bay, Hayward, CA, USA. [email protected], [email protected], [email protected] Abstract- With the increase in mobile wireless or data lookup. Whereas, Cryptographic hash functions are technologies, security breaches are also increasing. It has used for building blocks for HMACs which provides become critical to safeguard our sensitive information message authentication. They ensure integrity of the data from the wrongdoers. So, having strong password is that is transmitted. Collision free hash function is the one pivotal. As almost every website needs you to login and which can never have same hashes of different output. If a create a password, it’s tempting to use same password and b are inputs such that H (a) =H (b), and a ≠ b. for numerous websites like banks, shopping and social User chosen passwords shall not be used directly as networking websites. This way we are making our cryptographic keys as they have low entropy and information easily accessible to hackers. Hence, we need randomness properties [2].Password is the secret value from a strong application for password security and which the cryptographic key can be generated. Figure 1 management. In this paper, we are going to compare the shows the statics of increasing cybercrime every year. Hence performance of 3 key derivation algorithms, namely, there is a need for strong key generation algorithms which PBKDF2 (Password Based Key Derivation Function), can generate the keys which are nearly impossible for the Bcrypt and Scrypt.
    [Show full text]
  • Visualization of the Avalanche Effect in CT2
    University of Mannheim Faculty for Business Informatics & Business Mathematics Theoretical Computer Science and IT Security Group Bachelor's Thesis Visualization of the Avalanche Effect in CT2 as part of the degree program Bachelor of Science Wirtschaftsinformatik submitted by Camilo Echeverri [email protected] on October 31, 2016 (2nd revised public version, Apr 18, 2017) Supervisors: Prof. Dr. Frederik Armknecht Prof. Bernhard Esslinger Visualization of the Avalanche Effect in CT2 Abstract Cryptographic algorithms must fulfill certain properties concerning their security. This thesis aims at providing insights into the importance of the avalanche effect property by introducing a new plugin for the cryptography and cryptanalysis platform CrypTool 2. The thesis addresses some of the desired properties, discusses the implementation of the plugin for modern and classic ciphers, guides the reader on how to use it, applies the proposed tool in order to test the avalanche effect of different cryptographic ciphers and hash functions, and interprets the results obtained. 2 Contents Abstract .......................................... 2 Contents .......................................... 3 List of Abbreviations .................................. 5 List of Figures ...................................... 6 List of Tables ....................................... 7 1 Introduction ..................................... 8 1.1 CrypTool 2 . 8 1.2 Outline of the Thesis . 9 2 Properties of Secure Block Ciphers ....................... 10 2.1 Avalanche Effect . 10 2.2 Completeness . 10 3 Related Work ..................................... 11 4 Plugin Design and Implementation ....................... 12 4.1 General Description of the Plugin . 12 4.2 Prepared Methods . 14 4.2.1 AES and DES . 14 4.3 Unprepared Methods . 20 4.3.1 Classic Ciphers, Modern Ciphers, and Hash Functions . 20 4.4 Architecture of the Code . 22 4.5 Limitations and Future Work .
    [Show full text]
  • Key Derivation Functions and Their GPU Implementation
    MASARYK UNIVERSITY FACULTY}w¡¢£¤¥¦§¨ OF I !"#$%&'()+,-./012345<yA|NFORMATICS Key derivation functions and their GPU implementation BACHELOR’S THESIS Ondrej Mosnáˇcek Brno, Spring 2015 This work is licensed under a Creative Commons Attribution- NonCommercial-ShareAlike 4.0 International License. https://creativecommons.org/licenses/by-nc-sa/4.0/ cbna ii Declaration Hereby I declare, that this paper is my original authorial work, which I have worked out by my own. All sources, references and literature used or excerpted during elaboration of this work are properly cited and listed in complete reference to the due source. Ondrej Mosnáˇcek Advisor: Ing. Milan Brož iii Acknowledgement I would like to thank my supervisor for his guidance and support, and also for his extensive contributions to the Cryptsetup open- source project. Next, I would like to thank my family for their support and pa- tience and also to my friends who were falling behind schedule just like me and thus helped me not to panic. Last but not least, access to computing and storage facilities owned by parties and projects contributing to the National Grid In- frastructure MetaCentrum, provided under the programme “Projects of Large Infrastructure for Research, Development, and Innovations” (LM2010005), is also greatly appreciated. v Abstract Key derivation functions are a key element of many cryptographic applications. Password-based key derivation functions are designed specifically to derive cryptographic keys from low-entropy sources (such as passwords or passphrases) and to counter brute-force and dictionary attacks. However, the most widely adopted standard for password-based key derivation, PBKDF2, as implemented in most applications, is highly susceptible to attacks using Graphics Process- ing Units (GPUs).
    [Show full text]
  • A Block Cipher Algorithm to Enhance the Avalanche Effect Using Dynamic Key- Dependent S-Box and Genetic Operations 1Balajee Maram and 2J.M
    International Journal of Pure and Applied Mathematics Volume 119 No. 10 2018, 399-418 ISSN: 1311-8080 (printed version); ISSN: 1314-3395 (on-line version) url: http://www.ijpam.eu Special Issue ijpam.eu A Block Cipher Algorithm to Enhance the Avalanche Effect Using Dynamic Key- Dependent S-Box and Genetic Operations 1Balajee Maram and 2J.M. Gnanasekar 1Department of CSE, GMRIT, Rajam, India. Research and Development Centre, Bharathiar University, Coimbatore. [email protected] 2Department of Computer Science & Engineering, Sri Venkateswara College of Engineering, Sriperumbudur Tamil Nadu. [email protected] Abstract In digital data security, an encryption technique plays a vital role to convert digital data into intelligible form. In this paper, a light-weight S- box is generated that depends on Pseudo-Random-Number-Generators. According to shared-secret-key, all the Pseudo-Random-Numbers are scrambled and input to the S-box. The complexity of S-box generation is very simple. Here the plain-text is encrypted using Genetic Operations and S-box which is generated based on shared-secret-key. The proposed algorithm is experimentally investigates the complexity, quality and performance using the S-box parameters which includes Hamming Distance, Balanced Output and the characteristic of cryptography is Avalanche Effect. Finally the comparison results motivates that the dynamic key-dependent S-box has good quality and performance than existing algorithms. 399 International Journal of Pure and Applied Mathematics Special Issue Index Terms:S-BOX, data security, random number, cryptography, genetic operations. 400 International Journal of Pure and Applied Mathematics Special Issue 1. Introduction In public network, several types of attacks1 can be avoided by applying Data Encryption/Decryption2.
    [Show full text]
  • Key Agreement from Weak Bit Agreement
    Key Agreement from Weak Bit Agreement Thomas Holenstein Department of Computer Science Swiss Federal Institute of Technology (ETH) Zurich, Switzerland [email protected] ABSTRACT In cryptography, much study has been devoted to find re- Assume that Alice and Bob, given an authentic channel, lations between different such assumptions and primitives. For example, Impagliazzo and Luby show in [9] that imple- have a protocol where they end up with a bit SA and SB , respectively, such that with probability 1+ε these bits are mentations of essentially all non-trivial cryptographic tasks 2 imply the existence of one-way functions. On the other equal. Further assume that conditioned on the event SA = hand, many important primitives can be realized if one-way SB no polynomial time bounded algorithm can predict the δ functions exist. Examples include pseudorandom generators bit better than with probability 1 − 2 . Is it possible to obtain key agreement from such a primitive? We show that [7], pseudorandom functions [5], and pseudorandom permu- 1−ε tations [12]. for constant δ and ε the answer is yes if and only if δ > 1+ε , both for uniform and non-uniform adversaries. For key agreement no such reduction to one-way functions The main computational technique used in this paper is a is known. In fact, in [10] it is shown that such a reduction strengthening of Impagliazzo’s hard-core lemma to the uni- must be inherently non-relativizing, and thus it seems very form case and to a set size parameter which is tight (i.e., hard to find such a construction.
    [Show full text]
  • Hash Functions
    11 Hash Functions Suppose you share a huge le with a friend, but you are not sure whether you both have the same version of the le. You could send your version of the le to your friend and they could compare to their version. Is there any way to check that involves less communication than this? Let’s call your version of the le x (a string) and your friend’s version y. The goal is to determine whether x = y. A natural approach is to agree on some deterministic function H, compute H¹xº, and send it to your friend. Your friend can compute H¹yº and, since H is deterministic, compare the result to your H¹xº. In order for this method to be fool-proof, we need H to have the property that dierent inputs always map to dierent outputs — in other words, H must be injective (1-to-1). Unfortunately, if H is injective and H : f0; 1gin ! f0; 1gout is injective, then out > in. This means that sending H¹xº is no better/shorter than sending x itself! Let us call a pair ¹x;yº a collision in H if x , y and H¹xº = H¹yº. An injective function has no collisions. One common theme in cryptography is that you don’t always need something to be impossible; it’s often enough for that thing to be just highly unlikely. Instead of saying that H should have no collisions, what if we just say that collisions should be hard (for polynomial-time algorithms) to nd? An H with this property will probably be good enough for anything we care about.
    [Show full text]
  • FPGA Implementation and Analysis of the Block Cipher Mode Architectures for the PRESENT Light Weight Encryption Algorithm
    ISSN (Print) : 0974-6846 Indian Journal of Science and Technology, Vol 9(38), DOI: 10.17485/ijst/2016/v9i38/90314, October 2016 ISSN (Online) : 0974-5645 FPGA Implementation and Analysis of the Block Cipher Mode Architectures for the PRESENT Light Weight Encryption Algorithm A. Prathiba* and V. S. Kanchana Bhaaskaran School of Electronics Engineering, VIT University Chennai, Chennai - 600127, India; prathi_communication@yahoo. co.in, [email protected] Abstract Objective: This paper presents the Field Programmable Gate Array (FPGA) implementations of the different block cipher mode architectures of the ISO standardized light weight block cipher PRESENT, designed for resource constrained devices. Methods/ Statistical Analysis: The performance evaluations compare the implementations of the different block cipher modes, namely Electronic Code Book (ECB) mode, Cipher Block Chaining (CBC) mode, Cipher Feedback Mode (CFB), Output Feed Back Mode (OFB) and CounTeR (CTR) mode for the PRESENT cipher. The throughput of encryption of three successive 64 bit blocks of data ranges from 565.312Mbps to 574.784Mbps for the modes other than the cipher feedback arrives as 68.912 Mbps, 155.392Mbps and300.8 Mbps for a 64 bit block of data for the input streams of size 8 bits, 16 bits andmode 32 in bits the respectively.Spartan-3 FPGA. Findings: The throughput The throughput for providing of the confidentialityblock cipher mode through hardware encryption architectures in the cipher of the feedback light weight mode cipher PRESENT demonstrates the high speed performance of the cipher in encryption/decryption of data as blocks and streams. Application/ Improvement: different modes of operation for the light weight block cipher PRESENT.
    [Show full text]
  • Salting Vs Stretching Passwords for Enterprise Security
    Salting vs Stretching Passwords for Enterprise Security Password security is important. Salting and stretching a password are two ways to make passwords more secure from attackers. You can use the strategies separately or deploy them in tandem for the most security. This article covers the logic of password protection, including salting and stretching passwords. Database attacks Because passwords are a user’s key to their data, they are a key target for attackers. Popular methods of password attacks happen through brute force and rainbow attacks: Brute force attacks are a trial and error approach where a computer guesses until it gets it right. This may sound ineffective, but computers can try many, many times. In this era of computing, “Hashcat breaks an 8 character full coverage (a-zA-Z0-9!-=) password in 26 days on a single 1080 Nvidia GPU.” Rainbow attacks are another form of cracking passwords, where all possible combinations of hashed passwords are pre-computed and stored in a dictionary. Then, an attacker runs through their list of hashes to find a match. If their scan returns a match, then they have the password. Passwords help prevent attacks First things first: nothing online is perfectly secure. Not even computers not connected to the internet are perfectly secure. We use passwords to minimize risk of attack, not to guarantee it will never happen. Though you cannot guarantee security, there are some ways to increase database security. Salting and stretching passwords are two such strategies: 1. Salting passwords. Designing the password encryption so only one password is compromised rather than the whole database.
    [Show full text]
  • Identifying Open Research Problems in Cryptography by Surveying Cryptographic Functions and Operations 1
    International Journal of Grid and Distributed Computing Vol. 10, No. 11 (2017), pp.79-98 http://dx.doi.org/10.14257/ijgdc.2017.10.11.08 Identifying Open Research Problems in Cryptography by Surveying Cryptographic Functions and Operations 1 Rahul Saha1, G. Geetha2, Gulshan Kumar3 and Hye-Jim Kim4 1,3School of Computer Science and Engineering, Lovely Professional University, Punjab, India 2Division of Research and Development, Lovely Professional University, Punjab, India 4Business Administration Research Institute, Sungshin W. University, 2 Bomun-ro 34da gil, Seongbuk-gu, Seoul, Republic of Korea Abstract Cryptography has always been a core component of security domain. Different security services such as confidentiality, integrity, availability, authentication, non-repudiation and access control, are provided by a number of cryptographic algorithms including block ciphers, stream ciphers and hash functions. Though the algorithms are public and cryptographic strength depends on the usage of the keys, the ciphertext analysis using different functions and operations used in the algorithms can lead to the path of revealing a key completely or partially. It is hard to find any survey till date which identifies different operations and functions used in cryptography. In this paper, we have categorized our survey of cryptographic functions and operations in the algorithms in three categories: block ciphers, stream ciphers and cryptanalysis attacks which are executable in different parts of the algorithms. This survey will help the budding researchers in the society of crypto for identifying different operations and functions in cryptographic algorithms. Keywords: cryptography; block; stream; cipher; plaintext; ciphertext; functions; research problems 1. Introduction Cryptography [1] in the previous time was analogous to encryption where the main task was to convert the readable message to an unreadable format.
    [Show full text]