Breaching Simple Security
Breaching Simple Security
I did tell you it wasn't secure, right? 🤔
Complexity, an illusion of security
In encryption, complexity can give us a false sense of security. In the previous example, I mentioned the possibility of patterns emerging from the technique, but I’m sure when you looked at the encrypted text, those patterns were not at all obvious, so perhaps you didn’t feel like there was anything to be concerned about.
The effort required to crack those patterns looks like the realm of savant mathematicians and quantum computing geniuses. And didn’t you read somewhere that your clever 8-digit Pa$$W0Rd would take like 1000 years to crack??
Oftentimes we hear about the massive computing resources needed to churn through billions of possible password combinations and that makes us feel secure, however we mustn’t forget the enormous role that the “human element” contributes towards reducing security.
With the previous demo, if a user’s Password was shorter than their Secret, we repeated the password’s characters until we had enough to pair with the characters in their Secret. For long secrets, the password could be repeated many times, creating patterns which when paired with the predictability of human behavior, opens up an enormous vulnerability.
Let’s switch hats for a moment, and start to think like a hacker
on In cybersecurity,
we know that it’s very important
not to divulge your password.
What may be unclear
is that with Simple Security,
it’s just as important
to not divulge the Secret itself.
Even a small part of it.
In cybersecurity,
we know that it’s very important
not to divulge your password.
What may be unclear
is that with Simple Security,
it’s just as important
to not divulge the Secret itself.
Even a small part of it.
For each character: Secret + Password = EncryptedRemember how we generated the encrypted text?
What if, instead of guessing the Password, we tried to guess the Secret?
For each character: Encrypted- Secret = Password Let’s think about how that’d work
The opposite of an addition is a subtraction, so let’s see what happens if we were to reverse the above calculations, starting with the encrypted text because as a hacker that’s all that’s available to us in this doc.
Step By Step Guide
Let’s run through that in a bit more detail, and see how we go.
Step #1. Let’s make an educated guess...
Encrypted Text. GdQ[>(3Q!p/??5NZN>0\edi>\+ap8@],=~ju}-/csGuessed Secret. Username(we'll focus on the orange text with the same number of chars as the word "Username" which we expect is the start of the user's Secret text)Use these to walk through the steps 👇
Step 1
2
3
4
5
If we put ourselves into our target’s shoes, let’s think what kind of info they’d store in an entry they’ve titled “Netflix Logins”. An educated guess would be that their secret could start with the word Username.
It’s just a guess, but considering we know they’ve stored account login information, it’s at least a good place to start. If this didn’t work out, we could try Email or Netflix or Account and we’d probably get lucky pretty quickly.
1 of 1
Well that’s not ideal...
As you can see, even though the final ciphertext looked like total gibberish, using the password as the encryption key is a surefire way to get your information compromised.
I have a few ideas about how we can strengthen the security, so our next demo will run through those.
Want to print your doc?
This is not the way.
This is not the way.
Try clicking the ⋯ next to your doc name or using a keyboard shortcut (
CtrlP
) instead.