70 Chapter 3 ■ Cryptography
TA B LE 3 .1 Cracking times for 40- and 56-bit keysBudget 40-bit key 56-bit keyRegular User 1 week 40 yearsSmall Business 12 minutes 556 daysCorporation 24 seconds 19 daysLarge Multinational 0.005 seconds 6 minutesGovernment 0.0002 seconds 12 secondsIn addition to a brute-force attack, other methods designed to recover a key include:Ciphertext-only Attack The attacker has some sample of ciphertext but lacks the cor-
responding plaintext or the key. The goal is to find the corresponding plaintext in order to
determine how the mechanism works. Ciphertext-only attacks tend to be the least success-
ful based on the fact that the attacker has very limited knowledge at the outset.Known Plaintext Attack The attacker possesses the plaintext and ciphertext of one or
more messages. The attacker will then use this acquired information to determine the key
in use. This attack shares many similarities with brute-force attacks.Chosen Plaintext Attack The attacker is able to generate the corresponding ciphertext
to deliberately chosen plaintext. Essentially, the attacker can “feed” information into the
encryption system and observe the output. The attacker may not know the algorithm or the
secret key in use.Chosen Ciphertext Attack The attacker is able to decrypt a deliberately chosen ciphertext
into the corresponding plaintext. Essentially, the attacker can “feed” information into the
decryption system and observe the output. The attacker may not know the algorithm or the
secret key in use.Another type of successful attack involves not even cracking the key but simply record-
ing some traffic and replaying it later. This type of attack requires that the attacker record
network traffic through sniffing and then retransmit the information later or extract the
key from the traffic.
Another related attack is the man-in-the-middle (MITM) attack, which is carried out
when the attacker gets between two users with the goal of intercepting and modifying
packets. Consider that in any situation in which attackers can insert themselves in the com-
munications path between two users, the possibility exists that the information can be
intercepted and modified.
Do not forget that social engineering can be effective in attacking cryptographic systems.
End users must be trained to protect sensitive items such as private cryptographic keys from
unauthorized disclosure. Attackers are successful if they have obtained cryptographic keys,
no matter how the task was accomplished. If they can decrypt sensitive information, it is
“game over” for the defender. Social engineering attacks can take many forms, including