LinuxQuestions.org
Support LQ: Use code LQ3 and save $3 on Domain Registration
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 10-20-2003, 05:23 AM   #1
mymojo
Member
 
Registered: Oct 2003
Distribution: Slackware 9.1
Posts: 176

Rep: Reputation: 30
Encryption - Public Keys - How secure?


I believe there is a brute force method against public keys - i.e running dictionary words through the same key and then comparing them with encrypted text.

Is this a really big security problem?
 
Old 10-20-2003, 09:35 AM   #2
stickman
Senior Member
 
Registered: Sep 2002
Location: Nashville, TN
Posts: 1,552

Rep: Reputation: 53
Dictionary and sequential attacks are going to be a problem for almost any password or encryption system. The trick is to use a sufficiently strong passphrase to secure your key. "password1" will probably not last very long against this type of attack while "Th!s !s My p@55w0rd!" would probably last quite a bit longer.
 
Old 10-20-2003, 09:48 AM   #3
frieza
Senior Member
 
Registered: Feb 2002
Location: harvard, il
Distribution: Ubuntu 11.4,DD-WRT micro plus ssh,lfs-6.6,Fedora 15,Fedora 16
Posts: 3,111

Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
yeah, but i thought public keys were only able to ENcrypt, the idea of being public is anyone with ehe public key can encrypt it, then a completely different algorithm,the private key, decrypted it, and without the private key it would take ridiculously long to brute force (depending on the level of encryption of couse)
 
Old 10-20-2003, 02:44 PM   #4
iainr
Member
 
Registered: Nov 2002
Location: England
Distribution: Ubuntu 9.04
Posts: 631

Rep: Reputation: 30
frieza is right. To decrypt something requires the private key. It is mathematically unfeasable (at present) to derive the private key from the public key so an attacker having your public key is not a security risk.

If someone has the private key, they are able to decrypt anything which has been encrypted with the public key. This is why protecting private keys is important and public keys can be put in directories that anyone can access.

Its very important that you protect your private keys. There are two main ways to do this. You can protect it physically (e.g. keep it on a floppy disk, or make sure no one can hack into the computer where its stored). You can also protect it by further encrypting it with a symmetric cypher where a passphrase is the key. This is what is happening when you are prompted for a passphrase in PGP, for example. The passphrase is the key allowing the private key to be decrypted.

If someone has your private key they can indeed run a brute force dictionary attack. The protection against this is to stop people getting your private key and to pick a passphrase that is resistent to dictionary attacks.
 
Old 10-20-2003, 11:56 PM   #5
mymojo
Member
 
Registered: Oct 2003
Distribution: Slackware 9.1
Posts: 176

Original Poster
Rep: Reputation: 30
I think you misunderstand.

What they do is encrypt normal words through your public key, then compare that to the already encrypted version.

For example:

let "credit card" = "uu77y"

say the encrypted message is:

4a sid asom uu77y

what they do is use your public key to encrypt a keyword (e.g, "credit card")

then they get the same result, uu77y. then they do a find and replace or whatever to track down the use of it and replace it with the real word.

eg. 4a sid asom credit card

given the very small vocabulary we use commonly, it wouldn't be too hard to get the gist of a message using this technique

hope that clears things up

Last edited by mymojo; 10-20-2003 at 11:58 PM.
 
Old 10-21-2003, 12:46 AM   #6
frieza
Senior Member
 
Registered: Feb 2002
Location: harvard, il
Distribution: Ubuntu 11.4,DD-WRT micro plus ssh,lfs-6.6,Fedora 15,Fedora 16
Posts: 3,111

Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
your scenereo does not sound practical, but i don't see anyway of stoping them from doing it except for perhaps finding a software program or perhaps simply changin settings? that allows a maximum number of attemps before breaking the connection and temporarily denying connection attempts from that ip
 
Old 10-21-2003, 02:21 AM   #7
iainr
Member
 
Registered: Nov 2002
Location: England
Distribution: Ubuntu 9.04
Posts: 631

Rep: Reputation: 30
Quote:
Originally posted by mymojo
I think you misunderstand.

What they do is encrypt normal words through your public key, then compare that to the already encrypted version.

For example:

let "credit card" = "uu77y"

say the encrypted message is:

4a sid asom uu77y

This will absolutely not work with any sort of modern cryptography - certainly not with anything developed in the last 30-40 years, including public/private key. Modern ciphers encrypt the whole message, not a letter or word at a time. Changing just one letter in your message changes the entire ciphertext.

The only way for an attacker to do this attack is to guess your entire message down to the last capital letter and comma. There is no way to guess a bit of a message at a time.

If you encrypt just the words "credit card", then separetely encrypt "My credit card" you will see the cypher text is quite different.

Iain.
 
Old 10-21-2003, 07:01 AM   #8
mymojo
Member
 
Registered: Oct 2003
Distribution: Slackware 9.1
Posts: 176

Original Poster
Rep: Reputation: 30
That restores my faith!

Thanks.
 
Old 10-21-2003, 09:09 AM   #9
stickman
Senior Member
 
Registered: Sep 2002
Location: Nashville, TN
Posts: 1,552

Rep: Reputation: 53
Luckily modern cryptosystems have evolved beyond using simple character substitution.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Encryption and Keys The Godfather Linux - Networking 6 09-03-2005 01:04 AM
YUM requires public keys, how do I get public keys? GNUROCKS Linux - Newbie 3 05-29-2005 09:50 AM
SSH Public Keys Problems Temujin_12 Linux - Security 4 02-23-2005 01:43 PM
gpg encryption for signing keys synapse Mandriva 1 01-22-2004 11:10 AM
Help with SSH and public/private keys stodge Linux - Security 5 05-14-2003 02:22 PM


All times are GMT -5. The time now is 09:40 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration