Ciphertext-only attack Cryptographic Assaults

adding the next large bit, and looking at the output. Some assumptions in cracking things this way are that he must be able to identify the output as cracked when it actually is. If the clear text were English text, then it shouldn't be too hard, but what if the input data was another encrypted message? This would ensure that all brute force outputs would look like garbage, even in the event of a successful crack. Another assumption is that there is time enough to spend cycling through all possible keys. If the encryption algorithm is slow, it may take a second or so to calculate the cipher; if there are several billion combinations for the key, the amount of time needed to crack the code would be between 50 and 100 years. We are not that patient, and figure that no one else is either.

2.4.2.6 Password guessers and dictionary attacks

If you are not familiar with Crack, the most common of the tools available to the would-be break-in artist, establish a way to check your own passwords by using it. Although we covered the DES encryption algorithm in detail previously in this chapter, we will present a short discussion on password cracking. Crack is available from http://www.atstake.com . Most computers use the DES algorithm to protect the passwords on the authentication system. Unix systems, which account for the bulk of the Internet-based systems, are the largest installed base of DES authentication units. Simply put, DES takes a user's clear text password, like the example password MucH007, and converts it into a 13-character pile of seeming gibberish, such as HnX2a4gLaMv3k. It is mathematically difficult to divine the original password from the encrypted one using brute force. So password-guessing programs don't try every possible string; they reduce the number of tries to a more feasible level by guessing what sorts of passwords people are likely to use. The Crack password-guessing program uses a dictionary of common words in several languages, including a ton of proper nouns such as people's names and places, and tries them as the password. This is why you hear your system administrator trying to persuade you to use something uncommon or unnatural as a password. Simple passwords are almost equivalent to having no password at all.

2.4.2.7 Social engineering

Don't think that all threats come from the online front. One of the most traditional cracks is simply to call a person and ask them questions. Or, send them a survey, ripe with personal queries, and a $20.00 bill for their trouble. You would be amazed at what people will tell you. This is how system attackers might get potential material for assisting them in piecing together password attempts. As we discussed earlier, a brute force hack of a password may take months on a fairly significant machine, yet reducing the total combinations to just real words found in a dictionary brings the time spent on cracking that user down to about 10 to 15 minutes; you can see, then, how using personal information can drive the time needed to guess even complex passwords down to a trivial amount. Semi-public data such as phone numbers, birthdays, license plates, girlfriends, and favorite movies, music, stores, etc., can provide valuable resources to a password cracker. Social engineering can come in many forms, and is generally regarded as the easiest and most successful attack. Remember, even your 1024-bit RSA private key is protected by a passphrase or password that could be easily socially engineered.
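The self-audit the password-guessing section recommends, and the effect of the personal data the social-engineering section describes, can both be shown in one small script. The following is an added example, not code from the book and not the Crack program: it assumes a salted SHA-256 hash as a stand-in for the 13-character DES crypt(3) format (Python's crypt module is deprecated and not portable), a handful of hypothetical mangling rules of the kind word-list guessers apply, and a constructed sample password file with fixed salts. The audit returns which of your own accounts fall to a dictionary word, a mangled variant, or a per-user list of personal words (pet names, years), so the defender can see exactly which passwords need changing.

```python
import hashlib
from typing import Dict, Iterable, List, Optional


def hash_password(password: str, salt: bytes) -> str:
    """Salted one-way hash. ASSUMPTION: SHA-256 stands in for DES crypt(3);
    the stored form is '<salt hex>$<digest hex>'."""
    digest = hashlib.sha256(salt + password.encode("utf-8")).hexdigest()
    return salt.hex() + "$" + digest


def verify(password: str, stored: str) -> bool:
    """Re-hash a guess with the stored salt and compare, as login would."""
    salt_hex, _ = stored.split("$", 1)
    return hash_password(password, bytes.fromhex(salt_hex)) == stored


def candidates(word: str) -> Iterable[str]:
    """Hypothetical mangling rules: the word as-is, capitalised, upper-cased,
    reversed, and the first two forms with a few common digit suffixes."""
    base = [word, word.capitalize(), word.upper(), word[::-1]]
    for b in base:
        yield b
    for b in base[:2]:
        for suffix in ("1", "123", "007"):
            yield b + suffix


def audit(accounts: Dict[str, str], dictionary: List[str],
          personal: Optional[Dict[str, List[str]]] = None) -> Dict[str, str]:
    """Return {username: recovered password} for every account whose hash
    matches a dictionary word, a mangled variant, or one of that user's
    personal words. Accounts that survive are absent from the result."""
    personal = personal or {}
    found: Dict[str, str] = {}
    for user, stored in accounts.items():
        words = list(dictionary) + personal.get(user, [])
        for word in words:
            for guess in candidates(word):
                if verify(guess, stored):
                    found[user] = guess
                    break
            if user in found:
                break
    return found


# Constructed sample password file (not real accounts). Salts are fixed so the
# audit is reproducible; a real system would draw them at random.
SAMPLE_PLAINTEXT = {
    "alice": "Fluffy123",  # pet name learned from a "survey", plus a suffix
    "bob": "password",     # plain dictionary word
    "carol": "MucH007",    # the book's example; in no word list used here
}
SAMPLE_ACCOUNTS = {
    user: hash_password(pw, bytes([i] * 8))
    for i, (user, pw) in enumerate(SAMPLE_PLAINTEXT.items())
}
DICTIONARY = ["password", "secret", "dragon", "letmein"]
PERSONAL = {"alice": ["fluffy", "1985"]}  # words social engineering turns up


if __name__ == "__main__":
    print("dictionary only:     ", audit(SAMPLE_ACCOUNTS, DICTIONARY))
    print("with personal words: ", audit(SAMPLE_ACCOUNTS, DICTIONARY, PERSONAL))
```

Run against the constructed file, the dictionary alone recovers only bob's password; adding alice's personal words recovers hers too, while carol's uncommon password survives both passes. That gap between the two runs is the point of the social-engineering section: the word list is cheap, and personal data is what makes it effective.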