1.4.7 Weak Keys
An attack based on weak keys exploits weak keys used to protect encrypted information, or weak passwords used for user authentication. If an attacker can break a key, he gains access to whatever that key is protecting, be it data, a logon credential, etc.
The term weak keys usually relates directly to secure protocols, such as IPSec or SSL. As mentioned in 1.4.5, these secure protocols use cryptography and a key exchange protocol known as IKE to create a secure connection between two hosts using session keys. As discussed in chapter 4, a host must decide on a mathematical algorithm to use for encryption of secure sessions, such as DES, 3DES or RC4. 40-bit key lengths, and indeed 56-bit DES, are not considered secure, and modern hardware allows attackers (and researchers) to break these encryption algorithms more quickly all the time. Unfortunately, as a legacy of old US export laws restricting the export of strong encryption, a significant proportion of servers (especially web servers) still use these weak keys.
Weak keys may also include those using only a subset of the permitted characters, or using predictable contents as the key (such as the name of the resource being protected).
The obvious prevention technique here involves using strong encryption algorithms and strong keys, and combining this type of authentication with others. More will be said about this in the chapter on Cryptography.
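As an added example (not part of the original guide), the following check flags the two weaknesses described above: keys drawn from only a subset of the permitted characters, and keys whose contents are predictable from the name of the protected resource. The function names, the sample keys and the 112-bit threshold are assumptions made for this illustration.

```python
import math
import re
import string

# Character classes and their sizes; a key drawn from only some classes
# has a smaller search space than its length suggests.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "punct": set(string.punctuation),
}
MIN_BITS = 112  # assumed policy threshold, not a figure from the guide


def effective_bits(key: str) -> float:
    """Upper bound on keyspace in bits, given the character classes used."""
    alphabet = sum(len(chars) for chars in CLASSES.values()
                   if any(c in chars for c in key))
    # Characters outside the four classes: count each distinct one once.
    alphabet += len({c for c in key
                     if not any(c in s for s in CLASSES.values())})
    return len(key) * math.log2(alphabet) if alphabet > 1 else 0.0


def audit_key(key: str, resource_name: str, min_bits: float = MIN_BITS):
    """Return a list of findings; an empty list means no weakness was found."""
    findings = []
    bits = effective_bits(key)
    if bits < min_bits:
        findings.append(f"keyspace ~{bits:.0f} bits is below {min_bits}")
    used = [name for name, chars in CLASSES.items()
            if any(c in chars for c in key)]
    if len(used) == 1:
        findings.append(f"only '{used[0]}' characters used")
    # Predictable contents: any word of the resource name inside the key.
    words = [w for w in re.split(r"[^a-z0-9]+", resource_name.lower())
             if len(w) >= 3]
    hits = [w for w in words if w in key.lower()]
    if hits:
        findings.append("contains resource name part(s): " + ", ".join(hits))
    return findings


if __name__ == "__main__":
    # Constructed sample keys for a share named "payroll-db".
    for k in ("12345678", "PayrollDB2004!", "t7#Qm!v9Lx@2Rz&8pW^c"):
        print(k, "->", audit_key(k, "payroll-db") or "no findings")
```

The figure returned by `effective_bits` is an upper bound: an eight-digit key comes out at roughly 27 bits, well under the 40-bit length already described as insecure, and a human-chosen key is usually weaker than its bound.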
Much of the rest of this domain overlaps with Domain 4, Cryptography. It appears to be definitional in Domain 1, and more "how"-based in Domain 4.
CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004
Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved.