Like this CertiGuide? Get it in PDF format!
Click Here!
Use coupon code "certiguide" to save 20%!
(Expires 2004/12/31)

Also available: 300-question Security+ practice test!
Get It Here!

Custom Search







Table Of Contents  CertiGuide to Security+
 9  Chapter 1:  General Security Concepts (Domain 1.0; 30%)
      9  1.4  Attacks

Previous Topic/Section
1.4.6  TCP/IP Hijacking
Previous Page
Pages in Current Topic/Section
1
Next Page
1.4.8  Mathematical
Next Topic/Section

1.4.7  Weak Keys

An attack based on weak keys takes advantage of weak keys used to protect encrypted information, or weak passwords for user authentication. If an attacker can “break” a key, he can gain access to whatever that key is protecting – be it data, a logon credential, etc.

The term “weak keys” usually relates directly to secure protocols, such as IPSec or SSL. As mentioned in 1.4.5, these secure protocols use cryptography and a key exchange protocol known as IKE to create a secure connection between 2 hosts using session keys. As discussed in chapter 4, a host must “decide” on a mathematical algorithm to use for encryption of secure sessions, such as DES, 3DES or RC4. 40-bit key lengths, and indeed 56bit DES are not considered secure, and modern hardware is allowing attackers (and researchers) to break these encryption algorithms quicker all the time. Unfortunately due to the legacy from old export laws from the USA restricting the export of strong encryption, a significant proportion of servers (especially web servers) still use these weak keys.

Weak keys may also include those using only a subset of the permitted characters, or using predictable contents as the key (such as the name of the resource being protected).

Weak Keys81

The weak key attack takes advantage of the weakness of keys being used to protect encrypted information, including network sessions and password resources. The shorter the key length, the easier it is to break the encryption on a piece of data.


The obvious prevention technique here involves using strong encryption algorithms and strong keys, and combining this type of authentication with others. More will be said about this in the chapter on Cryptography.

Much of the rest of this domain overlaps with Domain 4 Cryptography. It appears to be definitional in Domain 1, and more “How” based in Domain 4.

Stronger Keys = Increased Data Privacy

Do you use encryption to protect files or VPN connections? How strong are the keys used to do so? If they’re only 40 or 56 bit keys, research alternatives that use stronger keys.



 __________________

81. http://www.eweek.com/article2/0,3959,899796,00.asp

Previous Topic/Section
1.4.6  TCP/IP Hijacking
Previous Page
Pages in Current Topic/Section
1
Next Page
1.4.8  Mathematical
Next Topic/Section

If you find CertiGuide.com useful, please consider making a small Paypal donation to help the site, using one of the buttons below. You can also donate a custom amount using the far right button (not less than $1 please, or PayPal gets most/all of your money!) In lieu of a larger donation, you may wish to consider buying an inexpensive PDF equivalent of the CertiGuide to Security+ from StudyExam4Less.com. (Use coupon code "certiguide" by December 31, 2004 to save 20%!) Thanks for your support!
Donate $2
Donate $5
Donate $10
Donate $20
Donate $30
Donate: $



Home - Table Of Contents - Contact Us

CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004

Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.