CertiGuide to Security+  9  Chapter 1:  General Security Concepts (Domain 1.0; 30%)       9  1.4  Attacks

1.4.7  Weak Keys 1 1.4.9  Social Engineering

The short story on mathematical attacks is that a key data set with fewer possible combinations is more likely to produce a weaker key. (See 1.4.11.1). Popular belief states that 40-bit encryption is weak, and 128-bit is strong. The idea is that the longer the key, the more possible combinations will need to be tried, to find the correct key value by brute force. This is only a general statement⁸², as you will see when you look at WEP in 802.11.

Key length is only part of the story. Another part of the story involves the total number of possible key values. For instance, if a cracker knows that a key consists of 4 bytes, each of which holds a number between 1 and 10 (instead of a number between 0 and 255, the minimum and maximum values which can be held in a byte), that key is much weaker than a 4-byte key in which each byte can hold a number between 0 and 255.

Why is this? The number of possible key values is smaller. There are only 10x10x10x10 (10,000) possible key values for the first key, and 255x255x255x255 (4.2 billion) possible key values for the second key, making the second one much more difficult to discover through “brute force” attacks than the first. “Brute force” attacks are discussed in more detail in section 1.4.11.1.

Similarly, randomness of the key is important as well. Even 256-bit encryption is pretty useless if the key uses a simple pattern an attacker can figure out, such as 1,2,3,4,5,6 ....

Another type of mathematical attack has less to do with predicting the key than it does with finding a way around the problem of not having it. For instance, it may be possible to “break” some encryption algorithms by finding a way to reverse them without discovering the original key (for instance, by finding patterns in how encrypted text is generated).

1.4.7  Weak Keys 1 1.4.9  Social Engineering