CAPEC

Common Attack Pattern Enumeration and Classification
Common Attack Pattern Enumeration and Classification

A Community Knowledge Resource for Building Secure Software

Home > CAPEC List > Individual CAPEC Dictionary Definition (Release 1.1)   View the CAPEC List

Individual CAPEC Dictionary Definition (Release 1.1)
Individual CAPEC Dictionary Definition (Release 1.1)

Encryption Brute Forcing
Attack Pattern ID
Pattern Abstraction: Standard

20

Typical Severity

Low

Description

Summary


An attacker, armed with the cipher text and the encryption algorithm used, performs an exhaustive (brute force) search on the key space to determine the key that decrypts the cipher text to obtain the plaintext.

Attack Execution Flow

  1. Determine the ciphertext and the encryption algorithm.

  2. Perform an exhaustive brute force search of the keyspace, producing candidate plaintexts and observing if they make sense.

Attack Prerequisites

Ciphertext is known.

Encryption algorithm and key size are known.

Typical Likelihood of Exploit

Low

Methods of Attack
  • Brute Force
Examples-Instances

Description


In 1997 the original DES challenge used distributed net computing to brute force the encryption key and decrypt the ciphertext to obtain the original plaintext.  Each machine was given its own section of the keyspace to cover.  The ciphertext was decrypted in 96 days.

Attacker Skill or Knowledge Required

Low: Brute forcing encryption does not require much skill.

Resources Required

A powerful enough computer for the job with sufficient CPU, RAM and HD. Exact requirements will depend on the size of the brute force job and the time requirement for completion. Some brute forcing jobs may require grid or distributed computing (e.g. DES Challenge). On average, for a binary key of size N, 2^(N/2) trials will be needed to find the key that would decrypt the ciphertext to obtain the original plaintext. Obviously as N gets large the brute force approach becomes infeasible.

Indicators-Warnings of Attack

None. This attack happens offline.

Solutions and Mitigations

Use commonly accepted algorithms and recommended key sizes. The key size used will depend on how important it is to keep the data confidential and for how long.

In theory a brute force attack performing an exhausitve keyspace search will always succeed, so the goal is to have computational security. Moore's law needs to be taken into account that suggests that computing resources double every eighteen months.

Attack Motivation-Consequences
  • Information Leakage
Context Description


Typically cryptography, if done right, will rarely be the weakest link in the system.  Problems begin when people either decide to play cryptographers themselves and roll out custom crypto, use key sizes that are too small, develop their own cryptographic protocols (or misuse existing cryptographic protocols).  There are some other things that can be done wrong, such as not using good sources of randomness when generating encryption keys and initialization vector values.

Related Weaknesses
CWE-IDWeakness NameWeakness Relationship Type
326Weak EncryptionTargeted
Related Attack Patterns
IDNameRelationship TypeRelationship Description
49Password Brute ForcingMore Detailed
Source
Submission(s)
SubmitterOrganizationDateComment
Eugene LebanidzeCigital, Inc2007-02-26
Modification(s)
ModifierOrganizationDateComment
Sean BarnumCigital, Inc2007-03-01Review and revision of content
Richard StruseVOXEM, Inc2007-03-26Review and feedback leading to changes in Description, Resources Required and Context Description
Sean BarnumCigital, Inc2007-04-13Modified pattern content according to review and feedback
Back to top
 

CAPEC is sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security.

Vision and Technical Leadership provided by Cigital, Inc.

This Web site is hosted by The MITRE Corporation.
Copyright 2008, The MITRE Corporation.

Contact capec@mitre.org for more information.
Page Last Updated: April 18, 2008
Privacy policy
Terms of use
Contact us