Home > CAPEC List > CAPEC-20: Encryption Brute Forcing (Version 2.9)  

CAPEC-20: Encryption Brute Forcing

Encryption Brute Forcing
Definition in a New Window Definition in a New Window
Attack Pattern ID: 20
Abstraction: Standard
Status: Draft
Completeness: Complete
Presentation Filter:
+ Summary

An attacker, armed with the cipher text and the encryption algorithm used, performs an exhaustive (brute force) search on the key space to determine the key that decrypts the cipher text to obtain the plaintext.

+ Attack Execution Flow
  1. Determine the ciphertext and the encryption algorithm.

  1. Perform an exhaustive brute force search of the key space, producing candidate plaintexts and observing if they make sense.

+ Attack Prerequisites
  • Ciphertext is known.

  • Encryption algorithm and key size are known.

+ Typical Severity


+ Typical Likelihood of Exploit

Likelihood: Low

+ Methods of Attack
  • Brute Force
+ Examples-Instances


In 1997 the original DES challenge used distributed net computing to brute force the encryption key and decrypt the ciphertext to obtain the original plaintext. Each machine was given its own section of the key space to cover. The ciphertext was decrypted in 96 days.

+ Attacker Skills or Knowledge Required

Skill or Knowledge Level: Low

Brute forcing encryption does not require much skill.

+ Resources Required

A powerful enough computer for the job with sufficient CPU, RAM and HD. Exact requirements will depend on the size of the brute force job and the time requirement for completion. Some brute forcing jobs may require grid or distributed computing (e.g. DES Challenge).

On average, for a binary key of size N, 2^(N/2) trials will be needed to find the key that would decrypt the ciphertext to obtain the original plaintext.

Obviously as N gets large the brute force approach becomes infeasible.

+ Indicators-Warnings of Attack

None. This attack happens offline.

+ Solutions and Mitigations

Use commonly accepted algorithms and recommended key sizes. The key size used will depend on how important it is to keep the data confidential and for how long.

In theory a brute force attack performing an exhaustive key space search will always succeed, so the goal is to have computational security. Moore's law needs to be taken into account that suggests that computing resources double every eighteen months.

+ Attack Motivation-Consequences
ScopeTechnical ImpactNote
Read application data
+ Content History
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team

More information is available — Please select a different filter.
Page Last Updated or Reviewed: December 07, 2015