2 votes
Task 5: PRNG with Weak Seeds

As a hacker, you have discovered a potential target, Jack, who always uses passwords with 4 decimal numbers. Also, you know Jack did some cryptography training and he always uses AES-128 to encrypt important information. One day, you captured a ciphertext encrypted using

    $ openssl enc -aes-128-cbc -e -in credit_card.txt -out top_secret.txt -pbkdf2
    # Encryption key and IV are generated using pbkdf2 as a PRNG and the encryption password is used as the seed

That is, you captured top_secret.txt and you know it was generated from the above command. You did some research and knew pbkdf2 is a highly secure PRNG. How can you recover credit_card.txt without a brute-force attack on AES-128-cbc? Explain your idea.

1 Answer

3 votes

Final answer:

To potentially decipher the encrypted file without brute-forcing AES-128-cbc, the simplicity of Jack's 4-digit password can be exploited by testing all 10,000 potential combinations, which is a manageable number for today's computational resources.

Step-by-step explanation:

The student's question discusses the potential vulnerability in password-based encryption using AES-128-cbc with PBKDF2 (Password-Based Key Derivation Function 2) as a PRNG (Pseudo-Random Number Generator). Given that Jack uses a consistently simple password pattern and the captured ciphertext was encrypted using his password as the seed for PBKDF2 and AES, there could be a method to recover credit_card.txt without brute-forcing AES-128-cbc encryption, which would be virtually infeasible.

One potential method to recover the plaintext is to take advantage of the weak password policies used by Jack. If Jack's passwords are predictably simple 4-digit numbers, there are only 10,000 possible passwords (0000 to 9999). Instead of brute-forcing the AES encryption, you could attempt to brute-force the PBKDF2 generated keys by trying each of Jack's potential passwords. This is more feasible because you are only testing 10,000 combinations. PBKDF2 will generate the same key and initialization vector (IV) for the same password input, so once you've found the correct password, the derived key and IV can be used to decrypt the ciphertext.

by User Jackarms (7.5k points)
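An added example, not part of the original question or answer, showing why PBKDF2 cannot compensate for a 4-digit password: it derives the AES-128 key and IV the way `openssl enc -pbkdf2` does and compares the password space with the key space. It assumes OpenSSL 1.1.1 or later defaults (a `Salted__` header followed by an 8-byte salt, PBKDF2-HMAC-SHA256, 10,000 iterations); the function names and the sample file bytes are constructed for illustration.

```python
import hashlib
import math
import os
import time

MAGIC = b"Salted__"        # header `openssl enc` writes when a password is used
KEY_LEN, IV_LEN = 16, 16   # AES-128-CBC: 128-bit key, 128-bit IV
ITERATIONS = 10_000        # assumed OpenSSL default for -pbkdf2 without -iter
DIGEST = "sha256"          # assumed OpenSSL default digest for enc

def parse_header(blob: bytes):
    """Split an `openssl enc` file into (salt, ciphertext)."""
    if len(blob) < 16 or blob[:8] != MAGIC:
        raise ValueError("not a salted openssl enc file")
    return blob[8:16], blob[16:]

def derive_key_iv(password: str, salt: bytes, iterations: int = ITERATIONS):
    """One PBKDF2 output, split: first 16 bytes are the key, next 16 the IV."""
    out = hashlib.pbkdf2_hmac(DIGEST, password.encode(), salt,
                              iterations, KEY_LEN + IV_LEN)
    return out[:KEY_LEN], out[KEY_LEN:]

def password_space_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random password."""
    return length * math.log2(alphabet_size)

def estimate_exhaustion_seconds(salt: bytes, candidates: int,
                                sample: int = 20) -> float:
    """Time a few derivations and extrapolate to the whole password space."""
    start = time.perf_counter()
    for i in range(sample):
        derive_key_iv(f"{i:04d}", salt)
    return (time.perf_counter() - start) / sample * candidates

if __name__ == "__main__":
    # Constructed sample: header, random salt, random bytes as stand-in ciphertext.
    blob = MAGIC + os.urandom(8) + os.urandom(32)
    salt, _ciphertext = parse_header(blob)
    key, iv = derive_key_iv("0000", salt)
    print(f"salt={salt.hex()} key={key.hex()} iv={iv.hex()}")
    print(f"4-digit password: {password_space_bits(10, 4):.1f} bits "
          f"(the key itself is 128 bits)")
    secs = estimate_exhaustion_seconds(salt, 10 ** 4)
    print(f"deriving all 10,000 candidate keys: ~{secs:.0f} s on this machine")
    # Same command, stronger secret: 20 random characters from 62 symbols.
    print(f"20 random alphanumerics: {password_space_bits(62, 20):.1f} bits")
```

The salt is stored in the clear in the file header, so it makes each file's key distinct but adds nothing to the work needed for one captured file; only a higher-entropy password (and, to a lesser extent, a larger `-iter` value) does.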