Weak Encryption – CompTIA Security+ SY0-501 – 6.1

Not all encryption is equally secure. In this video, you’ll learn what makes an encryption method strong or weak.

<< Previous Video: Randomizing Cryptography Next: Cryptographic Keys >>

When you start comparing different kinds of cryptography, you’ll find that some we refer to as strong cryptography, and others might be considered weak cryptography. We make these broad assertions based on how easy or difficult it might be to be able to brute force or access information that might be encrypted with these particular ciphers. The reality is that everything could potentially be brute forced. If we’re able to run through every possible key for a particular cipher, then you will eventually find the key that matches the one that originally encrypted that data.

The goal of most security professionals is to use an encryption method that has a key that is so long that it would be impractical to go through every possible iteration. Sometimes it’s not about the length of time it would take to brute force that particular key. But instead, is the cipher itself secure. If we can find an algorithm that doesn’t have any type of shortcoming or cryptographic vulnerability, then we can consider that particular algorithm to be strong.

There are many algorithms we use today that we consider to be strong. But some, like the wired equivalent privacy that we used to use on wireless networks, had cryptographic vulnerabilities. And those design flaws meant that we had to reassign that to be a weak form of cryptography. An example of strong cryptography might be algorithms that we continue to use and continue to perform research against but still have not found any cryptographic vulnerabilities.

PGP, or Pretty Good Privacy, is a good example of that. And the AES, the Advanced Encryption Standard, is another. An example of weak algorithms might be the previously referenced wired equivalent privacy or the algorithm DES, which is the Data Encryption Standard. That older version has 56-bit keys. And those smaller key sizes are able to be easily brute forced.

When you have these smaller keys that are susceptible to brute force attacks, it’s difficult to consider using them. Since it’s so easy to eventually find the key, you may not want to use it in normal operation. But what if you were able to make that smaller key functionally much larger? An example of this might be hashing a password, and then hashing the hash of the password, and maybe hashing the hash of the hash of the password, and so on.

We refer to this as key stretching or key strengthening when you use the key multiple times in order to make the entire process more difficult to brute force. Imagine the attacker then that needed to reverse this process. They would perform a brute force of the last hash.

And then they’d have to perform another brute force of the hash and then another brute force of that hash until they got back to the original value. This means that, although the original key was relatively small, the bad guys now have to spend much more time during the brute force process, turning this relatively weak key into one that’s much stronger.