How is Encryption Cracked?

Encryption is a technique where plainly-readable information is scrambled according to a particular method. You can then send this information to someone with the knowledge that only the eyes meant to see your info will.

There is, however, no such thing as a perfect security system. No matter how advanced. There will always be a few vectors of attack. When it comes to the various types of encryption, there are actually quite a few. Most of them are still very difficult to pull off. However, difficult is not the same as impossible. Here is how encryption is cracked.

Find a Weakness in the Algorithm

The most fundamental way to defeat a particular encryption algorithm is to find a weakness in it. There are always people trying to poke holes in existing encryption algorithms. They are continually looking for exploits.

Luckily, most of the time these people are the good guys. They’re security researchers. People who proactively look at ways to defeat the encryption methods currently in use. The idea is to beat criminals who are trying the same thing to the goal. Then the holes can be plugged before any actual damage is done.

Weaknesses in algorithms usually revolve around any quirk of the math that makes the output of the process predictable. Especially in a way the creators did not foresee. These exploits are then turned into an attack. This has happened many times before. Which is why most encryption protocols are not on version one anymore.

Attack the Random Number Generator

In general, encryption algorithms make use of randomness to create keys or for other key components of the algorithm. When it comes to key generation, it’s of course incredibly important not to create the same key twice. Some attacks, however, aim to mess with the random number generator, so that it issues the same random number for key generation twice in a row. This means that a second copy of the key is given away to a third party. This third party can then decrypt all of the communications between legitimate users.

In recent history the most infamous attack is KRACK. This exploit is aimed at the almost-universal WPA2 protocol used in our WiFi systems. Thanks to a flaw found in the random number generator modern WiFi encryption uses, it’s possible to trick the system into issuing the same key twice. In symmetric encryption setup where there is only one key for both encryption and decryption, that’s very bad news indeed.

Discover a Back Door

A back door is a security bypass that exists in an otherwise secure system. It provides a way to get around the normal authentication method you would need to access encrypted data.

For example, if you're smartphone is encrypted no one without the passcode should be able to unlock your information. However, if the manufacturer builds a secret bypass into their product, they can still get at your private stuff.

The companies who make stuff for us are actually strongly motivated to protect our privacy. They want our money after all. When these backdoors exist with the knowledge of the company, it's usually because of government interference. Alternatively, it's possible that a spy might insert malicious changes to a product.

This is one of the reasons Open Source ciphers provide peace of mind to the internet community. If there were any backdoors in the code, everyone would know.

The issue of backdoors remains a contentious one. Should governments have the power to bypass the encryption of a person for any reason at all? Arguments along the lines of national security and curbing things like terror attacks don't weigh up well enough for me personally.

Be the Man in the Middle

With digital encryption on the web, you can be assured that only you and the other computer (usually the server) can understand any of the data sent back and forth between you.

What if you weren't actually connected to the server you thought? Imagine someone pretending to be the server and establishing a secure connection with you. They receive all the info you want to send to the server. Then that computer also connects to the real server and pretends to be you. They pass all the information to the proper destination. Which means both you and the real server see nothing wrong. However, because the information is being encrypted by this third-party, all info is visible to them. They can easily steal things like credit card information or other sensitive data.

Even worse, the attacker can manipulate the information going both ways. Perhaps changing a password or email address to suit their own purposes. This is what's known as a man-in-the-middle attack.  Don't mind the name; you don't have to be a man to pull it off!

These sorts of attacks are only really feasible with symmetric key encryption systems. WiFi is a good example of this. If an unknown third-party has a copy of the decryption key, they can act as the middleman. On the wider web, asymmetric public key encryption has essentially solved this issue.

Target Human-generated Passwords

When keys are generated by sophisticated encryption protocols, they don't mess around. These days keys that are 2048-bits in length aren't that uncommon. Although web encryption 256-bit keys are standard and more than powerful enough. Trying to break that code is for all practical purposes impossible, as I shall explain in the next section.

Human-generated keys, such as your email password, are an entirely different story. When a person comes up with a password (which acts as the encryption key), they don't use amazing math to come up with a 256-character, maximum randomness string. No, they usually do something that they'd remember easily. Unfortunately, this means that if hackers can get their hands on the stored and encrypted copy of a password, they can try different combinations until the lock opens.

However, thanks to all the possible characters passwords can use, it still takes an impractical amount of time to crack each password. However, since human passwords are not completely random, hackers can use something called a dictionary attack. This tries common word combinations as well as known variations. So if you think you're smart because your password is "p@$$w0RD", you're in for a nasty surprise.

Since most people practice such poor password practices, this is one of the most successful approaches. That is if you can steal those encrypted passwords in the first place!

The good news is that you don't have to use weak passwords. You can either craft a strong password yourself, or you can get generated passwords and use them with a password manager.

Using Brute Force

As you've just read above, passwords can be cracked (in theory) if you have unlimited tries and just keep guessing. The same goes for any encryption key. Once you have a copy of some encrypted material, you can try one key combination after another until you hit the right one.

This "brute force" method is the most basic and straightforward attack against encryption. It also has virtually no chance of working, since encryption today is designed specifically to combat brute force attacks. Industry standard encryption uses keys that are so long and complex, that it would take literally more computing power and time than we will ever have to break them.

So the brute force method may not be a viable attack. But it is the golden standard to determine whether a given encryption algorithm has been compromised. In other words, if there is any way to crack a form of encryption faster than brute force, it is considered compromised. That doesn't always mean that it will be dropped. Faster is a relative term. If you shave a few centuries off the brute force time, that doesn't make it practical.

The Battle is Won. The War Rages On

For all intents and purposes, the state of encryption today is clearly on the side of privacy and security. The defeat of properly implemented encryption is virtually unheard of. When breaches occur, it's usually human error or social engineering.

That doesn't mean that things will never change. Although conventional computers have very little hope of ever being fast enough to break modern encryption in usable time spans, new technologies such as quantum computing may be able to do it in time. For now, however, we can enjoy the privacy and security with little to worry us.