Another simple question from silly old me.

We keep hearing big numbers being thrown around, for example the key:

234234-234WEF-ER334AS-3535FWF 

Would take 20 billion gabizillion years for anyone to crack.

Could someone explain how you even know when you have cracked it? If you have permutated a trillion combinations, how do you know if you have passed the correct one? Surely you would have to test it on the live system, which wouldn't be able to handle that many requests so fast, and a half-brained system admin would notice the attack.

I keep seeing competitions to 'crack the key ############'. How are you meant to know when you have a solution? You magically come across the English phrase "Ha you won't find me!" or something?

What am I missing?

+1  A: 

how are you meant to know when you have a solution?

When the program/algorithm/system/whatever validating the key accepts it.

Depending on what they are trying to crack, the attacker can do the validation him/herself.

NullUserException
So if there is some network you are trying to crack you can't do it then basically?
Tom Gullen
+4  A: 

If you are talking about public key cryptography you can tell when you have cracked the key if you have access to the public key (and you often do - it's typically made public, hence its name). This means you can do the attack offline and you can easily verify that you have found the private key by performing decrypt(encrypt(message)) for a message of your choice and check that you get the correct result back.

You can also often verify the result mathematically. For example with the RSA algorithm if you can factorize the number in the public key then you can prove that you have found the correct private key because the prime factors are used in the generation of the private key.

Mark Byers
+2  A: 

The key-picking process has two steps:

  1. Pick the next key (brute force or dictionary)
  2. Validate; if failed, go to 1

If you are cracking a remote application, the owner can prevent picking by limiting validations in some way (3 attempts, then a pause, for example). If you are cracking something local, like an encrypted rar file, then the owner can make picking hard by making validation a heavy operation, like encoding it several times.

Andrey
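
The local case from the last answer, as an added example that is not part of the original thread: a file header carries a check value, so every guess can be validated offline, and repeating the derivation many times raises the cost of each validation. PBKDF2 is used here as one standard way to "encode it several times" (the answer names no algorithm); the header layout, function names, sample password and keyspace are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import time

def make_header(password, iterations):
    """Build the (hypothetical) header stored beside the encrypted data."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    # Store a hash of the derived key, never the key or password itself.
    return {"salt": salt, "iterations": iterations,
            "check": hashlib.sha256(key).digest()}

def validate(header, guess):
    """Step 2 of the loop: re-derive the key from a guess and compare."""
    key = hashlib.pbkdf2_hmac("sha256", guess.encode(),
                              header["salt"], header["iterations"])
    return hmac.compare_digest(hashlib.sha256(key).digest(), header["check"])

def seconds_per_validation(header, samples=3):
    """Measure the average cost of one failed validation on this machine."""
    start = time.perf_counter()
    for i in range(samples):
        validate(header, f"wrong-guess-{i}")
    return (time.perf_counter() - start) / samples

def years_to_exhaust(keyspace, seconds_each):
    """Time to try every key, one validation after another."""
    return keyspace * seconds_each / (365.25 * 24 * 3600)

if __name__ == "__main__":
    keyspace = 26 ** 8  # constructed example: 8 lowercase letters
    for iterations in (1, 200_000):
        header = make_header("constructed-sample-password", iterations)
        assert validate(header, "constructed-sample-password")
        cost = seconds_per_validation(header)
        print(f"{iterations:>7} iterations: {cost:.6f} s per guess, "
              f"{years_to_exhaust(keyspace, cost):.2f} years for {keyspace} keys")
```

The legitimate user pays the per-validation cost once per unlock, while an exhaustive search pays it for every key in the keyspace.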