2 cissp ® Official Study Guide Eighth Edition

Download 19,3 Mb.

Pdf ko'rish

bet	602/881
Sana	08.04.2023
Hajmi	19,3 Mb.
	#925879

1 ... 598 599 600 601 602 603 604 605 ... 881

Bog'liq
(CISSP) Mike Chapple, James Michael Stewart, Darril Gibson - CISSP Official Study Guide-Sybex (2018)

Birthday Attack
A
birthday attack
focuses on fi nding collisions. Its name comes from a statistical phe-
nomenon known as the birthday paradox. The birthday paradox states that if there are
23 people in a room, there is a 50 percent chance that any two of them will have the
same birthday. This is not the same year, but instead the same month and day, such as
March 30.
With February 29 in a leap year, there are only 366 possible days in a year. With 367
people in a room, you have a 100 percent chance of getting at least two people with the
same birthdays. Reduce this to only 23 people in the room, and you still have a 50 percent
chance that any two have the same birthday.
This is similar to fi nding any two passwords with the same hash. If a hashing function
could only create 366 different hashes, then an attacker with a sample of only 23 hashes
has a 50 percent chance of discovering two passwords that create the same hash. Hashing
algorithms can create many more than 366 different hashes, but the point is that the birth-
day attack method doesn’t need all possible hashes to see a match.

646
Chapter 14
■
Controlling and Monitoring Access
From another perspective, imagine that you are one of the people in the room and you
want to fi nd someone else with the same birthday as you. In this example, you’ll need
253 people in the room to reach the same 50 percent probability of fi nding someone else
with the same birthday.
Similarly, it is possible for some tools to come up with another password that creates
the same hash of a given hash. For example, if you know that the hash of the administrator
account password is 1A5C7G, some tools can identify a password that will create the same
hash of 1A5C7G. It isn’t necessarily the same password, but if it can create the same hash,
it is just as effective as the original password.
You can reduce the success of birthday attacks by using hashing algorithms with enough
bits to make collisions computationally infeasible, and by using salts (discussed in the
“Rainbow Table Attacks” section next). There was a time when security experts considered
MD5 (using 128 bits) to be collision free. However, computing power continues to improve,
and MD5 is not collision free. SHA-3 (short for Secure Hash Algorithm version 3) can use
as many as 512 bits and is considered safe against birthday attacks and collisions—at least
for now. Computing power continues to improve, so at some point, SHA-3 will be replaced
with another hashing algorithm with longer hashes and/or stronger cryptology methods
used to create the hash.

Download 19,3 Mb.

Do'stlaringiz bilan baham:

1 ... 598 599 600 601 602 603 604 605 ... 881