Cryptanalysis is the study of ciphertext, ciphers and cryptosystems with the aim

of understanding how they work and finding and improving techniques for
defeating or weakening them. For example, cryptanalysts seek to decrypt
ciphertexts without knowledge of the plaintext source, encryption key or the
algorithm used to encrypt it; cryptanalysts also target secure hashing, digital
signatures and other cryptographic algorithms.

How does cryptanalysis work?

While the objective of cryptanalysis is to find weaknesses in or otherwise
defeat cryptographic algorithms, cryptanalysts' research results are used by
cryptographers to improve and strengthen or replace flawed algorithms. Both
cryptanalysis, which focuses on deciphering encrypted data, and cryptography,
which focuses on creating and improving encryption ciphers and other
algorithms, are aspects of cryptology, the mathematical study of codes, ciphers
and related algorithms.

Researchers may discover methods of attack that completely break an

encryption algorithm, which means that ciphertext encrypted with that
algorithm can be decrypted trivially without access to the encryption key. More
often, cryptanalytic results uncover weaknesses in the design or implementation
of the algorithm, which can reduce the number of keys that need to be tried on
the target ciphertext.

For example, a cipher with a 128 bit encryption key can have 2 128 (or
340,282,366,920,938,463,463,374,607,431,768,211,456) unique keys; on
average, a brute force attack against that cipher will succeed only after trying
half of those unique keys. If cryptanalysis of the cipher reveals an attack that
can reduce the number of trials needed to 2 40 (or just 1,099,511,627,776)
different keys, then the algorithm has been weakened significantly, to the point
that a brute-force attack would be practical with commercial off-the-shelf
systems.

Who uses cryptanalysis?

Cryptanalysis is practiced by a broad range of organizations, including
governments aiming to decipher other nations' confidential communications;
companies developing security products that employ cryptanalysts to test their
security features; and hackers, crackers, independent researchers and
academicians who search for weaknesses in cryptographic protocols and
algorithms.

It is this constant battle between cryptographers trying to secure information

and cryptanalysts trying to break cryptosystems that moves the entire body of
cryptology knowledge forward.

Cryptanalysis techniques and attacks

There are many different types of cryptanalysis attacks and techniques, which
vary depending on how much information the analyst has about the ciphertext
being analyzed. Some cryptanalytic methods include:

 In a ciphertext-only attack, the attacker only has access to one or more

encrypted messages but knows nothing about the plaintext data, the
encryption algorithm being used or any data about the cryptographic
key being used. This is the type of challenge that intelligence agencies
often face when they have intercepted encrypted communications
from an opponent.
 In a known plaintext attack, the analyst may have access to some or all
of the plaintext of the ciphertext; the analyst's goal in this case is to
discover the key used to encrypt the message and decrypt the
message. Once the key is discovered, an attacker can decrypt all
messages that had been encrypted using that key. Linear cryptanalysis
is a type of known plaintext attack that uses a linear approximation to
describe how a block cipher Known plaintext attacks depend on the
attacker being able to discover or guess some or all of an encrypted
message, or even the format of the original plaintext. For example, if
the attacker is aware that a particular message is addressed to or about
a particular person, that person's name may be a suitable known
plaintext.
 In a chosen plaintext attack, the analyst either knows the encryption
algorithm or has access to the device used to do the encryption. The
analyst can encrypt the chosen plaintext with the targeted algorithm to
derive information about the key.
 A differential cryptanalysis attack is a type of chosen plaintext attack
on block ciphers that analyzes pairs of plaintexts rather than single
plaintexts, so the analyst can determine how the targeted algorithm
works when it encounters different types of data.
 Integral cryptanalysis attacks are similar to differential cryptanalysis
attacks, but instead of pairs of plaintexts, it uses sets of plaintexts in
which part of the plaintext is kept constant but the rest of the plaintext
is modified. This attack can be especially useful when applied to
block ciphers that are based on substitution-permutation networks.
 A side-channel attack depends on information collected from the
physical system being used to encrypt or decrypt. Successful side-
channel attacks use data that is neither the ciphertext resulting from
the encryption process nor the plaintext to be encrypted, but rather
may be related to the amount of time it takes for a system to respond
to specific queries, the amount of power consumed by the encrypting
system, or electromagnetic radiation emitted by the encrypting
system.
 A dictionary attack is a technique typically used against password
files and exploits the human tendency to use passwords based on
natural words or easily guessed sequences of letters or numbers. The
dictionary attack works by encrypting all the words in a dictionary and
then checking whether the resulting hash matches an encrypted
password stored in the SAM file format or other password file.
 Man-in-the-middle attacks occur when cryptanalysts find ways to
insert themselves into the communication channel between two parties
who wish to exchange their keys for secure communication via
asymmetric or public key infrastructure The attacker then performs a
key exchange with each party, with the original parties believing they
 are exchanging keys with each other. The two parties then end up
using keys that are known to the attacker.

Other types of cryptanalytic attacks can include techniques for convincing

individuals to reveal their passwords or encryption keys, developing Trojan
horse programs that steal secret keys from victims' computers and send them
back to the cryptanalyst, or tricking a victim into using a weakened
cryptosystem.

Side-channel attacks have also been known as timing or differential power

analysis. These attacks came to wide notice in the late 1990s when
cryptographer Paul Kocher was publishing results of his research into timing
attacks and differential power analysis attacks on Diffie-Hellman, RSA, Digital
Signature Standard (DSS) and other cryptosystems, especially against
implementations on smart cards.

Tools for cryptanalysis

Because cryptanalysis is primarily a mathematical subject, the tools for doing
cryptanalysis are in many cases described in academic research papers.
However, there are many tools and other resources available for those interested
in learning more about doing cryptanalysis. Some of them include:

 CrypTool is an open source project that produces e-learning programs

and a web portal for learning about cryptanalysis and cryptographic
algorithms.
 Cryptol is a domain-specific language originally designed to be used
by the National Security Agency specifying cryptographic algorithms.
Cryptol is published under an open source license and available for
public use. Cryptol makes it possible for users to monitor how
algorithms operate in software programs written to specify the
algorithms or ciphers. Cryptol can be used to deal with cryptographic
routines rather than with entire cryptographic suites.
 CryptoBench is a program that can be used to do cryptanalysis of
ciphertext generated with many common algorithms. It can encrypt or
 decrypt with 29 different symmetric encryption algorithms; encrypt,
decrypt, sign and verify with six different public key algorithms; and
generate 14 different kinds of cryptrographic hashes as well as two
different types of checksum.
 Ganzúa (meaning picklock or skeleton key in Spanish) is an open
source cryptanalysis tool used for classical polyalphabetic and
monoalphabetic ciphers. Ganzúa lets users define nearly completely
arbitrary cipher and plain alphabets, allowing for the proper
cryptanalysis of cryptograms obtained from non-English text. A Java
application, Ganzúa can run on Windows, Mac OS X or Linux.

Cryptanalysts commonly use many other data security tools including network
sniffers and password cracking software, though it is not unusual for
cryptanalytic researchers to create their own custom tools for specific tasks and
challenges.

Requirements and responsibilities for cryptanalysts

A cryptanalyst's duties may include developing algorithms, ciphers and security
systems to encrypt sensitive information and data as well as analyzing and
decrypting different types of hidden information, including encrypted data,
cipher texts and telecommunications protocols, in cryptographic security
systems.

Government agencies as well as private sector companies hire cryptanalysts to

ensure their networks are secure and sensitive data transmitted through their
computer networks is encrypted.

Other duties that cryptanalysts may be responsible for include:

 Protecting critical information from being intercepted copied,

modified or deleted.
 Evaluating, analyzing and targeting weaknesses in cryptographic
security systems and algorithms.
 Designing security systems to prevent vulnerabilities.
  Developing mathematical and statistical models to analyze data and
solve security problems.
 Testing computational models for accuracy and reliability.
 Investigating, researching and testing new cryptology theories and
applications.
 Searching for weaknesses in communication lines.
 Ensuring financial data is encrypted and accessible only to authorized
users.
 Ensuring message transmission data isn't hacked or altered in transit.
 Decoding cryptic messages and coding systems for military, law
enforcement and other government agencies.
 Developing new methods to encrypt data as well as new methods to
encode messages to conceal sensitive data.
Description

Static Code Analysis (also known as Source Code Analysis) is usually

performed as part of a Code Review (also known as white-box testing) and is
carried out at the Implementation phase of a Security Development Lifecycle
(SDL). Static Code Analysis commonly refers to the running of Static Code
Analysis tools that attempt to highlight possible vulnerabilities within ‘static’
(non-running) source code by using techniques such as Taint Analysis and Data
Flow Analysis.

Ideally, such tools would automatically find security flaws with a high degree of
confidence that what is found is indeed a flaw. However, this is beyond the state
of the art for many types of application security flaws. Thus, such tools
frequently serve as aids for an analyst to help them zero in on security relevant
portions of code so they can find flaws more efficiently, rather than a tool that
simply finds flaws automatically.

Some tools are starting to move into the Integrated Development Environment
(IDE). For the types of problems that can be detected during the software
development phase itself, this is a powerful phase within the development
lifecycle to employ such tools, as it provides immediate feedback to the
developer on issues they might be introducing into the code during code
development itself. This immediate feedback is very useful as compared to
finding vulnerabilities much later in the development cycle.

The UK Defense Standard 00-55 requires that Static Code Analysis be used on
all ‘safety related software in defense equipment’.[0]

Techniques

There are various techniques to analyze static source code for potential
vulnerabilities that maybe combined into one solution. These techniques are
often derived from compiler technologies.

Data Flow Analysis

Data flow analysis is used to collect run-time (dynamic) information about data
in software while it is in a static state (Wögerer, 2005).

There are three common terms used in data flow analysis, basic block (the
code), Control Flow Analysis (the flow of data) and Control Flow Path (the path
the data takes):

Basic block: A sequence of consecutive instructions where control enters at the

beginning of a block, control leaves at the end of a block and the block cannot
halt or branch out except at its end (Wögerer, 2005).

Example PHP basic block:

$a = 0;
$b = 1;

if ($a == $b)
{ # start of block
echo “a and b are the same”;
} # end of block
else
{ # start of block
echo “a and b are different”;
} # end of block
Control Flow Graph (CFG)

An abstract graph representation of software by use of nodes that represent

basic blocks. A node in a graph represents a block; directed edges are used to
represent jumps (paths) from one block to another. If a node only has an exit
edge, this is known as an ‘entry’ block, if a node only has a entry edge, this is
know as an ‘exit’ block (Wögerer, 2005).

Example Control Flow Graph; ‘node 1’ represents the entry block and ‘node 6’
represents the exit block.

Taint Analysis

Taint Analysis attempts to identify variables that have been ‘tainted’ with user
controllable input and traces them to possible vulnerable functions also known
as a ‘sink’. If the tainted variable gets passed to a sink without first being
sanitized it is flagged as a vulnerability.

Some programming languages such as Perl and Ruby have Taint Checking built
into them and enabled in certain situations such as accepting data via CGI.

Lexical Analysis

Lexical Analysis converts source code syntax into ‘tokens’ of information in an

attempt to abstract the source code and make it easier to manipulate (Sotirov,
2005).

Pre-tokenised PHP source code:

<?php $name = "Ryan"; ?>

Post tokenised PHP source code:

T_OPEN_TAG
T_VARIABLE
=
T_CONSTANT_ENCAPSED_STRING
;
T_CLOSE_TAG
Strengths and Weaknesses
Strengths

 Scales Well (Can be run on lots of software, and can be repeatedly (like in
nightly builds))
 For things that such tools can automatically find with high confidence,
such as buffer overflows, SQL Injection Flaws, etc. they are great.

Weaknesses

 Many types of security vulnerabilities are very difficult to find

automatically, such as authentication problems, access control issues,
insecure use of cryptography, etc. The current state of the art only allows
such tools to automatically find a relatively small percentage of
application security flaws. Tools of this type are getting better, however.
 High numbers of false positives.
 Frequently can’t find configuration issues, since they are not represented
in the code.
 Difficult to ‘prove’ that an identified security issue is an actual
vulnerability.
 Many of these tools have difficulty analyzing code that can’t be
compiled. Analysts frequently can’t compile code because they don’t
have the right libraries, all the compilation instructions, all the code, etc.

Limitations
False Positives

A static code analysis tool will often produce false positive results where the
tool reports a possible vulnerability that in fact is not. This often occurs because
the tool cannot be sure of the integrity and security of data as it flows through
the application from input to output.

False positive results might be reported when analysing an application that

interacts with closed source components or external systems because without
the source code it is impossible to trace the flow of data in the external system
and hence ensure the integrity and security of the data.

False Negatives

The use of static code analysis tools can also result in false negative results
where vulnerabilities result but the tool does not report them. This might occur
if a new vulnerability is discovered in an external component or if the analysis
tool has no knowledge of the runtime environment and whether it is configured
securely.

What is Cyber Defense?

Cyber defense used to be a concern for large companies and
government agencies, not the average person. But now there is a
new breed of hackers, those who target an individual’s smartphone,
credit card payments, and personal data, stored by small to medium-
sized companies.

Cyber defense is all about giving an entity the ability to thwart cyber
attacks on-the-go through cyber security . It involves all processes and
practices that will defend a network, its data, and nodes from
unauthorized access or manipulation. The most common cyber
defense activities include:

 Installing or maintaining hardware and software infrastructure

that deters hackers
 Analyzing, identifying and patching system vulnerabilities
 Real time implementation of solutions aimed at diffusing zero-
hour attacks
 Recovering from partially or fully successful cyber attacks

Cyber Security and Businesses

Businesses aren’t interested in how you will handle their cyber

security, as long as critical data and systems retain their credibility.
The weight behind security increases as the sensitivity of data and
level of risk increases. A business gathering data including physical
addresses will need less security than one that processes credit card
payments.

While such data is an incentive to hackers, it doesn’t necessarily

mean that someone will try to professionally break through the firewall
and protection to get that data. In most cases, hackers will walk off if
they encounter even the slightest resistance--there are easier targets
to be had.

This gives cyber security a deterrent approach. All your client will
need is assurance that he or she can conduct business without
worrying about the ever-growing cyber threats.
Common Roles in Cyber Security:

Since cyber security is so broad a field, most departments will have a

variety of experts whose combined skills result in formidable cyber
security. Depending on the size and scope of the business, a team
might consist of:

Information Security Analysts

These professionals work to protect important data from hackers.
They may be in charge of creating and implementing policies or
strategies to make cyber attacks difficult or impossible, ensure
compliance to the policies, and train corporate employees on cyber
security.

Lead Software Security Engineers

These experts analyze corporate software and lead teams of security
developers tasked with creating custom patches to plug any
vulnerabilities.

Chief Information Security Officers

CISOs handle the development, implementation, and maintenance of
the security processes needed to protect an entity from risks and
threats.

Security Architects
Security architects analyze existing protective measures and
recommend better ways to protect systems. The security architect
might take things a step farther and design software, hardware, and
policies needed to implement the proposed security system.

Penetration Testers
Penetration testers are "white hat hackers," who simulate real hacks
with the sole purpose of identifying vulnerabilities in a security
system.

Forensics Experts
Forensic experts come in when systems fail and hackers gain access
to critical data. The forensic expert will identify how the intruders
made their way in and use this data to track down the perpetrators or
recommenced future system patches.