
# How can I do a brute force (ciphertext only) attack on a CBC-encrypted message?

April 17

Given a CBC ciphertext and IV, how can I find the encryption key?

We are limited to an 8-character key, each character in the range [a..h], so I can generate every possible key (there are only $8^8 = 2^{24}$ (about 4 million) different possible keys).

How would I go about finding the correct one though?

If (you suspect that) the (plaintext of the) encrypted data is ASCII text, you can check if the high bit of each decrypted byte is zero. As long as you have more than 24 bytes of data to check, the odds of that happening by chance are pretty low (given that you have a 24-bit keyspace).

UTF-8 text is also pretty easy to detect, since all bytes that do have the high bit set can only occur in a very distinctive pattern.

More generally, if you decrypt something with the wrong key, the output will look random, and thus all bytes (and all sequences of $n$ bytes) will appear on average about equally often. If you get output that deviates significantly from this (where significance can be measured e.g. using Pearson's $\chi^2$ test), it will most likely be the correct plaintext.

For small amounts of data, it may be useful to apply this test not only to the full bytes but also to their highest and/or two (and maybe even three) highest bits. This will detect byte values that cluster together (as e.g. letters and numbers do in ASCII), even if there are not enough bytes in the data to get many exact repeats. You can also try looking at the differences between two successive byte values (modulo 256) to detect correlations. All these (and many other variations of them) should be uniformly distributed for random data, whereas many of them will show distinct deviations from uniformity for most kinds of non-random data.
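The statistics described in this answer, written out as an added example (not part of the original answer): Pearson's $\chi^2$ statistic on the top one, two and three bits of each byte and on successive differences. Bucketing the differences by their top three bits and both sample inputs are assumptions of this example.

```python
import hashlib
from collections import Counter

def chi_squared(values, buckets):
    # Pearson's statistic against a uniform distribution over `buckets` outcomes.
    expected = len(values) / buckets
    counts = Counter(values)
    return sum((counts[b] - expected) ** 2 / expected for b in range(buckets))

def high_bits_clear(data):
    # ASCII check from the answer: every byte has its top bit zero.
    return all(b < 0x80 for b in data)

def uniformity_stats(data):
    # Each value stays small for random-looking bytes and grows for structured data.
    diffs = [(b - a) % 256 for a, b in zip(data, data[1:])]
    return {
        "top1": chi_squared([b >> 7 for b in data], 2),
        "top2": chi_squared([b >> 6 for b in data], 4),
        "top3": chi_squared([b >> 5 for b in data], 8),
        # Differences are bucketed by their top three bits (this example's choice).
        "diff_top3": chi_squared([d >> 5 for d in diffs], 8),
    }

def score(data):
    # Higher means further from uniform; rank trial decryptions by this value.
    return sum(uniformity_stats(data).values())

# Constructed inputs: a 40-byte ASCII message, and 40 bytes of hash output
# standing in for what a trial decryption under a wrong key looks like.
TEXT = b"Meet me at the usual place at 9 tonight."
NOISE = hashlib.sha512(b"constructed wrong-key output").digest()[:40]
```

When every byte has its high bit clear, the `top1` statistic equals the number of bytes, which is why even a short ASCII plaintext stands out from wrong-key output.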

In addition to the plaintext analysis given in detail by Ilmari, a first step after trial-decrypting is to check the padding mode.

As you are using a block cipher in CBC-mode, the size of the plaintext must be brought to a multiple of the block size. This is done by a padding mode. A common padding mode (being uniquely reversible) is PKCS#5-padding: Append as many bytes as necessary to come to a full multiple of the block size, but at least one, and have all these bytes have the same value, namely the number of appended bytes.

When decrypting, you then can check if the last $n$ bytes all have the same value $n$. For a wrong key, in about $\frac{1}{256}$ of all cases this will end with $1$, in $\frac{1}{256 \cdot 256}$ of all cases it will end with $2,2$, and so on, and then you'll have to check the rest of the decrypted plaintext to see if it is plausible (see the answer from Ilmari for details). In all other cases you know immediately that the key is wrong. (Of course, this is only useful if you know (or can guess) the padding scheme.)

Note that with CBC, you can decrypt the last block without decrypting all the other blocks - just do Decrypt(key, last block) ⊕ before-last block to get the plaintext.
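The padding check and the last-block shortcut from this answer, as an added example that is not part of the original answer. The page names no cipher, so a toy 4-round Feistel cipher with an 8-byte block stands in for it; the key, IV and message are constructed, and every function name is this example's own.

```python
import hashlib
from itertools import islice, product

BLOCK = 8  # block size of the toy cipher below (assumption: the page names no cipher)

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, i, half):  # round function of a toy 4-round Feistel cipher
    return hashlib.sha256(key + bytes([i]) + half).digest()[:4]

def encrypt_block(key, block):
    left, right = block[:4], block[4:]
    for i in range(4):
        left, right = right, _xor(left, _f(key, i, right))
    return left + right

def decrypt_block(key, block):
    left, right = block[:4], block[4:]
    for i in reversed(range(4)):
        left, right = _xor(right, _f(key, i, left)), left
    return left + right

def cbc_encrypt(key, iv, plaintext):
    pad = BLOCK - len(plaintext) % BLOCK  # PKCS#5: always 1..BLOCK bytes
    data, out, prev = plaintext + bytes([pad]) * pad, [], iv
    for i in range(0, len(data), BLOCK):
        prev = encrypt_block(key, _xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def padding_length(block):
    # n if the block ends in n bytes of value n (1 <= n <= BLOCK), otherwise 0.
    n = block[-1]
    return n if 1 <= n <= BLOCK and block.endswith(bytes([n]) * n) else 0

def last_block_padding(key, iv, ciphertext):
    # Decrypt only the final block and XOR it with the block before it (the IV if none).
    prev = (iv + ciphertext)[-2 * BLOCK:-BLOCK]
    return padding_length(_xor(decrypt_block(key, ciphertext[-BLOCK:]), prev))

# Constructed sample: key from the a..h alphabet, fixed IV, 26-byte message (6 pad bytes).
KEY, IV = b"badcafeh", bytes(range(8))
CT = cbc_encrypt(KEY, IV, b"constructed sample message")

def wrong_keys_passing(limit=4096):
    # How many of the first `limit` wrong keys survive the padding check (about 1 in 256)?
    keys = (bytes(k) for k in islice(product(b"abcdefgh", repeat=8), limit))
    return sum(1 for k in keys if k != KEY and last_block_padding(k, IV, CT))
```

The keys that survive this filter still need the plaintext plausibility checks from the first answer, since roughly one wrong key in 256 produces valid-looking padding.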
