Cryptanalytic Attacks
Every Cipher Has an Adversary
In the previous module, we covered how to select and manage cryptographic solutions. This module covers the other side: how attackers try to break them. Understanding cryptanalytic attacks matters for two reasons. First, the exam tests whether you can identify the attack type from a scenario description. Second, and more practically, understanding the attack tells you what countermeasure to select.
An attack does not need to break the algorithm to succeed. It only needs to find the weakest point — and that point is usually the implementation, the key management, or the human.
CISSP exam objective 3.7 covers understanding cryptanalytic attacks. The exam does not expect you to perform these attacks. It expects you to recognize them by their characteristics and know what defense applies.
Attacks Against Keys
Brute Force Attack
A brute force attack tries every possible key until the correct one is found. If the key space is large enough, this becomes computationally infeasible within any reasonable timeframe.
- What it targets — Short key lengths and weak passwords
- How it works — Systematically tests every possible combination
- Countermeasure — Use sufficiently long keys (AES-256 has 2^256 possible keys, making brute force impractical with current technology). For passwords, enforce length and complexity requirements plus account lockout policies.
- Time factor — A 56-bit DES key can be brute-forced in hours. A 128-bit AES key would take longer than the age of the universe with current computing power.
Dictionary Attack
Instead of trying every possible combination, a dictionary attack tries a list of likely passwords or passphrases — common words, known leaked passwords, and predictable patterns.
- What it targets — Weak, predictable passwords
- How it works — Runs through a precompiled wordlist, often with common substitutions (p@ssw0rd, Summer2025!)
- Countermeasure — Enforce minimum password length (long passphrases beat complex short passwords), require multi-factor authentication, use salted hashing for stored passwords, and implement account lockout after failed attempts
Rainbow Table Attack
A rainbow table is a precomputed lookup table that maps hash values back to their plaintext inputs. Instead of hashing every possible password at attack time, the attacker does the computation in advance and stores the results.
- What it targets — Unsalted password hashes
- How it works — The attacker obtains hashed passwords (from a database breach, for example) and looks them up in the rainbow table to find matches
- Countermeasure — Salting. A salt is a random value added to each password before hashing. Because each user gets a unique salt, precomputed tables are useless — the attacker would need a separate rainbow table for every possible salt value. Modern password hashing functions (bcrypt, scrypt, Argon2) include salting automatically.
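As an added illustration (not code from the original module), the following Python shows why a precomputed table defeats unsalted SHA-256 and why a per-user salt makes the same table useless. The wordlist and password values are constructed; plain SHA-256 with a salt is used only to keep the example self-contained, and the comments point to bcrypt, scrypt or Argon2 for real systems.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed wordlist standing in for the input to an attacker's precomputed table.
COMMON_PASSWORDS = ["password", "123456", "letmein", "p@ssw0rd", "Summer2025!"]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_lookup_table(wordlist) -> Dict[str, str]:
    """Precompute hash -> password once. This is what a rainbow table amounts to
    for unsalted SHA-256 (a real table compresses this with hash chains)."""
    return {sha256_hex(pw.encode()): pw for pw in wordlist}


def store_unsalted(password: str) -> str:
    """The weak scheme from the scenario: same password, same hash, every time."""
    return sha256_hex(password.encode())


def store_salted(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, str]:
    """Per-user random salt prepended before hashing. Illustrative only: a
    production system should use bcrypt, scrypt or Argon2, which salt for you."""
    if salt is None:
        salt = os.urandom(16)
    return salt, sha256_hex(salt + password.encode())


def lookup(table: Dict[str, str], stored_hash: str) -> Optional[str]:
    """Table lookup: instant if the stored hash was precomputed, None otherwise."""
    return table.get(stored_hash)


def verify_salted(password: str, salt: bytes, stored_hash: str) -> bool:
    """Server-side check: recompute with the stored salt, compare in constant time."""
    return hmac.compare_digest(sha256_hex(salt + password.encode()), stored_hash)
```

Two users with the same password get different salted hashes, so the table would have to be rebuilt per salt value.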
Attacks Against Hash Functions
Birthday Attack
The birthday attack exploits the mathematics of the birthday paradox: in a group of just 23 people, there is a 50% chance that two share a birthday. Applied to cryptography, it means finding hash collisions is easier than finding a specific hash match.
- What it targets — Hash functions with insufficient output length, particularly for digital signatures
- How it works — The attacker generates many variations of two documents (one legitimate, one malicious) until both produce the same hash. If the legitimate document is signed, the signature also validates the malicious document.
- Countermeasure — Use hash functions with output lengths that make collision finding computationally infeasible. SHA-256 (256-bit output) provides 128 bits of collision resistance, which is considered sufficient. MD5 (128-bit output, 64 bits of collision resistance) is trivially broken by birthday attacks.
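The birthday bound behind the numbers above, worked as an added example (not from the original module): the exact probability for the 23-person case, the standard approximation that scales to hash-sized spaces, and the work factor that lands at roughly half the output length for 128-bit and 256-bit hashes.

```python
import math


def exact_collision_probability(n: int, space: int) -> float:
    """Exact birthday probability for n draws from `space` equally likely values.
    Only practical for small spaces (e.g. 365 birthdays)."""
    no_collision = 1.0
    for i in range(n):
        no_collision *= (space - i) / space
    return 1.0 - no_collision


def approx_collision_probability(n: float, space: float) -> float:
    """Standard approximation 1 - exp(-n(n-1)/2N), usable for hash-sized spaces
    where the exact product is out of reach."""
    return 1.0 - math.exp(-n * (n - 1) / (2.0 * space))


def draws_for_probability(p: float, output_bits: int) -> float:
    """Hash evaluations needed to reach collision probability p for an output
    of `output_bits` bits: n ~ sqrt(2N ln(1/(1-p))) with N = 2^output_bits."""
    space = 2.0 ** output_bits
    return math.sqrt(2.0 * space * math.log(1.0 / (1.0 - p)))


def collision_resistance_bits(output_bits: int) -> float:
    """Work factor in bits for a 50% collision: log2 of the draws needed,
    which comes out at about half the output length (64 for MD5, 128 for SHA-256)."""
    return math.log2(draws_for_probability(0.5, output_bits))
```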
Collision Attack
A collision occurs when two different inputs produce the same hash output. While conceptually related to the birthday attack, a collision attack specifically aims to find any two inputs that collide — not necessarily ones useful for a particular forgery.
- What it targets — Weak hash algorithms (MD5, SHA-1)
- Real-world impact — Researchers demonstrated a practical SHA-1 collision in 2017, accelerating its deprecation. MD5 collisions have been trivial since the mid-2000s.
- Countermeasure — Migrate to SHA-256 or SHA-3
Attacks Against the Encryption Process
Known Plaintext Attack (KPA)
The attacker possesses both the plaintext and its corresponding ciphertext, and uses these pairs to deduce the encryption key or algorithm details.
- What it targets — Algorithms where knowledge of plaintext-ciphertext pairs reveals key information
- How it works — Standardized headers in file formats, protocols, or messages provide known plaintext. A PDF file always starts with “%PDF”, for example. If the attacker knows the first few bytes of plaintext and has the corresponding ciphertext, they can work backward toward the key.
- Countermeasure — Strong algorithms (AES) are designed to resist known plaintext attacks. Using random initialization vectors (IVs) ensures that identical plaintexts produce different ciphertexts each time.
Chosen Plaintext Attack (CPA)
The attacker can submit arbitrary plaintext to the encryption system and observe the resulting ciphertext. This gives the attacker more control than a known plaintext attack.
- What it targets — Systems where the attacker can influence or inject data that gets encrypted
- How it works — The attacker submits carefully crafted inputs and analyzes the encrypted outputs to discover patterns that reveal the key or algorithm behavior
- Countermeasure — Algorithms should be resistant to chosen plaintext attacks by design. Randomized padding schemes and IVs prevent the same plaintext from producing the same ciphertext.
Chosen Ciphertext Attack (CCA)
The attacker can submit arbitrary ciphertext to the decryption system and observe the resulting plaintext (or error messages about it).
- What it targets — Systems that reveal information through error messages or timing differences during decryption
- How it works — The attacker sends modified ciphertext and observes how the system responds. Different error messages for “invalid padding” versus “invalid data” leak information about the decryption process. The padding oracle attack against older TLS implementations is a well-known example.
- Countermeasure — Return generic error messages that do not distinguish between decryption failure reasons. Use authenticated encryption modes (AES-GCM) that verify integrity before attempting decryption.
Attacks Against Implementation
Side-Channel Attacks
Side-channel attacks do not target the algorithm’s mathematical properties. They target the physical implementation — the hardware and software running the algorithm.
- Timing attacks — Measure how long cryptographic operations take. If comparing a password hash takes different amounts of time depending on how many characters match, the attacker can determine the correct hash one character at a time. Countermeasure: Constant-time comparison functions.
- Power analysis — Monitor the electrical power consumption of a device during cryptographic operations. Different operations consume different amounts of power, potentially revealing the key being processed. Countermeasure: Power consumption masking, noise injection, hardware shielding.
- Electromagnetic emanation — Capture electromagnetic radiation from the processor during cryptographic computations. Similar to power analysis but at a distance. Countermeasure: TEMPEST shielding, Faraday cages.
- Cache timing attacks — Observe CPU cache behavior during cryptographic operations. Access patterns to cached memory can reveal which portions of the key are being used. Countermeasure: Cache-resistant algorithm implementations, constant-time code.
The key insight about side-channel attacks is that the algorithm itself may be mathematically perfect, but the physical implementation leaks information through observable behavior. This is why the CISSP distinguishes between attacking the algorithm and attacking the implementation.
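The timing-attack countermeasure from the list above, shown as an added example (not code from the original module): an early-exit comparison, an instrumented copy that counts how many bytes it inspects before returning (the quantity that leaks), and the constant-time form next to the standard-library call a practitioner should actually use. The hash values in the test are constructed.

```python
import hmac


def compare_early_exit(a: bytes, b: bytes) -> bool:
    """Vulnerable pattern: returns at the first mismatching byte, so the time
    taken grows with the length of the matching prefix."""
    if len(a) != len(b):
        return False
    for x, y in zip(a, b):
        if x != y:
            return False
    return True


def bytes_inspected_early_exit(a: bytes, b: bytes) -> int:
    """Instrumented copy of the loop above: how many bytes it examines before
    returning. This count, not the boolean result, is what timing reveals."""
    if len(a) != len(b):
        return 0
    inspected = 0
    for x, y in zip(a, b):
        inspected += 1
        if x != y:
            break
    return inspected


def compare_constant_time(a: bytes, b: bytes) -> bool:
    """Hardened pattern: OR together the XOR of every byte pair and decide only
    at the end, so the work done does not depend on where the bytes differ.
    The length check is fine for fixed-length values such as hashes and MACs."""
    if len(a) != len(b):
        return False
    diff = 0
    for x, y in zip(a, b):
        diff |= x ^ y
    return diff == 0


def compare_stdlib(a: bytes, b: bytes) -> bool:
    """What to use in practice: the standard library's constant-time comparison."""
    return hmac.compare_digest(a, b)
```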
Meet-in-the-Middle Attack
This attack targets double encryption. If a message is encrypted with key K1 and then encrypted again with key K2, an attacker can encrypt from the plaintext side with all possible K1 values and decrypt from the ciphertext side with all possible K2 values, looking for a match in the middle.
- What it targets — Double encryption (two sequential applications of the same algorithm with different keys)
- Why it matters — This attack is the reason 2DES was never adopted. Double DES with two 56-bit keys does not provide 112 bits of security — the meet-in-the-middle attack reduces it to effectively 57 bits. This is also why 3DES uses three rounds: to defeat this attack.
- Countermeasure — Use triple encryption (3DES) or algorithms that are not vulnerable to this attack (AES with adequate key length)
Frequency Analysis
Frequency analysis examines the distribution of characters or patterns in ciphertext to identify the underlying plaintext. In English, the letter “e” is the most common, followed by “t”, “a”, and “o”. If these frequency patterns are preserved in the ciphertext, the cipher can be broken.
- What it targets — Simple substitution ciphers and any encryption that preserves frequency patterns
- Historical significance — This was the primary attack against classical ciphers (Caesar, Vigenère). It does not work against modern symmetric algorithms because AES and similar ciphers do not preserve frequency distributions.
- Countermeasure — Modern block and stream ciphers eliminate frequency patterns through diffusion and confusion properties
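An added example (not code from the original module) of the analyst-side check behind this section: the index of coincidence, which is unchanged by a substitution cipher and close to 1/26 for output that looks uniformly random. The sample text, the substitution key and the seeded random letters standing in for strong-cipher output are all constructed.

```python
import random
import string
from collections import Counter
from typing import Dict, List

ALPHABET = string.ascii_lowercase
ENGLISH_IC = 0.0667   # typical index of coincidence for English text
RANDOM_IC = 1 / 26    # about 0.0385 for uniformly random letters

# Constructed sample plaintext.
SAMPLE_TEXT = (
    "Security teams rarely see the algorithm fail. The weakest point is usually "
    "the implementation, the key management, or the people who hold the keys. "
    "Attackers look for that point first, because coercing a user or reading a "
    "timing leak is far cheaper than searching a large key space."
)


def letters_only(text: str) -> str:
    return "".join(ch for ch in text.lower() if ch in ALPHABET)


def letter_frequencies(text: str) -> Dict[str, int]:
    return Counter(letters_only(text))


def top_letters(text: str, k: int = 3) -> List[str]:
    return [ch for ch, _ in letter_frequencies(text).most_common(k)]


def index_of_coincidence(text: str) -> float:
    """Probability that two letters drawn from the text are the same letter.
    A substitution cipher permutes the alphabet but leaves this value unchanged."""
    counts = letter_frequencies(text)
    n = sum(counts.values())
    if n < 2:
        return 0.0
    return sum(c * (c - 1) for c in counts.values()) / (n * (n - 1))


def substitution_encrypt(text: str, key: str) -> str:
    """Monoalphabetic substitution: `key` is a permutation of the 26 letters."""
    return letters_only(text).translate(str.maketrans(ALPHABET, key))


def looks_like_substitution(ciphertext: str, threshold: float = 0.05) -> bool:
    """Analyst check: IC near the English value means frequencies survived;
    IC near 1/26 is what a modern cipher's output looks like."""
    return index_of_coincidence(ciphertext) > threshold


def random_letters(n: int, seed: int = 1234) -> str:
    """Stand-in for strong cipher output: uniformly random letters (seeded)."""
    return "".join(random.Random(seed).choices(ALPHABET, k=n))
```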
Social Engineering vs. Cryptanalytic Attacks
A critical distinction the CISSP draws: it is almost always easier to attack the person than the algorithm. Social engineering attacks against cryptographic systems include:
- Phishing for passwords or private keys — No amount of encryption strength matters if the user hands over their credentials
- Shoulder surfing during key entry — Observing someone enter a passphrase or PIN
- Insider threats — An administrator with access to key material can bypass cryptographic controls entirely
- Rubber hose cryptanalysis — Coercing the key holder to reveal the key (the name is dark humor — threatening physical harm is cheaper than breaking AES-256)
When an exam scenario describes an attacker who obtained encrypted data and the decryption key through a phishing attack, the failure is in the human layer, not the cryptographic layer. The countermeasure is security awareness training, multi-factor authentication, and separation of duties for key management — not a stronger algorithm.
Implementation Attacks vs. Algorithm Attacks
This distinction appears regularly on the exam:
- Algorithm attacks — Target mathematical weaknesses in the cipher itself. Examples: brute force, birthday attack, frequency analysis. Defense: use stronger algorithms with longer keys and larger output sizes.
- Implementation attacks — Target how the algorithm is coded or deployed. Examples: side-channel attacks, padding oracle, poor random number generation. Defense: use validated cryptographic libraries, constant-time operations, and follow implementation best practices.
Many real-world cryptographic failures are implementation attacks. The Heartbleed vulnerability in OpenSSL, for instance, had nothing to do with the strength of the TLS algorithms — it was a buffer over-read bug in the implementation that leaked private key material from server memory.
Pattern Recognition
Cryptanalytic attack questions follow these patterns:
- “The attacker has a stolen password database with unsalted hashes” — Rainbow table attack. The countermeasure is salting.
- “The attacker measured the time it takes for the server to respond” — Timing attack (side-channel). The countermeasure is constant-time comparison.
- “Two different documents produce the same hash” — Collision / birthday attack. The countermeasure is a stronger hash function (SHA-256+).
- “The attacker knows the file format starts with a standard header” — Known plaintext attack. The countermeasure is random IVs and strong algorithms.
- “The attacker can submit data to the system for encryption” — Chosen plaintext attack.
- “The error message reveals whether the padding was valid” — Chosen ciphertext / padding oracle attack. The countermeasure is authenticated encryption and generic error messages.
Trap Patterns
Watch for these wrong answers:
- “Use a longer key to prevent side-channel attacks” — Side-channel attacks bypass the algorithm entirely. A longer key does not help if the attacker is reading power consumption. The fix is in the implementation, not the key length.
- “Encrypt the password hashes to prevent rainbow table attacks” — Salting, not encryption, is the standard defense. Encrypting hashes adds complexity without addressing the root problem (identical passwords produce identical hashes without salting).
- “The algorithm has been broken” (when the scenario describes an implementation flaw) — A buffer overflow in the encryption software is not a weakness in AES. Distinguish between algorithm weaknesses and implementation bugs.
- “Brute force is always impractical” — Brute force is impractical against properly sized keys. Against short keys (DES 56-bit) or weak passwords, it is very practical with modern hardware.
Scenario Practice
Question 1
After a data breach, an organization discovers that attackers obtained their password database. The passwords were hashed using SHA-256 but without salts. Within hours, the attackers posted thousands of cracked passwords online.
Which attack was MOST likely used, and what should the organization implement to prevent this in the future?
A. Brute force attack — implement longer password requirements
B. Rainbow table attack — implement salted password hashing using bcrypt or Argon2
C. Dictionary attack — implement account lockout policies
D. Birthday attack — migrate to SHA-3 for password hashing
Answer & reasoning
Correct: B
The speed of the attack (thousands cracked within hours) and the lack of salting point to rainbow tables. Precomputed tables of SHA-256 hashes for common passwords exist, making lookups nearly instant. Salted hashing (using bcrypt, scrypt, or Argon2) defeats rainbow tables because each password gets a unique salt, invalidating precomputed tables. A brute force attack (A) against SHA-256 would take far longer. Account lockout (C) protects online attacks but not offline hash cracking. The birthday attack (D) targets hash collisions, not password recovery.
Question 2
A security researcher discovers that a smart card’s cryptographic operations take slightly different amounts of time depending on the bits of the private key being processed. By collecting thousands of measurements, the researcher extracts the full private key without any cryptographic weakness in the algorithm itself.
What type of attack is this?
A. Known plaintext attack
B. Chosen ciphertext attack
C. Timing side-channel attack
D. Meet-in-the-middle attack
Answer & reasoning
Correct: C
This is a timing attack, a category of side-channel attacks. The key was extracted by measuring the time taken for operations, not by attacking the mathematical properties of the algorithm. The fact that the researcher explicitly found “no cryptographic weakness in the algorithm itself” confirms this is an implementation attack, not an algorithm attack. The countermeasure is constant-time cryptographic operations that take the same amount of time regardless of the key bits being processed.
Question 3
An attacker intercepts encrypted network traffic between two offices. The traffic uses a proprietary encryption protocol that the attacker suspects is a simple substitution cipher. The attacker notices that certain byte sequences appear far more frequently than others in the ciphertext.
Which attack would be MOST effective against this encryption?
A. Brute force attack on the encryption key
B. Birthday attack against the cipher’s hash function
C. Frequency analysis of the ciphertext patterns
D. Power analysis of the encrypting hardware
Answer & reasoning
Correct: C
The scenario describes two telltale signs: a substitution cipher and observable frequency patterns in the ciphertext. Frequency analysis maps the distribution of characters in ciphertext to known language patterns (in English, “e” is the most common letter). A substitution cipher preserves these patterns because each plaintext letter maps to a fixed ciphertext letter. This is exactly what frequency analysis exploits. The real lesson: never use proprietary encryption. Use proven, standardized algorithms that eliminate frequency patterns.
Key Takeaway
For every cryptanalytic attack on the CISSP, remember three things: what it targets, how to recognize it in a scenario, and what stops it.
- Short keys and weak passwords → brute force and dictionary attacks → longer keys, MFA, lockout
- Unsalted hashes → rainbow tables → salt with bcrypt/Argon2
- Weak hash algorithms → birthday/collision attacks → SHA-256 or SHA-3
- Known or chosen plaintext → algorithm analysis → strong algorithms with random IVs
- Physical implementation leaks → side-channel attacks → constant-time code, hardware shielding
- Human weakness → social engineering → training, MFA, separation of duties
The algorithm is rarely the weakest link. Look at the implementation, the key management, and the people first.