Member Posts: 1,243 ■■■■■■■■□□
I'm currently preparing for my ISSAP and here's one of the practice questions that I've got:

Which statement is NOT true of cryptanalysis?
A) It is used to test the strength of an algorithm
B) It is a tool used to develop a secure cryptosystem
C) It is used to forge coded signals that will be accepted as authentic
D) It is a process of attempting reverse engineering of a cryptosystem

IMO, B is clearly the answer; however, the test question creator thinks that it is A.

Why is it B? Because cryptanalysis is not a tool. A tool is a specific software or hardware implementation of an idea (in this case an idea on how to weaken the algorithm). And cryptanalysis is not a specific implementation, it is more general stuff, all the ways and ideas on how to weaken the algorithm.

Why is it not A? Because one of the goals of cryptanalysis is to break or weaken the algorithm, i.e. test if the algorithm is as strong as advertised or there are hidden weaknesses in it that cryptanalysis is aimed to uncover.

Member Posts: 2,297 ■■■■■■■■□□
The correct answer is A. Don't get too hung up on the word "tool"; it is used to confuse you. Think of the word tool as a process or procedure you need to follow.
Cryptanalysis itself is not used to break or weaken the algorithm a cryptosystem is using but to uncover the algorithm and the method used, it is the analysis of the algorithm not the implementation of how to break it.

Also, on your responses of explanation you are contradicting yourself. You say cryptanalysis is not an implementation but then on the 2nd response you say the goal is to break or weaken. Those are contradictory statements.
Cryptanalysis is not used to test the strength of the algorithm.
Member Posts: 1,243 ■■■■■■■■□□
Well, I'm not exactly satisfied with this explanation and I'll break it down below.
TheFORCE wrote: »
The correct answer is A. Don't get too hung up on the word "tool"; it is used to confuse you. Think of the word tool as a process or procedure you need to follow.

Why would I not pay attention to this word if it was purposely put there by the author? Tool in cybersecurity has a pretty clear meaning and it is hardly a "knowledge" in any form, not a "process" or set of processes, not a set of "methods", but implementation of knowledge or process or method, in a form of a software or hardware. Therefore, cryptanalysis is hardly a tool. This word theoretically can be used, but I'd say rarely and hardly appropriately.

Later on, B goes to state that cryptanalysis helps to develop a secure cryptosystem, which is ambiguous to say the least. It's the same as saying that hacking helps to develop a secure cryptosystem. Yes, it kinda does, but not in a sense of technical strengthening the system, but oppositely, by uncovering weaknesses and flaws; and that acquired knowledge about weaknesses can be used to build a new system not affected by this flaw or weakness. Again, technically, strictly speaking, cryptanalysis isn't used to develop a secure cryptosystem, it is used to develop tools to break it (=find weaknesses and flaws in a cryptosystem).
TheFORCE wrote: »
Cryptanalysis itself is not used to break or weaken the algorithm a cryptosystem is using but to uncover the algorithm and the method used, it is the analysis of the algorithm not the implementation of how to break it.

My point is, more than often algorithms are flawed, because they are designed by humans, and humans are fundamentally flawed creatures. And cryptanalysis is aimed to discover those flaws or weaknesses using various approaches.

I didn't use proper wording in the main message of the topic by saying that cryptanalysis seeks to weaken the algorithm used, more precisely, it seeks to discover/uncover existing weaknesses and flaws in algorithm used. This process is known as "breaking" an algorithm.

Several quotes on word usage:

"While DES was designed with resistance to differential cryptanalysis in mind, other contemporary ciphers proved to be vulnerable. An early target for the attack was the FEAL block cipher. The original proposed version with four rounds (FEAL-4) can be broken using only eight chosen plaintexts..."

"Modern cryptography is heavily based on mathematical theory and computer science practice; cryptographic algorithms are designed around computational hardness assumptions, making such algorithms hard to break in practice by any adversary."

"Cryptanalysis is a process of finding weaknesses in cryptographic algorithms and using these weaknesses to decipher the ciphertext without knowing the secret key (instance deduction)"

"While monoalphabetic substitution ciphers are resilient to blind brute force, they can be broken easily with nothing more..."
TheFORCE wrote: »
Also, on your responses of explanation you are contradicting yourself. You say cryptanalysis is not an implementation but then on the 2nd response you say the goal is to break or weaken. Those are contradictory statements.
Cryptanalysis is not used to test the strength of the algorithm.

Why are those contradictory? Cryptanalysis is not a tool, but it USES tools to achieve its goals. Or, tools can be developed to achieve cryptanalysis' goals.

And what is an attempt to break or find a weakness in an algorithm if it's not testing this algorithm? It is exactly testing of an algorithm strength, just like pentesting is a testing of a strength of a security system.
Member Posts: 1,243 ■■■■■■■■□□
Just have found a good example of wording, so it's not even a poor wording on my part since it's used by gurus:

"The next ten years of cryptanalysis will probably not break AES, but may weaken AES’s security enough that a new standard block cipher will have to be developed"

i.e. cryptanalysis' goal is to discover weaknesses and flaws in a security cryptographic system (both its algorithm and its algorithm implementation) and ultimately break it, but the wording "discover weaknesses in a security system" is sometimes shortened to "weaken a security system", which isn't perfect, but is still used.
Member Posts: 2,297 ■■■■■■■■□□
This is one of those questions where they try to trick you. Again, look at what the question is asking. Emphasis on the word "not". So essentially ask the question "which statements are true?" Then you will see that B, C, and D are true but A is not true. Cryptanalysis is "not" used to "test" the strength of an algorithm. It is used to uncover the algorithm.
Member Posts: 1,531 ■■■■■■■■■□
Whoever came up with the statement involving the statement: "next 10 years..." has been about to be taken out back and shot. So that opinion should never have seen the light of day. Working on a crypto timeline from adoption to breakage. Thus far the original DES holds the record at a mere 15 years not to mention once thought "unbreakable" as well. Today the average is closer to seven years if not less.

Cryptanalysis - Analyzing Cryptography. A process not a tool or group of tools. The answer is B. The question is a negative response: It is NOT a tool used to develop a secure cryptosystem. The system is built already - final. Analysis won't rebuild the tool but test its strength, possibly forge packets or reverse engineer what is seen.

Member Posts: 1,243 ■■■■■■■■□□
Thanks beads, I knew I can rely on your expertise! Now I can sleep well
• Options
This exam item is an example of "choose the LEAST correct answer." Cryptanalysis can be used as a process to engineer better cryptosystems--by finding weaknesses in existing algorithms and their implementations and fixing them. However, that is not a specific purpose cryptanalysis was created for.

As to the "strength" of a cryptographic algorithm, wouldn't you say the ability of the algorithm (or its implementation) to resist cryptanalysis is part of its strength?
Member Posts: 2,297 ■■■■■■■■□□
JDMurray wrote: »
This exam item is an example of "choose the LEAST correct answer." Cryptanalysis can be used as a process to engineer better cryptosystems--by finding weaknesses in existing algorithms and their implementations and fixing them. However, that is not a specific purpose cryptanalysis was created for.

As to the "strength" of a cryptographic algorithm, wouldn't you say the ability of the algorithm (or its implementation) to resist cryptanalysis is part of its strength?

So which answer would you pick JD?
We have all read stories, I am sure, where the inventors of the most popular cryptosystems say that the algorithm should be public knowledge and that what is the most important is the actual key and not the algorithm itself.