Threat, Vulnerabilities and Mitigations: Indicators of Cryptographic Attacks Flashcards
What are the signs of a downgrade attack?
Downgrade attacks
A downgrade attack attempts to cause a connection, protocol, or cryptographic algorithm to revert to an older version:
Capture an SSH connection with Wireshark
Refer to the key exchange:
nmap --script=ssl-poodle 192.168.202.133
Indicators of compromise (IoCs):
Logs
Network traffic
Note: Both logs and network traffic might reveal multiple attempts to downgrade a protocol.
URL doesn’t have https
Warnings or errors connecting to secure sites and/or services.
What are the signs of Collision and Birthday Attacks?
Collision and birthday attacks
A collision attack exploits values that repeat among elements. Different inputs can result in the same output:
Different inputs that result in the same output
https://www.mscs.dal.ca/~selinger/md5collision/hello
https://www.mscs.dal.ca/~selinger/md5collision/erase
md5sum hello
md5sum erase
A birthday attack is a collision attack that is based on the birthday problem as follows:
A room with 23 people will have a 50% chance of two people with a matching birthday.
With 75 people, the odds increase to 99.9%.
What are the indicators of compromise for a collision attack?
Indicators of compromise:
Referred to as IoCs, they provide evidence of attacks:
Unintended duplication or substitution of data:
Hash collision attacks can lead to unintended duplication or substitution of data without detection.
Malicious activity around systems that rely on hash functions, such as those that use:
Digital certificates.
Certificate authorities.
Password hashes.
Secure communication protocols.
Note: If these systems show indications of malicious activity, they might have been compromised via a hash collision attack.