I came across this post about the brute force attack in Luke’s group and respectfully disagree with the suggested answer “C. using a rainbow table to compare known hashes to unknown hashes.” Instead, I suggest option “D. repeatedly guessing a user’s password until the correct one is found” BEST describes a brute-force attack.
Attack against System and Password File/Repository
A rainbow table is useful in essentially one context: the attacker has already obtained a file or repository of password hashes and wants to reverse them offline. A brute-force attack is not so constrained. The attacker can try candidate passwords, manually or with a tool, against the live system (an online attack) or against a captured password file/repository (an offline attack), and can do so without any dictionary or rainbow table at all. In other words, a brute-force password attack can be applied to a system or to the password file/repository no matter how the passwords are stored.
Brute Force Password Attack
Passwords are typically stored in one of the following formats:
- Raw value (plaintext)
- Encrypted value (ciphertext, reversible by anyone holding the system's key)
- Hashed value (the only format a rainbow table applies to)
- Salted and hashed value (the salt defeats precomputation: a rainbow table built for one salt value is useless against any other)
A brute-force attack applies to all four formats. An online attacker needs nothing but the system's accept/reject answer to each guess; an offline attacker needs the stored value and the ability to recompute the transformation the system applied (for an encrypted value, that means the key as well). A rainbow table applies to unsalted hashed passwords only.
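To make the distinction concrete, here is an added Python example; it is not code from the original post or from the exam material being discussed. It simulates a system that holds the same password in each of the four formats, runs an exhaustive brute-force search against every one of them, runs a dictionary attack for contrast, and then builds a small rainbow table (chains with column-dependent reduction functions) that recovers the unsalted hash but cannot recover the salted one. Everything in it is constructed for the demo: a search space of 4-digit numeric PINs, a toy XOR "cipher" standing in for whatever real encryption a system would use, MD5 (chosen because it is fast, which is exactly what makes it a good target, not a recommendation), a fixed salt where a real system would draw a random per-user salt, and a four-entry word list.

```python
"""Brute force, dictionary and rainbow-table attacks against the four password
storage formats above.  Added illustration, not from the original post.  Constructed
for the demo: 4-digit numeric PINs as the search space, a toy XOR "cipher" in place of
the system's encryption, MD5 (fast, hence a good target), and a fixed salt."""
import hashlib
from typing import Callable, Dict, List, Optional, Tuple

CHARSET = "0123456789"                          # constructed: 4-digit PINs
LENGTH = 4
SPACE = len(CHARSET) ** LENGTH                  # 10,000 candidates
SECRET_KEY = b"toy-key"                         # constructed system key
SALT = b"\x9f\x3a\x00\x7c"                      # constructed; real salts are random
COMMON_PINS = ["0000", "1111", "1234", "2580"]  # constructed word list
CHAIN_LEN, NUM_CHAINS = 20, 500                 # rainbow-table parameters
Verifier = Callable[[str], bool]

def md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()

def toy_encrypt(pw: str) -> bytes:
    """Reversible XOR with a repeating key; stands in for real encryption."""
    return bytes(b ^ SECRET_KEY[i % len(SECRET_KEY)] for i, b in enumerate(pw.encode()))

def make_verifiers(password: str) -> Dict[str, Verifier]:
    """The target system holding the password in each format.  Each verifier answers
    only accept/reject, which is all an online guesser needs; an offline guesser
    recomputes the transformation itself (for 'encrypted' that needs the key)."""
    plain, enc = password, toy_encrypt(password)
    hashed, salted = md5(password.encode()), md5(SALT + password.encode())
    return {
        "plaintext": lambda g: g == plain,
        "encrypted": lambda g: toy_encrypt(g) == enc,
        "hashed": lambda g: md5(g.encode()) == hashed,
        "salted": lambda g: md5(SALT + g.encode()) == salted,
    }

def index_to_password(i: int) -> str:
    """Map 0..SPACE-1 onto the search space (base-|CHARSET| digits)."""
    out = []
    for _ in range(LENGTH):
        i, r = divmod(i, len(CHARSET))
        out.append(CHARSET[r])
    return "".join(reversed(out))

def brute_force(verify: Verifier) -> Tuple[Optional[str], int]:
    """Exhaustive search over every candidate; works for every storage format.
    Returns (password, attempts)."""
    for i in range(SPACE):
        guess = index_to_password(i)
        if verify(guess):
            return guess, i + 1
    return None, SPACE

def dictionary_attack(verify: Verifier, wordlist: List[str]) -> Optional[str]:
    """Search only a given list of likely passwords, not the whole space."""
    return next((g for g in wordlist if verify(g)), None)

def reduce_(h: bytes, column: int) -> str:
    """Reduction function: map a hash back into the password space (column-dependent)."""
    return index_to_password((int.from_bytes(h, "big") + column) % SPACE)

def build_rainbow_table() -> Dict[str, List[str]]:
    """Precompute chains over UNSALTED md5; store only end -> chain starts."""
    table: Dict[str, List[str]] = {}
    for c in range(NUM_CHAINS):
        start = index_to_password(c * SPACE // NUM_CHAINS)  # spread the starts
        p = start
        for col in range(CHAIN_LEN):
            p = reduce_(md5(p.encode()), col)
        table.setdefault(p, []).append(start)
    return table

def rainbow_lookup(table: Dict[str, List[str]], target: bytes) -> Optional[str]:
    """Assume the target sits at column `col` of some chain, walk to the chain end,
    and if that end is in the table regenerate from its start to find the preimage.
    A salted hash never matches: every chain was computed without the salt."""
    for col in range(CHAIN_LEN - 1, -1, -1):
        p = reduce_(target, col)
        for k in range(col + 1, CHAIN_LEN):
            p = reduce_(md5(p.encode()), k)
        for start in table.get(p, []):
            q = start
            for k in range(CHAIN_LEN):
                if md5(q.encode()) == target:
                    return q
                q = reduce_(md5(q.encode()), k)
    return None

def demo(password: str = "2580") -> Dict[str, object]:
    """Run every attack against every format ("2580" is a chain start, so the
    rainbow lookup is guaranteed to cover it)."""
    verifiers = make_verifiers(password)
    table = build_rainbow_table()
    return {
        "brute_force": {fmt: brute_force(v) for fmt, v in verifiers.items()},
        "dictionary": dictionary_attack(verifiers["salted"], COMMON_PINS),
        "rainbow_vs_hashed": rainbow_lookup(table, md5(password.encode())),
        "rainbow_vs_salted": rainbow_lookup(table, md5(SALT + password.encode())),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Running it shows the point of the list above: `brute_force` recovers the PIN from all four verifiers with the same number of attempts, because it never looks at the stored value, only at the accept/reject answer; `rainbow_lookup` recovers the unsalted hash from a table built once in advance, but returns `None` for the salted hash of the very same PIN, since none of its precomputed chains included the salt.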
The Definition of Attack
Moreover, Option C is not an attack at all but a technical description of the hash-matching process; it expresses no security risk exposure.
An attack is “an attempt to gain unauthorized access to system services, resources, or information, or an attempt to compromise system integrity, availability, or confidentiality.” (NIST SP 800-82 Rev. 2)
- A brute-force attack is an “attack on a cryptosystem that employs an exhaustive search of a set of keys, passwords or other data.” (ISO/IEC 11770-4:2017)
- An exhaustive attack, aka brute-force attack, is a “trial-and-error attempt to violate computer security by trying possible values of passwords or keys.” (ISO/IEC 2382:2015)
- A brute force password attack is “a method of accessing an obstructed device by attempting multiple combinations of numeric/alphanumeric passwords.” (NIST SP 800-101 Rev. 1)
- A brute force attack is “in cryptography, an attack that involves trying all possible combinations to find a match.” (NISTIR 8053)
- A dictionary attack (on a password-based system) is an “attack on a cryptosystem that employs a search of a given list of passwords. A dictionary attack on a password-based system can use a stored list of specific password values or a stored list of words from a natural language dictionary.” (ISO/IEC 11770-4:2017)
- Salt is a “random variable incorporated as secondary input to a one-way or encryption function that is used to derive password verification data.” (ISO/IEC 11770-4:2017)