0 / 10 flipped
Birthday Attack
Tap to reveal
A cryptographic attack exploiting the birthday paradox probability to find hash collisions. Named after the fact that only 23 people are needed in a room before there's a 50% chance two share a birthday β far fewer than intuition suggests, because any two people can match (not just one specific pair). In crypto: for a hash producing N possible outputs, a collision search requires only approximately βN attempts. This means a 128-bit hash offers only 64-bit collision resistance. Defense: use a large hash output size β SHA-256 provides 128-bit collision resistance; SHA-512 provides 256-bit. The larger the output, the harder the birthday attack.
Hash Collision
Tap to reveal
When two different plaintext inputs produce the exact same hash digest output:
hash(A) = hash(B) where A β B. Hash functions are designed to make this computationally infeasible β different inputs should always yield different digests. When a collision is found, the hash function's collision resistance has failed. Security impact: in digital signatures, a collision allows substituting a fraudulent document for a legitimate one while keeping the valid signature intact. MD5 (2004 practical collision) and SHA-1 (2017 SHAttered attack) both have demonstrated practical collisions. SHA-256 and SHA-3 do not.MD5 β Key Facts
Tap to reveal
Message Digest Algorithm 5. 128-bit output. First published April 1992. Collision vulnerabilities identified 1996; practical collisions demonstrated 2004. December 2008: researchers used MD5 collisions to forge a TLS certificate that appeared legitimately signed by RapidSSL CA β the CA never signed it; the hash collision allowed the forgery without the CA's private key. MD5 is forbidden in any security-critical context (digital signatures, certificate signing, authentication). The 2008 incident is the exam's canonical demonstration of why hash collision resistance matters for PKI trust.
Downgrade Attack
Tap to reveal
An attack that forces two communicating parties to use a weaker cryptographic protocol or algorithm than either would choose by interfering with the protocol negotiation. Does not break the stronger protocol β prevents it from being used. Once on a weaker protocol, the attacker either reads traffic directly (SSL stripping β plaintext HTTP) or exploits known weaknesses in the weaker protocol (POODLE β SSL 3.0 padding oracle). Requires an on-path attacker to interfere with the negotiation. Defense: eliminate the fallback target β disable legacy protocols; implement HSTS; use TLS_FALLBACK_SCSV. If there's nothing to downgrade to, there's nothing to exploit.
SSL Stripping
Tap to reveal
An on-path downgrade attack that intercepts the server's HTTPβHTTPS redirect before it reaches the victim's browser. The victim's browser never learns HTTPS is available; continues using HTTP for the entire session. The attacker maintains an HTTP connection with the victim (reads everything in plaintext) while maintaining an HTTPS connection with the server (appears legitimate). Victim sends credentials over HTTP β attacker captures them. No certificate error is displayed β the victim simply doesn't know HTTPS exists. Key defense: HSTS β the browser stores "always use HTTPS for this domain" and refuses to send the initial HTTP request that SSL stripping requires.
POODLE
Tap to reveal
Padding Oracle On Downgraded Legacy Encryption. 2014 (CVE-2014-3566). Two-phase attack: (1) Downgrade β on-path attacker interferes with TLS handshake causing failures; client falls back to SSL 3.0 fallback; (2) Padding oracle β SSL 3.0's CBC mode encryption has a padding implementation flaw; attacker sends modified ciphertext blocks to the server; server's accept/reject response leaks plaintext information byte-by-byte. Result: attacker recovers session cookies without knowing the TLS key. Defense: disable SSL 3.0 on the server β no fallback target means no downgrade is possible. Modern browsers removed SSL 3.0 support entirely in response to POODLE.
HSTS β HTTP Strict Transport Security
Tap to reveal
A web security header that instructs the browser to refuse HTTP connections to the domain entirely β HTTPS only β for a specified duration. Header:
Strict-Transport-Security: max-age=31536000. After a browser stores the HSTS policy for a domain, it will not send the initial HTTP request that SSL stripping requires β the request is automatically upgraded to HTTPS before transmission. HSTS preloading goes further: browsers ship with a built-in list of HSTS domains, protecting even first-time visitors before they've ever received the HSTS header. The primary defense against SSL stripping. Requires no attacker interaction to be effective β the browser enforces it locally.Algorithm Attack vs. Implementation Attack
Tap to reveal
Algorithm attack: targets a mathematical weakness in the cryptographic design itself. Works against any correct implementation of the algorithm. Birthday attacks against MD5 are algorithm attacks β MD5's collision vulnerability is in its mathematical structure, not in any specific software that uses it. Defense: choose a stronger algorithm (SHA-256 instead of MD5). Implementation attack: targets how a correct algorithm is deployed, configured, or negotiated. TLS 1.3 is not broken β but if SSL 3.0 fallback is allowed (enabling POODLE) or HTTPS redirect can be stripped (enabling SSL stripping), the deployment is vulnerable. Defense: correct configuration (disable legacy protocols, implement HSTS). Exam tip: downgrade attacks and SSL stripping = implementation. Birthday attacks = algorithm.
Padding Oracle Attack
Tap to reveal
A cryptographic attack against CBC (Cipher Block Chaining) mode encryption that exploits the server's behavior when it receives incorrectly padded ciphertext. In CBC mode, plaintext is padded to fill the last block; the server checks this padding after decryption. If the server gives different responses for "bad padding" vs. "bad content but valid padding" β an oracle β the attacker can deduce plaintext bytes by sending modified ciphertext and watching responses. POODLE exploited a padding oracle in SSL 3.0's CBC implementation. Approximately 256 modified requests are needed per byte of plaintext. Defense: use authenticated encryption (AES-GCM) which detects any tampering before decryption β no padding oracle signal is generated.
Cryptographic Attack Defense Summary
Tap to reveal
Against birthday attacks: large hash output size β SHA-256 (128-bit collision resistance) or SHA-3; retire MD5 and SHA-1 from all security-critical use. Against SSL stripping: HSTS header + HSTS preloading β browser refuses HTTP connections to the domain entirely. Against POODLE / TLS downgrade: disable SSL 3.0, TLS 1.0, and TLS 1.1 server-side β remove the fallback target. Against all downgrade attacks: TLS_FALLBACK_SCSV extension signals fallback attempts to the server; server rejects if higher versions are supported. Universal principle: eliminate the weaker option so downgrade has no destination; use algorithms with sufficient output size so collisions are computationally infeasible.