Chapter 52 Β· Tricks

Cryptographic Attacks β€” Exam Tricks

Common misconceptions, distractor patterns, and the performance task.

Trick 1 Β· The Birthday Name Is Misleading

A birthday attack has nothing to do with birthdays or birthday-based passwords.

The name comes from the birthday paradox β€” a probability observation that only 23 people are needed in a room before there is a 50% chance that any two of them share a birthday. The key insight is "any two" rather than one specific target.

Applied to cryptography: finding any two inputs that produce the same hash is far easier than finding a specific input that produces a target hash, because you are searching for a match within a growing set of pairs. For a hash with N possible outputs, this takes approximately √N attempts β€” not N.

Exam distractor: "A birthday attack targets a user's account by guessing passwords derived from their date of birth."
Correct: A birthday attack is a mathematical probability exploit used to find hash collisions. It has no connection to passwords, usernames, or dates of birth. The birthday paradox is simply the source of the name for the underlying probability principle.
Trick 2 Β· SSL Stripping Does Not Touch the Server's Private Key

SSL stripping does not require, steal, or bypass the server's TLS private key.

SSL stripping works by preventing a TLS connection from being established in the first place. The attacker intercepts the server's 301 redirect to HTTPS before it reaches the victim's browser. The victim's browser never learns that HTTPS exists for this domain β€” it continues communicating over HTTP.

Because there is no TLS session between the victim and the attacker, no certificate is presented, no key is needed, and no decryption occurs. The victim's credentials arrive in plaintext because TLS was never negotiated β€” not because it was broken.

Exam distractor: "SSL stripping works by stealing the server's TLS private key to decrypt the HTTPS session" or "SSL stripping requires a fraudulent certificate to intercept HTTPS traffic."
Correct: SSL stripping prevents HTTPS from being used at all. No certificate, no private key, no TLS decryption. The attack operates entirely at the HTTP layer between the victim and the attacker. The attacker connects to the server via HTTPS β€” the victim never does.
Trick 3 Β· POODLE Is Both a Downgrade Attack AND a Padding Oracle Attack

Labeling POODLE as only a downgrade attack misses the exploitation phase.

POODLE has two required phases that must both be present. Phase 1 (downgrade) forces the TLS negotiation to SSL 3.0 by injecting errors. Phase 2 (padding oracle) exploits a flaw in SSL 3.0's CBC mode padding to recover plaintext byte-by-byte. Neither phase alone constitutes a complete attack.

When the exam asks how to defend against POODLE, the correct answer addresses the downgrade: disable SSL 3.0 on the server. Without a fallback target, Phase 1 fails and Phase 2 is never reached. The defense targets the prerequisite.

Exam distractor: "POODLE is classified exclusively as a downgrade attack" or "POODLE exploits a padding oracle in TLS 1.2."
Correct: POODLE = downgrade (prerequisite) + padding oracle (exploitation). The padding oracle is in SSL 3.0 specifically β€” TLS 1.2/1.3 do not have this weakness. The defense is disabling SSL 3.0, which removes the downgrade target and makes the padding oracle unreachable.
Trick 4 Β· MD5 Is Not Universally Forbidden

MD5 is broken for collision resistance β€” but remains acceptable for non-security integrity verification.

MD5 must not be used in any context requiring collision resistance: digital signatures, certificate signing, authentication tokens, password hashing, or anything where an attacker could engineer two inputs with the same hash for fraudulent purposes.

However, MD5 remains acceptable for file download checksums where both parties are trusted and the goal is detecting accidental corruption, not adversarial substitution. This distinction matters because exam questions sometimes present "retire MD5 from all uses" as the correct answer β€” it is only correct in security-critical contexts.

Exam distractor: "MD5 must be immediately replaced in all applications, including non-security file integrity verification, because it is cryptographically broken."
Correct: MD5 is forbidden in security-critical contexts (digital signatures, PKI, authentication). It is still acceptable for non-adversarial integrity checks (e.g., verifying a downloaded ISO against a checksum posted by the vendor). The exam primarily focuses on the security-critical restriction, particularly for certificate signing and digital signatures.

Performance Task

You are a security consultant engaged to assess a mid-sized financial services firm's cryptographic posture. Your review produces the following three findings. For each finding, identify the attack it enables, classify it as an algorithm attack or an implementation attack, and recommend the specific remediation.

Finding 1

The firm's document management system generates digital signatures over contracts and compliance records using MD5 as the hash algorithm before encrypting with RSA-2048. The system has been in production since 2009 and handles legally binding documents.

Questions: What attack does this enable? Is this an algorithm or implementation attack? What is the specific remediation?

Click to reveal answer

Attack enabled: Birthday attack / hash collision attack. An adversary who can engineer two documents with the same MD5 hash can have the firm sign a legitimate document and then substitute the fraudulent one β€” the RSA signature remains valid over the fraudulent document because both share the same MD5 hash.

Classification: Algorithm attack. The vulnerability is in MD5's mathematical structure β€” its collision resistance is broken. No matter how correctly MD5 is implemented, practical collisions can be generated. The RSA key strength (2048-bit) is irrelevant; the attack targets the hash, not the asymmetric cipher.

Remediation: Replace MD5 with SHA-256 in the signature algorithm (use SHA-256withRSA). SHA-256 provides 128-bit collision resistance β€” computationally infeasible with current technology. Existing MD5-signed documents should be re-signed with SHA-256 where legally required.

Finding 2

The firm's customer portal runs TLS 1.2 as its preferred protocol, but still advertises SSL 3.0, TLS 1.0, and TLS 1.1 in its server hello for backward compatibility with legacy browser clients. The portal handles customer authentication and account access.

Questions: What attacks does this enable? Is this an algorithm or implementation attack? What is the specific remediation?

Click to reveal answer

Attacks enabled: POODLE (specifically targets SSL 3.0 fallback) and TLS downgrade attacks (any on-path attacker who can cause TLS 1.2/1.1/1.0 handshake failures can force fallback to SSL 3.0's CBC padding oracle). Once on SSL 3.0, the attacker can recover session cookies byte-by-byte using approximately 256 modified ciphertext requests per byte.

Classification: Implementation attack. TLS 1.2 is not broken β€” the vulnerability arises from the implementation allowing fallback to SSL 3.0. The deployment is vulnerable, not the algorithm. If SSL 3.0 were disabled, TLS 1.2 would remain secure.

Remediation: Disable SSL 3.0, TLS 1.0, and TLS 1.1 in the server configuration β€” support only TLS 1.2 (with strong cipher suites) and TLS 1.3. Configure TLS_FALLBACK_SCSV so any remaining fallback attempt causes the server to reject the downgraded handshake. Removing the legacy protocol support eliminates the fallback target; without a fallback destination, the downgrade has nowhere to land.

Finding 3

The customer portal serves all pages over HTTPS, and the server is configured to redirect HTTP requests to HTTPS with a 301 status code. There is no HSTS header present in any server responses. An analyst demonstrates that the portal's credentials can be captured on a shared Wi-Fi network by an on-path attacker.

Questions: What attack does this enable? Why is the 301 redirect insufficient? What specific controls would remediate the risk?

Click to reveal answer

Attack enabled: SSL stripping. An on-path attacker (ARP poisoning on the shared Wi-Fi) intercepts the 301 redirect before it reaches the victim's browser. The victim's browser never receives the redirect, never learns HTTPS is available, and sends credentials over plaintext HTTP. The attacker holds an HTTPS session with the server. No browser warning appears because no TLS session was attempted.

Why the 301 redirect is insufficient: The 301 redirect is a server response β€” it travels across the network before reaching the browser, meaning an on-path attacker can intercept and drop it. The browser only knows to use HTTPS when it has already received the redirect. SSL stripping prevents that delivery.

Remediation: (1) Add the HSTS header to all HTTPS responses: Strict-Transport-Security: max-age=31536000; includeSubDomains. After the browser stores this policy, it will refuse to send any HTTP request to the domain β€” the initial HTTP request SSL stripping requires is never sent. (2) Submit the domain to the HSTS preload list so first-time visitors are also protected before they have ever visited the site. HSTS preloading ships the policy in the browser, eliminating the "first visit" attack window.