Cryptanalytic Attacks for CISSP Domain 3 | SkillAssess
CISSP · Security Architecture and Engineering · 11 min read · 16 May 2026
Cryptanalytic Attacks: Brute Force, Side-Channel, Pass-the-Hash, and Ransomware
Cryptanalysis is the art of attacking cryptographic systems to recover plaintext, discover keys, or forge authenticated messages without authorised access to the key. The CISSP exam tests cryptanalytic attacks at two levels: classic attacks against the mathematical properties of cryptographic algorithms, and implementation attacks that exploit how cryptography is deployed rather than the algorithm itself. Understanding this distinction is critical — the exam explicitly tests it.
Classic Cryptanalytic Attacks
Classic attacks are theoretical attacks against the mathematical structure of cryptographic algorithms. The attacker has access to some combination of ciphertext, plaintext, or the ability to interact with an encryption oracle.
Brute force attack (exhaustive key search) involves systematically trying every possible key until the correct one is found. The feasibility of a brute force attack depends entirely on key length. A 56-bit DES key can be brute-forced in hours with modern hardware. A 128-bit AES key has 2^128 possible values, far beyond the computational capacity of any foreseeable classical computer. Quantum computers running Grover's algorithm halve the effective key length of symmetric keys, making 256-bit keys the recommendation for quantum resistance.
Ciphertext-only attack: the attacker has only ciphertext and must work from it alone. This is the most limited attack scenario. Historical ciphers (Caesar cipher, Vigenère) were vulnerable to ciphertext-only attacks through frequency analysis. Modern algorithms are designed to be secure even under ciphertext-only conditions.
Known-plaintext attack: the attacker has one or more pairs of plaintext and the corresponding ciphertext. This gives the attacker more information to work with when trying to derive the key. WEP (the deprecated Wi-Fi encryption standard) was vulnerable to known-plaintext attacks.
Chosen-plaintext attack: the attacker can choose arbitrary plaintexts and observe the resulting ciphertexts. This is a more powerful attack because the attacker can probe the algorithm with specific inputs to gain information about the key. Some modes of operation for block ciphers (ECB mode in particular) are vulnerable to chosen-plaintext attacks.
Chosen-ciphertext attack: the attacker can choose arbitrary ciphertexts and observe the corresponding plaintexts. RSA used with PKCS#1 v1.5 padding rather than OAEP was historically vulnerable to chosen-ciphertext attacks. Modern RSA implementations use OAEP (Optimal Asymmetric Encryption Padding) to prevent this.
Birthday attack: exploits the mathematical birthday paradox to find collisions in hash functions. If a hash function produces an n-bit output, an attacker can expect to find two inputs that produce the same hash output (a collision) after approximately 2^(n/2) operations — far fewer than brute-forcing the full n-bit space. This is why hash functions used for digital signatures must have large output sizes (SHA-256 provides 128-bit collision resistance; SHA-512 provides 256-bit).
Rainbow table attack: uses precomputed tables of hash values to reverse hash functions. Rather than brute-forcing a hash at attack time, rainbow tables trade computation time for storage space. The defence is password salting — adding a unique random value (salt) to each password before hashing so that rainbow tables (computed without the salt) are useless.
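Why a salt defeats precomputation, as an added example that is not from the original article: a plain dictionary stands in for the rainbow table, and PBKDF2-HMAC-SHA256 with a 16-byte salt is the salted scheme chosen here (the wordlist, iteration count and function names are assumptions for illustration).

```python
import hashlib
import hmac
import os

# Constructed sample wordlist standing in for precomputed candidate passwords.
WORDLIST = ["password", "letmein", "qwerty123", "Summer2024!"]
ITERATIONS = 200_000  # illustrative value; tune to current guidance

def unsalted_hash(password):
    return hashlib.sha256(password.encode()).hexdigest()

# Precomputed hash -> password table. A real rainbow table compresses this
# mapping with hash chains, but it is built the same way: without any salt.
PRECOMPUTED = {unsalted_hash(w): w for w in WORDLIST}

def table_lookup(stored_hex):
    """Return the password if the stored hash appears in the precomputed table."""
    return PRECOMPUTED.get(stored_hex)

def store_salted(password):
    """Return (salt, digest) using a fresh 16-byte random salt per password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify_salted(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)

if __name__ == "__main__":
    print("unsalted hash found in table:", table_lookup(unsalted_hash("letmein")))
    salt_a, digest_a = store_salted("letmein")
    salt_b, digest_b = store_salted("letmein")
    print("same password, same stored digest?", digest_a == digest_b)
    print("salted digest found in table:", table_lookup(digest_a.hex()))
    print("legitimate login still verifies:", verify_salted("letmein", salt_a, digest_a))
```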
Side-Channel Attacks
Side-channel attacks do not attack the algorithm itself; they attack information leaked by the physical implementation of the algorithm. This is the critical distinction: a side-channel attack exploits how cryptography is deployed, not the cryptographic mathematics.
Timing attacks exploit variations in the time taken to perform cryptographic operations. If an RSA decryption operation takes slightly different amounts of time depending on the private key bits being processed, an attacker who can measure many decryption timings can statistically infer the private key. The defence is constant-time implementations that take the same time regardless of the input.
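The same principle on a simpler operation than RSA, as an added example that is not from the original article: comparing a secret value against a guess. Instead of wall-clock time it counts the bytes each comparison examines, so the data-dependent behaviour is deterministic; `SECRET_TAG` and the function names are constructed for illustration.

```python
SECRET_TAG = bytes(range(16))  # constructed 16-byte secret value

def leaky_equal(secret: bytes, guess: bytes):
    """Early-exit comparison. Returns (equal, bytes_examined)."""
    if len(secret) != len(guess):
        return False, 0
    for i, (s, g) in enumerate(zip(secret, guess)):
        if s != g:
            return False, i + 1  # work done depends on the matching prefix
    return True, len(secret)

def constant_time_equal(secret: bytes, guess: bytes):
    """Examines every byte no matter where the first mismatch is."""
    if len(secret) != len(guess):
        return False, 0
    diff = 0
    for s, g in zip(secret, guess):
        diff |= s ^ g  # accumulate differences, never branch on them
    return diff == 0, len(secret)

def guess_with_prefix(n: int) -> bytes:
    """A guess whose first n bytes match SECRET_TAG and the rest do not."""
    return SECRET_TAG[:n] + bytes(b ^ 0xFF for b in SECRET_TAG[n:])

def work_profile(compare):
    """Bytes examined for guesses that match 0, 4, 8 and 15 leading bytes."""
    return [compare(SECRET_TAG, guess_with_prefix(n))[1] for n in (0, 4, 8, 15)]

if __name__ == "__main__":
    print("early exit   :", work_profile(leaky_equal))
    print("constant time:", work_profile(constant_time_equal))
```

In production Python code the standard library's `hmac.compare_digest` provides the constant-time comparison.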
Power analysis attacks measure the power consumption of a device performing cryptographic operations. Different operations consume different amounts of power, and by analysing power consumption over many operations (differential power analysis), an attacker can statistically derive the key. This is particularly relevant for smart cards, hardware tokens, and IoT devices.
Fault injection attacks deliberately introduce errors into a device — through voltage spikes, clock glitches, or laser pulses — to cause the cryptographic computation to produce incorrect results. By comparing correct and faulty outputs, attackers can derive key material. Hardware security modules (HSMs) and tamper-resistant devices defend against fault injection.
Electromagnetic analysis attacks capture electromagnetic emissions from a device performing cryptographic operations and analyse them to derive key information. Similar in principle to power analysis.
For the exam: side-channel attacks are implementation attacks. The algorithm is not broken — the physical or software implementation leaks information that enables key recovery. The distinction between algorithm attacks and implementation attacks appears directly in exam questions.
Pass-the-Hash and Kerberos Exploitation
Pass-the-hash (PtH) is an attack technique that exploits the way Windows authentication works. When a user authenticates to Windows, their password is never stored in plaintext — instead, the NTLM hash of the password is stored. Windows authentication protocols allow authentication using the hash directly, without knowing the underlying password. An attacker who compromises a system and extracts the NTLM hashes from memory (using tools like Mimikatz) can use those hashes to authenticate to other systems on the network without ever knowing the user's password.
Defences against pass-the-hash include implementing Credential Guard (which uses virtualisation to protect credential hashes in memory), using network authentication protocols that do not accept hash-based authentication (Kerberos with strong authentication policies), and limiting local administrator accounts (which provide the hashes most valuable for lateral movement).
Kerberos is the authentication protocol used in Active Directory environments. While more secure than NTLM, Kerberos is also subject to specific attacks. The Golden Ticket attack exploits the Kerberos Ticket Granting Ticket (TGT) system: by compromising the KRBTGT account (the Kerberos key distribution centre's service account), an attacker can forge TGTs for any user in the domain, including non-existent accounts, with any privileges and any expiry date. A Golden Ticket remains valid until the KRBTGT account password is rotated (twice, due to how Kerberos key rollover works).
The Silver Ticket attack is a lower-privilege variation: rather than forging a TGT, the attacker forges a service ticket for a specific service, without involving the KDC. Silver Tickets are harder to detect because they do not touch the domain controller.
For the exam: pass-the-hash exploits NTLM authentication by using captured hashes instead of passwords. Kerberos Golden Ticket exploits the KRBTGT account to forge universal domain access.
Man-in-the-Middle Attacks and PKI Defence
A man-in-the-middle (MITM) attack intercepts communications between two parties who believe they are communicating directly with each other. The attacker can read, modify, and inject messages. Against unencrypted communications, MITM is trivially easy. Against encrypted communications, the attacker must also defeat the cryptographic trust mechanism.
PKI defends against MITM attacks by binding public keys to verified identities through CA-signed certificates. When a browser connects to a web server, it receives the server's certificate. If the certificate is valid, not revoked, and signed by a trusted CA, the browser trusts that the public key belongs to the claimed domain. An MITM attacker cannot present a valid certificate for a domain they do not control (without compromising a CA — which has happened in cases like DigiNotar and Symantec).
Certificate pinning is an additional defence: applications hardcode the expected certificate or public key for specific domains, refusing to connect if a different certificate is presented. This defeats even a compromised CA but creates operational challenges for certificate renewal.
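A pin check layered on top of normal CA validation, as an added example that is not from the original article. It pins the SHA-256 fingerprint of the whole DER certificate (an assumption made here to stay within the standard library), and the byte strings are constructed stand-ins for certificates so the renewal problem can be shown offline.

```python
import hashlib
import socket
import ssl

def cert_pin(der_cert: bytes) -> str:
    """SHA-256 fingerprint of the DER-encoded certificate, hex encoded."""
    return hashlib.sha256(der_cert).hexdigest()

def pin_matches(der_cert: bytes, allowed_pins) -> bool:
    """True only if the presented certificate is one of the pinned ones."""
    return cert_pin(der_cert) in allowed_pins

def connect_pinned(host: str, allowed_pins, port: int = 443) -> ssl.SSLSocket:
    """CA chain and hostname validation first, then the pin check on top."""
    ctx = ssl.create_default_context()
    sock = ctx.wrap_socket(socket.create_connection((host, port), timeout=10),
                           server_hostname=host)
    if not pin_matches(sock.getpeercert(binary_form=True), allowed_pins):
        sock.close()
        raise ssl.SSLError(f"certificate for {host} does not match any pin")
    return sock

# Constructed byte strings standing in for DER certificates (not real certs).
CURRENT_CERT = b"constructed-current-certificate"
RENEWED_CERT = b"constructed-renewed-certificate"
OTHER_CA_CERT = b"constructed-certificate-from-a-different-CA"

if __name__ == "__main__":
    pins = {cert_pin(CURRENT_CERT)}
    print("current cert accepted:", pin_matches(CURRENT_CERT, pins))
    print("CA-valid but unpinned cert accepted:", pin_matches(OTHER_CA_CERT, pins))
    # Renewal breaks the client unless the next pin was shipped in advance.
    print("renewed cert, single pin:", pin_matches(RENEWED_CERT, pins))
    pins.add(cert_pin(RENEWED_CERT))  # backup pin distributed before renewal
    print("renewed cert, backup pin:", pin_matches(RENEWED_CERT, pins))
```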
Ransomware as a Cryptographic Attack on Availability
Ransomware encrypts a victim's data using strong symmetric cryptography (typically AES-256) and demands payment for the decryption key. The attacker holds the decryption key and the victim cannot recover their data without it (assuming no backups and no key escrow).
From a cryptographic perspective, ransomware is a correct use of encryption — the algorithm is working as designed. The attack is not against the cryptographic algorithm but against the victim's operational availability. From a CIA triad perspective, ransomware primarily attacks availability (the victim cannot access their data) but also has confidentiality implications (modern ransomware often exfiltrates data before encrypting it for double extortion).
The defences against ransomware are operational, not cryptographic: comprehensive backups with tested recovery procedures, network segmentation to limit spread, endpoint detection and response to detect ransomware behaviour before encryption completes, and privileged access management to limit the blast radius of a compromised account.
Exam Tip
Implementation attacks exploit how crypto is deployed, not the algorithm itself. When an exam question describes an attack that uses timing measurements, power consumption analysis, or error induction to recover a key, the answer is a side-channel or implementation attack. This is distinct from attacks on the algorithm (brute force, chosen-plaintext). Also: ransomware is primarily an availability attack, not a confidentiality attack, even though it uses encryption.