Black-bag cryptanalysis
In cryptography, black-bag cryptanalysis is a euphemism for the acquisition of cryptographic secrets via burglary, or the covert installation of keystroke logging or trojan horse software/hardware on target computers or ancillary devices. It is even possible to monitor the electromagnetic emissions of computer displays or keyboards from a distance of 20 metres (or more), and thereby decode what has been typed. This could be done by surveillance technicians, or via some form of bug concealed somewhere in the room. Although sophisticated technology is often used, black bag cryptanalysis can also be as simple as the process of copying a password which someone has unwisely written down on a piece of paper and left inside their desk drawer.

Regardless of the technique used, such methods are intended to capture highly sensitive information, e.g. cryptographic keys, key-rings, passwords or unencrypted plaintext. The required information is usually copied without removing or destroying it, so capture often takes place without the victim(s) realising it has occurred. Black-bag cryptanalysis is in contrast to a mathematical or technical cryptanalytic attack. The term refers to the black bag of equipment that a burglar would carry or a black bag operation.

The case of United States v. Scarfo highlighted one instance in which FBI agents using a "sneak and peek" search warrant placed a keystroke logger on an alleged criminal gang leader.

As with rubber-hose cryptanalysis, this is technically not a form of cryptanalysis; the term is used sardonically. However, given the free availability of very high strength cryptographic systems, this type of attack is a much more serious threat to most users than mathematical attacks. It is often much easier to attempt to circumvent cryptographic systems (e.g. steal the password) rather than attack them directly.

See also

  • Social engineering
  • Black Bag Operation
  • Shoulder surfing

The source of this article is Wikipedia, the free encyclopedia. The text of this article is licensed under the GFDL.
 