The known ciphertext attack, or ciphertext only attack (COA), is an attack method used in cryptanalysis when the attacker has access to a given set of ciphertexts. The attacker does not have access to the corresponding cleartext in this method; however, COA is successful when the corresponding plaintext can be determined from a given set of ciphertext. Occasionally, the key used to encrypt the ciphertext can be determined from this attack.
How Do Modern Ciphers Work?
Today’s ciphers are significantly more secure than the classic ciphers. They are engineered to withstand a wide array of attack methods or schemes. One of the common traits of modern ciphers is that an attacker “should” be unable to discover the key that is being employed with the cipher, even if he or she has an unlimited amount of cleartext along with corresponding ciphertext. Modern-day ciphers can be divided into the following categories:
Public Key Cryptography (PKI)
Public key cryptography is an asymmetric key algorithm. In this scheme, there is a public key used for encryption and a private key used for decryption of the ciphertext. PKI was created in 1976 by Martin Hellman and Whitfield Diffie and represented a significant innovation in the field of cryptography since it significantly alters the process of encrypting and decrypting information. Instead of having to worry about end-users sharing a common, secret key, PKI makes use of two keys. The private key remains a secret and is only held by the person or organization that needs to decrypt information. Each private key has an associated public key that is used to encrypt data. This key does not need to be kept a secret and can even be posted online to share with others.
When discussing the two keys, they are referred to as a “key pair.” The key pair does have a reciprocal relationship so that they can only be used in conjunction with one another and are not related to any other key that has been generated. The pairing of the keys is made possible due to the mathematical relationship between the algorithms used to create the public / private key pairs. One key cannot be used to determine or ascertain what the other key’s identity is. The public key leverages its mathematical complexity and one-way nature to compensate for the fact that it is not kept a secret in order to prevent others from breaking the information stored within the key.
The most significant breakthrough with PKI is the ability to scale the use of secure cryptography. Because the public key can become public knowledge, the key management requirements for supporting IT systems are much lower than when relying on a single, shared key. Security programs leverage PKI for authentication, digital signatures, and encryption. Some of the specific applications that use PKI today are: web applications, portals, student or work information systems, VPN connections, firewalls, wireless access points, digital signatures, secure email, electronic document processing, signing XML forms, paperless authorization processes, instant messaging, and encrypting individual email or instant messages.
Private Key Cryptography
Private key cryptography is also referred to as a symmetric key algorithm. In private key systems, the same key is required for both the decryption and encryption of information. The key has to be shared in advance of sending ciphertext to the desired recipient and must be kept secret from others for the security of the system to be maintained. RSA, DES, and AES are three examples of algorithms that leverage private key cryptography.
Symmetric key ciphers can further be sub-divided into stream or block ciphers. Stream ciphers work on cleartext one character or digit at a time from a continuous stream of information. The transformation or encryption of digits will vary throughout the encryption process. In a block cipher, finite groups of data are encrypted or decrypted at one time.
What is Cryptanalysis?
Cryptanalysis is the study of techniques to ascertain the meaning or translation of encrypted data without access to the private or secret information. In order to conduct a cryptanalysis of a cipher, a working knowledge of the system is required. In a perfect world, cryptanalysis will result in discovery of the secret key used by the system. Depending on the nature of the cipher, there is a wide range of cipher attack models available to use to crack a cipher.
Cipher Attack Models
Some of the common cipher attack models used today include: ciphertext only, batch chosen plaintext attack, chosen ciphertext attack, adaptive chosen ciphertext attack, indifferent chosen ciphertext attack, and the related key attack.
Ciphertext Only Attack
The ciphertext only attack requires the cryptanalyst to have access to a collection of codetexts generated by the cipher to attack.
Chosen Plaintext Attack
The chosen plaintext attack requires the cryptanalyst to have ciphertexts that correspond to a random or arbitrary set of plaintexts of the attacker's choosing.
Batch Chosen Plaintext Attack
In the batch chosen plaintext attack, the attacker selects all plaintexts before any of them are encrypted and the related ciphertext is generated. This attack is also referred to as an unqualified use of the chosen plaintext attack.
Adaptive Chosen Plaintext Attack
In the adaptive chosen plaintext attack, the analyst is able to make a sequence or series of interactive queries. Subsequent plaintexts are able to be selected based on the results from the previous instances of encryption.
Chosen Ciphertext Attack
In a chosen ciphertext attack, the analyst is able to get hold of the cleartext that corresponds to a random set of ciphertexts that he or she has selected.
Adaptive Chosen Ciphertext Attack
In the adaptive chosen ciphertext attack, the attacker is able to change the text input into the cipher based on the results of previous inputs.
Related Key Attack
A related key attack is similar to a chosen plaintext attack except the attacker is able to obtain ciphertexts that are encrypted under two different keys. In this attack, the keys are not known; however, the relationship between the keys is known. A good example is two keys that differ by a set number of bits.
Guarding Against Known Ciphertext Attacks
Early ciphertexts commonly underwent analysis using the pen and paper method. Many ciphers were broken using statistical techniques for attacking the ciphertext with frequency analysis being one of the most common techniques. Over the course of time, cryptographers were able to develop statistical techniques to analyze ciphertext. With the invention of mechanical encryption techniques such as the German Enigma system, it became significantly more challenging to conduct a ciphertext only attack of a cipher.
All modern-day cipher systems attempt to protect against the ciphertext only attack. When selecting a cipher model or design today, large amounts of ciphertext are tested against the model to see if there is any statistical vulnerability for the ciphertext for cracking when compared to random text or “noise.” There are a number of cipher systems that did not undergo extensive analysis prior to deployment to the field that are still in use today.
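The statistical check described above can be sketched as a chi-squared test of ciphertext bytes against uniform noise. This is an added example, not code from the original article; the shift cipher, the SHAKE-256 keystream stand-in, the sample text and the threshold of 400 are all assumptions chosen for illustration.

```python
import hashlib
from collections import Counter

def chi_squared_uniform(data: bytes) -> float:
    """Chi-squared statistic of byte counts against a uniform distribution."""
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))

def shift_encrypt(plaintext: bytes, shift: int) -> bytes:
    """Classic shift cipher on bytes: keeps the plaintext's frequency profile."""
    return bytes((b + shift) % 256 for b in plaintext)

def keystream_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """XOR with a SHAKE-256 keystream (illustration only, not a vetted cipher)."""
    stream = hashlib.shake_256(key).digest(len(plaintext))
    return bytes(p ^ s for p, s in zip(plaintext, stream))

def looks_random(data: bytes, threshold: float = 400.0) -> bool:
    # With 255 degrees of freedom, random data scores about 255;
    # 400 (assumed threshold) is far out in the tail.
    return chi_squared_uniform(data) < threshold

# Constructed sample plaintext, repeated so the test has enough data.
SAMPLE = b"Large amounts of ciphertext are tested against the model. " * 400

if __name__ == "__main__":
    candidates = [("shift", shift_encrypt(SAMPLE, 7)),
                  ("keystream", keystream_encrypt(SAMPLE, b"constructed demo key"))]
    for name, ct in candidates:
        print(f"{name:10s} chi2={chi_squared_uniform(ct):10.1f} "
              f"random-looking={looks_random(ct)}")
```

Passing this test is necessary but not sufficient: it only rules out the crudest statistical weakness and says nothing about structural flaws.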
Applications Susceptible to Ciphertext Attacks
The first versions of the PPTP virtual private network software produced by Microsoft are one of these systems. The software used the same RC4 key for both the sending and receiving computer. The newer versions of the software did solve this problem; however, any time a stream cipher similar to RC4 is used two times with the same key, it is vulnerable to a ciphertext only attack. Another commonly used, but crackable, implementation of a weak cipher is WEP (Wired Equivalent Privacy). This protocol is the first security protocol used for WiFi. The standard is crackable by a ciphertext only attack.
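Why reusing one stream cipher key in both directions is fatal can be shown in a few lines: the keystream cancels out and the XOR of the two ciphertexts equals the XOR of the two plaintexts. This is an added example, not code from the original article; a SHAKE-256 keystream stands in for RC4, and the key, nonces and messages are constructed.

```python
import hashlib

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def stream_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Toy stream cipher: SHAKE-256(key || nonce) keystream, standing in for RC4."""
    keystream = hashlib.shake_256(key + nonce).digest(len(plaintext))
    return xor(plaintext, keystream)

KEY = b"constructed shared key"
P_SEND = b"client -> server: login alice"   # constructed traffic, direction 1
P_RECV = b"server -> client: welcome bob"   # constructed traffic, direction 2

def reuse_leak(nonce_a: bytes, nonce_b: bytes) -> bool:
    """True if c1 XOR c2 equals p1 XOR p2, i.e. the keystream cancelled out."""
    c1 = stream_encrypt(KEY, nonce_a, P_SEND)
    c2 = stream_encrypt(KEY, nonce_b, P_RECV)
    return xor(c1, c2) == xor(P_SEND, P_RECV)

def zero_positions(nonce_a: bytes, nonce_b: bytes) -> list:
    """Offsets where the two ciphertexts are identical byte for byte."""
    c1 = stream_encrypt(KEY, nonce_a, P_SEND)
    c2 = stream_encrypt(KEY, nonce_b, P_RECV)
    return [i for i, (x, y) in enumerate(zip(c1, c2)) if x == y]

if __name__ == "__main__":
    # Same key, same (empty) nonce in both directions: the flawed design.
    print("keystream reused :", reuse_leak(b"", b""), zero_positions(b"", b""))
    # Distinct per-direction nonce: the keystreams differ and nothing cancels.
    print("distinct nonces  :", reuse_leak(b"dir-0", b"dir-1"))
```

With the keystream reused, the matching offsets are exactly the positions where both messages carry the same byte, which an observer learns without ever touching the key.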
Another way that a cipher can be vulnerable to a ciphertext attack is if the key space is not large enough to make a brute force attack impractical. In this case, the attacker can simply take existing ciphertext and try all possible keys. When conducting the attack, the resulting plaintext must be distinguished from noise when analyzing the output.
Other current examples typically involve very secure products that allow the end-user to select less-than-optimal password lengths. In these cases, attackers are able to crack the password using only ciphertext and a brute force attack.
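The two points above, that a small key space can be exhausted and that the right candidate has to be told apart from noise, are illustrated here with an 8-bit XOR key and a crude English scoring function, followed by the same arithmetic for larger keys. This is an added example, not code from the original article; the cipher, the sample message, the scoring rule and the rate of 10^12 trials per second are assumptions.

```python
import string

PRINTABLE = set(string.printable.encode())
COMMON = set(b"etaoinshrdlu ETAOINSHRDLU")   # frequent English letters and space

def xor_byte(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)

def english_score(candidate: bytes) -> float:
    """0.0 for anything with non-printable bytes, else the share of common letters."""
    if any(b not in PRINTABLE for b in candidate):
        return 0.0
    return sum(b in COMMON for b in candidate) / len(candidate)

def exhaust_keys(ciphertext: bytes):
    """Try all 256 keys and keep the candidate that looks most like English."""
    best = max(range(256), key=lambda k: english_score(xor_byte(ciphertext, k)))
    return best, xor_byte(ciphertext, best)

def years_to_exhaust(key_bits: int, trials_per_second: float = 1e12) -> float:
    """Time to try every key at an assumed rate, in years."""
    return 2 ** key_bits / trials_per_second / (365.25 * 24 * 3600)

# Constructed sample: a message encrypted under the single-byte key 0x5A.
MESSAGE = b"the resulting plaintext must be distinguished from noise"
SAMPLE_CT = xor_byte(MESSAGE, 0x5A)

if __name__ == "__main__":
    key, plaintext = exhaust_keys(SAMPLE_CT)
    print(f"recovered key 0x{key:02X}: {plaintext.decode()}")
    for bits in (8, 40, 56, 128):
        print(f"{bits:3d}-bit key space: {years_to_exhaust(bits):.3e} years")
```

The same arithmetic applies to password-derived keys: a short password caps the effective key space no matter how strong the cipher behind it is.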
What is the Chosen Ciphertext Attack?
The chosen ciphertext attack, or CCA, is an attack model that requires a selected ciphertext and its associated cleartext. The key is not known for this attack. In order to guard against this type of attack, cryptosystem implementers must try to guard against situations that would allow attackers to decrypt selected ciphertexts. Although this seems easy, it can prove difficult in practice since some cryptosystems, such as RSA, will use the same means to sign messages as well as decrypt them. This allows attacks to be successful when hashing is not used on the message before it is signed.
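The RSA point above can be made concrete with textbook RSA: signing a value without hashing is the same private-key operation as decrypting it, so a signer that signs arbitrary values also decrypts them, while hashing first breaks that equivalence. This is an added example, not code from the original article; the key is a constructed toy key built from two Mersenne primes, and the modular reduction of the digest is a simplification of real signature padding.

```python
import hashlib

# Constructed toy key from two Mersenne primes; far too small for real use.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+)

def encrypt(m: int) -> int:
    return pow(m, E, N)

def decrypt(c: int) -> int:
    return pow(c, D, N)

def sign_raw(x: int) -> int:
    """Unhashed 'signature': exactly the same computation as decrypt()."""
    return pow(x, D, N)

def digest_int(message: bytes) -> int:
    # Simplification: real schemes pad the digest (for example RSA-PSS).
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N

def sign_hashed(message: bytes) -> int:
    """Hash first, then apply the private key to the digest only."""
    return pow(digest_int(message), D, N)

def verify_hashed(message: bytes, signature: int) -> bool:
    return pow(signature, E, N) == digest_int(message)

SECRET = int.from_bytes(b"session key", "big")   # constructed sample plaintext
C = encrypt(SECRET)
C_BYTES = C.to_bytes((N.bit_length() + 7) // 8, "big")

if __name__ == "__main__":
    # Weak design: "sign this value" hands back the decryption of C.
    print("raw signing leaks plaintext   :", sign_raw(C) == SECRET)
    # Hardened design: the private key only ever touches SHA-256(C).
    sig = sign_hashed(C_BYTES)
    print("hashed signing leaks plaintext:", sig == SECRET)
    print("hashed signature verifies     :", verify_hashed(C_BYTES, sig))
```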
Examples of Chosen Ciphertext Attacks
The chosen ciphertext attack can either be non-adaptive or adaptive in nature (just like the other ciphertext attacks). In the non-adaptive variant, the person conducting the attack will select the ciphertext to decrypt in advance. The cleartext that results from the cipher will not be used to help select the additional ciphertext. In the adaptive variants of the attack, the ciphertext that is run through the cipher is changed based on the results of the previous decryptions.
The lunchtime attack (also known as the midnight attack) is a special version of the chosen ciphertext attack. The attack gets its name from the idea that it can be conducted on a targeted individual’s computer while he or she is away from the desk, or at lunch. In this attack, the attacker makes adaptive chosen ciphertext queries in a quick fashion. After conducting the attack, they must be able to attack the system or call the attack off. If the attacker succeeds in making adaptive chosen ciphertext queries, no encrypted messages can be hidden from the attacker’s view until they lose the access needed to conduct the queries. A number of modern attacks have been based on the lunchtime attack idea over the course of the past two decades.
Adaptive Chosen Ciphertext Attack
The adaptive chosen ciphertext attack is based on the ability to select ciphertexts dynamically before and after a challenge. The one stipulation is that the challenge ciphertext is not able to be queried. The attack is stronger in concept than the classic lunchtime attack and is also referred to as the CCA2 attack. The CCA2 is not encountered in the wild often. Instead, it is more commonly used to prove a given level of security for an application against a chosen ciphertext attack. RSA-OAEP is one example of a system that is proven to be secure against a chosen ciphertext attack.
What is the Known Plaintext Attack?
A complementing method to the known ciphertext attack is the known plaintext attack, or KPA. This attack requires the ability to have examples of both plaintext and the associated ciphertext for the given information. The data is then used to conduct an analysis of the cipher to ascertain the key used for the encryption of the information. Once cracked, the key is then used to decrypt all information secured by the cipher. Many of the classic ciphers are susceptible to this type of attack.