Automating the Development of Chosen Ciphertext Attacks

Total Page:16

File Type:pdf, Size:1020Kb

Automating the Development of Chosen Ciphertext Attacks Automating the Development of Chosen Ciphertext Attacks Gabrielle Beck∗ Maximilian Zinkus∗ Matthew Green Johns Hopkins University Johns Hopkins University Johns Hopkins University [email protected] [email protected] [email protected] Abstract In this work we consider a specific class of vulner- ability: the continued use of unauthenticated symmet- In this work we investigate the problem of automating the ric encryption in many cryptographic systems. While development of adaptive chosen ciphertext attacks on sys- the research community has long noted the threat of tems that contain vulnerable format oracles. Unlike pre- adaptive-chosen ciphertext attacks on malleable en- vious attempts, which simply automate the execution of cryption schemes [17, 18, 56], these concerns gained known attacks, we consider a more challenging problem: practical salience with the discovery of padding ora- to programmatically derive a novel attack strategy, given cle attacks on a number of standard encryption pro- only a machine-readable description of the plaintext veri- tocols [6,7, 13, 22, 30, 40, 51, 52, 73]. Despite repeated fication function and the malleability characteristics of warnings to industry, variants of these attacks continue to the encryption scheme. We present a new set of algo- plague modern systems, including TLS 1.2’s CBC-mode rithms that use SAT and SMT solvers to reason deeply ciphersuite [5,7, 48] and hardware key management to- over the design of the system, producing an automated kens [10, 13]. A generalized variant, the format oracle attack strategy that can entirely decrypt protected mes- attack can be constructed when a decryption oracle leaks sages. Developing our algorithms required us to adapt the result of applying some (arbitrarily complex) format- techniques from a diverse range of research fields, as well checking predicate F to a decrypted plaintext. Format as to explore and develop new ones. We implement our oracles appear even in recent standards such as XML algorithms using existing theory solvers. The result is a encryption [42, 45], Apple’s iMessage [36] and modern practical tool called Delphinium that succeeds against OpenPGP implementations [47, 59]. These attacks likely real-world and contrived format oracles. To our knowl- represent the “tip of the iceberg”: many vulnerable sys- edge, this is the first work to automatically derive such tems may remain undetected, due to the difficulty of complex chosen ciphertext attacks. exploiting non-standard format oracles. 1 Introduction From a constructive viewpoint, format oracle vulnera- bilities seem easy to mitigate: simply mandate that pro- The past decades have seen enormous improvement in tocols use authenticated encryption. Unfortunately, even our understanding of cryptographic protocol design. De- this advice may be insufficient: common authenticated spite these advances, vulnerable protocols remain widely encryption schemes can become insecure due to imple- deployed. In many cases this is a result of continued mentation flaws such as nonce re-use [21, 43, 46]. Setting support for legacy protocols and ciphersuites, such as aside implementation failures, the continued deployment TLS’s CBC-mode ciphers [7, 64], export-grade encryp- of unauthenticated encryption raises an obvious ques- tion [4,9, 19], and legacy email encryption [59]. How- tion: why do these vulnerabilities continue to appear ever, support for legacy protocols does not account for in modern protocols? The answer highlights a discon- the presence of vulnerabilities in more recent protocols nect between the theory and the practice of applied cryp- and systems [36, 42, 47, 72, 74]. tography. In many cases, a vulnerable protocol is not obviously an exploitable protocol. This is particularly ∗These authors contributed equally to the work. true for non-standard format oracles which require en- properties, can we programatically derive a chosen-ciphertext attack that allows us to effi- ciently decrypt arbitrary ciphertexts? Our primary requirement is that the software responsi- ble for developing this attack should require no further assistance from human beings. Moreover, the developed attack must be efficient: ideally it should not require sub- stantially more work (as measured by number of oracle queries and wall-clock execution time) than the equiva- lent attack developed through manual human optimiza- tion. To our knowledge, this work represents the first at- tempt to automate the discovery of novel adaptive cho- sen ciphertext attacks against symmetric format oracles. While our techniques are designed to be general, in prac- Figure 1: Output of a format oracle attack that our algo- tice they are unlikely to succeed against every possible rithms developed against a bitwise padding check ora- format checking function. Instead, in this work we initi- cle F (see §5.2 for a full description). The original bitpad ate a broader investigation by exploring the limits of our ciphertext is a valid 128-bit (random) padded message approach against various real-world and contrived format encrypted using a stream cipher. Each row of the bitmap checking functions. Beyond presenting our techniques, represents a malleation string that was exclusive-ORed our practical contribution of this work is a toolset that with the ciphertext prior to making a decryption query. we name Delphinium, which produces highly-efficient attacks across several such functions. tirely new exploit strategies. As a concrete example, the Relationship to previous automated attack work. Pre- authors of [36] report that Apple did not repair a com- vious work [12, 26, 58] has looked at automatic discovery plex gzip compression format oracle in the iMessage and exploitation of side channel attacks. In this setting, a protocol when the lack of authentication was pointed out; program combines a fixed secret input with many “low” but did mitigate the flaw when a concrete exploit was inputs that are (sometimes adaptively) chosen by an at- demonstrated. Similar flaws in OpenPGP clients [36, 59] tacker, and produces a signal, e.g., modeling a timing and PDF encryption [55] were addressed only when re- result. This setting can be viewed as a special case of searchers developed proof-of-concept exploits. The un- our general model (and vice versa). Like our techniques, fortunate aspect of this strategy is that cryptographers’ several of these works employ SAT solvers and model time is limited, which leads protocol designers to dis- counting techniques. However, beyond these similarities, count the exploitability of real cryptographic flaws. there are fundamental differences that manifest in our Removing the human element. In this work we investi- results: (1) in this work we explore a new approach based gate the feasibility of automating the design and devel- on approximate model counting, and (2) as a result of this opment of adaptive chosen ciphertext attacks on symmet- approach, our results operate over much larger secret do- ric encryption schemes. We stress that our goal is not mains than the cited works. To illustrate the differences, simply to automate the execution of known attacks, as our experimental results succeed on secret (message) do- in previous works [45]. Instead, we seek to develop a mains of several hundred bits in length, with malleation methodology and a set of tools to (1) evaluate if a system strings (“low inputs”) drawn from similarly-sized do- is vulnerable to practical exploitation, and (2) program- mains. By contrast, the cited works operate over smaller matically derive a novel exploit strategy, given only a secret domains that rarely even reach a size of 224. More- description of the target. This removes the expensive over, our format functions are relatively complex. It is human element from attack development. an open question to determine whether the experimen- To emphasize the ambitious nature of our problem, we tal results in the cited works can be scaled using our summarize our motivating research question as follows: techniques. Our contributions. In this work we make the following Given a machine-readable description of a for- contributions: mat checking function F along with a descrip- tion of the encryption scheme’s malleation We propose new, and fully automated algorithms • for developing format oracle attacks on symmetric string”), and produces a new, mauled ciphertext C0. The P encryption (and hybrid encryption) schemes. Our function Maulplain(M;S) M0 computes the equivalent algorithms are designed to work with arbitrary for- malleation over some plaintext,! producing a plaintext (or, mat checking functions, using a machine-readable in some cases, a set of possible plaintexts1). The essen- description of the function and the scheme’s mal- tial property we require from these functions is that the leation features to develop the attack strategy. plaintext malleation function should “predict” the effects of encrypting a plaintext M, mauling the resulting cipher- We design and implement novel attack-development • text, then subsequently decrypting the result. For some techniques that use approximate model counting typical encryption schemes, these functions can be sim- techniques to achieve significantly greater efficiency ple: for example, a simple stream cipher can be realized than previous works. These techniques may be of by defining both functions to be bitwise exclusive-OR. independent interest. However, malleation functions may also implement fea- We show how to implement our technique prac- tures such as truncation
Recommended publications
  • Classical Encryption Techniques
    CPE 542: CRYPTOGRAPHY & NETWORK SECURITY Chapter 2: Classical Encryption Techniques Dr. Lo’ai Tawalbeh Computer Engineering Department Jordan University of Science and Technology Jordan Dr. Lo’ai Tawalbeh Fall 2005 Introduction Basic Terminology • plaintext - the original message • ciphertext - the coded message • key - information used in encryption/decryption, and known only to sender/receiver • encipher (encrypt) - converting plaintext to ciphertext using key • decipher (decrypt) - recovering ciphertext from plaintext using key • cryptography - study of encryption principles/methods/designs • cryptanalysis (code breaking) - the study of principles/ methods of deciphering ciphertext Dr. Lo’ai Tawalbeh Fall 2005 1 Cryptographic Systems Cryptographic Systems are categorized according to: 1. The operation used in transferring plaintext to ciphertext: • Substitution: each element in the plaintext is mapped into another element • Transposition: the elements in the plaintext are re-arranged. 2. The number of keys used: • Symmetric (private- key) : both the sender and receiver use the same key • Asymmetric (public-key) : sender and receiver use different key 3. The way the plaintext is processed : • Block cipher : inputs are processed one block at a time, producing a corresponding output block. • Stream cipher: inputs are processed continuously, producing one element at a time (bit, Dr. Lo’ai Tawalbeh Fall 2005 Cryptographic Systems Symmetric Encryption Model Dr. Lo’ai Tawalbeh Fall 2005 2 Cryptographic Systems Requirements • two requirements for secure use of symmetric encryption: 1. a strong encryption algorithm 2. a secret key known only to sender / receiver •Y = Ek(X), where X: the plaintext, Y: the ciphertext •X = Dk(Y) • assume encryption algorithm is known •implies a secure channel to distribute key Dr.
    [Show full text]
  • Index-Of-Coincidence.Pdf
    The Index of Coincidence William F. Friedman in the 1930s developed the index of coincidence. For a given text X, where X is the sequence of letters x1x2…xn, the index of coincidence IC(X) is defined to be the probability that two randomly selected letters in the ciphertext represent, the same plaintext symbol. For a given ciphertext of length n, let n0, n1, …, n25 be the respective letter counts of A, B, C, . , Z in the ciphertext. Then, the index of coincidence can be computed as 25 ni (ni −1) IC = ∑ i=0 n(n −1) We can also calculate this index for any language source. For some source of letters, let p be the probability of occurrence of the letter a, p be the probability of occurrence of a € b the letter b, and so on. Then the index of coincidence for this source is 25 2 Isource = pa pa + pb pb +…+ pz pz = ∑ pi i=0 We can interpret the index of coincidence as the probability of randomly selecting two identical letters from the source. To see why the index of coincidence gives us useful information, first€ note that the empirical probability of randomly selecting two identical letters from a large English plaintext is approximately 0.065. This implies that an (English) ciphertext having an index of coincidence I of approximately 0.065 is probably associated with a mono-alphabetic substitution cipher, since this statistic will not change if the letters are simply relabeled (which is the effect of encrypting with a simple substitution). The longer and more random a Vigenere cipher keyword is, the more evenly the letters are distributed throughout the ciphertext.
    [Show full text]
  • Assignment 4 Task 1: Frequency Analysis (100 Points)
    Assignment 4 Task 1: Frequency Analysis (100 points) The cryptanalyst can benefit from some inherent characteristics of the plaintext language to launch a statistical attack. For example, we know that the letter E is the most frequently used letter in English text. The cryptanalyst finds the mostly-used character in the ciphertext and assumes that the corresponding plaintext character is E. After finding a few pairs, the analyst can find the key and use it to decrypt the message. To prevent this type of attack, the cipher should hide the characteristics of the language. Table 1 contains frequency of characters in English. Table 1 Frequency of characters in English Cryptogram puzzles are solved for enjoyment and the method used against them is usually some form of frequency analysis. This is the act of using known statistical information and patterns about the plaintext to determine it. In cryptograms, each letter of the alphabet is encrypted to another letter. This table of letter-letter translations is what makes up the key. Because the letters are simply converted and nothing is scrambled, the cipher is left open to this sort of analysis; all we need is that ciphertext. If the attacker knows that the language used is English, for example, there are a great many patterns that can be searched for. Classic frequency analysis involves tallying up each letter in the collected ciphertext and comparing the percentages against the English language averages. If the letter "M" is most common then it is reasonable to guess that "E"-->"M" in the cipher because E is the most common letter in the English language.
    [Show full text]
  • Chap 2. Basic Encryption and Decryption
    Chap 2. Basic Encryption and Decryption H. Lee Kwang Department of Electrical Engineering & Computer Science, KAIST Objectives • Concepts of encryption • Cryptanalysis: how encryption systems are “broken” 2.1 Terminology and Background • Notations – S: sender – R: receiver – T: transmission medium – O: outsider, interceptor, intruder, attacker, or, adversary • S wants to send a message to R – S entrusts the message to T who will deliver it to R – Possible actions of O • block(interrupt), intercept, modify, fabricate • Chapter 1 2.1.1 Terminology • Encryption and Decryption – encryption: a process of encoding a message so that its meaning is not obvious – decryption: the reverse process • encode(encipher) vs. decode(decipher) – encoding: the process of translating entire words or phrases to other words or phrases – enciphering: translating letters or symbols individually – encryption: the group term that covers both encoding and enciphering 2.1.1 Terminology • Plaintext vs. Ciphertext – P(plaintext): the original form of a message – C(ciphertext): the encrypted form • Basic operations – plaintext to ciphertext: encryption: C = E(P) – ciphertext to plaintext: decryption: P = D(C) – requirement: P = D(E(P)) 2.1.1 Terminology • Encryption with key If the encryption algorithm should fall into the interceptor’s – encryption key: KE – decryption key: K hands, future messages can still D be kept secret because the – C = E(K , P) E interceptor will not know the – P = D(KD, E(KE, P)) key value • Keyless Cipher – a cipher that does not require the
    [Show full text]
  • Shift Cipher Substitution Cipher Vigenère Cipher Hill Cipher
    Lecture 2 Classical Cryptosystems Shift cipher Substitution cipher Vigenère cipher Hill cipher 1 Shift Cipher • A Substitution Cipher • The Key Space: – [0 … 25] • Encryption given a key K: – each letter in the plaintext P is replaced with the K’th letter following the corresponding number ( shift right ) • Decryption given K: – shift left • History: K = 3, Caesar’s cipher 2 Shift Cipher • Formally: • Let P=C= K=Z 26 For 0≤K≤25 ek(x) = x+K mod 26 and dk(y) = y-K mod 26 ʚͬ, ͭ ∈ ͔ͦͪ ʛ 3 Shift Cipher: An Example ABCDEFGHIJKLMNOPQRSTUVWXYZ 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 • P = CRYPTOGRAPHYISFUN Note that punctuation is often • K = 11 eliminated • C = NCJAVZRCLASJTDQFY • C → 2; 2+11 mod 26 = 13 → N • R → 17; 17+11 mod 26 = 2 → C • … • N → 13; 13+11 mod 26 = 24 → Y 4 Shift Cipher: Cryptanalysis • Can an attacker find K? – YES: exhaustive search, key space is small (<= 26 possible keys). – Once K is found, very easy to decrypt Exercise 1: decrypt the following ciphertext hphtwwxppelextoytrse Exercise 2: decrypt the following ciphertext jbcrclqrwcrvnbjenbwrwn VERY useful MATLAB functions can be found here: http://www2.math.umd.edu/~lcw/MatlabCode/ 5 General Mono-alphabetical Substitution Cipher • The key space: all possible permutations of Σ = {A, B, C, …, Z} • Encryption, given a key (permutation) π: – each letter X in the plaintext P is replaced with π(X) • Decryption, given a key π: – each letter Y in the ciphertext C is replaced with π-1(Y) • Example ABCDEFGHIJKLMNOPQRSTUVWXYZ πBADCZHWYGOQXSVTRNMSKJI PEFU • BECAUSE AZDBJSZ 6 Strength of the General Substitution Cipher • Exhaustive search is now infeasible – key space size is 26! ≈ 4*10 26 • Dominates the art of secret writing throughout the first millennium A.D.
    [Show full text]
  • Substitution Ciphers
    Foundations of Computer Security Lecture 40: Substitution Ciphers Dr. Bill Young Department of Computer Sciences University of Texas at Austin Lecture 40: 1 Substitution Ciphers Substitution Ciphers A substitution cipher is one in which each symbol of the plaintext is exchanged for another symbol. If this is done uniformly this is called a monoalphabetic cipher or simple substitution cipher. If different substitutions are made depending on where in the plaintext the symbol occurs, this is called a polyalphabetic substitution. Lecture 40: 2 Substitution Ciphers Simple Substitution A simple substitution cipher is an injection (1-1 mapping) of the alphabet into itself or another alphabet. What is the key? A simple substitution is breakable; we could try all k! mappings from the plaintext to ciphertext alphabets. That’s usually not necessary. Redundancies in the plaintext (letter frequencies, digrams, etc.) are reflected in the ciphertext. Not all substitution ciphers are simple substitution ciphers. Lecture 40: 3 Substitution Ciphers Caesar Cipher The Caesar Cipher is a monoalphabetic cipher in which each letter is replaced in the encryption by another letter a fixed “distance” away in the alphabet. For example, A is replaced by C, B by D, ..., Y by A, Z by B, etc. What is the key? What is the size of the keyspace? Is the algorithm strong? Lecture 40: 4 Substitution Ciphers Vigen`ere Cipher The Vigen`ere Cipher is an example of a polyalphabetic cipher, sometimes called a running key cipher because the key is another text. Start with a key string: “monitors to go to the bathroom” and a plaintext to encrypt: “four score and seven years ago.” Align the two texts, possibly removing spaces: plaintext: fours corea ndsev enyea rsago key: monit orsto gotot hebat hroom ciphertext: rcizl qfkxo trlso lrzet yjoua Then use the letter pairs to look up an encryption in a table (called a Vigen`ere Tableau or tabula recta).
    [Show full text]
  • Algorithms and Mechanisms Historical Ciphers
    Algorithms and Mechanisms Cryptography is nothing more than a mathematical framework for discussing the implications of various paranoid delusions — Don Alvarez Historical Ciphers Non-standard hieroglyphics, 1900BC Atbash cipher (Old Testament, reversed Hebrew alphabet, 600BC) Caesar cipher: letter = letter + 3 ‘fish’ ‘ilvk’ rot13: Add 13/swap alphabet halves •Usenet convention used to hide possibly offensive jokes •Applying it twice restores the original text Substitution Ciphers Simple substitution cipher: a=p,b=m,c=f,... •Break via letter frequency analysis Polyalphabetic substitution cipher 1. a = p, b = m, c = f, ... 2. a = l, b = t, c = a, ... 3. a = f, b = x, c = p, ... •Break by decomposing into individual alphabets, then solve as simple substitution One-time Pad (1917) Message s e c r e t 18 5 3 17 5 19 OTP +15 8 1 12 19 5 7 13 4 3 24 24 g m d c x x OTP is unbreakable provided •Pad is never reused (VENONA) •Unpredictable random numbers are used (physical sources, e.g. radioactive decay) One-time Pad (ctd) Used by •Russian spies •The Washington-Moscow “hot line” •CIA covert operations Many snake oil algorithms claim unbreakability by claiming to be a OTP •Pseudo-OTPs give pseudo-security Cipher machines attempted to create approximations to OTPs, first mechanically, then electronically Cipher Machines (~1920) 1. Basic component = wired rotor •Simple substitution 2. Step the rotor after each letter •Polyalphabetic substitution, period = 26 Cipher Machines (ctd) 3. Chain multiple rotors Each rotor steps the next one when a full
    [Show full text]
  • Cryptanalysis of the ``Kindle'' Cipher
    Introduction PC1 Known-plaintext key-recovery Ciphertext only key-recovery Conclusion . Cryptanalysis of the “Kindle” Cipher Alex Biryukov, Gaëtan Leurent, Arnab Roy University of Luxembourg SAC 2012 A. Biryukov, G. Leurent, A. Roy (uni.lu) Cryptanalysis of the “Kindle” Cipher SAC 2012 1 / 22 Introduction PC1 Known-plaintext key-recovery Ciphertext only key-recovery Conclusion . Cryptography: theory and practice In theory In practice ▶ Random Oracle ▶ Algorithms ▶ ▶ Ideal Cipher AES ▶ SHA2 ▶ Perfect source of ▶ RSA randomness ▶ Modes of operation ▶ CBC ▶ OAEP ▶ ... ▶ . Random Number Generators ▶ Hardware RNG ▶ PRNG A. Biryukov, G. Leurent, A. Roy (uni.lu) Cryptanalysis of the “Kindle” Cipher SAC 2012 2 / 22 Introduction PC1 Known-plaintext key-recovery Ciphertext only key-recovery Conclusion . Cryptography in the real world Several examples of flaws in industrial cryptography: ▶ Bad random source ▶ SLL with 16bit entropy (Debian) ▶ ECDSA with fixed k (Sony) ▶ Bad key size ▶ RSA512 (TI) ▶ Export restrictions... ▶ Bad mode of operation ▶ CBCMAC with the RC4 streamcipher (Microsoft) ▶ TEA with DaviesMeyer (Microsoft) ▶ Bad (proprietary) algorithm ▶ A5/1 (GSM) ▶ CSS (DVD forum) ▶ Crypto1 (MIFARE/NXP) ▶ KeeLoq (Microchip) A. Biryukov, G. Leurent, A. Roy (uni.lu) Cryptanalysis of the “Kindle” Cipher SAC 2012 3 / 22 Introduction PC1 Known-plaintext key-recovery Ciphertext only key-recovery Conclusion . Amazon Kindle ▶ Ebook reader by Amazon ▶ Most popular ebook reader (≈ 50% share) ▶ 4 generations, 7 devices ▶ Software reader for 7 OS, plus cloud reader ▶ Several million devices sold ▶ Amazon sells more ebooks than paper books ▶ Uses crypto for DRM (Digital Rights Management) A. Biryukov, G. Leurent, A. Roy (uni.lu) Cryptanalysis of the “Kindle” Cipher SAC 2012 4 / 22 Introduction PC1 Known-plaintext key-recovery Ciphertext only key-recovery Conclusion .
    [Show full text]
  • Hill Cipher Cryptanalysis a Known Plaintext Attack Means That We Know
    Fall 2019 Chris Christensen MAT/CSC 483 Section 9 Hill Cipher Cryptanalysis A known plaintext attack means that we know a bit of ciphertext and the corresponding plaintext – a crib. This is not an unusual situation. Often messages have stereotypical beginnings (e.g., to …, dear …) or stereotypical endings (e.g, stop) or sometimes it is possible (knowing the sender and receiver or knowing what is likely to be the content of the message) to guess a portion of a message. For a 22× Hill cipher, if we know two ciphertext digraphs and the corresponding plaintext digraphs, we can easily determine the key or the key inverse. 1 Example one: Assume that we know that the plaintext of our ciphertext message that begins WBVE is inma. We could either solve for the key or the key inverse; let’s solve for the key inverse. ef23 9 Because WB corresponds to in = , gh2 14 ef22 13 and because VE corresponds to ma = . gh51 These result in two sets of linear congruences modulo 26: 23ef+= 2 9 22ef+= 5 13 and 23gh+= 2 14 22gh+= 5 1 We solve the systems modulo 26 using Mathematica. In[5]:= Solve[23e+2f == 9 && 22e+5f == 13, {e, f}, Modulus -> 26] Out[5]= {{e->1,f->19}} In[6]:= Solve[23g+2h == 14 && 22g+5h == 1, {g, h}, Modulus -> 26] Out[6]= {{g->20,h->11}} 2 Example two: Ciphertext: FAGQQ ILABQ VLJCY QULAU STYTO JSDJJ PODFS ZNLUH KMOW We are assuming that this message was encrypted using a 22× Hill cipher and that we have a crib.
    [Show full text]
  • Ciphertext-Policy Attribute-Based Encryption: an Expressive, Efficient
    Ciphertext-Policy Attribute-Based Encryption: An Expressive, Efficient, and Provably Secure Realization Brent Waters ∗ University of Texas at Austin [email protected] Abstract We present a new methodology for realizing Ciphertext-Policy Attribute Encryption (CP- ABE) under concrete and noninteractive cryptographic assumptions in the standard model. Our solutions allow any encryptor to specify access control in terms of any access formula over the attributes in the system. In our most efficient system, ciphertext size, encryption, and decryption time scales linearly with the complexity of the access formula. The only previous work to achieve these parameters was limited to a proof in the generic group model. We present three constructions within our framework. Our first system is proven selectively secure under a assumption that we call the decisional Parallel Bilinear Diffie-Hellman Exponent (PBDHE) assumption which can be viewed as a generalization of the BDHE assumption. Our next two constructions provide performance tradeoffs to achieve provable security respectively under the (weaker) decisional Bilinear-Diffie-Hellman Exponent and decisional Bilinear Diffie- Hellman assumptions. ∗Supported by NSF CNS-0716199, CNS-0915361, and CNS-0952692, Air Force Office of Scientific Research (AFO SR) under the MURI award for \Collaborative policies and assured information sharing" (Project PRESIDIO), Department of Homeland Security Grant 2006-CS-001-000001-02 (subaward 641), a Google Faculty Research award, and the Alfred P. Sloan Foundation. 1 Introduction Public-Key encryption is a powerful mechanism for protecting the confidentiality of stored and transmitted information. Traditionally, encryption is viewed as a method for a user to share data to a targeted user or device.
    [Show full text]
  • Chapter 13 Attacks on Cryptosystems
    Chapter 13 Attacks on Cryptosystems Up to this point, we have mainly seen how ciphers are implemented. We have seen how symmetric ciphers such as DES and AES use the idea of substitution and permutation to provide security and also how asymmetric systems such as RSA and Diffie Hellman use other methods. What we haven’t really looked at are attacks on cryptographic systems. An understanding of certain attacks will help you to understand the reasons behind the structure of certain algorithms (such as Rijndael) as they are designed to thwart known attacks. Although we are not going to exhaust all possible avenues of attack, we will get an idea of how cryptanalysts go about attacking ciphers. This section is really split up into two classes of attack1: Cryptanalytic attacks and Implementation attacks. The former tries to attack mathematical weaknesses in the algorithms whereas the latter tries to attack the specific implementation of the cipher (such as a smartcard system). The following attacks can refer to either of the two classes (all forms of attack assume the attacker knows the encryption algorithm): • Ciphertext-only attack: In this attack the attacker knows only the ciphertext to be decoded. The attacker will try to find the key or decrypt one or more pieces of ciphertext (only relatively weak algorithms fail to withstand a ciphertext-only attack). • Known plaintext attack: The attacker has a collection of plaintext-ciphertext pairs and is trying to find the key or to decrypt some other ciphertext that has been encrypted with the same key. • Chosen Plaintext attack: This is a known plaintext attack in which the attacker can choose the plaintext to be encrypted and read the corresponding ciphertext.
    [Show full text]
  • Index of Coincidence Can Be Verbally Defined As Follows Number of Pairs of Equal Letters in Ciphertext I =
    Index of Conincidence A. Garsia - 1988 The estimation of period in a substitution cipher. Let us suppose that we are given a ciphertext C1,C2,...,CN which is known to have been encrypted by a Vigenere substitution with keyword of length N p. For convenience let us assume that N is a multiple of p and set M = p . This means that if the original plaintext was X1,X2,...,XN then for each k = 1, 2,...,M the kth block of ciphertext C(k−1)p+1,C(k−1)p+2,...,C(k−1)p+p is obtained from the corresponding kth block of plaintext X(k−1)p+1,X(k−1)p+2,...,X(k−1)p+p (1) by the p substitutions C(k−1)p+j = φj(X(k−1)p+j)(j = 1, 2, ..., p). For a Vigenere cipher each of the substitutions φj circularly shifts the alphabet. In the case of a general periodic substitution cipher each of the φj’s permutes the alphabet in an arbitrary manner. We shall present here a statistic which may be used to estimate the period p of a Vigenere substitution. It may be used as well for the most general periodic substitution cipher provided a sufficiently large ciphertext sample is available. This statistic usually referred to as the index of coincidence can be verbally defined as follows number of pairs of equal letters in ciphertext I = . (2) C the total number of pairs of letters Note that if NA denotes the total number of A’s in the ciphertext then the binomial NA(NA−1) coefficient 2 gives the number of A − A pairs.
    [Show full text]