Attack model

Last updated August 16, 2022

In cryptanalysis, attack models or attack types^[1] are a classification of cryptographic attacks specifying the kind of access a cryptanalyst has to a system under attack when attempting to "break" an encrypted message (also known as ciphertext ) generated by the system. The greater the access the cryptanalyst has to the system, the more useful information they can get to utilize for breaking the cypher.

In cryptography, a sending party uses a cipher to encrypt (transform) a secret plaintext into a ciphertext , which is sent over an insecure communication channel to the receiving party. The receiving party uses an inverse cipher to decrypt the ciphertext to obtain the plaintext. A secret knowledge is required to apply the inverse cipher to the ciphertext. This secret knowledge is usually a short number or string called a key . In a cryptographic attack a third party cryptanalyst analyzes the ciphertext to try to "break" the cipher, to read the plaintext and obtain the key so that future enciphered messages can be read. It is usually assumed that the encryption and decryption algorithms themselves are public knowledge and available to the cryptographer, as this is the case for modern ciphers which are published openly. This assumption is called Kerckhoffs's principle.

Models

Some common attack models are:

Ciphertext-only attack (COA) - in this type of attack it is assumed that the cryptanalyst has access only to the ciphertext, and has no access to the plaintext. This type of attack is the most likely case encountered in real life cryptanalysis, but is the weakest attack because of the cryptanalyst's lack of information. Modern ciphers are required to be very resistant to this type of attack. In fact, a successful cryptanalysis in the COA model usually requires that the cryptanalyst must have some information on the plaintext, such as its distribution, the language in which the plaintexts are written in, standard protocol data or framing which is part of the plaintext, etc.^[2]
- Brute force attack or exhaustive key search - in this attack every possible key is tried until the correct one is found. Every cipher except the unbreakable Information-theoretically secure methods like the one time pad is vulnerable to this method, and as its difficulty does not depend on the cipher but only on the key length - it's not considered a real cryptanalysis of the cipher. If the key has N bits, there are 2^N possible keys to try, so a brute-force attack can recover the cipher in a worst-case time proportional to 2^N and an average time of 2^N-1. This is often used as a standard of comparison for other attacks. Brute-force can be applied in ciphertext-only settings, but the cryptanalyst must have enough information about the plaintext (at least N bits) to allow the identification of the correct key once it is tried.
Known-plaintext attack (KPA) - in this type of attack it is assumed that the cryptanalyst has access to at least a limited number of pairs of plaintext and the corresponding enciphered text. An interesting example dates back to World War II, during which the Allies used known-plaintexts in their successful cryptanalysis of the Enigma machine cipher. The plaintext samples are called "cribs"; the term originated at Bletchley Park, the British World War II decryption operation.^[3]^[4] Very early on cribs were produced from stolen plaintext and intercepted ciphertext, and as such qualify for their classification as a known-plaintext attack. However, as knowledge and experience increased, the known-plaintexts were actually generated mostly through a series of intelligent guesses based on gained experience and logic, and not through a channel providing direct access to these plaintext. Technically the latter attacks are classified as the harder-to-execute ciphertext-only attacks.
Chosen-plaintext attack (CPA) - in this attack the cryptanalyst is able to choose a number of plaintexts to be enciphered and have access to the resulting ciphertext. This allows the analyst to explore whatever areas of the plaintext state space they wish and may allow them to exploit vulnerabilities and nonrandom behavior which appear only with certain plaintexts. In the widely used public-key cryptosystems, the key used to encrypt the plaintext is publicly distributed and anyone may use it, allowing the cryptanalyst to create ciphertext of any plaintext they want. So public-key algorithms must be resistant to all chosen-plaintext attacks.
- Adaptive chosen-plaintext attack (CPA2) - in this attack the analyst can choose a sequence of plaintexts to be encrypted and have access to the ciphertexts. At each step they have the opportunity to analyze the previous results before choosing the next plaintext. This allows them to have more information when choosing plaintexts than if they were required to choose all the plaintexts beforehand as required in the chosen-plaintext attack.
Chosen-ciphertext attack (CCA) - in this attack the analyst can choose arbitrary ciphertext and have access to plaintext decrypted from it. In an actual real life case this would require the analyst to have access to the communication channel and the recipient end.
- Lunchtime attack or midnight attack - In this variant it is assumed the cryptanalyst can only have access to the system for a limited time or a limited number of plaintext-ciphertext pairs, after which he must show progress. The name comes from the common security vulnerability in which an employee signs into their encrypted computer and then leaves it unattended while they go for lunch, allowing an attacker a limited-time access to the system.
- Adaptive chosen-ciphertext attack (CCA2) - in this attack the analyst can choose a series of ciphertexts and see the resulting plaintexts, with the opportunity at each step to analyze the previous ciphertext-plaintext pairs before choosing the next ciphertext.
Open key model attacks - where the attacker has some knowledge about the key for the cipher being attacked.^[5]
- Related-key attack - in this attack the cryptanalyst has access to ciphertext encrypted from the same plaintext using other (unknown) keys which are related to the target key in some mathematically defined way. For example, the analyst might know that the last N bits of the keys are identical. This is relevant because modern computer encryption protocols generate keys automatically, leading to the possibility of relations between them. The Wired Equivalent Privacy (WEP) privacy protocol which was used to protect WiFi internet devices was found to be vulnerable to a related-key attack due to a weakness in RC4.
- Known-key distinguishing attack and chosen-key distinguishing attack, where an attacker can distinguish ciphertext from random along with the knowledge or ability to choose the key.^[5]
Side-channel attack - This is not strictly speaking a cryptanalytic attack, and does not depend on the strength of the cipher. It refers to using other data about the encryption or decryption process to gain information about the message, such as electronic noise produced by encryption machines, sound produced by keystrokes as the plaintext is typed, or measuring how much time various computations take to perform.

Different attack models are used for other cryptographic primitives, or more generally for all kind of security systems. Examples for such attack models are:

Adaptive chosen-message attack for digital signatures.

Related Research Articles

In cryptography, a block cipher is a deterministic algorithm operating on fixed-length groups of bits, called blocks. They are specified elementary components in the design of many cryptographic protocols and are widely used to encrypt large amounts of data, including in data exchange protocols. It uses blocks as an unvarying transformation.

In cryptography, a cipher is an algorithm for performing encryption or decryption—a series of well-defined steps that can be followed as a procedure. An alternative, less common term is encipherment. To encipher or encode is to convert information into cipher or code. In common parlance, "cipher" is synonymous with "code", as they are both a set of steps that encrypt a message; however, the concepts are distinct in cryptography, especially classical cryptography.

Cryptanalysis Study of analyzing information systems in order to discover their hidden aspects

Cryptanalysis refers to the process of analyzing information systems in order to understand hidden aspects of the systems. Cryptanalysis is used to breach cryptographic security systems and gain access to the contents of encrypted messages, even if the cryptographic key is unknown.

The Data Encryption Standard is a symmetric-key algorithm for the encryption of digital data. Although its short key length of 56 bits makes it too insecure for modern applications, it has been highly influential in the advancement of cryptography.

In cryptography, encryption is the process of encoding information. This process converts the original representation of the information, known as plaintext, into an alternative form known as ciphertext. Ideally, only authorized parties can decipher a ciphertext back to plaintext and access the original information. Encryption does not itself prevent interference but denies the intelligible content to a would-be interceptor.

In cryptography, a substitution cipher is a method of encrypting in which units of plaintext are replaced with the ciphertext, in a defined manner, with the help of a key; the "units" may be single letters, pairs of letters, triplets of letters, mixtures of the above, and so forth. The receiver deciphers the text by performing the inverse substitution process to extract the original message.

In cryptography, a transposition cipher is a method of encryption which scrambles the positions of characters (transposition) without changing the characters themselves. Transposition ciphers reorder units of plaintext according to a regular system to produce a ciphertext which is a permutation of the plaintext. They differ from substitution ciphers, which do not change the position of units of plaintext but instead change the units themselves. Despite the difference between transposition and substitution operations, they are often combined, as in historical ciphers like the ADFGVX cipher or complex high-quality encryption methods like the modern Advanced Encryption Standard (AES).

Symmetric-key algorithms are algorithms for cryptography that use the same cryptographic keys for both the encryption of plaintext and the decryption of ciphertext. The keys may be identical, or there may be a simple transformation to go between the two keys. The keys, in practice, represent a shared secret between two or more parties that can be used to maintain a private information link. The requirement that both parties have access to the secret key is one of the main drawbacks of symmetric-key encryption, in comparison to public-key encryption. However, symmetric-key encryption algorithms are usually better for bulk encryption. They have a smaller key size, which means less storage space and faster transmission. Due to this, asymmetric-key encryption is often used to exchange the secret key for symmetric-key encryption.

A chosen-plaintext attack (CPA) is an attack model for cryptanalysis which presumes that the attacker can obtain the ciphertexts for arbitrary plaintexts. The goal of the attack is to gain information that reduces the security of the encryption scheme.

In cryptography, unicity distance is the length of an original ciphertext needed to break the cipher by reducing the number of possible spurious keys to zero in a brute force attack. That is, after trying every possible key, there should be just one decipherment that makes sense, i.e. expected amount of ciphertext needed to determine the key completely, assuming the underlying message has redundancy.

A chosen-ciphertext attack (CCA) is an attack model for cryptanalysis where the cryptanalyst can gather information by obtaining the decryptions of chosen ciphertexts. From these pieces of information the adversary can attempt to recover the hidden secret key used for decryption.

In cryptography, a block cipher mode of operation is an algorithm that uses a block cipher to provide information security such as confidentiality or authenticity. A block cipher by itself is only suitable for the secure cryptographic transformation of one fixed-length group of bits called a block. A mode of operation describes how to repeatedly apply a cipher's single-block operation to securely transform amounts of data larger than a block.

In cryptography, ciphertext or cyphertext is the result of encryption performed on plaintext using an algorithm, called a cipher. Ciphertext is also known as encrypted or encoded information because it contains a form of the original plaintext that is unreadable by a human or computer without the proper cipher to decrypt it. This process prevents the loss of sensitive information via hacking. Decryption, the inverse of encryption, is the process of turning ciphertext into readable plaintext. Ciphertext is not to be confused with codetext because the latter is a result of a code, not a cipher.

Articles related to cryptography include:

The affine cipher is a type of monoalphabetic substitution cipher, where each letter in an alphabet is mapped to its numeric equivalent, encrypted using a simple mathematical function, and converted back to a letter. The formula used means that each letter encrypts to one other letter, and back again, meaning the cipher is essentially a standard substitution cipher with a rule governing which letter goes to which. As such, it has the weaknesses of all substitution ciphers. Each letter is enciphered with the function $(ax + b) mod 26$ , where $b$ is the magnitude of the shift.

In cryptography, a ciphertext-only attack (COA) or known ciphertext attack is an attack model for cryptanalysis where the attacker is assumed to have access only to a set of ciphertexts. While the attacker has no channel providing access to the plaintext prior to encryption, in all practical ciphertext-only attacks, the attacker still has some knowledge of the plaintext. For instance, the attacker might know the language in which the plaintext is written or the expected statistical distribution of characters in the plaintext. Standard protocol data and messages are commonly part of the plaintext in many deployed systems and can usually be guessed or known efficiently as part of a ciphertext-only attack on these systems.

In cryptanalysis, Kasiski examination is a method of attacking polyalphabetic substitution ciphers, such as the Vigenère cipher. It was first published by Friedrich Kasiski in 1863, but seems to have been independently discovered by Charles Babbage as early as 1846.

Multiple encryption is the process of encrypting an already encrypted message one or more times, either using the same or a different algorithm. It is also known as cascade encryption, cascade ciphering, multiple encryption, and superencipherment. Superencryption refers to the outer-level encryption of a multiple encryption.

Cryptography Practice and study of secure communication techniques

Cryptography, or cryptology, is the practice and study of techniques for secure communication in the presence of adversarial behavior. More generally, cryptography is about constructing and analyzing protocols that prevent third parties or the public from reading private messages; various aspects of information security such as data confidentiality, data integrity, authentication, and non-repudiation are central to modern cryptography. Modern cryptography exists at the intersection of the disciplines of mathematics, computer science, electrical engineering, communication science, and physics. Applications of cryptography include electronic commerce, chip-based payment cards, digital currencies, computer passwords, and military communications.

The following outline is provided as an overview of and topical guide to cryptography:

References

↑ Information Security Laboratory (powerpoint)
↑ Bruce Schneier (2000). "Cryptography" . Secrets & Lies: Digital Security in a Networked World (Hardcover ed.). Wiley Computer Publishing Inc. pp. 90–91. ISBN 0-471-25311-1.
↑ Gordon Welchman, The Hut Six Story: Breaking the Enigma Codes, p. 78.
↑ Michael Smith, "How It Began: Bletchley Park Goes to War," in B. Jack Copeland, ed., Colossus: The Secrets of Bletchley Park's Codebreaking Computers.
1 2 Elena Andreeva; Andrey Bogdanov; Bart Mennink (8 July 2014). Towards Understanding the Known-Key Security of Block Ciphers. FSE 2014.

Attack model

Contents

Models

Related Research Articles

References

Further reading