Chosen ciphertext attack

from Wikipedia, the free encyclopedia

This article covers the chosen ciphertext attack on cryptosystems.

In a chosen ciphertext attack the attacker has, for a limited time, the opportunity to have ciphertexts of his choice decrypted. This can happen by breaking into a hardware system; it also includes access to unforeseen side effects, such as the different error messages emitted after a successful or an unsuccessful decryption. An example of this is Bleichenbacher's attack on PKCS #1.

With some cryptosystems, such as Rabin, he is then able to determine, from the plaintext/ciphertext pairs obtained, the secret key with which the ciphertexts were encrypted.

Example attack on RSA by brute force

The following example shows a chosen ciphertext attack on RSA encryption using brute force.

With RSA the public key is freely accessible. Anyone can use it to encrypt data, but not to decrypt it again. If the same text is encrypted with the same key, the same ciphertext is always produced.

An attacker can exploit this. First he intercepts an encrypted message. Then he systematically encrypts candidate plaintexts with the public key. As soon as a ciphertext he generates matches the one he intercepted, he has found the plaintext.

Example attack on RSA with social engineering / debugging function

A chosen ciphertext attack on RSA encryption with social engineering is shown below as an example. What matters in this attack is that the order in which the encryption and decryption operations are applied does not affect the result.

  1. PC A sends a message to server B. The message is encrypted with B's public key.
  2. The attacker eavesdrops on this encrypted message.
  3. The attacker encrypts this message again with his own public key.
  4. The attacker sends the double-encrypted message to B. B decrypts it internally.
    1. B cannot do anything with this message because it is still encrypted. B assesses the message as faulty.
    2. The attacker gets B to send him the decrypted message, for example via social engineering or automatically through a debugging function.
  5. Since the order of decryption must be irrelevant for this attack, the attacker can now decrypt the message again with his own key and thereby obtains the plaintext.
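As an added illustration of the two RSA examples above (this script is not part of the original article), the following Python program implements a toy textbook RSA, runs both attacks against it, and then shows how a randomised, self-checking plaintext encoding (a toy stand-in for RSAES-OAEP) defeats both. The key parameters, the 8-bit message space, the `TAG` constant and the debug oracle are constructed for this example. The second attack uses the standard blinding form of "encrypting the message again": the intercepted ciphertext is multiplied by the encryption of a factor r under B's own public key rather than wrapped with a second key pair; it relies on the same commutativity that step 5 depends on.

```python
"""Toy textbook RSA: trial-encryption recovery, a decryption-oracle attack
via the multiplicative property, and a randomised self-checking encoding
that stops both. Constructed for illustration; the primes are far too small
for real use."""
import secrets
from typing import Callable, Iterable, Optional, Tuple

# Constructed toy key pair with a 32-bit modulus (real keys: 2048 bits or more).
P, Q = 65521, 65537
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 17
D = pow(E, -1, PHI)                 # modular inverse, Python >= 3.8
PUB: Tuple[int, int] = (N, E)
PRIV: Tuple[int, int] = (N, D)

Oracle = Callable[[int], Optional[int]]


def encrypt(m: int, pub: Tuple[int, int]) -> int:
    """Textbook RSA: c = m^e mod n. Deterministic and multiplicatively malleable."""
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message out of range")
    return pow(m, e, n)


def decrypt(c: int, priv: Tuple[int, int]) -> int:
    """Textbook RSA: m = c^d mod n."""
    n, d = priv
    return pow(c, d, n)


# 1. Trial encryption: works only because encryption is deterministic and the
#    message space (8-bit values here) is small.
def recover_by_trial_encryption(c: int, pub: Tuple[int, int],
                                candidates: Iterable[int]) -> Optional[int]:
    for m in candidates:
        if encrypt(m, pub) == c:
            return m
    return None


# 2. Decryption oracle: simulates server B's debugging function, which decrypts
#    any ciphertext except the one it is supposed to keep secret.
def make_debug_oracle(c_protected: int, decryptor: Oracle) -> Oracle:
    def oracle(c: int) -> Optional[int]:
        if c == c_protected:
            raise PermissionError("refusing to decrypt the protected ciphertext")
        return decryptor(c)
    return oracle


def recover_via_oracle(c: int, pub: Tuple[int, int], oracle: Oracle, r: int) -> Optional[int]:
    """Enc(m) * Enc(r) = Enc(m*r mod n): multiply the intercepted ciphertext by
    Enc(r) (the blinding form of "encrypting the message again"), have the oracle
    decrypt the result, which is no longer the protected ciphertext, then divide
    r out again. Returns None if the oracle refuses to release a plaintext."""
    n, _ = pub
    c_blinded = (c * encrypt(r, pub)) % n
    m_blinded = oracle(c_blinded)           # m * r mod n for textbook RSA
    if m_blinded is None:
        return None
    return (m_blinded * pow(r, -1, n)) % n


# 3. Defence: randomised, self-checking encoding (a toy stand-in for OAEP).
TAG = 0xA5   # constant check byte; m*r mod n almost never keeps it intact

def encode(m: int, nonce: int) -> int:
    """Pack [15-bit nonce | 8-bit message | check byte]; always below 2^31 < n."""
    if not (0 <= m < 256 and 0 <= nonce < 2 ** 15):
        raise ValueError("message or nonce out of range")
    return (nonce << 16) | (m << 8) | TAG

def decode(v: int) -> Optional[int]:
    """Return the message if the structure checks out, otherwise a uniform None."""
    if v >> 31 != 0 or (v & 0xFF) != TAG:
        return None
    return (v >> 8) & 0xFF

def encrypt_padded(m: int, pub: Tuple[int, int], nonce: Optional[int] = None) -> int:
    """Randomised encryption: the same m gives a different ciphertext each time."""
    if nonce is None:
        nonce = secrets.randbits(15)
    return encrypt(encode(m, nonce), pub)

def decrypt_padded(c: int, priv: Tuple[int, int]) -> Optional[int]:
    return decode(decrypt(c, priv))


if __name__ == "__main__":
    c = encrypt(42, PUB)
    print("textbook, trial encryption:", recover_by_trial_encryption(c, PUB, range(256)))
    print("textbook, oracle + blinding:", recover_via_oracle(
        c, PUB, make_debug_oracle(c, lambda x: decrypt(x, PRIV)), 3))
    c2 = encrypt_padded(42, PUB)
    print("padded, trial encryption:", recover_by_trial_encryption(c2, PUB, range(256)))
    print("padded, oracle + blinding:", recover_via_oracle(
        c2, PUB, make_debug_oracle(c2, lambda x: decrypt_padded(x, PRIV)), 3))
```

Running the file prints 42 for both attacks on the textbook scheme and None for both on the padded scheme. The defence works for two reasons: the nonce makes trial encryption useless because one message has 2^15 possible ciphertexts, and the decryptor releases a plaintext only when its structure checks out, answering every failure identically. An oracle that distinguishes failure types would reintroduce the kind of leakage that Bleichenbacher's attack on PKCS #1, mentioned in the introduction, exploits.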

Current attacks

DROWN attack
This attack requires that the server still accepts connections via the insecure SSLv2. It is used against TLS connections that are supposedly secure. The attacker first records the securely encrypted data stream. A chosen ciphertext attack is then carried out via the vulnerable SSLv2 interface. This makes it possible to extract the symmetric key from the securely encrypted data stream, so that this stream is compromised as well.

References

  1. Chosen ciphertext attack. In: Wolfgang Ertel: Applied Cryptography.
  2. DROWN attack: SSL protocol from the Stone Age destroys servers. heise.de, March 1, 2016.