Cryptanalysis

In archeology, on the other hand, when it comes to the analysis of an old, no longer known script, the terms decoding and deciphering are often used as synonyms .

Methods of cryptanalysis

An important approach in cryptanalysis is to include all available information about the examined method, its parameters and the protected data in the analysis. This information can be public, it can come from plausible assumptions or it can be obtained specifically (e.g. through social engineering ). The type of information available and its control over it is divided into various attack scenarios (see models and statements on security ) and qualify the relevance of the attack or the statement on security.

Before mechanical devices such as the Enigma or computers made it possible for cryptography to scramble messages into pseudo-random sequences, statistics were the most powerful weapon for deciphering messages. As long as a person encrypts the texts by hand, the algorithm used must remain simple enough to implement the message error-free in a reasonable time. These encryption methods can usually be attacked by statistics. It is used to determine the frequency of certain characters and character strings. With the knowledge of the laws of a language, letters and words can be assigned and the plain text can be reconstructed.

Since computers, thanks to their speed and precision, have reduced the statistical ties in an encrypted text to almost zero, new analysis techniques have to be used to uncover the encryption algorithm, exploit a weak point in the algorithm (just as statistics have already used weak points) and reconstruct the key with that the message was encrypted. Complicated mathematical theories and procedures are often used for this purpose, e.g. B. from algebra or stochastics .

Here are some important attack and analysis methods:

• Brute force method : All possible keys are tried out one after the other. If necessary, the order is selected according to the probability. This method is also useful with modern encryption methods, if the use of a relatively weak password can be assumed. Even on commercially available computers (as of 2008), several million keys per second can easily be tried out.
• Dictionary attack: All keys from password collections specially created for this purpose are tried one after the other. If necessary, the order is selected according to the probability. This method is also useful with modern encryption methods if the use of a relatively simple password can be assumed.

It is also possible to try out all possible words. With an active vocabulary of 50,000 words per language, dozens of languages ​​can be tried out within a few seconds, even on standard computers. A single word as a key is therefore very insecure.

Models and statements about safety

When analyzing the security of cryptographic processes and the resulting statements on security, various attack and security models are used as a basis. The quality of a statement about the security of a procedure against certain attackers depends on the assumed targets and the attack scenario.

aims

Statements about the security of a cryptographic process usually relate to specific targets. The possible goals depend on the type of cryptographic method. For all cryptographic processes that use a secret key, the determination of the secret key is the most far-reaching goal of an attack, since it completely undermines the security of the process.

The following targets are also relevant for encryption methods:

• Decryption, d. H. the determination of the plain text.
• The attacker must determine which is the correct plaintext for a ciphertext and two potential plaintexts. If this is not possible efficiently (i.e. in polynomial time ), this property is known as semantic security or ciphertext indistinguishability . Semantic security is considered for both asymmetric and symmetric cryptographic methods . Only probabilistic encryption methods can have this property.
• The attacker tries to change a ciphertext in such a way that the associated new plaintext, which would be obtained if the changed ciphertext were decrypted, has a certain relation (known to the attacker) with the original plaintext. For example, his goal could be to change the ciphertext in such a way that a number given in clear text (e.g. a purchase price) is reduced. An encryption method that is against such attacks secure because an attacker at a manipulation of the ciphertext has no control over the resulting change in plain text, it is called Non-Malleable (to German non Deformable ).
• The attacker tries to generate a valid ciphertext without knowing the corresponding plaintext. If this is not possible efficiently (i.e. in polynomial time ), this property is known as plain text awareness . Only encryption methods in which the ciphertexts have a defined structure (redundancy) can have this property.

In the case of digital signatures and Message Authentication Codes (MAC), one usually considers the goal of generating a signature or a MAC for a new message. If the message can be anything, it is called Existential Forgery . If it must be possible to choose the message freely, this is called selective forgery .

Attack scenarios

In research today, cryptanalysis is mostly applied to methods whose specification is known. This corresponds to Kerckhoffs' principle , according to which the security of a procedure should only be based on the secrecy of the key. The secrecy of the algorithm ( security through obscurity ) prevents an analysis by the professional world and is therefore seen today as rather counterproductive for security. In the past, secret cryptographic procedures were repeatedly uncovered, analyzed and broken (e.g. with GSM , Mifare cards or the encryption of commercial DVDs ). Today, secret procedures are used less often, mainly in the military sector and for the protection of classified information (e.g. chiasmus or dragonfly ), as well as in closed commercial systems, e.g. B. Pay TV , access control (e.g. Mifare) or digital rights management .

A distinction is made between different attack scenarios on an encryption system (sorted by strength):

Ciphertext Only

Sometimes this method is also known as known ciphertext . The attacker knows one or more ciphertexts and tries with their help to infer the plaintext or the key.

Probable plaintext (probable plaintext)

The attacker has ciphertext and has reason to believe that it contains certain phrases or distinctive words that can be used to attempt analysis. The familiar words are called crib .

For example, the Enigma could be cracked with an initial knowledge that at the beginning the key for the rest of the message (encrypted with an unknown daily key ) was sent twice and then the date and the weather report. You could use it to reconstruct the daily key. This method is also called pattern search .

Known Plaintext

The attacker has ciphertext (s) and the associated plaintext (s). Both are used to determine the key.

A current example is the improvement, published in mid-2006, of an attack on the Wired Equivalent Privacy (WEP) protocol that has been known since 2001 , which is used to authenticate and encrypt wireless LANs . The optimized attack takes advantage of the fact that parts of the encrypted message - the headers of the 802.11 protocol - are predictable.

Chosen ciphertext (self-chosen ciphertext)

The attacker has the temporary opportunity to decrypt ciphertexts of his choice. This can be done by accessing a hardware system through a break-in; However, this also includes access to unforeseen side effects, such as various error messages after successful or unsuccessful decryption. An example of this is Bleichenbacher's attack on PKCS # 1.

With some cryptosystems , such as Rabin , he is then able to determine the secret key with which the secret texts were encrypted from the data pairs obtained .

Adaptively Chosen Ciphertext (adaptively chosen ciphertext)

Similar to the previous attack, but the attacker has access to the system for a longer period of time and can select a new crypto text for decryption after each analysis.

Chosen Text (text of your choice)

Combination of Chosen Plaintext and Chosen Ciphertext.

Adaptive Chosen Text (adaptive text of your choice)

Combination of Adaptive Chosen Plaintext and Adaptive Chosen Ciphertext.

See also

• Crib
• Depth (cryptology)
• Kiss (cryptology)
• Rubber hose cryptanalysis

literature

• David Kahn : The Codebreakers: The Comprehensive History of Secret Communication from Ancient Times to the Internet ISBN 978-0-684-83130-5
• Edgar Allan Poe : The Gold Beetle (story from 1843, in which a secret script is systematically deciphered)
• Klaus Schmeh : Code breakers versus code makers. The fascinating story of encryption . Publisher: W3l; 2nd edition, 2007, ISBN 978-3-937137-89-6
• Simon Singh : Secret Messages . ISBN 3-423-33071-6
• Douglas R. Stinson: Cryptography - Theory and Practice . ISBN 1-58488-206-9
• AJ Menezes, PC van Oorschot and SA Vanstone: Handbook of Applied Cryptography
• Mark Stamp and Richard M. Low: Applied Cryptanalysis: Breaking Ciphers in the Real World , 2007, Wiley-Interscience

Web links

• Overview and history of cryptology
• Cryptographic terms
• CrypTool - open source program for cryptography and cryptanalysis

Individual evidence