Can someone please explain - using a simple example - how a chosen ciphertext attack works?
2 Answers
In a chosen-ciphertext attack, the attacker is assumed to have a way to trick someone who knows the secret key into decrypting arbitrary message blocks and telling him the result. The attacker can choose some arbitrary nonsense as an "encrypted message" and ask to see the (usually) different nonsense it decrypts to, and he can do this a number of times.
Having this capability obviously already allows the attacker to read an intercepted message, since he can just ask to have it decrypted. But in this attack his goal is more ambitious than that: he wants to deduce what the secret key is, such that he can encrypt messages himself, and also keep decrypting after his access to having things decrypted for him vanishes.
The attack is successful if an attacker has a significant chance of being able to deduce the key after having "relatively few" blocks decrypted and without doing so much work himself that he could just as well have brute-forced it.
The term "chosen-ciphertext attack" does not in itself say anything about how the attacker chooses the nonsense blocks he asks to have decrypted, or what kind of computations he does in order to recover the key from the responses.
As a concrete example, suppose General A is sending messages to General B using a Vigenère cipher with an unknown key. The enemy is somehow able to intercept a message and replace it with some completely random letters of his own choosing, say NLLCJOVFXXHMLY. General B decrypts this and gets AKRUWNBXKWNEYX which is nonsense. Bemused, and not thinking this nonsense is worth keeping secret, he picks up a non-secure phone and calls General A: "What the hell do you mean with AKRUWNBXKWNEYX? Did they change the key without telling me?" But the enemy is eavesdropping on the line and now knows that NLLCJOVFXXHMLY decrypts to AKRUWNBXKWNEYX. He can then subtract the two sets of nonsense to get MATHMATHMATHMA, and now he knows the key.
(In this example, getting a single message decrypted was enough for the attacker to learn the key. In general one also considers attacks where the attacker needs to query for multiple messages, perhaps using the response to one somehow to construct the next one).
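The General A / General B scenario from the answer above, worked through in code as an added example (this is not part of the original answer). Letters are numbered A=1 .. Z=26 because that is the convention under which the answer's own values come out exactly: NLLCJOVFXXHMLY decrypts under MATH to AKRUWNBXKWNEYX, and subtracting the two gives MATHMATHMATHMA. The oracle function, the `shortest_period` helper and the intercepted message "ATTACKATDAWN" are constructed for this illustration.

```python
# Added example, not from the answer: the Vigenère chosen-ciphertext attack in code.
# Letter numbering A=1 .. Z=26 reproduces the answer's strings exactly; with A=0 the
# attack is identical, only the example strings would differ.

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"

def _val(ch: str) -> int:
    """Letter to number, A=1 .. Z=26."""
    return ALPHABET.index(ch) + 1

def _chr(v: int) -> str:
    """Number to letter, wrapping modulo 26 (0 and 26 both map to Z)."""
    return ALPHABET[(v - 1) % 26]

def vigenere_encrypt(plaintext: str, key: str) -> str:
    """Ciphertext letter = plaintext letter + key letter (key repeated)."""
    return "".join(_chr(_val(p) + _val(key[i % len(key)])) for i, p in enumerate(plaintext))

def vigenere_decrypt(ciphertext: str, key: str) -> str:
    """Plaintext letter = ciphertext letter - key letter (key repeated)."""
    return "".join(_chr(_val(c) - _val(key[i % len(key)])) for i, c in enumerate(ciphertext))

def recover_keystream(chosen_ciphertext: str, oracle_plaintext: str) -> str:
    """Ciphertext minus plaintext, letter by letter: the key stream that was applied."""
    return "".join(_chr(_val(c) - _val(p)) for c, p in zip(chosen_ciphertext, oracle_plaintext))

def shortest_period(stream: str) -> str:
    """Smallest repeating unit of the key stream, i.e. the Vigenère key itself
    (constructed helper; needs the chosen ciphertext to be longer than the key)."""
    for p in range(1, len(stream) + 1):
        if all(stream[i] == stream[i - p] for i in range(p, len(stream))):
            return stream[:p]
    return stream

def chosen_ciphertext_attack(decryption_oracle, chosen_ciphertext: str) -> str:
    """General B's phone call, modelled as a decryption oracle queried once."""
    leaked_plaintext = decryption_oracle(chosen_ciphertext)
    return shortest_period(recover_keystream(chosen_ciphertext, leaked_plaintext))

def demo() -> dict:
    secret_key = "MATH"  # known only to the Generals; the attacker never reads this variable
    oracle = lambda c: vigenere_decrypt(c, secret_key)
    chosen = "NLLCJOVFXXHMLY"  # the random letters from the answer
    recovered_key = chosen_ciphertext_attack(oracle, chosen)
    # A constructed intercepted message, readable afterwards without any oracle access.
    intercepted = vigenere_encrypt("ATTACKATDAWN", secret_key)
    return {
        "oracle_answer": oracle(chosen),
        "recovered_key": recovered_key,
        "intercepted_decrypted": vigenere_decrypt(intercepted, recovered_key),
    }

if __name__ == "__main__":
    print(demo())
```

The single oracle query leaks 14 key-stream letters, so `shortest_period` finds the 4-letter key with room to spare; a key longer than the chosen ciphertext would only be partially recovered, which is the "relatively few blocks" condition from the answer made concrete.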
Another variant (besides the ones explained by Henning), which I also would call a chosen-ciphertext attack, is one where the attacker doesn't get the whole plaintext corresponding to his chosen ciphertext, but only a result like "valid" or "not valid", i.e. he has a validation oracle, with some useful definition of "valid". The goal is to decrypt some message captured before.
One example where this is used is the recently discovered weakness in XML encryption, when used for Web services.
For security proofs we usually have some attack model which exactly specifies what the attacker can do, and what its goal is. One example is IND-CCA/IND-CCA2, where the attacker can use an encryption oracle and a decryption oracle, then submits two plaintexts (neither of which may have been encrypted before), gets the ciphertext to one of them back and tries to guess which one it was. In the adaptive variant IND-CCA2, the attacker is also allowed to use more decryption oracle calls (other than the challenge ciphertext) after getting the challenge; in the non-adaptive case only more encryptions are allowed.
(In general, we want our algorithms/protocols to be secure also in the case of chosen-ciphertext attacks.)
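The IND-CCA2 game described in the answer above, played out in code as an added example (not part of the original answer). The challenger enforces the rules as stated: an encryption oracle, a decryption oracle, two equal-length challenge plaintexts that were never sent to the encryption oracle, and adaptive decryption queries afterwards for anything except the challenge ciphertext itself. The cipher it is played against is a constructed toy stream cipher (SHA-256 keystream, fresh nonce per message): randomised, so a single encryption query tells the attacker nothing, but malleable, which is what the adaptive decryption query turns into a guaranteed win. The `Challenger` class, the cipher and the two messages are all assumptions of this illustration.

```python
# Added example, not from the answer: an IND-CCA2 game against a constructed
# malleable toy cipher. Everything here is an illustration, not a real library API.
import hashlib
import secrets

NONCE_LEN = 12

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256(key || nonce || counter) blocks, concatenated."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def encrypt(key: bytes, m: bytes) -> bytes:
    """nonce || (m XOR keystream). Randomised, but XOR makes it malleable."""
    nonce = secrets.token_bytes(NONCE_LEN)
    return nonce + bytes(a ^ b for a, b in zip(m, _keystream(key, nonce, len(m))))

def decrypt(key: bytes, c: bytes) -> bytes:
    nonce, body = c[:NONCE_LEN], c[NONCE_LEN:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))

class Challenger:
    """One IND-CCA2 game: encryption oracle, decryption oracle, challenge, guess."""

    def __init__(self):
        self.key = secrets.token_bytes(16)
        self.b = secrets.randbelow(2)   # the hidden bit the adversary must guess
        self.challenge = None
        self.encrypted_before = set()   # plaintexts already sent to the encryption oracle

    def encrypt_oracle(self, m: bytes) -> bytes:
        self.encrypted_before.add(m)
        return encrypt(self.key, m)

    def decrypt_oracle(self, c: bytes) -> bytes:
        # Adaptive (CCA2) rule: anything may be decrypted except the challenge itself.
        if c == self.challenge:
            raise ValueError("decryption of the challenge ciphertext is not allowed")
        return decrypt(self.key, c)

    def challenge_oracle(self, m0: bytes, m1: bytes) -> bytes:
        if self.challenge is not None or len(m0) != len(m1):
            raise ValueError("one challenge per game, on two equal-length plaintexts")
        if m0 in self.encrypted_before or m1 in self.encrypted_before:
            raise ValueError("challenge plaintexts must not have been encrypted before")
        self.challenge = encrypt(self.key, m1 if self.b else m0)
        return self.challenge

    def is_correct(self, guess: int) -> bool:
        return guess == self.b

def malleability_adversary(ch: Challenger) -> int:
    """Wins every game: modify the challenge, decrypt the modified copy, undo the change."""
    m0, m1 = b"attack at dawn!!", b"retreat at noon!"   # constructed, equal length
    c_star = ch.challenge_oracle(m0, m1)
    # Flip one bit of the ciphertext body. The result differs from c_star, so the
    # oracle is obliged to answer; the same bit is flipped in the plaintext it returns.
    c_mod = c_star[:-1] + bytes([c_star[-1] ^ 0x01])
    p_mod = ch.decrypt_oracle(c_mod)
    recovered = p_mod[:-1] + bytes([p_mod[-1] ^ 0x01])
    return 0 if recovered == m0 else 1

def play_ind_cca2(adversary, trials: int = 32) -> int:
    """Games won out of `trials`; about trials/2 would mean no advantage at all."""
    return sum(ch.is_correct(adversary(ch)) for ch in (Challenger() for _ in range(trials)))

if __name__ == "__main__":
    print(f"malleability adversary wins {play_ind_cca2(malleability_adversary)} / 32 games")
```

The same attacker loses as soon as the decryption oracle checks an authentication tag before decrypting: the modified ciphertext is rejected and the oracle returns nothing but "not valid", which is the validation-oracle setting from the start of this answer, and why schemes aiming for IND-CCA2 security use authenticated encryption rather than a bare stream cipher.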