Cryptographic Attacks
Cryptography is easy to implement badly, and doing so can give you a false sense of security.
- a big mistake when implementing cryptography in your applications is to develop your own cryptographic scheme
Cryptographic attacks aim to:
- disclose one or several plaintexts associated with known ciphertexts
- forge a tag or a signature without knowledge of the secret key
- recover the secret key
- infer a partial internal state of the cipher
  - e.g. a round key used in a block cipher, or a fragment of the keystream of a stream cipher
Malleability is the ability to transform a ciphertext into a different ciphertext that will produce a new and different plaintext when decrypted on the recipient side.
- it is also the ability to transform data, while keeping the same tag or signature, so that the recipient considers the data authentic when it is not
- it is an undesired property
Types of Attacks
- Cryptanalysis Attacks
- Fault Injection Attacks
- Social Engineering Attacks
Attacks Against Cryptographic Algorithms
Cryptanalysis Attacks
- Categorized according to 2 criteria:
  - What information is available to attackers?
  - What techniques are used to design the attacks?
Category 1
- a common way to classify attacks is by the kind of information available to attackers
- ciphertexts or plaintexts become available by:
  - intercepting messages in transit
  - or accessing storage devices containing encrypted and signed files
- the more information collected, the higher the probability of attack success
Kinds of Attacks
- Ciphertext Only Attack (COA)
  - attacker has access to a subset or all of the ciphertexts
  - no access to plaintexts
  - attacker tries to:
    - disclose some or all plaintexts from the known ciphertexts
    - or to recover the encryption key
  - this situation is more likely to arise than a known plaintext one, but it is the most difficult to exploit
  - successful if the corresponding plaintexts can be deduced, or the key is recovered
- Known Plaintext Attack (KPA)
  - attacker has access to a limited number of plaintexts and the corresponding ciphertexts
  - then uses this information to try to ascertain something about the key used
  - different methods (such as linear cryptanalysis) can be used to guide the key search
- Chosen Plaintext Attack (CPA)
  - attacker obtains the ciphertexts corresponding to a set of plaintexts of their own choosing
  - can allow the attacker to derive the key used and thus decrypt other messages
  - assumes the attacker has access to a black box (called an oracle) which implements or emulates the algorithm to be analyzed
  - attacker randomly chooses some plaintexts and queries the oracle to process them
  - returned results may be ciphertexts or signatures
  - attacker then makes use of the collected plaintext-ciphertext pairs in order to:
    - recover the key
    - or generate message digests without knowing the key
  - adaptive CPA is a variant of CPA
    - attacker selects the subsequent plaintexts to be processed by the oracle, depending on what has been learned from previous queries
- Chosen Ciphertext Attack (CCA)
  - assumes that the attacker has access to an oracle which implements or emulates the algorithm to be analyzed
  - attacker randomly chooses some ciphertexts or message tags and queries the oracle to process them
  - returned results may be plaintexts or signature validation results
  - attacker makes use of the collected plaintext-ciphertext pairs to recover the key
  - adaptive CCA is a variant of CCA
    - attacker selects the subsequent ciphertexts to be processed by the oracle, depending on what has been learned from previous queries
- Related Key Attack (KRA)
  - similar to a chosen plaintext attack, except that the attacker can obtain ciphertexts encrypted under two different keys
  - very useful if you can obtain plaintext and matching ciphertext
  - attacker has access to a set of ciphertexts produced for the same plaintext, using two or several unknown keys
    - e.g. the attacker intercepted the traffic generated in several sessions; in each session, a new key is used to encrypt a subset of plaintexts known to the attacker
  - attacker knows that the keys have some mathematical relationship
  - tries to infer the key currently in use from known plaintext-ciphertext pairs and the relationships between keys
  - is unrealistic against many algorithms because key generation does not yield keys that have linear relationships
Category 2
- refers to how the available information is processed to perform attacks
Kinds of Attacks
- Brute Force Attack
- Birthday Attack
- Meet-in-the-Middle Attack
- Man-in-the-Middle Attack (On-Path)
- Dictionary Attack
- Replay Attack
- Bit-Flipping Attack
- Frequency Analysis Attack
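The malleability property defined above and the bit-flipping attack listed here, shown together in an added example (not part of the original notes): a toy XOR stream cipher constructed for illustration, a ciphertext modified in transit that decrypts to a different plaintext without any knowledge of the key, and an HMAC tag (encrypt-then-MAC) that lets the recipient reject the modified message. The keys, nonce and message are constructed values.

```python
import hashlib
import hmac

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy counter-mode keystream, SHA-256(key || nonce || counter), constructed
    # for illustration only; it stands in for any unauthenticated stream/CTR mode.
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    # XOR with the keystream: each ciphertext bit maps to exactly one plaintext bit,
    # which is what makes the ciphertext malleable.
    ks = keystream(key, nonce, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))

decrypt = encrypt  # XOR is its own inverse

def tag(mac_key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    # Encrypt-then-MAC: the tag covers nonce and ciphertext, so any change is detected.
    return hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()

def decrypt_and_verify(enc_key, mac_key, nonce, ciphertext, tag_value):
    # Recipient-side check; constant-time comparison avoids a timing side channel.
    if not hmac.compare_digest(tag(mac_key, nonce, ciphertext), tag_value):
        return None  # reject: the ciphertext was modified in transit
    return decrypt(enc_key, nonce, ciphertext)

def demo():
    enc_key, mac_key, nonce = b"k" * 32, b"m" * 32, b"n" * 12  # constructed values
    msg = b"PAY 0100 TO ALICE"
    ct = encrypt(enc_key, nonce, msg)
    t = tag(mac_key, nonce, ct)
    # An on-path party XORs bytes 4..7 of the ciphertext with ("0100" XOR "9900").
    # Without the tag, the recipient decrypts a different amount and cannot tell.
    delta = bytes(a ^ b for a, b in zip(b"0100", b"9900"))
    tampered = ct[:4] + bytes(c ^ d for c, d in zip(ct[4:8], delta)) + ct[8:]
    malleable = decrypt(enc_key, nonce, tampered)                          # b"PAY 9900 TO ALICE"
    rejected = decrypt_and_verify(enc_key, mac_key, nonce, tampered, t)   # None
    accepted = decrypt_and_verify(enc_key, mac_key, nonce, ct, t)         # original msg
    return malleable, rejected, accepted

if __name__ == "__main__":
    print(demo())
```

The same check is what an AEAD mode such as AES-GCM performs internally, which is why unauthenticated stream or CTR encryption should not be used on its own.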
Implementation Attacks
Implementation attacks are not performed against the design of cryptographic algorithms but against their implementation.
- difficult to perform
Side-Channel Attacks
- are passive and non-invasive
- hard for the attacked system to detect
- exploit the information leakage related to cryptographic device internals through side channels
Kinds
Fault Injection Attacks
Fault injection attacks rely on specialized hardware (e.g. a laser beam) to inject faults into devices during the execution of a cryptographic algorithm.
- generally invasive
- attacks
  - voltage and clock frequency attacks
- e.g.
  - attacker can inject faults to disturb the last round of a block cipher or to erase data currently in use by the algorithm
  - then observes the outputs of the device and derives useful information to recover a key or other data
Practicality of Cryptanalysis Attacks
- most of these attacks are highly academic
- are performed against weakened versions of cryptographic algorithms
- often involve quite unrealistic assumptions
  - availability of an oracle that implements or emulates the algorithm to attack
  - some assume the algorithms do not comply with standards
- attacks considered computationally infeasible could become feasible with quantum computers
  - e.g. recovery of an RSA private key
Remediation
- Avoid using your own cryptography
- Use well-known, validated algorithms
  - e.g. AES, RSA
