Factbites

Topic: Chosen ciphertext attack



In the News (Tue 22 Dec 09)

  
  Chosen-ciphertext attack - Wikipedia, the free encyclopedia
A chosen-ciphertext attack (CCA) is an attack model for cryptanalysis in which the cryptanalyst chooses a ciphertext and causes it to be decrypted with an unknown key.
In a non-adaptive chosen-ciphertext attack, known as an indifferent chosen-ciphertext attack ("lunchtime" attack), the adversary has access to the decryption oracle only before she chooses a specific ciphertext to attack.
An adaptive chosen-ciphertext attack ("midnight" attack) extends the previous scenario, by allowing the adversary to use the decryption oracle even after she has selected a specific ciphertext to attack (to make the attack non-trivial, the adversary is prevented from simply decrypting the target ciphertext).
en.wikipedia.org/wiki/Chosen_ciphertext_attack (610 words)

  
 RSA Security - RSAES-OAEP Dictionary
adaptive chosen ciphertext attack A chosen ciphertext attack where the adversary is allowed to send queries to a decryption oracle before as well as after she is given the challenge ciphertext (except that she is not allowed to ask for the decryption of the challenge ciphertext after she is given it).
decryption oracle An oracle decrypting ciphertexts for an adversary.
indifferent chosen ciphertext attack A chosen ciphertext attack where the adversary is not allowed to send queries to the decryption oracle after she has been given the challenge ciphertext.
www.rsasecurity.com/rsalabs/node.asp?id=2148 (1997 words)

  
 Lexias
A Cryptanalyst can mount an attack of this type in a scenario in which he or she has free use of a piece of decryption hardware, but is unable to extract the decryption key from it.
adaptive-chosen-plaintext - A special case of the chosen-plaintext attack in which the cryptanalyst is able to choose plaintexts dynamically, and alter his or her choices based on the results of previous encryptions.
See algebraic attack, birthday attack, brute force attack, chosen ciphertext attack, chosen plaintext attack, differential cryptanalysis, known plaintext attack, linear cryptanalysis, middleperson attack.
www.lexias.com/2.0/glossary1.html (447 words)

  
 CRYPTO '98: 18th Annual Cryptology Conference
His attack provides a way to attack ciphers whose round functions are approximately given by low-degree polynomials, improving on earlier work (Jakobsen and Knudsen's interpolation attack) which cryptanalyzes ciphers with round functions that are exactly given by low-degree polynomials.
Their attack does not work on SHA-1, the revised version of SHA, suggesting that the unexplained change in the US standard hash function was a correction of this weakness.
Their attack is related to the differential cryptanalysis of block ciphers, and capitalizes on a lack of diffusion in SHA-0.
www.ieee-security.org/Cipher/ConfReports/conf-rep-crypto98.html (3137 words)

  
 Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS1 - Bleichenbacher (ResearchIndex)
We show that an RSA private-key operation can be performed if the attacker has access to an oracle that, for any chosen ciphertext, returns only one bit telling whether the ciphertext corresponds to some unknown block of data encrypted using PKCS #1.
Chosen Ciphertext Attacks Against Protocols Based on The RSA Encryption Standard PKCS#1.
Using the Fluhrer, Mantin, and Shamir Attack to Break WEP - Stubblefield, Ioannidis..
citeseer.ist.psu.edu/bleichenbacher98chosen.html (496 words)

  
 Using Java and Linux to crack the DES challenge LG #46
Known plaintext attack: in this case, both the ciphertext and the plaintext of one or several messages are available to the cryptanalyst.
Chosen ciphertext attack: for a symmetric cipher it's similar to the chosen plaintext attack.
Chosen key or brute force attack: consists in the exhaustive search of all the possible keys, decrypting the ciphertext with each one of the keys and trying to obtain an intelligible result.
linuxgazette.net/issue46/serrao.html (3893 words)

  
 11th Annual USENIX Security Symposium — Technical Paper
Mirroring the side-channel attacks of Bleichenbacher [Ble98] and Manger [Man01] on asymmetric schemes, he showed that symmetric encryption methods are just as vulnerable to side-channel weaknesses when an adversary is able to distinguish between valid and invalid ciphertexts.
Also in [Bel96], an attack (very similar to the attacks in this paper) is described which recovers plaintext bits by sending altered ciphertexts to a TCP peer which then acts as a validity oracle for each packet by either dropping it or returning an ACK for it.
However, each attack we examined depended on the adversary's ability to freely and predictably alter bits of the plaintext via manipulation of the ciphertext, and this ability was granted by each of the symmetric encryption schemes considered.
www.usenix.org/events/sec02/full_papers/black/black_html/index.html (6117 words)

  
RFC 3218: Preventing the Million Message Attack on CMS (Rescorla, Informational, January 2002)
This attack, called the Million Message Attack, allowed the recovery of a single PKCS-1 encrypted block, provided that the attacker could convince the receiver to act as a particular kind of oracle.
Note that a lower cost attack would be to exhaustively search the CEK space by trial-decrypting the content and examining the plaintext to see if it appears reasonable.
The attacker first captures the ciphertext in transit and then uses the recipient as an oracle to recover the plaintext by sending transformed versions of the ciphertext and observing the recipient's response.
www.ietf.org/rfc/rfc3218.txt (1872 words)

  
 nCipher - Glossary
A special case of the chosen-plaintext attack in which the cryptanalyst is able to choose plaintexts dynamically, and alter his or her choices based on the results of previous encryptions.
An attack where the cryptanalyst may choose the ciphertext to be decrypted.
The ciphertext may be read by anyone who has the key that decrypts (undoes the encryption of) the ciphertext.
www.ncipher.com/company/investor_relations/glossary.php (4722 words)

  
 Adaptive chosen-ciphertext attack - Wikipedia, the free encyclopedia
An adaptive-chosen-ciphertext attack (abbreviated as CCA2) is an interactive form of chosen-ciphertext attack in which an attacker sends a number of ciphertexts to be decrypted, then uses the results of these decryptions to select subsequent ciphertexts.
It is to be distinguished from an indifferent-chosen-ciphertext attack (CCA1).
Adaptive-chosen-ciphertext attacks were largely considered to be a theoretical concern until 1998, when Daniel Bleichenbacher of Bell Laboratories demonstrated a practical attack against systems using RSA encryption in concert with the PKCS #1 v1 encoding function, including a version of the Secure Socket Layer (SSL) Protocol used by thousands of web servers at the time.
en.wikipedia.org/wiki/Adaptive_chosen_ciphertext_attack (355 words)

  
 Cryptography
By current cryptographic standards, a good cryptosystem must resist attacks which permit both plaintext and ciphertext to be chosen, and according to any strategy preferred by the cryptanalyst.
While a fair amount of ciphertext might be required in a passive ciphertext-only attack before the key is guessed, a ciphertext-plaintext pair for a single letter reveals the key in any other attack.
To decrypt the ciphertext, the system is inverse iterated the same number of time steps as were used in encryption, recovering the plaintext as a state of the system.
www.santafe.edu/~hag/complex2/node3.html (2619 words)

  
 Adaptive chosen plaintext and chosen ciphertext attack - Wikipedia, the free encyclopedia
In cryptography, an adaptive chosen plaintext attack and chosen ciphertext attack is one in which the attacker can choose both plaintexts to be encrypted and ciphertexts to be decrypted, and can do so interactively, basing one query on the results of the previous.
It combines the capabilities of an adaptive chosen plaintext and an adaptive chosen ciphertext attack.
Two attacks of this type are the yoyo game and boomerang attacks on block ciphers.
en.wikipedia.org/wiki/Adaptive_chosen_plaintext_and_chosen_ciphertext_attack (140 words)

  
 ISO - International Organization for Standardization
An encryption algorithm is applied to data (often called plaintext or cleartext) to yield encrypted data (or ciphertext); this process is known as encryption.
Such a scheme should be secure in the sense that no information about the message should be leaked to a (resource-bounded) attacker, even if that attacker mounts a so-called 'chosen ciphertext' attack, in which he may obtain decryptions of other ciphertexts.
This is the strongest type of attack that has been proposed for a public-key encryption scheme.
www.iso.ch/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=37971 (239 words)

  
 Implementation of Chosen-Ciphertext Attacks Against PGP and GnuPG
ABSTRACT: We recently noted that PGP and other e-mail encryption protocols are, in theory, highly vulnerable to chosen-ciphertext attacks in which the recipient of the e-mail acts as an unwitting "decryption oracle." We argued further that such attacks are quite feasible and therefore represent a serious concern.
Interestingly, the attacks are unsuccessful for largely fortuitous reasons; resistance to these attacks does not seem due to any conscious effort made to prevent them.
Based on our work, we discuss those instances in which chosen-ciphertext attacks do indeed represent an important threat and hence must be taken into account in order to maintain confidentiality.
www.counterpane.com/pgp-attack.html (240 words)

  
 IBM Research | Research Areas | Security
The ability of a system to react consistently and correctly to situations ranging from benign but unusual events to outright attacks is key to the achievement of the goals of self-protection, self-healing, and self-optimization.
However, prior to the results presented here, there appeared to be no practical threshold cryptosystems in the literature that were provably chosen-ciphertext secure, even in the idealized random oracle model.
The contribution of this paper is to present two very practical threshold cryptosystems, and to prove that they are secure against chosen ciphertext attack in the random oracle model.
www.research.ibm.com/compsci/spotlight/security/papers.html (726 words)

  
 Kryptographie FAQ: Frage 63: At What Point Does an Attack Become Practical?
The cryptanalyst chooses the plaintext to be encrypted and analyzes the plaintext together with the resultant ciphertext to derive the secret key.
A known plaintext attack is more useful to the cryptanalyst than a chosen plaintext attack (with the same amount of data) since the cryptanalyst now requires a certain number of plaintexts and their corresponding ciphertexts without specifying the values of the plaintexts.
In such an attack, the cryptanalyst merely intercepts a number of encrypted messages and subsequent analysis somehow reveals the key used for encryption.
www.iks-jena.de/mitarb/lutz/security/cryptfaq/q63.html (370 words)

  
 US-CERT Vulnerability Note VU#303094
The attack takes advantage of an integrity check feature that is intended to save time by aborting futile and possibly lengthy decryption attempts.
This reduces the viability of the attack against a human user because very few people are willing to attempt to decrypt the same message over 32,000 times.
However, this attack is feasible against server-based implementations of OpenPGP, where it might be possible to make repeated decryption attempts against an automated system without being detected.
www.kb.cert.org/vuls/id/303094 (488 words)

  
 Chosen-Ciphertext Attack
A chosen ciphertext attack is an attack on a cryptosystem in which the cryptanalyst chooses ciphertext and causes it to be decrypted with an unknown key.
For a self-synchronizing stream cipher, a chosen ciphertext attack can be useful as the key used to encipher each byte depends on the previous ciphertext.
It is possible to use a chosen ciphertext attack to get an arbitrary message signed with RSA, if messages are signed without hashing.
www.javvin.com/networksecurity/ChosenCiphertextAttack.html (83 words)

  
 Side-Channel Attacks on Symmetric Encryption Schemes: The Case for Authenticated Encryption
Vaudenay recently demonstrated side-channel attacks on a common encryption scheme, CBC Mode encryption, exploiting a "valid padding" oracle [Vau02].
A cryptographic relay is a device which accepts ciphertext under one scheme and outputs ciphertext under another (usually with a different key).
Nor will he be able to combine two ciphertexts to produce a new valid ciphertext.
www.cs.colorado.edu/~jrblack/papers/padding.html (6099 words)

  
 PGP / GnuPG Chosen Ciphertext Message Disclosure Vulnerability
The weakness is based on a form of chosen ciphertext attack.
A user of the vulnerable software must be enticed into decrypting a modified version of a valid message, which has been prepared by the attacker.
The user must then disclose the results of this decryption to the attacker, possibly as the result of social engineering.
www.securityfocus.com/bid/5446/discuss (189 words)

  
 Security: Case Studies
The scheme is quite practical, and is provably secure against adaptive chosen ciphertext attack under standard intractability assumptions.
In this paper, we present and analyze a new public key cryptosystem that is provably secure against adaptive chosen ciphertext attack.
The scheme is quite practical, requiring just a few exponentiations over a group.
www-3.ibm.com/security/library/wp_cryptoprov.shtml (102 words)

  
 TCS - Formal Methods Forum
However, in many contexts a stronger notion of security is needed, namely, even a more powerful adversary who is allowed to decrypt arbitrary ciphertexts other than the one it is challenged on should be unable to gain any information about the corresponding plaintext.
This type of attack is called a chosen-ciphertext attack (CCA).
The first public-key encryption scheme provably secure against adaptive chosen-ciphertext attack was given in the pioneering work of Dolev, Dwork, and Naor.
www.tcs.hut.fi/Current/TCSF/fm-a2002.shtml (1632 words)

  
 PGP Flaw Leaves E-mails Vulnerable
The researchers found the flaw in both PGP and GnuPG but noted that the attacks largely failed when data is compressed before encryption.
While the flaw is described as "serious," the researchers found it was very difficult to exploit and urged users of PGP to avoid including full text of messages when replying.
This is important not only for protection against chosen ciphertext attacks -- integrity protection is useless if the user is not warned when it has been violated," the company said.
www.internetnews.com/infra/article.php/1444351 (681 words)

  
 A Chosen Ciphertext Attack against Several E-Mail Encryption Protocols
We point out a potentially serious security hole in these protocols: any encrypted message can be decrypted using a one-message, adaptive chosen-ciphertext attack.
Although such attacks have been formalized mainly for theoretical interest, we argue that they are feasible in the networked systems in which these e-mail protocols are used.
www.schneier.com/paper-chotext.html (141 words)

  
 A Practical Public Key Cryptosystem Provably Secure against Adaptive Chosen Ciphertext Attack - Cramer, Shoup ...
Abstract: A new public key cryptosystem is presented that is provably secure against adaptive chosen ciphertext attack.
A Note on Bounded Chosen Ciphertext Security from Black-box Semantical Security
Ronald Cramer and V. Shoup, "A Practical Public Key Cryptosystem Provably Secure against Adaptive Chosen Ciphertext Attack", Advances in Cryptology - CRYPTO'98 Proceedings, Lecture Notes in Computer Science Vol.
citeseer.ist.psu.edu/cramer98practical.html (499 words)

  
 Cryptology
The type of observations on and manipulations of the cryptosystem which are allowed the cryptanalyst determine the mode of attack.
Again, cryptology has progressed to the point where cryptosystems susceptible to a known-plaintext attack hold little interest.
The reader unfamiliar with these concepts should take a moment to consider the cryptanalysis of the so-called Caesar cipher, reputed to have been used by Caesar to communicate with his troops.
www.santafe.edu/~hag/crypto/node3.html (683 words)

  
 ISS X-Force Database: openpgp-information-disclosure(19312): OpenPGP CFB mode information disclosure
A remote attacker could use a ciphertext attack against the cipher feedback (CFB) mode using the quick check feature to obtain sensitive information in plain text.
Cryptology ePrint Archive: Report 2005/033, An Attack on CFB Mode Encryption As Used By OpenPGP at http://eprint.iacr.org/2005/033.
SecurityTracker Alert ID: 1013166, OpenPGP CFB Mode Is Subject to Adaptive Chosen-Plaintext Attacks at http://www.securitytracker.com/alerts/2005/Feb/1013166.html.
xforce.iss.net/xforce/xfdb/19312 (364 words)

  
 OpenPGP Cipher Feedback Mode Chosen-Ciphertext Partial Plaintext Retrieval Vulnerability
OpenPGP is reported prone to a vulnerability that may theoretically allow attackers to retrieve partial plaintexts from encrypted OpenPGP messages.
It is reported that a proof of concept chosen-ciphertext attack method has been developed that exploits a flaw in OpenPGP to retrieve partial plaintexts from OpenPGP messages encrypted with symmetric encryption.
The attack is also limited in the amount of information that can be disclosed from an encrypted message.
www.securityfocus.com/bid/12529/discuss (158 words)

Copyright © 2005-2007 www.factbites.com Usage implies agreement with terms.