Editing Ciphertext-only attack (section)

===Examples===
*Early versions of [[Microsoft]]'s [[Point-to-point tunneling protocol|PPTP]] [[virtual private network]] software used the same [[RC4]] key for the sender and the receiver (later versions had other problems). In any case where a stream cipher like RC4 is used twice with the same key, it is open to ciphertext-only attack. ''See:'' [[stream cipher attack]]
* [[Wired Equivalent Privacy]] (WEP), the first security protocol for [[Wi-Fi]], proved vulnerable to several attacks, most of them ciphertext-only.
* GSM's [[A5/1]] and [[A5/2]]
* Some modern cipher designs have later been shown to be vulnerable to ciphertext-only attacks. For example, [[Akelarre (cipher)|Akelarre]].
* A cipher whose key space is too small is subject to [[brute force attack]] with access to nothing but ciphertext by simply trying all possible keys. All that is needed is some way to distinguish valid plaintext from random noise, which is easily done for natural languages when the ciphertext is longer than the [[unicity distance]]. One example is [[Data Encryption Standard|DES]], which only has 56-bit keys. All too common current examples are commercial security products that derive keys for otherwise impregnable ciphers like [[Advanced Encryption Standard|AES]] from a user-selected [[password]]. Since users rarely employ passwords with anything close to the [[Information entropy | entropy]] of the cipher's key space, such systems are often quite easy to break in practice using only ciphertext. The 40-bit [[Content Scramble System|CSS]] cipher used to encrypt [[DVD]] video discs can always be broken with this method, as all that is needed is to look for [[MPEG-2]] video data.