Ciphertext-only attack
{{Short description|Attack model in cryptanalysis}}
{{multiple|
{{no footnotes|date=May 2016}}
{{refimprove|date=May 2016}}
}}
In [[cryptography]], a '''ciphertext-only attack''' ('''COA''') or '''known ciphertext attack''' is an [[attack model]] for [[cryptanalysis]] where the attacker is assumed to have access only to a set of [[ciphertext]]s. While the attacker has no channel providing access to the plaintext prior to encryption, in all practical ciphertext-only attacks, the attacker still has some knowledge of the plaintext. For instance, the attacker might know the language in which the plaintext is written or the expected statistical distribution of characters in the plaintext. Standard protocol data and messages are commonly part of the plaintext in many deployed systems, and can usually be guessed or known efficiently as part of a ciphertext-only attack on these systems.

==Attack==
The attack is completely successful if the corresponding [[plaintext]]s can be deduced, or even better, the [[key (cryptography)|key]]. The ability to obtain any information at all about the underlying plaintext beyond what was pre-known to the attacker is still considered a success. For example, if an adversary is sending ciphertext continuously to maintain [[traffic-flow security]], it would be very useful to be able to distinguish real messages from nulls. Even making an informed guess of the existence of real messages would facilitate [[traffic analysis]].

In the [[history of cryptography]], early ciphers, implemented using pen-and-paper, were routinely broken using ciphertexts alone. Cryptographers developed statistical techniques for attacking ciphertext, such as [[frequency analysis (cryptanalysis)|frequency analysis]].
Mechanical encryption devices such as [[Enigma (machine)|Enigma]] made these attacks much more difficult (although, historically, Polish cryptographers were able to mount a successful ciphertext-only [[cryptanalysis of the Enigma]] by exploiting an insecure protocol for indicating the message settings). More advanced ciphertext-only attacks on the Enigma were mounted in [[Bletchley Park]] during [[World War II]], by intelligently guessing plaintexts corresponding to intercepted ciphertexts.

==Modern==
Every modern [[cipher]] attempts to provide protection against ciphertext-only attacks. The vetting process for a new cipher design standard usually takes many years and includes exhaustive testing of large quantities of ciphertext for any statistical departure from random noise. ''See:'' [[Advanced Encryption Standard process]]. Also, the field of [[steganography]] evolved, in part, to develop methods like [[mimic function]]s that allow one piece of data to adopt the statistical profile of another. Nonetheless, poor cipher usage or reliance on home-grown proprietary algorithms that have not been subject to thorough scrutiny has resulted in many computer-age encryption systems that are still subject to ciphertext-only attack. Examples include:

===Examples===
* Early versions of [[Microsoft]]'s [[Point-to-point tunneling protocol|PPTP]] [[virtual private network]] software used the same [[RC4]] key for the sender and the receiver (later versions had other problems). In any case where a stream cipher like RC4 is used twice with the same key, it is open to ciphertext-only attack. ''See:'' [[stream cipher attack]]
* [[Wired Equivalent Privacy]] (WEP), the first security protocol for [[Wi-Fi]], proved vulnerable to several attacks, most of them ciphertext-only.
* GSM's [[A5/1]] and [[A5/2]]
* Some modern cipher designs have later been shown to be vulnerable to ciphertext-only attacks. For example, [[Akelarre (cipher)|Akelarre]].
* A cipher whose key space is too small is subject to [[brute force attack]] with access to nothing but ciphertext by simply trying all possible keys. All that is needed is some way to distinguish valid plaintext from random noise, which is easily done for natural languages when the ciphertext is longer than the [[unicity distance]]. One example is [[Data Encryption Standard|DES]], which only has 56-bit keys. All too common current examples are commercial security products that derive keys for otherwise impregnable ciphers like [[Advanced Encryption Standard|AES]] from a user-selected [[password]]. Since users rarely employ passwords with anything close to the [[Information entropy|entropy]] of the cipher's key space, such systems are often quite easy to break in practice using only ciphertext. The 40-bit [[Content Scramble System|CSS]] cipher used to encrypt [[DVD]] video discs can always be broken with this method, as all that is needed is to look for [[MPEG-2]] video data.

==References==
* [[Alex Biryukov]] and Eyal Kushilevitz, From Differential Cryptanalysis to Ciphertext-Only Attacks, [[CRYPTO]] 1998, pp. 72–88.

[[Category:Cryptographic attacks]]
{{Attack models in cryptanalysis|state=expanded}}
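
Added example (not part of the original article): the PPTP item in the examples list says a stream cipher such as RC4 used twice with the same key is open to ciphertext-only attack, and the lead notes that standard protocol data in the plaintext can usually be guessed. The sketch below shows both with a textbook RC4; the keys, the two messages and the helper names are constructed for illustration.

```python
# Added illustration: RC4 keystream reuse. Keys and messages are constructed samples.

def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4; encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm (KSA)
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:  # keystream generation (PRGA), XORed into the data
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))

def leaked_by_reuse(c1: bytes, c2: bytes, guessed_p1_prefix: bytes) -> bytes:
    """c1 ^ c2 == p1 ^ p2 when the keystream repeats, so a predictable
    prefix of p1 yields the same-position bytes of p2 with no key."""
    return xor(xor(c1, c2), guessed_p1_prefix)

# Constructed sample traffic: one message per direction of a session.
P_CLIENT = b"HELLO server, protocol v1; user=alice"
P_SERVER = b"BALANCE 1024.00 EUR; account=7731"

def same_key_both_directions():
    key = b"constructed-shared-key"
    return rc4(key, P_CLIENT), rc4(key, P_SERVER)

def separate_key_per_direction():
    return rc4(b"constructed-key-c2s", P_CLIENT), rc4(b"constructed-key-s2c", P_SERVER)

if __name__ == "__main__":
    c1, c2 = same_key_both_directions()
    print("key cancels out:", xor(c1, c2) == xor(P_CLIENT, P_SERVER))
    print("leaked bytes:", leaked_by_reuse(c1, c2, b"HELLO server"))
    d1, d2 = separate_key_per_direction()
    print("distinct keys:", leaked_by_reuse(d1, d2, b"HELLO server"))
```

With one key per direction the XOR of the two ciphertexts no longer cancels the keystream, which is why protocols derive separate keys (or unique nonces) for each direction and each message.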