Cryptography Reference
In-Depth Information
risk assessment
. If we underestimate an attacker's capabilities then the resulting
security might be inadequate. It thus makes sense to be slightly conservative and
take a 'worst-case' view.
In cryptography there are three standard assumptions that are normally made
concerning an attacker's ability. These are that the attacker knows:
All ciphertexts sent using the cryptosystem
. It is entirely reasonable to assume
that an attacker has access to all the ciphertexts sent using the cryptosystem.
These are not hidden from public view by the encryption process.
Some corresponding pairs of plaintexts and ciphertexts
. At first glance, this
might not seem such an obvious assumption to make, however, there are many
circumstances where an attacker could have access to corresponding pairs of
plaintexts and ciphertexts. Just some possible scenarios are:
• The receiver has been careless in failing to keepdecrypted ciphertexts secret.
• The attacker has intelligently guessed some predictable plaintexts. A good
example is predictable document headers.
• The attacker has been able to influence the choice of plaintexts encrypted
by the sender.
• The attacker has (temporary) access to either the encryption or decryption
device. Note that this does not imply that the attacker knows the encryption
or decryption key. The keys might be embedded in secure hardware and
the attacker only has access to the interface of the machine that conducts
the encryption (decryption) process. Obviously, we assume that the attacker
does not have permanent access to the decryption device, otherwise they
are in a very strong position!
• We are using a public-key cryptosystem where the encryption key is
known to any potential attacker. Thus an attacker can generate pairs of
corresponding plaintexts and ciphertexts at their leisure.
The details of the encryption algorithm
. This is the standard assumption that
sometimes causes the most confusion. We consider this issue in Section 1.5.3.
1.5.2
Theoretical attack models
Simple attacks on cryptosystems have historically been classified using the
following terminology:
ciphertext-only attacks
require the attacker to know the encryption algorithm and
some ciphertext;
known-plaintext attacks
require the attacker to know the encryption algorithm
and some plaintext/ciphertext pairs;
chosen-plaintext attacks
require the attacker to know the encryption algorithm
and some plaintext/ciphertext pairs that correspond to plaintexts chosen by
the attacker.
