Cryptography Reference
In-Depth Information
blocks can easily be manipulated. We demonstrate how a substitution attack could
work in the real world. Imagine the following example of an electronic wire transfer
between banks.
Example 5.1. Substitution attack against electronic bank transfer
Let's assume a protocol for wire transfers between banks (Fig. 5.2). There are five
fields which specify a transfer: the sending bank's ID and account number, the
receiving bank's ID and account number, and the amount. We assume now (and this
is a major simplification) that each of the fields has exactly the size of the block
cipher width, e.g., 16 bytes in the case of AES. Furthermore, the encryption key
between the two banks does not change too frequently. Due to the nature of the ECB,
an attacker can exploit the deterministic nature of this mode of operation by simple
substitution of the blocks. The attack details are as follows:
Block #   1               2                  3                 4                    5
Field     Sending Bank A  Sending Account #  Receiving Bank B  Receiving Account #  Amount $
Fig. 5.2 Example for a substitution attack against ECB encryption
1. The attacker, Oscar, opens one account at bank A and one at bank B.
2. Oscar taps the encrypted line of the banking communication network.
3. He sends $1.00 transfers from his account at bank A to his account at bank B
repeatedly. He observes the ciphertexts going through the communication network.
Even though he cannot decipher the random-looking ciphertext blocks, he
can check for ciphertext blocks that repeat. After a while he can recognize the
five blocks of his own transfer. He now stores blocks 1, 3 and 4 of these transfers.
These are the encrypted versions of the ID numbers of both banks as well as the
encrypted version of his account at bank B.
4. Recall that the two banks do not change the key too frequently. This means that
the same key is used for several other transfers between bank A and B. By
comparing blocks 1 and 3 of all subsequent messages with the ones he has stored,
Oscar recognizes all transfers that are made from some account at bank A to
some account at bank B. He now simply replaces block 4 — which contains the
receiving account number — with the block 4 that he stored before. This block
contains Oscar's account number in encrypted form. As a consequence, all transfers
from some account of bank A to some account of bank B are redirected to
go into Oscar's B account! Note that bank B now has no means of detecting that
block 4 has been replaced in some of the transfers it receives.
5. Withdraw money from bank B quickly and fly to a country that has a relaxed
attitude about the extradition of white-collar criminals.
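The block replacement from step 4, and a receiver that detects it by verifying a MAC over the ciphertext, as an added example that is not part of the original text. The block cipher is a toy Feistel construction built from the Python standard library as a stand-in for AES, and all keys, field values and function names are constructed for illustration.

```python
import hashlib, hmac

BLOCK = 16  # every field is exactly one cipher block, as Example 5.1 assumes
KEY, MAC_KEY = b"constructed-enc-key", b"constructed-mac-key"  # constructed keys

def _f(key, rnd, half):
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:BLOCK // 2]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def enc_block(key, block):
    # Toy 4-round Feistel permutation standing in for AES (assumption).
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, _xor(left, _f(key, rnd, right))
    return left + right

def dec_block(key, block):
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _f(key, rnd, left)), left
    return left + right

def ecb_encrypt(key, fields):
    # ECB: each block is encrypted independently under the same key.
    return [enc_block(key, f.ljust(BLOCK).encode()) for f in fields]

def ecb_decrypt(key, blocks):
    return [dec_block(key, b).decode().rstrip() for b in blocks]

def tag(mac_key, blocks):
    return hmac.new(mac_key, b"".join(blocks), hashlib.sha256).digest()

def receive(key, mac_key, blocks, mac=None):
    # mac=None models the bare-ECB receiver of Example 5.1.
    if mac is not None and not hmac.compare_digest(mac, tag(mac_key, blocks)):
        return None  # ciphertext was altered in transit: reject
    return ecb_decrypt(key, blocks)

# Constructed sample transfers: the observer's own, and another customer's.
own = ["BANK-A", "ACCT-1111", "BANK-B", "ACCT-9999", "1.00"]
other = ["BANK-A", "ACCT-2222", "BANK-B", "ACCT-3333", "5000.00"]

def demo():
    c_own, c_other = ecb_encrypt(KEY, own), ecb_encrypt(KEY, other)
    repeats = [i + 1 for i in range(5) if c_own[i] == c_other[i]]
    spliced = c_other[:3] + [c_own[3]] + c_other[4:]  # block 4 replaced
    bare = receive(KEY, MAC_KEY, spliced)
    checked = receive(KEY, MAC_KEY, spliced, mac=tag(MAC_KEY, c_other))
    return repeats, bare, checked
```

The MAC makes the receiver reject the altered message, but ECB still reveals which blocks repeat across transfers; an authenticated mode with a fresh nonce per message removes that leak as well.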
What's interesting about this attack is that it works completely without attacking
the block cipher itself. So even if we would use AES with a 256-bit key and if