Chosen-ciphertext attack

From Wikipedia, the free encyclopedia

A chosen-ciphertext attack (CCA) is an attack model for cryptanalysis in which the cryptanalyst chooses a ciphertext and causes it to be decrypted with an unknown key. Specific forms of this attack are sometimes termed "lunchtime" or "midnight" attacks, referring to a scenario in which an attacker gains access to an unattended decryption machine. A device which provides decryptions of chosen ciphertexts (either by accident or by design) is generically referred to as a "decryption oracle".

Clearly, an adversary who can decrypt chosen messages (using some "decryption oracle") can trivially defeat the confidentiality of an encryption scheme. However, chosen-ciphertext attacks can have more significant implications for some cryptosystems. For example, in an extreme case the attacker may be able to recover the scheme's secret decryption key by issuing carefully chosen ciphertexts and analyzing the decrypted results. A successful chosen-ciphertext attack may compromise the security of the scheme even after the decryption oracle becomes unavailable. Alternatively, such an attack may be effective in cases where the decryption oracle cannot be used to directly decrypt target ciphertexts.

A number of otherwise secure schemes can be defeated under chosen-ciphertext attack. For example, the El Gamal cryptosystem is semantically secure under chosen-plaintext attack, but this semantic security can be trivially defeated under a chosen-ciphertext attack. Early versions of RSA padding used in the SSL protocol were vulnerable to a sophisticated adaptive chosen-ciphertext attack which revealed SSL session keys. Chosen-ciphertext attacks can also have implications for some self-synchronizing stream ciphers as well. Designers of tamper-resistant cryptographic smart cards must be particularly cognizant of these attacks, as these devices may be completely under the control of an adversary, who can issue a large number of chosen-ciphertexts in an attempt to recover the hidden secret key.

When a cryptosystem is vulnerable to chosen-ciphertext attack, implementers must be careful to avoid situations in which an adversary might be able to decrypt chosen-ciphertexts (i.e., avoid providing a decryption oracle). This can be more difficult than it appears, as even partially-chosen-ciphertexts can permit subtle attacks. Additionally, some cryptosystems (such as RSA) use the same mechanism to sign messages and to decrypt them. This permits attacks when hashing is not used on the message to be signed. A better approach is to use a cryptosystem which is provably secure under chosen-ciphertext attack, including (among others) RSA-OAEP, Cramer-Shoup and many forms of authenticated symmetric encryption.

In a non-adaptive chosen-ciphertext attack, known as an indifferent chosen-ciphertext attack ("lunchtime" attack), the adversary has access to the decryption oracle only before she chooses a specific ciphertext to attack. As a result, the goal of the attack is to glean enough information to weaken the scheme against a wide variety of target ciphertexts; in the most successful attack scenario, this attack might successfully reveal the secret decryption key and thus completely break the scheme. An adaptive chosen-ciphertext attack ("midnight" attack) extends the previous scenario, by allowing the adversary to use the decryption oracle even after she has selected a specific ciphertext to attack (to make the attack non-trivial, the adversary is prevented from simply decrypting the target ciphertext). The goal of such an attack is simply to gain information, up to and including the decryption of the target ciphertext. These attacks can be mounted against various public-key schemes, including RSA. They can be prevented through the correct use of cryptographic padding or redundancy checks.

[edit] References

Languages