-
Alice and Bob can easily compute KA and KB, respectively, by computing the powers of group elements. Mallory, on the other hand, would have to solve the discrete logarithm problem for computing KA or KB, which is believed to be computationally hard. However, if Alice and Bob do not authenticate each other’s public keys, Mallory […]
-
19.5 Attacks on cryptographic protocols Recall from Chapter 2, Secure Channel and the CIA Triad, that a cryptographic protocol is a distributed algorithm defined by a sequence of steps precisely specifying the actions required of two or more entities to achieve a specific cryptographic goal [117]. Attacks on cryptographic protocols typically do not attack the […]
-
19.5.3 Replay attacks As the name suggests, in a replay attack, Mallory reuses or replays information – typically, a message – that she recorded during a previous protocol run. Mallory can replay the message to the same communication party – for instance, sending Alice a message that was originally sent by Alice herself – or […]
-
19.5.4 Interleaving attacks An interleaving attack is a special type of replay attack where Mallory executes multiple protocol sessions in parallel to compromise the protocol’s security. Interleaving attacks are hard to spot even for seasoned cryptographers, so we’ll use a concrete example to show how such attacks work. Figure 19.12 shows a cryptographic protocol for […]
-
19.5.5 Reflection attacks A reflection attack is a specific type of interleaving attack where Mallory sends data she received from Bob in one protocol run back to him in another protocol run. Essentially, Mallory reflects the data back to Bob – hence the name of the attack – in an attempt to trick Bob […]
-
19.6 Attacks on encryption schemes If Eve attacks an encryption scheme utilizing available ciphertext, she can try to recover either the plaintext of the encrypted messages or the secret key itself used by the encryption scheme. Recovery of the secret key is typically considered a stronger attack (or, equivalently, a more severe security compromise) than […]
-
19.6.4 Known-plaintext attack In a known-plaintext attack, Eve has access to plaintext-ciphertext pairs, that is, to the ciphertext and the corresponding plaintext. Eve’s goal is to recover the key used to encrypt the plaintexts. The known-plaintext attack has its roots in World War II cryptanalysis. British cryptanalysts at Bletchley Park who broke the German Enigma […]
-
19.6.7 Adaptive chosen-plaintext attack In an adaptive chosen-plaintext attack, Eve may choose the plaintext depending on the ciphertexts received previously from an encryption oracle. Whereas in a chosen-plaintext attack, Eve has to select the plaintexts before the attack begins, in an adaptive chosen-plaintext attack she can choose the plaintext based on the information gathered during […]
-
19.7.1 Birthday attack A birthday attack exploits the probability of collisions in a hash function – a mathematical property of such functions rooted in probability theory – in order to find two messages that have the same hash value. Recall from Chapter 11, Hash Functions and Message Authentication Codes, that a secure cryptographic hash function […]
-
19.7.2 Dictionary attack We already learned that a cryptographic hash function is pre-image resistant. This is just another way of saying that given a hash value h(m), it is computationally infeasible for Eve to find the pre-image m. This property is what password security mechanisms in operating systems rely upon. Recall that modern operating systems […]