Preliminary remarks – Attacks on Cryptography

19.1 Preliminary remarks

On the most abstract level, a cryptographic protocol such as TLS can be viewed as a cryptographic system, that is, a system that utilizes cryptographic techniques to achieve certain protection goals.

In the present chapter, we will discuss various types of cryptographic attacks (see https://en.wikipedia.org/wiki/Category:Cryptographic_attacks for a list of various attacks). However, we will not consider malware-based attacks on end systems where cryptographic algorithms are carried out. The reason for this is that we are mainly interested in the security of cryptographic algorithms, not in the security of the computing platforms they run on.

Basically, this means the security of cryptographic systems is evaluated based on the assumption that two important conditions are fulfilled:

  • There is some kind of secret – maybe shared, as in symmetric key cryptography, or maybe private, as in Diffie-Hellman key exchange – that is unknown to the adversary.
  • The intermediate values of a cryptographic algorithm are not known to the adversary. Take, for example, an iterated block cipher such as AES. If the input and the output for each round and the corresponding sub-operations were known, it would be easy for an attacker to determine the secret key.

Sufficiently powerful malware infecting Alice’s computer could essentially read any memory location at any time and thus read any intermediate values. Any subsequent security breaches are not the fault of the cryptographic algorithms used by Alice, however.

Or, to give another example, malware could see to it that an infected system simply skips (or ignores the result of) a MAC verification step, thereby making it possible for the attacker to send arbitrary code to the victim system and get it executed. Again, this security breach is independent of the underlying MAC algorithm.

19.2 Passive versus active attacks

Arguably, passive and active attacks are the two most fundamental categories describing attacks on cryptography. We already introduced the corresponding attacker models in Section 2.2 of Chapter 2, Secure Channel and the CIA Triad, where we also met two different attackers, Eve (passive) and Mallory (active).

To recap, a passive attack is an attack where the adversary, Eve, is only eavesdropping on a communication between the legitimate parties Alice and Bob. In other words, as illustrated in Figure 19.1, Eve can only read the (hopefully cryptographically protected) communication messages.

Consequently, a passive attack is only a threat to the confidentiality of information exchanged between Alice and Bob. Importantly, Eve cannot manipulate Alice’s or Bob’s messages or inject her own messages.

Figure 19.1: In a passive attack, Eve can observe the communication between Alice and Bob

In contrast, in an active attack, the adversary, Mallory, is not only able to read the communication, but may also delete, add, or manipulate messages. In Figure 19.2, this ability is indicated by the arrow pointing both ways: to Mallory for her ability to read and from Mallory for her ability to manipulate the communication between Alice and Bob.

Figure 19.2: In an active attack, Mallory can also manipulate or inject messages

As a result, in addition to compromising confidentiality, an active attack can also compromise the integrity and authenticity of messages sent and received by Alice and Bob. In practice, message integrity and authenticity are often more important than confidentiality because integrity and authenticity are required for safe operation of any cyber-physical system, whereas confidentiality is not. So, active attacks are not only more powerful but are often more dangerous than passive attacks.
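The difference between the two attacker models can be made concrete with a short sketch, added here as an illustration and not taken from the original text. It assumes a toy stream cipher built from HMAC-SHA256 and a constructed sample message; all function names are hypothetical. Encryption alone keeps the message secret from Eve but accepts a ciphertext changed in transit, whereas encrypt-then-MAC detects the change.

```python
import hashlib
import hmac
import os

def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Toy stream cipher (constructed here): HMAC-SHA256 in counter mode."""
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def encrypt_only(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Confidentiality only. XOR with the keystream, so it also decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(enc_key, nonce, len(data))))

def seal(enc_key, mac_key, nonce, msg):
    """Encrypt-then-MAC: the tag covers the nonce and the ciphertext."""
    ct = encrypt_only(enc_key, nonce, msg)
    return ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def open_sealed(enc_key, mac_key, nonce, blob):
    """Verify the tag first; decrypt only if it matches."""
    ct, tag = blob[:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("MAC check failed: message was modified in transit")
    return encrypt_only(enc_key, nonce, ct)

def modify_in_transit(data: bytes, index: int, mask: int) -> bytes:
    """Models Mallory changing one byte on the wire; she holds no key."""
    changed = bytearray(data)
    changed[index] ^= mask
    return bytes(changed)

def demo():
    enc_key, mac_key, nonce = os.urandom(32), os.urandom(32), os.urandom(12)
    msg = b"valve=closed;setpoint=1"  # constructed sample message
    pos, mask = len(msg) - 1, ord("1") ^ ord("9")
    # Encryption alone: the modified ciphertext decrypts without any error.
    ct = modify_in_transit(encrypt_only(enc_key, nonce, msg), pos, mask)
    accepted = encrypt_only(enc_key, nonce, ct)
    # Encrypt-then-MAC: the same modification is detected and rejected.
    try:
        open_sealed(enc_key, mac_key, nonce,
                    modify_in_transit(seal(enc_key, mac_key, nonce, msg), pos, mask))
        rejected = False
    except ValueError:
        rejected = True
    return accepted, rejected

if __name__ == "__main__":
    print(demo())
```

The receiver in the first case has no way to tell that the setpoint was changed; in the second case the message is discarded before decryption.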
