Adaptive chosen-ciphertext attack
This article includes a list of general references, but it lacks sufficient corresponding inline citations. (January 2011) |
An adaptive chosen-ciphertext attack (abbreviated as CCA2) is an interactive form of chosen-ciphertext attack in which an attacker first sends a number of ciphertexts to be decrypted chosen adaptively, and then uses the results to distinguish a target ciphertext without consulting the oracle on the challenge ciphertext. In an adaptive attack, the attacker is further allowed adaptive queries to be asked after the target is revealed (but the target query is disallowed). It is extending the indifferent (non-adaptive) chosen-ciphertext attack (CCA1) where the second stage of adaptive queries is not allowed. Charles Rackoff and Dan Simon defined CCA2 and suggested a system building on the non-adaptive CCA1 definition and system of Moni Naor and Moti Yung (which was the first treatment of chosen ciphertext attack immunity of public key systems).
In certain practical settings, the goal of this attack is to gradually reveal information about an encrypted message, or about the decryption key itself. For public-key systems, adaptive-chosen-ciphertexts are generally applicable only when they have the property of ciphertext malleability — that is, a ciphertext can be modified in specific ways that will have a predictable effect on the decryption of that message.
Practical attacks
Adaptive-chosen-ciphertext attacks were perhaps considered to be a theoretical concern, but not to have been be manifested in practice, until 1998, when
The Bleichenbacher attacks, also known as the million message attack, took advantage of flaws within the PKCS #1 v1.5 padding function to gradually reveal the content of an RSA encrypted message. Under this padding function, padded plaintexts have a fixed format that it should follow. If the decryption device (e.g. SSL-equipped web server) somehow reveals whether the padding is valid, it also serves as an "oracle" that reveals information on the secret key. Finding the whole key requires sending several million test ciphertexts to the target.[2] In practical terms, this means that an SSL session key can be exposed in a reasonable amount of time, perhaps a day or less.
With slight variations, this vulnerability still exists in many modern servers, under the new name "Return Of Bleichenbacher's Oracle Threat" (ROBOT).[3]
Preventing attacks
In order to prevent adaptive-chosen-ciphertext attacks, it is necessary to use an encryption or encoding scheme that limits ciphertext
Mathematical model
In complexity-theoretic cryptography, security against adaptive chosen-ciphertext attacks is commonly modeled using ciphertext indistinguishability (IND-CCA2).
References
- ISBN 978-3-540-64892-5.
- ^ Pornin, Thmoas (2014). "Can you explain Bleichenbacher's CCA attack on PKCS#1 v1.5?". Cryptography Stack Exchange.
- ^ Hanno Böck; Juraj Somorovsky; Craig Young. "ROBOT attack". Retrieved February 27, 2018.
- S2CID 218582909. Retrieved 2009-01-12.
- . Retrieved February 20, 2019.
- ISBN 978-1-4665-7027-6.