# Adaptive chosen-ciphertext attack

An **adaptive chosen-ciphertext attack** (abbreviated as **CCA2**) is an interactive form of chosen-ciphertext attack in which an attacker sends a number of ciphertexts to be decrypted, then uses the results of these decryptions to select subsequent ciphertexts. It is to be distinguished from an indifferent chosen-ciphertext attack (CCA1).

The goal of this attack is to gradually reveal information about an encrypted message, or about the decryption key itself. For public-key systems, adaptive-chosen-ciphertexts are generally applicable only when they have the property of ciphertext malleability — that is, a ciphertext can be modified in specific ways that will have a predictable effect on the decryption of that message.

## Practical attacks

Adaptive-chosen-ciphertext attacks were largely considered to be a theoretical concern until 1998, when Daniel Bleichenbacher of Bell Laboratories demonstrated a practical attack against systems using RSA encryption in concert with the PKCS#1 v1 encoding function, including a version of the Secure Socket Layer (SSL) protocol used by thousands of web servers at the time.

The Bleichenbacher attacks took advantage of flaws within the PKCS #1 function to gradually reveal the content of an RSA-encrypted message. Doing this requires sending several million test ciphertexts to the decryption device (e.g., an SSL-equipped web server). In practical terms, this means that an SSL session key can be exposed in a reasonable amount of time, perhaps a day or less.

## Preventing attacks

In order to prevent adaptive-chosen-ciphertext attacks, it is necessary to use an encryption or encoding scheme that limits ciphertext malleability. A number of encoding schemes have been proposed; the most common standard for RSA encryption is Optimal Asymmetric Encryption Padding (OAEP). Unlike ad-hoc schemes such as the padding used in the early versions of PKCS#1, OAEP has been proven secure in the random oracle model. OAEP was incorporated into PKCS#1 as of version 2.0 published in 1998 as the now-recommended encoding scheme, with the older scheme still supported but not recommended for new applications.

## Mathematical model

In complexity-theoretic cryptography, security against adaptive chosen-ciphertext attacks is commonly modeled using ciphertext indistinguishability (IND-CCA2).
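The following worked example is added here and is not part of the encyclopedia article; it ties together the malleability property described in the lead, the OAEP remedy from "Preventing attacks", and the IND-CCA2 game from "Mathematical model". It uses a toy, deterministically seeded RSA key (768-bit modulus, far below any real key size; assumed purely for illustration), textbook RSA with no padding, and a small RSAES-OAEP implementation with SHA-256 and an empty label written to RFC 8017's description. The `cca2_adversary`, `demo` and helper names are this example's own. Textbook RSA is multiplicatively malleable, so an adversary who may decrypt any ciphertext except the challenge wins the IND-CCA2 game with a single related query; the same tampering applied to an OAEP ciphertext fails the padding check and is rejected.

```python
"""Added example: textbook RSA is malleable and loses the IND-CCA2 game;
RSA-OAEP rejects the same tampering. Toy key generation, illustration only."""
import hashlib
import os
import random

HLEN = 32  # SHA-256 digest length used by this OAEP instance


def _is_probable_prime(n, rng, rounds=20):
    """Miller-Rabin with bases from rng; n is always a large odd candidate here."""
    if any(n % p == 0 for p in (3, 5, 7, 11, 13, 17, 19, 23)):
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # force top bit and oddness
        if _is_probable_prime(cand, rng):
            return cand


def keygen(bits=768, seed=1):
    """Deterministic toy RSA key (hypothetical parameters): ((k, e, n), d), k = modulus bytes."""
    rng, e = random.Random(seed), 65537
    while True:
        p, q = _gen_prime(bits // 2, rng), _gen_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so phi % e != 0 means gcd(e, phi) == 1
            return (bits // 8, e, p * q), pow(e, -1, phi)


def rsa_enc(pub, m):  # textbook RSA: no padding, hence E(a) * E(b) = E(a * b) mod n
    return pow(m, pub[1], pub[2])


def rsa_dec(pub, d, c):
    return pow(c, d, pub[2])


def cca2_adversary(pub, dec_oracle, m0, m1, c_star):
    """IND-CCA2 adversary against textbook RSA. The game forbids querying c_star,
    so it queries the related ciphertext c' = c_star * E(2) = E(2 * m_b) mod n,
    halves the answer and compares it with the two candidate plaintexts."""
    e, n = pub[1], pub[2]
    c_prime = (c_star * pow(2, e, n)) % n
    m_b = (dec_oracle(c_prime) * pow(2, -1, n)) % n
    return 0 if m_b == m0 else 1


def _mgf1(seed, length):
    """MGF1 with SHA-256 (RFC 8017, appendix B.2.1)."""
    blocks = range(-(-length // HLEN))  # ceil(length / HLEN) counter values
    return b"".join(hashlib.sha256(seed + i.to_bytes(4, "big")).digest() for i in blocks)[:length]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def oaep_encrypt(pub, msg, seed=None):
    """RSAES-OAEP with an empty label; the seed is random unless supplied (tests)."""
    k, e, n = pub
    if len(msg) > k - 2 * HLEN - 2:
        raise ValueError("message too long")
    db = hashlib.sha256(b"").digest() + b"\x00" * (k - len(msg) - 2 * HLEN - 2) + b"\x01" + msg
    seed = seed or os.urandom(HLEN)
    masked_db = _xor(db, _mgf1(seed, k - HLEN - 1))
    masked_seed = _xor(seed, _mgf1(masked_db, HLEN))
    return pow(int.from_bytes(b"\x00" + masked_seed + masked_db, "big"), e, n)


def oaep_decrypt(pub, d, c):
    """Returns the message, or None when the OAEP structure does not verify.
    A modified ciphertext fails here with overwhelming probability, which removes
    the predictable malleability a CCA2 attacker needs. (Production code does these
    checks in constant time and reports one generic error, so the oracle leaks nothing.)"""
    k, n = pub[0], pub[2]
    em = pow(c, d, n).to_bytes(k, "big")
    masked_seed, masked_db = em[1:1 + HLEN], em[1 + HLEN:]
    seed = _xor(masked_seed, _mgf1(masked_db, HLEN))
    db = _xor(masked_db, _mgf1(seed, k - HLEN - 1))
    sep = db.find(b"\x01", HLEN)  # 0x01 separator after the zero padding
    if em[0] != 0 or db[:HLEN] != hashlib.sha256(b"").digest() or sep < 0 or any(db[HLEN:sep]):
        return None
    return db[sep + 1:]


def demo(seed=1):
    """Returns (adversary_guessed_b, oaep_roundtrip_ok, mauled_oaep_rejected)."""
    pub, d = keygen(seed=seed)
    m0, m1, b = 1234, 5678, 1  # constructed challenge plaintexts and hidden bit
    c_star = rsa_enc(pub, (m0, m1)[b])
    oracle = lambda c: rsa_dec(pub, d, c) if c != c_star else None  # game rule: never c*
    guess = cca2_adversary(pub, oracle, m0, m1, c_star)
    c = oaep_encrypt(pub, b"session key")
    mauled = (c * pow(2, pub[1], pub[2])) % pub[2]  # the same multiplicative tampering
    return guess == b, oaep_decrypt(pub, d, c) == b"session key", oaep_decrypt(pub, d, mauled) is None
```

Calling `demo()` returns `(True, True, True)`: the adversary recovers the hidden bit from textbook RSA with one allowed decryption query, while the OAEP ciphertext decrypts correctly only when untouched and the mauled copy is rejected. The decision to return a single `None` for every failed check mirrors the lesson of the Bleichenbacher result above: a decryptor that distinguishes *why* a ciphertext was rejected becomes the oracle the attack needs.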