Chosen Ciphertext Attack is typically not used to obtain a key, but rather to obtain plaintext, or partial information about plaintext. Getting at the key is sufficient, but not necessary, to claim success of a CCA attack.
Indistinguishability under Chosen Ciphertext Attack is a theoretical model of attack. The attacker is assumed to be able to obtain decryption of ciphertext s/he chooses, under the key being attacked; and succeeds if s/he manages to get any kind of information about plaintext corresponding to ciphertext s/he did not previously submit for decryption. Formally, the attacker succeeds if s/he recognizes better than random which of two ciphertexts s/he submitted for decryption was selected by a referee, who produces the result of its decryption. Of course, getting at the key allows that.
In the most stringent variant CCA2, the attack is iterative.
That model may seem of theoretical interest only: if the adversary can obtain decryption of ciphertext s/he chooses under the key considered, it may seem that all security is lost. So why care against that?
- Because we can, at little cost. A simple way to achieve CCA2 security is to use authenticated encryption. Essentially, decryption is forced to fail (and the deciphered plaintext is not released) if the ciphertext was crafted or altered by a party not holding the key.
- Because CCA2 security does guard against plausible attacks. I'll take the example of efail. The context is hybrid cryptography, where a message is sent symmetrically encrypted using a random message-unique key, itself sent along with the message encrypted with the public key of the receiver(s). The receiver of the message (and the email program + extension used for deciphering OpenPGP or S/MIME) is tricked into leaking some of the decryption of altered ciphertext (e.g. by way of accessing an internet server at a URL in the deciphered plaintext). The alterations are focused on the symmetrically-encrypted payload, thus the decryption is carried with the original key.
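
An added example, not part of the original answer, showing why decryption should fail on altered ciphertext: an unauthenticated stream-style cipher decrypts a modified ciphertext to a modified plaintext, while an encrypt-then-MAC wrapper refuses to release anything. The SHA-256 counter keystream is a stand-in assumed for illustration only, and all function names and the sample message are hypothetical.

```python
import hashlib, hmac, secrets

def keystream(key, nonce, n):
    # Stand-in stream cipher (SHA-256 in counter mode); an assumption for this demo.
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def stream_crypt(key, nonce, data):
    # Unauthenticated: encryption and decryption are the same XOR.
    return xor(data, keystream(key, nonce, len(data)))

def seal(enc_key, mac_key, pt):
    # Encrypt-then-MAC: the tag covers the nonce and the ciphertext.
    nonce = secrets.token_bytes(16)
    ct = stream_crypt(enc_key, nonce, pt)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_sealed(enc_key, mac_key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")  # no plaintext is released
    return stream_crypt(enc_key, nonce, ct)

def demo():
    enc_key, mac_key = secrets.token_bytes(32), secrets.token_bytes(32)
    pt = b"meet at 10:00"  # constructed sample message
    nonce = secrets.token_bytes(16)
    # A party without the key XORs a chosen difference into the ciphertext.
    delta = bytes(8) + xor(b"10:00", b"23:59")
    altered = xor(stream_crypt(enc_key, nonce, pt), delta)
    unauth = stream_crypt(enc_key, nonce, altered)  # decrypts without complaint
    sealed = seal(enc_key, mac_key, pt)
    tampered = sealed[:16] + xor(sealed[16:29], delta) + sealed[29:]
    try:
        open_sealed(enc_key, mac_key, tampered)
        rejected = False
    except ValueError:
        rejected = True
    return unauth, rejected

if __name__ == "__main__":
    print(demo())
```

In practice a vetted AEAD mode would replace the hand-built construction; the point here is only the difference in what the receiver does with altered input.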