Principles of Cryptography
This attack is relevant for cryptographic communication and key
exchange protocols. The idea is that when two parties, A and B,
are exchanging keys for secure communication (e.g., using Diffie-Hellman),
an adversary positions himself between A and B on the
communication line. The adversary then intercepts the signals that
A and B send to each other, and performs a key exchange with A and
B separately. A and B will end up using a different key, each of
which is known to the adversary. The adversary can then decrypt
any communication from A with the key he shares with A, and then
resends the communication to B by encrypting it again with the key
he shares with B. Both A and B will think that they are
communicating securely, but in fact the adversary is hearing
The usual way to prevent the man-in-the-middle attack is to use
a public key cryptosystem capable of providing digital signatures.
For set up, the parties must know each others public keys in
advance. After the shared secret has been generated, the parties
send digital signatures of it to each other. The man-in-the-middle
can attempt to forge these signatures, but fails because he cannot
fake the signatures.
This solution is sufficient in the presence of a way to
securely distribute public keys. One such way is a certificate
hierarchy such as X.509. It is used for example in IPSec.
- Correlation between the secret key and the output of
the cryptosystem is the main source of information to the
cryptanalyst. In the easiest case, the information about the
secret key is directly leaked by the cryptosystem. More
complicated cases require studying the correlation (basically, any
relation that would not be expected on the basis of chance alone)
between the observed (or measured) information about the
cryptosystem and the guessed key information.
For example, in linear (differential) attacks against
block ciphers the cryptanalyst studies the known (chosen)
plaintext and the observed ciphertext. Guessing some of the key
bits of the cryptosystem the analyst determines by correlation
between the plaintext and the ciphertext whether he/she guessed
correctly. This can be repeated, and has many variations.
The differential cryptanalysis introduced by Eli Biham and Adi
Shamir in late 1980's was the first attack that fully utilized
this idea against block ciphers (especially against DES). Later
Mitsuru Matsui came up with linear cryptanalysis which was even
more effective against DES. More recently, new attacks using
similar ideas have been developed.
Perhaps the best introduction to this material is the
proceedings of EUROCRYPT and CRYPTO throughout the 1990's. There
can be found Mitsuru Matsui's discussion of linear cryptanalysis
of DES, and the ideas of truncated differentials by Lars Knudsen
(for example, IDEA cryptanalysis). The book by Eli Biham and Adi
Shamir about the differential cryptanalysis of DES is the
"classical" work on this subject.
The correlation idea is fundamental to cryptography and several
researchers have tried to construct cryptosystems which are
provably secure against such attacks. For example, Knudsen and
Nyberg have studied provable security against differential
- Attack against or using the
underlying hardware: in the last few years as more and more
small mobile crypto devices have come into widespread use, a new
category of attacks has become relevant which aim directly at the
hardware implementation of the cryptosystem.
The attacks use the data from very fine measurements of the
crypto device doing, say, encryption and compute key information
from these measurements. The basic ideas are then closely related
to those in other correlation attacks. For instance, the attacker
guesses some key bits and attempts to verify the correctness of
the guess by studying correlation against his measurements.
Several attacks have been proposed such as using careful
timings of the device, fine measurements of the power consumption,
and radiation patterns. These measurements can be used to obtain
the secret key or other kinds information stored on the device.
This attack is generally independent of the used
cryptographical algorithms and can be applied to any device that
is not explicitly protected against it.
- Faults in cryptosystems can lead to
cryptanalysis and even the discovery of the secret key. The
interest in cryptographical devices lead to the discovery that
some algorithms behaved very badly with the introduction of small
faults in the internal computation.
For example, the usual implementation of RSA private key
operations are very suspectible to fault attacks. It has been
shown that by causing one bit of error at a suitable point can
reveal the factorization of the modulus (i.e. it reveals the
Similar ideas have been applied to a wide range of algorithms
and devices. It is thus necessary that cryptographical devices are
designed to be highly resistant against faults (and against
malicious introduction of faults by cryptanalysts).
There are many other cryptographic attacks and
cryptanalysis techniques. However, these are probably the most
important ones for an application designer. Anyone contemplating to
design a new cryptosystem should have a much deeper understanding of
these issues. Good places to start looking for information are the
excellent books: "Handbook of Applied
Cryptography" by Menezes, van Oorschot, and Vanstone and "Applied
Cryptography" by Schneier.
[INDEX The Previous Page THE END ]
Enigma Story (illustrated)
· secure key generator
· system security
· JS-Crypto info
· JS-CODER/DECODER guide
· Cryptool 1
· Cryptool 2
adapted by Rafal Swiecki, p. eng. email
This document is in the public domain.