CR Essay
Modern Cryptanalysis Methods
Many attacks are aimed at cryptographic systems. Some target the encryption algorithm, some exploit flaws in a protocol, and others attack weaknesses in the hardware or software running cryptographic applications. The study of breaking encryption methods is known as cryptanalysis. New attacks emerge constantly, so security professionals must keep up to date on threats and countermeasures.
Cryptographic systems present a special challenge, however. Because the expertise to create algorithms or design protocols is based on advanced mathematics, most information security professionals lack the training to address bugs or design flaws. Instead, they must rely on the expertise of mathematicians who design algorithms and agencies, such as the NSA, that test and standardize them. Adhering to guidelines for using and managing cryptographic systems is crucial to maintaining security. The following sections discuss some common attacks against cryptographic systems. You learn the basics of how these attacks work and ways to defend your cryptographic systems from them.
Side Channel Attacks
A side channel attack does not attack the cipher directly; instead, it attacks the underlying systems that leak information, which can be used to compromise the data being stored, processed, or transmitted. These leaks are unintentional signals (emanations) that could expose information being processed. Types of side channel attacks include the following:
Power monitoring attacks—These attacks examine hardware’s varying power consumption during computations. Watching the power input to the CPU during computations reveals information that can be used to determine the algorithm.
Acoustic cryptanalysis—Similar to power monitoring attacks, acoustic cryptanalysis exploits the sound that computations produce. The current that powers hardware produces heat, which is leaked into the atmosphere. The fluctuations of heating and cooling (thermodynamics) produce low-level acoustic noise that can be examined for clues about the underlying system.
Radiation monitoring—Leaked radiation provides plaintext or other information that can be used to launch an attack. Electrical current fluctuations generate electromagnetic radiation waves, which can occur in patterns. The patterns can be recorded and analyzed to gain information about associated hardware, and sometimes bits of data can be captured.
Thermal imaging attack—If the surface of the CPU can be seen, infrared images can be taken that provide clues about the code.
Side channel attacks rely on emitted information, as in acoustic or radiation monitoring, and relational information, as in timing or power monitoring attacks. Countermeasures against side channel attacks include power conditioning and uninterruptible power supplies to control power fluctuations and emissions, shielding to prevent radiation leakage, and strong physical security to prevent acoustic recorders or other monitoring devices from being installed.
Launching these attacks requires a high level of expertise, which eliminates many potential attackers. As successful attacks emerge, however, automated scripts and instructions invariably appear, making it possible for less knowledgeable attackers to use the techniques.
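The "relational information" the section mentions (timing) is the one side channel that needs no lab equipment, so it is the easiest to demonstrate in software. The following is an added example, not code from the essay: a secret comparison that stops at the first mismatching byte, beside a constant-time version. Instead of measuring wall-clock time, each function returns how many bytes it examined, which stands in for the work an observer would time. The function names, the constructed secret and the probing helper are this example's own.

```python
# Added example (not from the essay): a timing side channel in secret comparison,
# and the constant-time comparison that removes it.
import hmac
import secrets

def naive_compare(expected: bytes, supplied: bytes) -> tuple:
    """Byte-by-byte comparison that stops at the first mismatch.
    Returns (match, bytes_examined). The second value stands in for elapsed
    time: the work done depends on where the first mismatch is, so an observer
    timing many attempts learns where the first wrong byte sits."""
    if len(expected) != len(supplied):
        return False, 0
    examined = 0
    for a, b in zip(expected, supplied):
        examined += 1
        if a != b:
            return False, examined
    return True, examined

def constant_time_compare(expected: bytes, supplied: bytes) -> tuple:
    """Examines every byte regardless of where mismatches occur, accumulating
    differences with OR so there is no early exit. Work depends on length only,
    so timing carries no information about the contents."""
    if len(expected) != len(supplied):
        return False, 0
    diff = 0
    for a, b in zip(expected, supplied):
        diff |= a ^ b
    return diff == 0, len(expected)

def leaks_position(compare, secret: bytes) -> bool:
    """Defensive check: feed the comparator guesses that are wrong at successive
    positions and report whether the work done varies with the mismatch position."""
    counts = set()
    for pos in range(len(secret)):
        guess = bytearray(secret)
        guess[pos] ^= 0xFF  # constructed: corrupt exactly one byte
        counts.add(compare(secret, bytes(guess))[1])
    return len(counts) > 1

if __name__ == "__main__":
    token = secrets.token_bytes(16)  # constructed secret for the demonstration
    print("naive compare leaks mismatch position:", leaks_position(naive_compare, token))
    print("constant-time compare leaks position:", leaks_position(constant_time_compare, token))
    # In production code use the standard library primitive rather than your own loop.
    print("hmac.compare_digest agrees on equal tokens:", hmac.compare_digest(token, token))
```

The countermeasure is the same one the section lists for physical channels, applied to software: remove the relationship between the secret and the observable. In practice, compare MACs, tokens and password hashes with `hmac.compare_digest`, which is the standard library's constant-time comparison.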
Passive Attacks
In a passive attack, cryptanalysts simply observe data being transmitted. To gather information, they do not interact with parties exchanging information; they just eavesdrop on transmissions. Detecting this type of attack is difficult because attackers are not transmitting anything. Therefore, countermeasures against passive attacks focus on using strong encryption so that attackers cannot decrypt any data they intercept or crack keys.
Chosen Ciphertext and Chosen Plaintext Attacks
In a chosen ciphertext attack, the attacker selects a captured encrypted message (ciphertext) and obtains its decryption under a key the attacker does not know. This type of attack sometimes uses a decryption oracle, a device that decrypts ciphertext messages the attacker or software has selected. This attack is sometimes called a lunchtime or midnight attack because the attacker gains access to a decryption oracle left unattended during breaks or at night. Chosen ciphertext attacks can be prevented by using the correct cryptographic padding values or redundancy checks.
In a chosen plaintext attack, the attacker can select arbitrary plaintext messages to be encrypted to get the resulting ciphertext messages. Because encryption is carried out in both hardware and software and used in a wide variety of applications, a chosen plaintext attack is often possible.
Public key encryption algorithms that are not randomized are vulnerable to chosen plaintext attacks. Countermeasures are based on randomized encryption, in which a mechanism such as CSPRNGs or randomized padding is used to produce randomized ciphertext messages that cannot be looked up in a rainbow table. Any algorithm that is not vulnerable to chosen plaintext attacks is also considered secure against chosen ciphertext and known plaintext attacks.
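To make the randomization countermeasure concrete, here is an added example that is not part of the essay. It uses a toy stream cipher (HMAC-SHA256 as a PRF in counter mode, an assumption made for self-containment, not a recommended construction) in two modes: one with a fixed nonce, so equal plaintexts always give equal ciphertexts, and one with a fresh nonce from the operating system CSPRNG. The chosen plaintext test is simply to encrypt the same message twice and see whether the results can be told apart. All function names and `DEMO_KEY` are this example's own.

```python
# Added example (not from the essay): why deterministic encryption fails a chosen
# plaintext attacker and how a CSPRNG-generated nonce fixes it. Toy cipher only.
import hashlib
import hmac
import os
from typing import Optional

NONCE_LEN = 12
DEMO_KEY = b"\x01" * 32  # constructed key for the demonstration

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF(key, nonce || counter) blocks concatenated to the requested length."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))

def encrypt_deterministic(key: bytes, plaintext: bytes) -> bytes:
    """No randomness: the same (key, plaintext) always yields the same ciphertext,
    so an attacker who can request encryptions can build a lookup table of
    expected messages and recognize them when they appear on the wire."""
    nonce = bytes(NONCE_LEN)  # fixed, so the keystream is reused for every message
    return _xor(plaintext, _keystream(key, nonce, len(plaintext)))

def encrypt_randomized(key: bytes, plaintext: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Fresh 96-bit nonce from the OS CSPRNG, prepended so the receiver can decrypt.
    The nonce parameter exists only so tests can pin the value."""
    if nonce is None:
        nonce = os.urandom(NONCE_LEN)
    body = _xor(plaintext, _keystream(key, nonce, len(plaintext)))
    return nonce + body

def decrypt_randomized(key: bytes, ciphertext: bytes) -> bytes:
    nonce, body = ciphertext[:NONCE_LEN], ciphertext[NONCE_LEN:]
    return _xor(body, _keystream(key, nonce, len(body)))

def equal_messages_collide(encrypt, key: bytes, message: bytes) -> bool:
    """The chosen plaintext test: encrypt the same message twice and report
    whether the ciphertexts are identical. Identical output means repeated
    content is visible to an eavesdropper without any key material."""
    return encrypt(key, message) == encrypt(key, message)

if __name__ == "__main__":
    msg = b"transfer approved"  # constructed sample message
    print("deterministic mode leaks repeats:", equal_messages_collide(encrypt_deterministic, DEMO_KEY, msg))
    print("randomized mode leaks repeats:   ", equal_messages_collide(encrypt_randomized, DEMO_KEY, msg))
    print("round trip:", decrypt_randomized(DEMO_KEY, encrypt_randomized(DEMO_KEY, msg)) == msg)
```

The point of the example is the property, not the cipher: any scheme whose ciphertext is a deterministic function of key and plaintext can be catalogued by a chosen plaintext attacker, and the remedy is that every encryption consumes fresh randomness (a nonce or random padding) drawn from a CSPRNG. Real deployments use an authenticated mode such as AES-GCM with a unique nonce rather than a hand-built stream cipher.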
XSL Attacks
An XSL attack is a method of block cipher cryptanalysis based on complex mathematical functions (multivariate quadratic equations) that uses an extended sparse linearization algorithm. The researchers who developed the XSL algorithm claim that it can potentially break Rijndael (AES) as well as other block algorithms, such as Camellia and Serpent. This claim is a cause for concern because AES is used in government agencies and many commercial organizations.
Most cryptanalysis methods require an unrealistically high number of known plaintext messages to perform with any effectiveness. XSL attacks require far fewer known plaintext messages to recover a key, which is a major concern. XSL’s potential to crack Rijndael is highly debated, but this method warrants further study, and security professionals should monitor new developments.
Random Number Generator Attacks
Modern cryptographic systems require random values for many operations, and hardware or software components that generate or use random numbers can be compromised if attackers can gain access to them via a random number generator attack. They can substitute predictable values and break the entire coding system. These attacks require only a single access to the system, so no further information needs to be sent, as with viruses or worms that obtain a key and then e-mail it back to the attacker. The following major countermeasures can be used against random number generator attacks:
● Combine hardware-generated random numbers with the output of a secure stream cipher. XOR functions are typically used for this method.
● Consider using open-source software for encryption systems. Vendors often do not explain how proprietary products generate random numbers or provide a method to audit the process. Without a way to audit the process, there is no way to assess its security.
● Make sure that physical security for the system is strong.
● Use off-the-shelf hardware for security systems, and do not announce their intended use (such as in online help forums) to prevent potential attackers from knowing what equipment you are using.
● Use a true random source for password generation. Ideally, use a random password/passphrase generator instead of allowing users to choose their own. In practice, this method might be difficult, especially when users must remember their passwords. At a minimum, use the tools provided with your operating system to enforce strong password policies and reduce the possibility of weak passwords.
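The first countermeasure in the list, XOR-combining independent sources, is worth seeing in code. The following is an added example and not from the essay: a source that stands in for a compromised generator (seeded Mersenne Twister, whose output anyone with the seed can reproduce), a secure keystream source (HMAC-SHA256 as a PRF, assumed here as the stand-in for a stream cipher), the XOR combiner, and an audit check that flags a source whose output repeats. Function names are this example's own.

```python
# Added example (not from the essay): XOR-combining random sources so the result
# stays unpredictable as long as at least one input is, plus a reproducibility check.
import hashlib
import hmac
import random
import secrets

def predictable_source(seed: int, n: int) -> bytes:
    """Stands in for a generator an attacker has compromised: whoever knows the
    seed reproduces every byte. random.Random is Mersenne Twister, not a CSPRNG."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))

def csprng_source(n: int) -> bytes:
    """The OS CSPRNG (what a hardware RNG or /dev/urandom provides in practice)."""
    return secrets.token_bytes(n)

def stream_cipher_output(key: bytes, n: int) -> bytes:
    """Secure keystream source: HMAC-SHA256 as a PRF in counter mode (toy stand-in
    for the 'secure stream cipher' the countermeasure names)."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]

def xor_combine(*sources: bytes) -> bytes:
    """XOR equal-length byte strings. If any one source is uniform and independent
    of the rest, the result is uniform; a predictable input cannot weaken it."""
    n = len(sources[0])
    if any(len(s) != n for s in sources):
        raise ValueError("all sources must have the same length")
    out = bytearray(n)
    for s in sources:
        for i, b in enumerate(s):
            out[i] ^= b
    return bytes(out)

def is_reproducible(generator, n: int = 32) -> bool:
    """Audit check: draw twice from a generator that takes only a length; a fit
    random source never hands out the same bytes again."""
    return generator(n) == generator(n)

def combined_source(n: int) -> bytes:
    """Hardware-style CSPRNG bytes XORed with keystream from a freshly keyed cipher."""
    return xor_combine(csprng_source(n), stream_cipher_output(secrets.token_bytes(32), n))

if __name__ == "__main__":
    weak = lambda n: predictable_source(1234, n)  # constructed compromised source
    print("compromised source repeats itself:", is_reproducible(weak))
    print("combined output repeats itself:   ", is_reproducible(combined_source))
    # Mixing the compromised source in does no harm as long as another input is sound.
    mixed = lambda n: xor_combine(weak(n), combined_source(n))
    print("mixed output repeats itself:      ", is_reproducible(mixed))
```

The reproducibility check is the kind of test an audit of a proprietary generator would want to run; it catches a generator seeded from a constant, but not one seeded from a weak value the attacker can guess, which is why the combination with an independent source is the stronger countermeasure.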
Related Key Attacks
A related key attack is a form of cryptanalysis in which attackers can observe a cipher’s operation by using several different keys. Initial values for these keys are unknown, but a mathematical relationship connecting the keys is known.
Wired Equivalent Privacy (WEP) is an important example of a cryptographic protocol that failed because of related key attacks. Each client in a WEP network uses the same key and the RC4 algorithm. WEP keys must be changed manually, so typically they are not changed often. Attackers can assume that all keys in WEP encryption are related by a known initialization vector (IV). With 24 bits for an IV, only about 17 million keys are possible. This number sounds high, but in practice, WEP’s key schedule repeats in a short time. WEP’s inherent weaknesses and certain weak keys in RC4 make it easy to recover WEP keys used for encryption. In 2005, the FBI demonstrated that WEP could be broken and the WEP key recovered in less than three minutes.
Preventing related key attacks on WEP networks is not possible, given the protocol’s weaknesses. To defend wireless networks against related key attacks and other attacks, use WPA2 or 802.11i for security. To defend wired cryptographic systems against related key attacks or others that exploit weak key schedules, use a cryptographic algorithm, such as AES, that incorporates a strong key schedule.
Some older network interface cards (NICs) cannot perform strong encryption methods, so you might need to upgrade NICs to support stronger encryption.
Integral Cryptanalysis
Integral cryptanalysis is applicable to block ciphers that use a substitution-permutation network, including Rijndael, Twofish, and IDEA, among others. This attack uses sets of chosen plaintext messages that share a common constant. Each set of messages shares a constant value, and the remainder of each plaintext message is tried with all possible variables, much like a brute-force attack that checks all possible keys. In integral cryptanalysis, however, only part of the message is tested; the remaining bits are constant. For example, in a set of 256 chosen plaintext messages, each might vary by only 8 bits. In this attack, each set of plaintext messages has an XOR sum of zero, and the corresponding sets of ciphertext messages (generated from the plaintext messages) offer information about the cipher’s operation based on the XOR variations.
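The XOR-sum-of-zero property described above can be checked directly. The following added example (not from the essay) builds the set of 256 chosen plaintexts that vary in a single byte, confirms the set XORs to zero, and then shows why the property is useful: a round-key XOR and a bijective byte substitution (an S-box) both preserve it, while a non-bijective map destroys it. The S-box is a constructed seeded permutation and the key-addition step is a stand-in for a cipher's own layers; no real cipher is modelled. All names are this example's own.

```python
# Added example (not from the essay): the balanced-set property that integral
# cryptanalysis tracks through the key-addition and substitution layers of a cipher.
import random

BLOCK_LEN = 16

def integral_set(constant_block: bytes, active_index: int) -> list:
    """256 blocks sharing every byte except the active one, which takes all 256 values."""
    if len(constant_block) != BLOCK_LEN:
        raise ValueError("block must be %d bytes" % BLOCK_LEN)
    out = []
    for v in range(256):
        b = bytearray(constant_block)
        b[active_index] = v
        out.append(bytes(b))
    return out

def xor_sum(blocks: list) -> bytes:
    acc = bytearray(BLOCK_LEN)
    for blk in blocks:
        for i, byte in enumerate(blk):
            acc[i] ^= byte
    return bytes(acc)

def is_balanced(blocks: list) -> bool:
    """A position whose 256 values XOR to zero is 'balanced'; the attack follows
    balanced positions through the cipher as long as each layer preserves them."""
    return xor_sum(blocks) == bytes(BLOCK_LEN)

def add_round_key(blocks: list, round_key: bytes) -> list:
    """XOR with a fixed key: 256 copies of the key cancel, so balance is preserved."""
    return [bytes(b ^ k for b, k in zip(blk, round_key)) for blk in blocks]

def make_sbox(seed: int) -> list:
    """Constructed bijective byte S-box: a seeded permutation of 0..255."""
    table = list(range(256))
    random.Random(seed).shuffle(table)
    return table

def substitute(blocks: list, table: list) -> list:
    """Apply a byte map. A permutation only reorders the 256 active-byte values,
    so their XOR stays zero; constant positions map to one value repeated 256 times."""
    return [bytes(table[b] for b in blk) for blk in blocks]

def lossy_map() -> list:
    """Constructed non-bijective map (255 collapses onto 254): not a permutation,
    so the active byte's 256 outputs no longer XOR to zero."""
    return [min(v, 254) for v in range(256)]

if __name__ == "__main__":
    base = bytes(range(BLOCK_LEN))          # constructed constant part of the plaintexts
    key = bytes([0x5A]) * BLOCK_LEN         # constructed round key
    pts = integral_set(base, active_index=5)
    print("plaintext set balanced:", is_balanced(pts))
    after = substitute(add_round_key(pts, key), make_sbox(42))
    print("after key add + S-box, still balanced:", is_balanced(after))
    print("after a non-bijective map, balanced:", is_balanced(substitute(pts, lossy_map())))
```

This is why integral cryptanalysis targets substitution-permutation networks in particular: every layer that is a permutation of byte values (key addition, a bijective S-box, byte shuffling) keeps the XOR sum at zero, and the analyst tracks how many rounds it takes before mixing across positions finally breaks the property.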
Differential Cryptanalysis
Differential cryptanalysis applies mainly to block ciphers but can also be used against stream ciphers and hashing functions. Generally, it examines how differences in input affect the output. In block ciphers, it is used to discover where the cipher has nonrandom behavior. Predictable behavior in ciphers results in weaknesses that attackers can use to gain information about the cipher’s functions and then recover keys.
Differential cryptanalysis uses pairs of plaintext messages related by a constant difference. By computing differences in the corresponding ciphertext messages (called differentials), attackers might be able to find statistical patterns. Differentials depend on the nature of S-box functions used for encryption, so attackers analyze differentials for each S-box value to look for their frequency of use. This information reveals areas where the cipher displays nonrandom behavior.
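The per-S-box frequency analysis the paragraph describes is what cipher designers tabulate as a difference distribution table (DDT) when they evaluate a candidate S-box. The following is an added example, not from the essay: it computes the DDT of a 4-bit S-box and reports its differential uniformity, the largest count in any row for a nonzero input difference. The S-box used is the real one from the PRESENT block cipher; the identity map is included as the worst possible case. Function names are this example's own.

```python
# Added example (not from the essay): the difference distribution table a designer
# computes to measure how nonrandom an S-box is. DDT[dx][dy] counts the inputs x
# for which S(x) ^ S(x ^ dx) == dy. An ideal S-box spreads each row thinly; a
# large entry is a high-probability differential, the predictable behavior
# differential cryptanalysis exploits.
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]   # 4-bit S-box of PRESENT
IDENTITY_SBOX = list(range(16))                           # S(x) = x: fully predictable

def ddt(sbox: list) -> list:
    """Difference distribution table, n x n for an n-entry S-box."""
    n = len(sbox)
    table = [[0] * n for _ in range(n)]
    for dx in range(n):
        for x in range(n):
            dy = sbox[x] ^ sbox[x ^ dx]
            table[dx][dy] += 1
    return table

def differential_uniformity(sbox: list) -> int:
    """Largest DDT entry over nonzero input differences. Out of n inputs, this many
    follow the most likely differential; n means the S-box is affine (worst case)."""
    t = ddt(sbox)
    n = len(sbox)
    return max(t[dx][dy] for dx in range(1, n) for dy in range(n))

def best_differential(sbox: list) -> tuple:
    """(dx, dy, probability) of the most likely nontrivial differential."""
    t = ddt(sbox)
    n = len(sbox)
    dx, dy = max(((a, b) for a in range(1, n) for b in range(n)),
                 key=lambda pair: t[pair[0]][pair[1]])
    return dx, dy, t[dx][dy] / n

def print_ddt(sbox: list) -> None:
    t = ddt(sbox)
    print("dx\\dy " + " ".join("%2x" % dy for dy in range(len(sbox))))
    for dx, row in enumerate(t):
        print("  %x   " % dx + " ".join("%2d" % v for v in row))

if __name__ == "__main__":
    print_ddt(PRESENT_SBOX)
    print("PRESENT S-box uniformity:", differential_uniformity(PRESENT_SBOX),
          "best differential:", best_differential(PRESENT_SBOX))
    print("identity S-box uniformity:", differential_uniformity(IDENTITY_SBOX))
```

Reading the table: row 0 is always a single 16 in column 0 (no input difference, no output difference), every other row sums to 16, and entries come in even numbers because x and x ^ dx contribute the same dy. The designer's goal is to keep the largest off-row entry small, so that no single-round differential holds with high enough probability to chain across many rounds; that is the "masking of predictable behavior" the next paragraph refers to.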
Because predictable behavior makes a cipher more vulnerable to being broken, using secure PRNG methods is critical. The goal of cryptographers is to prevent or mask predictable behavior. No algorithm is completely random, but nonrandom functions can be disguised.
Remember the importance of staying informed about the cryptographic system you are using. Sign up for mailing lists and newsletters to keep up to date on emerging threats and new defenses. New versions to correct flaws are released often, so make sure your systems are patched and updated. Another useful place to find information about emerging attacks is hackers’ sites. Often, they are the first people to report flaws in cryptographic systems.