In
cryptographyCryptography is the practice and study of hiding information. Modern cryptography intersects the disciplines of mathematics, computer science, and engineering...
, a
ciphertext-only attack (COA) or
known ciphertext attack is an
attack modelAttack models or attack types specify how much information a cryptanalyst has access to when cracking an encrypted message...
for
cryptanalysisCryptanalysis is the study of methods for obtaining the meaning of encrypted information, without access to the secret information which is normally required to do so. Typically, this involves knowing how the system works and finding a secret key...
where the attacker is assumed to have access only to a set of
ciphertextIn cryptography, ciphertext is the result of the process of transforming information using an algorithm to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key. This result is also known as encrypted information...
s.
The attack is completely successful if the corresponding
plaintextIn cryptography, plaintext is information a sender wishes to transmit to a receiver. Cleartext is, sometimes confusingly, often used as a synonym. Before the computer era, plaintext most commonly meant message text in the language of the communicating parties...
s can be deduced, or even better, the key. The ability to obtain any information at all about the underlying plaintext is still considered a success. For example, if an adversary is sending ciphertext continuously to maintain traffic-flow security, it would be very useful to be able to distinguish real messages from nulls.
In
cryptographyCryptography is the practice and study of hiding information. Modern cryptography intersects the disciplines of mathematics, computer science, and engineering...
, a
ciphertext-only attack (COA) or
known ciphertext attack is an
attack modelAttack models or attack types specify how much information a cryptanalyst has access to when cracking an encrypted message...
for
cryptanalysisCryptanalysis is the study of methods for obtaining the meaning of encrypted information, without access to the secret information which is normally required to do so. Typically, this involves knowing how the system works and finding a secret key...
where the attacker is assumed to have access only to a set of
ciphertextIn cryptography, ciphertext is the result of the process of transforming information using an algorithm to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key. This result is also known as encrypted information...
s.
The attack is completely successful if the corresponding
plaintextIn cryptography, plaintext is information a sender wishes to transmit to a receiver. Cleartext is, sometimes confusingly, often used as a synonym. Before the computer era, plaintext most commonly meant message text in the language of the communicating parties...
s can be deduced, or even better, the key. The ability to obtain any information at all about the underlying plaintext is still considered a success. For example, if an adversary is sending ciphertext continuously to maintain traffic-flow security, it would be very useful to be able to distinguish real messages from nulls. Even making an informed guess of the existence of real messages would facilitate
traffic analysisTraffic analysis is the process of intercepting and examining messages in order to deduce information from patterns in communication. It can be performed even when the messages are encrypted and cannot be decrypted. In general, the greater the number of messages observed, or even intercepted and...
.
In the
history of cryptographyThe history of cryptography begins thousands of years ago. Until recent decades, it has been the story of what might be called classic cryptography — that is, of methods of encryption that use pen and paper, or perhaps simple mechanical aids...
, early ciphers, implemented using pen-and-paper, were routinely broken using ciphertexts alone. Cryptographers developed statistical techniques for attacking ciphertext, such as frequency analysis. Mechanical encryption devices such as Enigma made these attacks much more difficult (although, historically, Polish cryptographers were able to mount a successful ciphertext-only
cryptanalysis of the EnigmaCryptanalysis of the Enigma enabled the Allies in World War II to read substantial amounts of secret Morse-coded radio communications of the Axis powers enciphered using Enigma machines...
by exploiting an insecure protocol for indicating the message settings).
Every modern
cipherIn cryptography, a cipher is an algorithm for performing encryption or decryption — a series of well-defined steps that can be followed as a procedure. An alternative, less common term is encipherment. In non-technical usage, a “cipher” is the same thing as a “code”; however, the concepts...
attempts to provide protection against ciphertext-only attacks. The vetting process for a new cipher design standard usually takes many years and includes exhaustive testing of large quantities of ciphertext for any statistical departure from random noise.
See: Advanced Encryption Standard processThe Advanced Encryption Standard , the block cipher ratified as a standard by National Institute of Standards and Technology of the United States , was chosen using a process markedly more open and transparent than its predecessor, the aging Data Encryption Standard...
. Also, the field of
steganographySteganography is the art and science of writing hidden messages in such a way that no one, apart from the sender and intended recipient, suspects the existence of the message, a form of security through obscurity. The word steganography is of Greek origin and means "concealed writing"...
evolved, in part, to develop methods like
mimic functionA mimic function changes a file A so it assumes the statistical properties of another file B. That is, if p is the probability of some substring t occurring in A, then a mimic function f, recodes A so that p approximates p for all strings t of length less than some n...
s that allow one piece of data to adopt the statistical profile of another. Nonetheless poor cipher usage or reliance on home-grown proprietary algorithms that have not been subject to thorough scrutiny has resulted in many computer-age encryption systems that are still subject to ciphertext-only attack. Examples include:
- Early versions of Microsoft
Microsoft Corporation is a multinational computer technology corporation that develops, manufactures, licenses, and supports a wide range of software products for computing devices...
's PPTPThe Point-to-Point Tunneling Protocol is a method for implementing virtual private networks. PPTP does not provide confidentiality or encryption; It relies on the protocol being tunneled to provide privacy. PPTP has been made obsolete by Layer 2 Tunneling Protocol and IPSec.- PPTP specification...
virtual private networkA virtual private network is a computer network that is implemented in an additional software layer on top of an existing larger network for the purpose of creating a private scope of computer communications or providing a secure extension of a private network into an insecure network such as the...
software used the same RC4In cryptography, RC4 is the most widely-used software stream cipher and is used in popular protocols such as Secure Sockets Layer and WEP...
key for the sender and the receiver (later versions had other problems). In any case where a stream cipher like RC4 is used twice with the same key it is open to ciphertext-only attack. See: stream cipher attackStream ciphers, where plaintext bits are combined with a cipher bit stream by an exclusive-or operation , can be very secure if used properly. However they are vulnerable to attack if certain precautions are not followed:*keys must never be used twice...
- Wired Equivalent Privacy
Wired Equivalent Privacy is a deprecated algorithm to secure IEEE 802.11 wireless networks. Wireless networks broadcast messages using radio and are thus more susceptible to eavesdropping than wired networks...
(WEP), the first security protocol for Wi-FiWi-Fi is a trademark of the Wi-Fi Alliance for certified products based on the IEEE 802.11 standards. This certification warrants interoperability between different wireless devices....
, proved vulnerable to several attacks, most of them ciphertext-only.
- Some modern cipher designs have later been shown to be vulnerable to ciphertext-only attacks. For example, Akelarre
Akelarre is a block cipher proposed in 1996, combining the basic design of IDEA with ideas from RC5. It was shown to be susceptible to a ciphertext-only attack in 1997....
.
- A cipher whose key space is too small is subject to brute force attack
In cryptography, a brute force attack is a strategy used to break the encryption of data. It involves traversing the search space of possible keys until the correct key is found....
with access to nothing but ciphertext by simply trying all possible keys. All that is needed is some way to distinguish valid plaintext from random noise, never a problem for natural languages. One example is DESThe Data Encryption Standard is a block cipher that was selected by the National Bureau of Standards as an official Federal Information Processing Standard for the United States in 1976 and which has subsequently enjoyed widespread use internationally. It is based on a symmetric-key algorithm...
, which only has 56-bit keys. All too common current examples are commercial security products that derive keys for otherwise impregnable ciphers like AESIn cryptography, the Advanced Encryption Standard is an encryption standard adopted by the U.S. government. The standard comprises three block ciphers, AES-128, AES-192 and AES-256, adopted from a larger collection originally published as Rijndael. Each AES cipher has a 128-bit block size, with...
from a user-selected passwordA password is a secret word or string of characters that is used for authentication, to prove identity or gain access to a resource . The password must be kept secret from those not allowed access....
. Since users rarely employ passwords with anything close to the entropyIn information theory, entropy is a measure of the uncertainty associated with a random variable. The term by itself in this context usually refers to the Shannon entropy, which quantifies, in the sense of an expected value, the information contained in a message, usually in units such as bits...
of the cipher's key space, such systems are often quite easy to break in practice using only ciphertext.