Entry: Adaptive chosen-ciphertext attack
Definition

  1. Practical attacks

  2. Preventing attacks

  3. Mathematical model

  4. References


An adaptive chosen-ciphertext attack (abbreviated as CCA2) is an interactive form of chosen-ciphertext attack in which an attacker first sends a number of adaptively chosen ciphertexts to be decrypted, then uses the results to distinguish a target ciphertext without consulting the oracle on the challenge ciphertext. In an adaptive attack the attacker is further allowed to make adaptive queries after the target is revealed (but querying the target itself is disallowed). It extends the indifferent (non-adaptive) chosen-ciphertext attack (CCA1), in which the second stage of adaptive queries is not allowed. Charles Rackoff and Dan Simon defined CCA2 and suggested a system building on the non-adaptive CCA1 definition and system of Moni Naor and Moti Yung (which was the first treatment of chosen-ciphertext attack immunity for public-key systems).

In certain practical settings, the goal of this attack is to gradually reveal information about an encrypted message, or about the decryption key itself. For public-key systems, adaptive chosen-ciphertext attacks are generally applicable only when the system has the property of ciphertext malleability: that is, a ciphertext can be modified in specific ways that will have a predictable effect on the decryption of that message.

Practical attacks

Adaptive chosen-ciphertext attacks were perhaps considered a theoretical concern, not one manifested in practice, until 1998, when Daniel Bleichenbacher of Bell Laboratories (at the time) demonstrated a practical attack against systems using RSA encryption in concert with the PKCS#1 v1 encoding function, including a version of the Secure Sockets Layer (SSL) protocol used by thousands of web servers at the time.[1]

Bleichenbacher's attack, also known as the million message attack, took advantage of flaws within the PKCS #1 function to gradually reveal the content of an RSA-encrypted message. Doing this requires sending several million test ciphertexts to the decryption device (e.g., an SSL-equipped web server). In practical terms, this means that an SSL session key can be exposed in a reasonable amount of time, perhaps a day or less.

With slight variations, this vulnerability still exists in many modern servers, under the new name "Return Of Bleichenbacher's Oracle Threat" (ROBOT).[2]

Preventing attacks

In order to prevent adaptive chosen-ciphertext attacks, it is necessary to use an encryption or encoding scheme that limits ciphertext malleability, together with a proof of security of the system. After the theoretical and foundational development of CCA-secure systems, a number of systems have been proposed in the random oracle model; the most common standard for RSA encryption is Optimal Asymmetric Encryption Padding (OAEP). Unlike improvised schemes such as the padding used in the early versions of PKCS#1, OAEP has been proven secure in the random oracle model.[3] OAEP was incorporated into PKCS#1 as of version 2.0, published in 1998, as the now-recommended encoding scheme, with the older scheme still supported but not recommended for new applications.[4] However, the gold standard for security is to show the system secure without relying on the random oracle idealization.

Mathematical model

In complexity-theoretic cryptography, security against adaptive chosen-ciphertext attacks is commonly modeled using ciphertext indistinguishability (IND-CCA2).
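The three points above (malleability is what makes a CCA2 attack possible, an OAEP-style encoding limits it, and IND-CCA2 is the game in which this is measured) can be put together in one runnable illustration. The following is an added example written for this page, not code from the original article or from any of the cited papers: it generates a throwaway RSA key (using a multi-base Fermat test, which is adequate for a demonstration key but not for real key generation), implements a simplified EME-OAEP encoding in the style of PKCS#1 v2.0 with SHA-256 and an empty label (readable, not constant-time, and not a substitute for a vetted library), and then runs the IND-CCA2 game from the last paragraph. The class and function names (`TextbookRSA`, `RsaOaep`, `MaulingAdversary`, `ind_cca2_game`) and the two sample messages are this example's own inventions. Against unpadded RSA the adversary wins every game by asking the phase-2 oracle about a modified ciphertext; against the OAEP-encoded scheme the same modified ciphertext is simply rejected, so the oracle gives no information and the adversary is reduced to guessing.

```python
import hashlib
import os
import random

HLEN = 32  # SHA-256 digest length; OAEP below uses SHA-256 for the label hash and for MGF1


def rsa_keygen(bits=1024, e=65537):
    """Toy RSA key pair so the example runs offline (constructed for this example).
    A Fermat test with several bases is fine for a throwaway demonstration key;
    real key generation uses a proper primality test in a vetted library."""
    def prime(b):
        while True:
            c = random.getrandbits(b) | (1 << (b - 1)) | 1
            if all(pow(a, c - 1, c) == 1 for a in (2, 3, 5, 7, 11)):
                return c
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and phi % e and n.bit_length() == bits:
            return (n, e), (n, pow(e, -1, phi))


def mgf1(seed, length):
    """MGF1 mask generation function as in PKCS#1 v2.0 (RFC 2437), here over SHA-256."""
    blocks = -(-length // HLEN)
    return b"".join(hashlib.sha256(seed + i.to_bytes(4, "big")).digest() for i in range(blocks))[:length]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def oaep_encode(m, k):
    """Simplified EME-OAEP with an empty label: a fresh random seed masks the data block and vice versa."""
    if len(m) > k - 2 * HLEN - 2:
        raise ValueError("message too long for this modulus")
    db = hashlib.sha256(b"").digest() + b"\x00" * (k - len(m) - 2 * HLEN - 2) + b"\x01" + m
    seed = os.urandom(HLEN)
    masked_db = xor(db, mgf1(seed, k - HLEN - 1))
    masked_seed = xor(seed, mgf1(masked_db, HLEN))
    return b"\x00" + masked_seed + masked_db


def oaep_decode(em, k):
    """Unmask and check; every failure collapses into one uninformative None."""
    seed = xor(em[1:1 + HLEN], mgf1(em[1 + HLEN:], HLEN))
    db = xor(em[1 + HLEN:], mgf1(seed, k - HLEN - 1))
    rest = db[HLEN:].lstrip(b"\x00")
    if em[0] != 0 or db[:HLEN] != hashlib.sha256(b"").digest() or rest[:1] != b"\x01":
        return None
    return rest[1:]


class TextbookRSA:
    """Unpadded RSA: (c * r^e) mod n decrypts to (m * r) mod n, so ciphertexts are malleable."""
    def __init__(self, pk, sk):
        (self.n, self.e), self.d = pk, sk[1]
        self.k = (self.n.bit_length() + 7) // 8
    def encrypt(self, m):
        return pow(int.from_bytes(m, "big"), self.e, self.n)
    def decrypt(self, c):
        return pow(c, self.d, self.n).to_bytes(self.k, "big")


class RsaOaep(TextbookRSA):
    """Same RSA primitive, but the OAEP encoding makes a modified ciphertext fail to decode."""
    def encrypt(self, m):
        return super().encrypt(oaep_encode(m, self.k))
    def decrypt(self, c):
        return oaep_decode(super().decrypt(c), self.k)


def ind_cca2_game(scheme, adversary):
    """One run of the IND-CCA2 game; returns True if the adversary recovers the hidden bit b."""
    m0, m1 = adversary.choose_messages(scheme.decrypt)  # phase 1: unrestricted decryption oracle
    b = random.randrange(2)
    c_star = scheme.encrypt((m0, m1)[b])
    def oracle(c):  # phase 2: adaptive queries are still allowed, only the challenge itself is not
        if c == c_star:
            raise ValueError("the challenge ciphertext may not be queried")
        return scheme.decrypt(c)
    return adversary.guess(c_star, oracle) == b


class MaulingAdversary:
    """Hypothetical adversary: asks the oracle for Dec(c* * 2^e) and checks whether it equals 2 * m0."""
    def __init__(self, n, e):
        self.n, self.e, self.rejected = n, e, False
    def choose_messages(self, _oracle):
        self.m0, self.m1 = b"transfer 100 USD", b"transfer 900 USD"  # constructed, equal-length messages
        return self.m0, self.m1
    def guess(self, c_star, oracle):
        pt = oracle(c_star * pow(2, self.e, self.n) % self.n)
        if pt is None:  # decoding failed, so the oracle leaked nothing; nothing better than a fixed guess
            self.rejected = True
            return 0
        return 0 if int.from_bytes(pt, "big") == 2 * int.from_bytes(self.m0, "big") else 1


if __name__ == "__main__":
    pk, sk = rsa_keygen()
    for scheme in (TextbookRSA(pk, sk), RsaOaep(pk, sk)):
        adv = MaulingAdversary(pk[0], pk[1])
        print(type(scheme).__name__, "adversary wins:", ind_cca2_game(scheme, adv), "oracle rejected:", adv.rejected)
```

Two design points matter for the defender. First, `oaep_decode` folds every consistency check into a single `None`, so the decryption device does not tell the caller which check failed; distinguishing failure modes is precisely the kind of side information a practical CCA2 attack feeds on. Second, the game's phase-2 oracle refuses only the challenge ciphertext itself, which is why malleability is decisive: a scheme that lets a related ciphertext decrypt to a related plaintext hands the adversary the challenge plaintext through the back door.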

References

1. Daniel Bleichenbacher. "Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1". CRYPTO '98, Santa Barbara, California, August 23–27, 1998. Springer Berlin Heidelberg, pp. 1–12. doi:10.1007/BFb0055716. ISBN 978-3-540-64892-5. https://link.springer.com/content/pdf/10.1007%2FBFb0055716.pdf
2. Hanno Böck, Juraj Somorovsky, Craig Young. "ROBOT attack". https://robotattack.org. Accessed February 27, 2018.
3. Eiichiro Fujisaki, Tatsuaki Okamoto, David Pointcheval, Jacques Stern. "RSA-OAEP Is Secure under the RSA Assumption". Journal of Cryptology 17(2), pp. 81–104, 2004. doi:10.1007/s00145-002-0204-y. http://www.di.ens.fr/~pointche/Documents/Papers/2004_joc.pdf
4. B. Kaliski, J. Staddon. "PKCS #1: RSA Cryptography Specifications Version 2.0". RFC 2437, IETF, October 1998. doi:10.17487/RFC2437.