20 citations found.
C. Hall, I. Goldberg, and B. Schneier, "Reaction Attacks Against Several Public-Key Cryptosystems," Proceedings of Information and Communication Security, Springer-Verlag, 1999, pp. 2-12.


This paper is cited in the following contexts:
RSA-OAEP is Secure under the RSA Assumption - Fujisaki, Okamoto.. (2001)   (55 citations)

....which, on input of a pair (m; c) answers whether c encrypts the message m. This attack has been named the Plaintext Checking Attack [11] a validity checking oracle which, on input of a ciphertext c, just answers whether it is a valid ciphertext. This weak oracle (involved in the reaction attacks [8]) had been enough to break some famous encryption schemes [4, 9] namely PKCS #1 v1.5; or the decryption oracle itself, which on the input of any ciphertext, except the challenge ciphertext, responds with the corresponding plaintext (non adaptive adaptive chosen ciphertext attacks [10, 12] The ....

C. Hall, I. Goldberg, and B. Schneier. Reaction Attacks Against Several Public-Key Cryptosystems. In Proc. of ICICS'99, LNCS, pages 2--12. Springer-Verlag, 1999.


RSA-OAEP is Secure under the RSA Assumption - Fujisaki, Okamoto.. (2002)   (55 citations)

....oracles. A plaintext checking oracle receives as its input a pair (m; c) and answers whether c encrypts message m. This gives rises to plaintext checking attack [11] A validity checking oracle answers whether its input c is a valid ciphertext or not. This scenario has been termed reaction attack [9]. It has been successfully applied to break the famous PKCS #1 v1.5 encryption scheme [4] Finally, a decryption oracle returns the decryption of any ciphertext, with the only restriction that it should be different from the challenge ciphertext. When the oracle access is only granted to the ....

C. Hall, I. Goldberg, and B. Schneier. Reaction Attacks Against Several Public-Key Cryptosystems. In Proc. of ICICS'99, LNCS, pages 2-12. Springer-Verlag, 1999.


RSA-OAEP is Secure under the RSA Assumption - Fujisaki, Okamoto.. (2001)   (55 citations)

....which, on input of a pair (m, c) answers whether c encrypts the message m. This attack has been named the Plaintext Checking Attack [11] a validity checking oracle which, on input of a ciphertext c, just answers whether it is a valid ciphertext. This weak oracle (involved in the reaction attacks [8]) had been enough to break some famous encryption schemes [4, 9] namely PKCS #1 v1.5; or the decryption oracle itself, which on the input of any ciphertext, except the challenge ciphertext, responds with the corresponding plaintext (non adaptive adaptive chosen ciphertext attacks [10, 12] The ....

C. Hall, I. Goldberg, and B. Schneier. Reaction Attacks Against Several Public-Key Cryptosystems. In Proc. of ICICS'99, LNCS, pages 2-12. Springer-Verlag, 1999.


Authenticated Encryption in SSH: Provably Fixing the.. - Bellare, Kohno.. (2002)   (9 citations)

....hard to predict: an attacker can simply wait until the predicted padding values collide and then use the predicted value to successfully mount an attack. The attack we describe here is similar in spirit to Wagner's attack in [7] and to the attacks in [20, 26] the term reaction attack comes from [16]) The attack proceeds roughly as follows: an attacker intercepts (and prevents the delivery of) two ciphertexts sent by one party involved in an SSH connection. The adversary then makes a guess about the relationship between the two plaintexts corresponding to the two intercepted ciphertexts. ....

C. Hall, I. Goldberg, and B. Schneier. Reaction attacks against several public-key cryptosystems. In Proceedings of Information and Communication Security, ICICS'99, 1999.


Reaction Attacks on Public Key Cryptosystems Based on the.. - Vasco, Steinwandt (2002)

....on the word problem, and illustrated their proposal with a concrete suggestion for the choice of the system parameters. In this contribution we present an attack on Wagner and Magyarik's scheme which doesn't transgress the hardness of the underlying word problem. The attack is in the spirit of [8] and shows that for any choice of the finitely presented group it is possible to recover the private key by observing the reaction of some legitimate recipient. This observation is modelled by means of an oracle O which recognizes properly ciphered texts without giving further information about ....

....instances. Although the underlying mathematical problem may be intractable, the above discussion shows that in the current state this design cannot be considered as a safe theoretical basis for deriving practical cryptosystems. Reaction attacks were first presented by Hall, Goldberg, and Schneier [8], who succeeded in respectively decrypting ciphertexts and recovering the private key of the McEliece and Ajtai-Dwork cryptosystems. Our attack on Wagner and Magyarik's scheme is in a sense more powerful, as we access fewer information about the legitimate recipient's actions, i.e. we know ....

Chris Hall, Ian Goldberg, and Bruce Schneier. Reaction Attacks Against Several Public-Key Cryptosystems. In Vijay Varadharajan and Yi Mu, editors, Information and Communication Security, Second International Conference, ICICS'99, volume 1726 of Lecture Notes in Computer Science, pages 2-12. Springer, 1999.


RSA-REACT: An Alternative to RSA-OAEP - Okamoto, Pointcheval (2001)   (3 citations)

....input of a pair (m; c) answers whether c encrypts the message m. This attack has been named the Plaintext Checking Attack (PCA) [22] a validity checking oracle which, on input of a ciphertext c, just answers whether it is a valid ciphertext. This weak oracle (involved in the reaction attacks [18]) had been enough to break some famous encryption schemes [7, 20] namely PKCS #1 v1.5; or the decryption oracle itself, which on the input of any ciphertext, except the challenge ciphertext, responds with the corresponding plaintext (non adaptive adaptive chosen ciphertext attacks [21, ....

C. Hall, I. Goldberg, and B. Schneier. Reaction Attacks Against Several Public-Key Cryptosystems. In Proc. of ICICS'99, LNCS, pages 2--12. Springer-Verlag, 1999.


Provably Fixing the SSH Binary Packet Protocol - Bellare, Kohno, Namprempre (2002)   (3 citations)

....hard to predict: an attacker can simply wait until the predicted padding values collide and then use the predicted value to successfully mount an attack. The attack we describe here is similar in spirit to Wagner's attack in [6] and to the attacks in [20, 26] the term reaction attack comes from [16]) Since the SSH draft allows the use of non random padding, we consider the existence of this attack to be a serious problem. The attack proceeds roughly as follows: an attacker intercepts (and prevents the delivery of) two ciphertexts sent by one party involved in an SSH connection. The ....

C. Hall, I. Goldberg, and B. Schneier. Reaction attacks against several public-key cryptosystems. In Proceedings of Information and Communication Security, ICICS'99, 1999.


RSA-OAEP is Secure under the RSA Assumption - Fujisaki, Okamoto.. (2001)   (55 citations)

....on input of a pair (m; c) answers whether c encrypts the message m. This attack has been named the Plaintext Checking Attack [11] a validity checking oracle which, on input of a ciphertext c, just answers whether it is a valid ciphertext. This weak oracle (involved in the reaction attacks [8]) had been enough to break some famous encryption schemes [4, 9] namely PKCS #1 v1.5; or the decryption oracle itself, which on the input of any ciphertext, except the challenge ciphertext, responds with the corresponding plaintext (non adaptive adaptive chosen ciphertext attacks [10, 12] The ....

C. Hall, I. Goldberg, and B. Schneier. Reaction Attacks Against Several Public-Key Cryptosystems. In Proc. of ICICS'99, LNCS, pages 2--12. Springer-Verlag, 1999.


A Chosen Ciphertext Attack against Several E-Mail Encryption.. - Katz, Schneier (2000)   (2 citations)  Self-citation (Schneier)

No context found.

C. Hall, I. Goldberg, and B. Schneier, "Reaction Attacks Against Several Public-Key Cryptosystems," Proceedings of Information and Communication Security, Springer-Verlag, 1999, pp. 2-12.


A Pseudonymous Communications Infrastructure For The Internet - Goldberg (2000)   (11 citations)  Self-citation (Goldberg)

No context found.

Chris Hall, Ian Goldberg, and Bruce Schneier. Reaction Attacks Against Several Public-Key Cryptosystems. In Proc. ICICS 1999.


Side Channel Cryptanalysis of Product Ciphers - John Kelsey Bruce (1998)   (20 citations)  Self-citation (Hall Schneier)

No context found.

C. Hall, I. Goldberg, B. Schneier, "Reaction Attacks Against Several Public-Key Cryptosystems," 1998, in preparation.


A Chosen Ciphertext Attack against Several E-Mail Encryption.. - Katz, Schneier (2000)   (2 citations)  Self-citation (Schneier)

....the attack to be nontrivial the adversary is not allowed to submit the original ciphertext C to the decryption oracle. At first glance, this type of attack seems purely academic (when does an adversary have access to free decryption ) but consideration of the attack is of practical significance [8, 4, 2, 9]. One can readily think of examples in which information about the decrypted plaintext is available to the attacker. For instance, an adversary might be interacting with a computer which, when given some ciphertext, performs a specified action if the ciphertext is valid (i.e. whose decryption ....

....invalid ones. Such an attack on the RSA Encryption Standard PKCS#1 has been demonstrated [2] leading to a feasible attack on certain implementations of the SSL V.3.0 protocol. A similar attack, called a reaction attack, has been used to break several coding theory based public key cryptosystems [9]. In yet another example [8] the adversary communicates with a party on the network who responds to ciphertext messages only if the decryption of the message corresponds to valid English text. This, too, gives the adversary information about the decrypted plaintext which may prove useful in ....

C. Hall, I. Goldberg, and B. Schneier, "Reaction Attacks Against Several Public-Key Cryptosystems," Proceedings of Information and Communication Security, Springer-Verlag, 1999, pp. 2--12.


Side Channel Cryptanalysis of Product Ciphers - Kelsey, Schneier, Wagner, Hall (1998)   (20 citations)  Self-citation (Hall Schneier)

....begun to appear in the literature: attacks that target specific implementation details. Both timing attacks [Koc96] and differential fault analysis [BDL97,BS97] make assumptions about the implementation, and use additional information garnered from attacking certain implementations. Failure analysis [HGS97,Bel96] assumes a one bit feedback from the implementation was the message successfully decrypted in order to break the underlying cryptographic primitive. More recently, differential power analysis [KJY98] sometimes referred to as DPA in the remainder of this article) has been developed and applied to ....

C. Hall, I. Goldberg, B. Schneier, "Reaction Attacks Against Several Public-Key Cryptosystems," 1998, in preparation.


Side Channel Cryptanalysis of Product Ciphers - Kelsey, Schneier, Wagner, Hall (1998)   (20 citations)  Self-citation (Hall Schneier)

....to appear in the literature: attacks that target specific implementation details. Both timing attacks [Koc96] and differential fault analysis [BDL97,BS97] make assumptions about the implementation, and use additional information garnered from attacking certain implementations. Failure analysis [HGS97,Bel96] assumes a one bit feedback from the implementation was the message successfully decrypted in order to break the underlying cryptographic primitive. Related key cryptanalysis [Bih94,KSW96,KSW97] also makes assumptions about the implementation, in this case about related keys used to encrypt ....

C. Hall, I. Goldberg, B. Schneier, "Reaction Attacks Against Several Public-Key Cryptosystems," 1998, in preparation.


Side Channel Cryptanalysis of Product Ciphers - Kelsey, Schneier, Wagner, Hall (1998)   (20 citations)  Self-citation (Hall Schneier)

....to appear in the literature: attacks that target specific implementation details. Both timing attacks [Koc96] and differential fault analysis [BDL97,BS97] make assumptions about the implementation, and use additional information garnered from attacking certain implementations. Failure analysis [HGS97,Bel96] assumes a one bit feedback from the implementation was the message successfully decrypted in order to break the underlying cryptographic primitive. More recently, differential power analysis [KJY98] sometimes referred to as DPA in the remainder of this article) has been developed and ....

C. Hall, I. Goldberg, B. Schneier, "Reaction Attacks Against Several Public-Key Cryptosystems," 1998, in preparation.


Side Channel Cryptanalysis of Product Ciphers - Kelsey, Schneier, Wagner, Hall (1998)   (20 citations)  Self-citation (Hall Schneier)

....to appear in the literature: attacks that target specific implementation details. Both timing attacks [Koc96] and differential fault analysis [BDL97,BS97] make assumptions about the implementation, and use additional information garnered from attacking certain implementations. Failure analysis [HGS97,Bel96] assumes a one bit feedback from the implementation was the message successfully decrypted in order to break the underlying cryptographic primitive. Related key cryptanalysis [Bih94,KSW96,KSW97] also makes assumptions about the implementation, in this case about related keys used to encrypt ....

C. Hall, I. Goldberg, B. Schneier, "Reaction Attacks Against Several Public-Key Cryptosystems," unpublished manuscript, 1997.


Semantically Secure McEliece Public-Key Cryptosystems -.. - Kobara, Imai (2001)   (2 citations)

No context found.

C. Hall, I. Goldberg, and B. Schneier. "Reaction Attacks Against Several Public-Key Cryptosystems". In Proc. of the 2nd International Conference on Information and Communications Security (ICICS'99), LNCS 1726, pages 2-12, 1999.


Analysis and Improvements of NTRU Encryption Paddings - Nguyen, Pointcheval (2002)   (5 citations)

No context found.

C. Hall, I. Goldberg, and B. Schneier. Reaction Attacks against Several Public-Key Cryptosystems. In Proc. of ICICS '99, LNCS, pages 2--12. Springer-Verlag, 1999.


The Impact of Decryption Failures on the Security.. - Howgrave-Graham..

No context found.

C. Hall, I. Goldberg, and B. Schneier. Reaction Attacks Against Several Public-Key Cryptosystems. In Proc. of ICICS '99, LNCS, pages 2-12. Springer-Verlag, 1999.


Why Provable Security Matters? - Stern

No context found.

C. Hall, I. Goldberg, and B. Schneier. Reaction Attacks Against Several Public-Key Cryptosystems. In Proc. of ICICS'99, Lecture Notes in Computer Science, Springer-Verlag, 1999, 2-12.


CiteSeer.IST - Copyright Penn State and NEC