# Chosen Ciphertext Attacks

Chosen ciphertext attacks are the important topic of the Subject Information and Network Security.

- This type of attack exploits properties of the RSA algorithm.
- The adversary could select a plaintext, encrypt it with the target’s public key, and then gets the plaintext back by having it decrypted with the private key.
- This provides no new information. Instead, the adversary exploits properties of RSA and selects blocks of data that, when processed using the target’s private key, gives the information needed for cryptanalysis.
- An example of one such attack is that the attacker exploits the following property of RSA.

**E(PU,M1)× E(PU,M2) = E(PU, [M1 × M2]) **

- Compute X = (C×2
^{e}) mod n. - Submit X as a chosen ciphertext and receive back Y = X
^{d }mod n o But now note that

X =(C mod n) * (2^{e}mod n)

= (M^{e }mod n) * (2^{e}mod n)

X = (2M)^{e }mod n

- Therefore, Y = (2M) mod n.
- To overcome this simple attack, randomly pad the plaintext before encryption.
- This randomizes the ciphertext so that the Equation no longer holds.

### Man-in-the-Middle Attack: Chosen Ciphertext Attacks

- Suppose A and B wish to exchange keys, and E is the attacker.
- The attack proceeds as follows.
- E generates two random private keys
**X**and_{E1 }**X**then computing the corresponding public keys_{E2 }**Y****E1**and**Y****E2.** - A transmits
**YA**to B. - E intercepts
**Y**and transmits ‘_{A }**Y**to B._{E1 } - B receives
**Y**and calculates_{E1 }**K**_{1}= (Y_{E1})^{XB}mod q. - B transmits
**Y**to A._{B} - E intercepts
**Y**and transmits_{B}**Y**to A._{E2 } - A receives
**Y**and calculates_{E2}**K**_{2}= (Y_{E2})^{XA }mod q. - E also calculates
**K**and_{1}= (Y_{B})^{XE1}mod q**K**_{2}= (Y_{A})^{XE2 }mod q

- E generates two random private keys

- At this point, B and A think that they share a secret key, but instead Band E share secret key and A and E share a secret key.
- All future communication between B and A is compromised in the following way.
- A sends an encrypted message
**M**as**E(K**_{2}, M). - E intercepts the encrypted message and decrypts it to recover M.
- E sends
**E(K**or_{1}, M)**E(K**to B, where_{1}, M’)**M’**is any message.

- A sends an encrypted message
- The key exchange protocol is vulnerable to such an attack because it does not authenticate the participants.
- This vulnerability can be overcome with the use of digital signatures and public-key certificates.

**Related Terms**

Information and Network Security, Modes: Operations, Public Key Cryptanalysis, RSA Algorithm

## Leave a Reply