Cryptology: Known Plaintext Attack

Cryptology

Known Plaintext Attack

a7Hzq .#5r< kÜ\as TâÆK$ ûj(Ö2 ñw%h: Úk{4R f~`z8 ¤˜Æ+Ô „&¢Dø

Frequently asked question: What is an »attack with known plaintext«? If the attacker knows the plaintext, there is nothing left to crack!

Answer: Often the cryptanalyst knows a chunk of plaintext, maybe only a single probable word, and then tries to determine some further chunks of plaintext—or the key and thereby the complete plaintext.

Grading of the Attack

Plaintext completely unknown.
Supposed (probable) word:
- a frequent word (for example articles or, what the German cryptanalysts in World War II utilized in breaking the American M-209, numbers spelled as letters—»five seven three«),
- a special word in the context of the message.
Known chunk of plaintext (for example set phrases).
One or more complete compromised messages.

Often the position of the probable word is determined by trial and error.

Probable words and and chunks of known plaintext occur as:

Frequent words
Stereotypical phrases (»Yours sincerily«)
Context information (»Oberkommando der Wehrmacht«)
Provoked messages (»Erloschen ist Leuchttonne«)
Carelessness of operators (for example sending the same message in an old, already broken cipher and in a new one that is not yet implemented at all receivers
- This frequently happened in history, and even in World War II resulted in some spectacular cryptanalytic successes.
... or by activities of the secret service

Often the known plaintext is a part of the text that was already found or guessed in an earlier stage of cryptanalysis, for example by pattern search.

Or the same message was sent in two different ciphers, one of them already broken, providing a complete known plaintext message for the other cipher. In history this happened when an old cipher was replaced by a new one and not all receivers had yet implemented the new cipher.

Some procedures of modern cryptography use challenge-response techniques for authenticating users. They send a random plaintext and get back the corresponding ciphertext. The attacker sees both of them.

The amount of known plaintext that is needed for a certain attack method serves as measure of the efficiency of this attack. Therefore it contributes to assessing the security of the cipher. This measure is somewhat coarser than the time complexity of the attack because every part of the known plaintext has to be touched (otherwise the attack could dispense with it).

Examples

Shift Cipher

Even a single known letter of plaintext reveals the key.

General Monoalphabetic Substitution

Each known letter of plaintext revels one letter of the key.

Breaking a monoalphabetic substitution is trivial with known plaintext of about 5 or 6 letters. These suffice for guessing many words in the plaintext and reconstructing the complete key.

Stepping Up: Chosen Plaintext Attack

The cryptanalyst has even better promises if she can encrypt a plaintext of her own choice.

At first view this sounds completely absurd, but in certain situations it is a real danger:

A weak form is the provoked message.
With one-way ciphers or asymmetric ciphers [see later] each one can encrypt any plaintext.
A similar situation is a black box, for example a stolen smartcard or the built-in encryption of a hardware or software system, where the goal is finding the key and then using it »illegaly«,
... or a challenge-response procedure.

An extreme case is »plaintext exhaustion«, that is a testwise encryption of all possible plaintexts (of a certain length), or a dictionary attack that at least encrypts the most probable plaintexts. Think of password cracking.

An example is given in

Jeff Zamora: ActiveSync 2.x allows unauthorized access to your NT password.

This chosen plaintext attack revealed that Microsoft used a simple XOR encryption with the key »susageP« (= »Pegasus« backwards).

Some General Remarks on Cryptanalysis

Cryptanalysis uses context knowledge almost always. How much and what kind of context knowledge is needed differs from case to case.
Cryptanalysis consumes time. Often a cipher is considered sufficiently secure, if this time is long enough for making the message useless for the cryptanalyst. Pursuing this idea further leads into complexity theory.
An essential requirement for the cryptanalyst is to have as many methods as possible at her disposition. If one method fails, she tries another one.
Encrypting the same plaintext with different keys, or different plaintexts with the same key, offers ways for attack.
The history of cryptology teaches that not only direct attacks on the algorithm but also attacks on the »protocol« lead to cryptanalytic success, that is, attacks on the circumstances of the use. Bruce Schneier's notion for this is »Side Channel Cryptanalysis«.

And an important lesson from the cryptanalytic methods learned up to now is:

Good cryptographic procedures should hide the characteristic frequencies and patterns of the plaintext language.

In the next section we'll study an approach that tries to accomplish this goal: polyalphabetic encryption.

Exercises

EJGGZ TGWOF IPOHI HONAW OCIAO TQUPO HZTHI EFOTQ QCHIO TNAIO IOHHZ TGUJP QRAOT QCGWO FIIJP ROTQR OTQNA VJHOT RJQJQ EOP
(The plaintext is supposed to be in German. It could mention the village Waidhaus near the German-Czech border.)
FTCZQ POFHM ATPOZ WDZUC HUOQJ TUQZE BDUTQ OADHP OTCBN WEDUP KATPO ZWDFH MHWQJ TUAZW WCZMD PZKOL THUEZ UQHMZ UDUTQ OAOAD QDTCK HVVTM ZUBOT QTHEY NUFOZ TUCZM DCZMD UHNBA OKKGH PFTVG
(William Friedman; probably the language is English.)

Author: Klaus Pommerening, 1999-Oct-27; last change: 2021-Apr-28.