The Impact of Known Plaintext on Encryption Security

If knowing part of the plaintext gives an advantage to the attacker in their efforts to guess or recompute other encrypted bytes, or the key itself, then this is considered a serious weakness of the encryption algorithm. No such weakness is known for AES.

The paragraph above needs some clarification. Indeed, if I, as an attacker, am given the knowledge that some plaintext bytes are “Pope Bened.ct XVI is resigning”, with the “.” being a byte unknown to the attacker, then I can guess with relatively high probability that the unknown byte actually encodes an “i”. So the correct definition would be: if the attacker, given knowledge of some plaintext bytes and the whole encrypted file, can guess the missing bytes with higher probability of success than the same attacker who knows the same plaintext bytes but not the encrypted file, then the encryption algorithm can be considered broken. AES is not considered broken, so that’s OK.

Another point is about active attacks. An attacker may want to modify the data so as to induce an honest system to operate on fake data, and the behaviour of that system can give a lot of information about the unknown bytes (a variant of this attack is what is used in the BEAST attack on SSL/TLS). Knowledge of some plaintext bytes makes such attacks easier. AES-CBC, by itself, does not protect against active attackers. To defeat active attackers, you need to apply a MAC. Combining encryption and MAC is not easy; you’d better replace CBC with an encryption mode which includes a MAC and handles the hard work (e.g. GCM or EAX).

(The definition above is about “known plaintext attacks”, where the attacker knows part of the plaintext. For active attacks, we would talk about “chosen plaintext attacks”, where the attacker gets to choose part of the plaintext, and “chosen ciphertext attacks”, where the attacker alters the ciphertext and observes more or less directly the result of decryption. A properly applied and verified MAC gives reliable protection against chosen ciphertext attacks.)
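The point about AES-CBC and active attackers, as an added Go example that is not part of the original post: with a known first plaintext block, altering the IV in transit changes what CBC decrypts to and raises no error, whereas AES-GCM refuses a ciphertext with a single flipped bit. The key, IV, nonce and message are constructed sample values, and the function names are illustrative.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed sample values; a real system uses a random key and a fresh IV/nonce per message.
var (
	key   = []byte("0123456789abcdef") // 16-byte AES-128 key
	iv    = []byte("constructed-iv16") // 16-byte CBC IV
	nonce = []byte("nonce-12byte")     // 12-byte GCM nonce
	known = []byte("amount=0000100;x") // one block, known to the attacker
)

// cbcTamper returns what CBC decryption yields after the IV is altered in transit.
func cbcTamper(want []byte) string {
	block, _ := aes.NewCipher(key)
	ct := make([]byte, len(known))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, known)
	// No key needed: P' = D(C) XOR IV', so IV' = IV XOR P XOR P' decrypts to P'.
	forgedIV := make([]byte, len(iv))
	for i := range iv {
		forgedIV[i] = iv[i] ^ known[i] ^ want[i]
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, forgedIV).CryptBlocks(pt, ct)
	return string(pt) // no error: CBC alone cannot notice the change
}

// gcmTamper flips one ciphertext bit and reports whether GCM decryption failed.
func gcmTamper() bool {
	block, _ := aes.NewCipher(key)
	aead, _ := cipher.NewGCM(block)
	ct := aead.Seal(nil, nonce, known, nil)
	ct[0] ^= 0x01
	_, err := aead.Open(nil, nonce, ct, nil)
	return err != nil
}

// report summarises both outcomes for printing.
func report() string {
	got := cbcTamper([]byte("amount=9999999;x"))
	return fmt.Sprintf("CBC silently decrypted to %q; GCM rejected tampering: %v", got, gcmTamper())
}

func main() { fmt.Println(report()) }
```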
