Cryptanalysis Attacks & Protecting Government Data Encryption

Cryptanalysis is just another tool in the hackers’ toolbox that exploits the math protecting city data and IoT devices. But cryptos say government technologists can fight fire with fire.

Polynomials, proofs and Euclidean algorithms are not things government officials can afford to view as relics of their secondary education. It’s through such advanced mathematics that government technologists must protect encrypted data -- which is to be guarded by randomized ciphers -- from hackers who can figure out said ciphers through cryptanalysis.

Encrypted data that may be vulnerable to a cryptographic attack includes the kind that Internet of Things (IoT) or smart devices use to run, protect and improve an array of municipal operations.

So it’s not just physical, network or software attacks governments must guard against -- it’s another type of cybersecurity attack on the very math that encrypts transmitted government data.

What is a Cryptographic Attack?

Without semantic security, encryption algorithms are vulnerable to chosen-plaintext attacks (CPAs), according to Lukas Rist, in the Medium post, Encrypt Your Machine Learning.

The working definition of a CPA is:

“A chosen-plaintext attack (CPA) is an attack model for cryptanalysis which presumes that the attacker can obtain the ciphertexts for arbitrary plaintexts.”

CPAs are cryptanalysis attacks that attempt to deduce encryption keys by searching for weaknesses in the algorithm, according to an IBM primer on IoT security risks. In addition to CPAs, such attacks include ciphertext-only, adaptive-chosen-plaintext, chosen-ciphertext and adaptive-chosen-ciphertext attacks.

The cipher vulnerability is not new, but its exploitation has returned, according to a cybersecurity threat alert in December 2017.

Such attacks on the RSA Cryptosystem, one of the first public-key cryptosystems used for secure data transmissions, have been analyzed and watched for over the last two decades. However, the returned attack can still be used against many HTTPS hosts, and several vendors, from Bouncy Castle to wolfSSL and all the huge names in between, have patches available for download on Robotattack.org.

Cipher Expansion

Mike Rosulek, PhD, of Oregon State University, explains the cryptography before he reviews the math to guard against CPAs in Chapter 8 of The Joy of Cryptography:

“If the ciphertexts of an encryption scheme leak some partial information about plaintexts, then it is possible to break CPA security. Simply challenge the CPA libraries with two plaintexts whose partial information is different. Then detecting the partial information will tell you which library you are linked to,” he wrote.

Rosulek said that ciphertext expansion is essentially unavoidable for CPA security and prescribed an approach for encrypting plaintext after a series of exercises government cryptos might enjoy.
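The distinguishing game Rosulek describes can be run in a few lines. The following is an added example, not code from the book or from this article: it pits a deterministic scheme, which leaks whether two plaintexts are equal, against a randomized one whose ciphertext is one block longer than the plaintext. The function names and the use of HMAC-SHA256 as a stand-in pseudorandom function are assumptions made for illustration, and messages are limited to one 32-byte block.

```python
import hashlib, hmac, secrets

BLOCK = 32  # bytes; HMAC-SHA256 output size, also the maximum message length here

def prf(key, x):
    # Stand-in pseudorandom function (assumption: HMAC-SHA256 behaves as a PRF).
    return hmac.new(key, x, hashlib.sha256).digest()

def xor(a, b):
    return bytes(p ^ q for p, q in zip(a, b))

def enc_deterministic(key, m):
    # Same key and plaintext always give the same ciphertext; no expansion.
    return xor(m, prf(key, b"fixed-input"))

def enc_randomized(key, m):
    # A fresh random r per message; the ciphertext carries r, so it expands by BLOCK bytes.
    r = secrets.token_bytes(BLOCK)
    return r + xor(m, prf(key, r))

def dec_randomized(key, c):
    return xor(c[BLOCK:], prf(key, c[:BLOCK]))

class LeftRightOracle:
    """The 'library' in the CPA game: hidden bit b selects left or right plaintext."""
    def __init__(self, enc, b):
        self.key, self.enc, self.b = secrets.token_bytes(32), enc, b

    def challenge(self, m_left, m_right):
        if len(m_left) != len(m_right):
            raise ValueError("plaintexts must have equal length")
        return self.enc(self.key, m_right if self.b else m_left)

def distinguisher(oracle):
    """Guess b using only the partial information 'are these two plaintexts equal?'."""
    m0, m1 = bytes(BLOCK), b"\xff" * BLOCK
    c_ref = oracle.challenge(m0, m0)   # encrypts m0 whichever way b is set
    c_test = oracle.challenge(m0, m1)  # encrypts m0 if b == 0, m1 if b == 1
    return 0 if c_ref == c_test else 1

def win_rate(enc, trials=200):
    wins = 0
    for _ in range(trials):
        b = secrets.randbelow(2)
        wins += distinguisher(LeftRightOracle(enc, b)) == b
    return wins / trials

if __name__ == "__main__":
    print("deterministic:", win_rate(enc_deterministic))
    print("randomized:   ", win_rate(enc_randomized))
```

A win rate of 1.0 means the scheme is broken under CPA; a win rate near 0.5 means this distinguisher does no better than guessing.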

Explore Security Against Chosen Plaintext Attacks on Oregonstate.edu.

Andrea Fox is Editor of Gov1.com and Senior Editor at Lexipol. She is based in Massachusetts.