Amount of Plaintext Known to Attackers

Key search or factoring attacks are seldom required to reveal the contents of encrypted information. Other types of cryptanalysis methods can be used to break encryption schemes, including known plaintext attacks and chosen plaintext attacks. Attackers can collect ciphertext to help them determine the encryption key. The more plaintext that is known to attackers, the greater the potential that an attacker can discover the encryption key used to produce ciphertext.

For a known plaintext attack, an attacker uses known information in encrypted files (such as standard e-mail headers) to break the encryption scheme for the rest of the ciphertext. For example, an early version of the Microsoft® Windows® 95 password file contained known encrypted plaintext, which enabled intruders to easily decipher user passwords that were stored in the file. When this security hole was discovered, a software patch was provided that removed the known plaintext from the encrypted portion of the Windows 95 password file.

For a chosen plaintext attack, an attacker chooses plaintext and submits it to be encrypted. Attackers can then analyze the ciphertext that corresponds to the chosen plaintext, identify subtle differences and patterns, and quickly break the encryption. Chosen plaintext attacks are relatively easy to launch. Attackers often can easily send chosen information through encrypted channels and then monitor the encrypted traffic with a network sniffer program to collect the chosen plaintext that has been encrypted.

Public key algorithms, in particular, are very susceptible to chosen plaintext attacks because attackers have the public key. Therefore, attackers can freely choose what plaintext to encrypt. All public key cryptosystems are vulnerable to chosen plaintext attacks and, thus, use a variety of techniques to protect against these attacks.

Many bulk encryption technologies, such as S/MIME secure mail and EFS, generate a new secret encryption key for each message or file that is encrypted. By using a new encryption key for each message or file, these technologies limit the amount of ciphertext available for cryptanalysis of that symmetric key. Likewise, secure online communications technologies, such as TLS and IPSec, normally use short lived session keys to limit the amount of ciphertext available for cryptanalysis. Some technologies, such as IPSec and the Kerberos authentication protocol, enable you to configure the lifetime of session keys to limit available ciphertext for each session key.

In general, you can reduce the risk of plaintext attacks by doing the following:

• Limit key lifetimes. This reduces the amount of ciphertext available for cryptanalysis for a particular key. The smaller the amount of ciphertext, the smaller the amount of material that is available for cryptanalysis, which reduces the risk of cryptanalysis attacks.
• Minimize the encryption of known plaintext. For example, if you encrypt known information such as system files on a hard disk, the known plaintext is available for cryptanalysis. You can reduce the risk of attack by not encrypting known files and sections of the hard disk.
• Minimize the amount of plaintext that is encrypted with the same session key. For example, during confidential IPSec communication, an attacker might be able to submit chosen plaintext for cryptanalysis. If the session key that is used to encrypt information is changed frequently, the amount of ciphertext produced by a single session key is limited, and thus reduces the risk of plaintext attacks.

© 1985-2000 Microsoft Corporation. All rights reserved.