written 8.4 years ago by | modified 2.9 years ago by |
Subject: System Web Security
Topic: Software Security
Difficulty: Medium
written 8.4 years ago by | modified 2.9 years ago by |
Subject: System Web Security
Topic: Software Security
Difficulty: Medium
written 8.4 years ago by |
The attack is notable for requiring only a handful of known plaintexts to perform; previous methods of cryptanalysis, such as linear and differential cryptanalysis, often require unrealistically large numbers of known or chosen plaintexts.
Example:
Consider the below code
int main(intargc, const char *argv[])
{
inti;
char serial[9] = “S123N456\n”;
for(I = 0;I < 8;++i)
{
if(argv[1][i] ! = serial[i]) break;
}
if(i==8)
{
printf(“\n Serial number is correct !\n\n”);
}
}
Attacker then tries all 2 char strings $S^*$
Finds S1 takes most time
Attacker is able to recover serial number one character at a time.
What is the advantage of attacking serial number one character at a time?
Suppose serial number is 8 characters and each has 128 possible
values
i. Then $128^8 = 25^6$ possible serial numbers
ii. Attacker would guess the serial number in about $2^{55}$ tries- a lot of work
iii. Using the linearization attack, the work is about 8*(128/2) = $2^9$ which is trivial
A real-world linearization attack
TENEX (an ancient timeshare system)
i. Passwords checked one character at a time
ii. Careful timing was not necessary
iii. could arrange for a “page fault” when next unknown character guessed correctly
iv. The page fault register was user accessible
v. Attack was very easy in practice.