Jump to content

Oracle attack

From Wikipedia, the free encyclopedia

This is the current revision of this page, as edited by Patar knight (talk | contribs) at 02:23, 12 November 2024 (Adding short description: "Type of in security engineering"). The present address (URL) is a permanent link to this version.

(diff) ← Previous revision | Latest revision (diff) | Newer revision → (diff)

In the field of security engineering, an oracle attack is an attack that exploits the availability of a weakness in a system that can be used as an "oracle" to give a simple go/no go indication to inform attackers how close they are to their goals. The attacker can then combine the oracle with a systematic search of the problem space to complete their attack.[1]

The padding oracle attack, and compression oracle attacks such as BREACH, are examples of oracle attacks, as was the practice of "crib-dragging" in the cryptanalysis of the Enigma machine. An oracle need not be 100% accurate: even a small statistical correlation with the correct go/no go result can frequently be enough for a systematic automated attack.

In a compression oracle attack the use of adaptive data compression on a mixture of chosen plaintext and unknown plaintext can result in content-sensitive changes in the length of the compressed text that can be detected even though the content of the compressed text itself is then encrypted. This can be used in protocol attacks to detect when the injected known plaintext is even partially similar to the unknown content of a secret part of the message, greatly reducing the complexity of a search for a match for the secret text. The CRIME and BREACH attacks are examples of protocol attacks using this phenomenon.

See also

[edit]

References

[edit]
  1. ^ Jason Coombs (2 December 2004). "Understanding Oracle Attacks". Dr. Dobbs'. Retrieved 2013-10-04.