Chapter 52 Β· Glossary

Cryptographic Attacks Glossary

Key terms for birthday attacks, hash collisions, MD5, downgrade attacks, SSL stripping, and POODLE.

Cryptographic Attack
An attack that targets the security of encrypted data or cryptographic systems without possessing the encryption key. Rather than stealing the key, the attacker finds a way to undo or circumvent the cryptographic protection β€” either by exploiting mathematical weaknesses in the algorithm itself (as in birthday attacks against weak hash functions) or by exploiting flaws in how the cryptography was implemented or negotiated (as in downgrade attacks). The algorithms in widespread use today have generally withstood scrutiny; most practical cryptographic attacks target implementation weaknesses rather than the core mathematics.
Birthday Attack
A cryptographic attack that exploits the birthday paradox probability principle to find hash collisions. Named after the counterintuitive result that only 23 people are needed in a room before there is a 50% chance two share a birthday. In cryptography, it is significantly easier to find any two inputs that produce the same hash (a collision between any pair) than to find an input that matches one specific hash. For a hash producing N possible outputs, birthday attacks find a collision in approximately √N attempts rather than N. This means 128-bit hash functions (like MD5) offer only 64-bit collision resistance β€” not 128-bit.
Hash Collision
A condition where two different plaintext inputs produce the exact same hash digest output. A properly designed hash function should make collisions computationally infeasible to find β€” different inputs should yield different hashes. When a collision is found, the hash function's collision resistance property has failed. The security impact depends on the context: in digital signatures, a collision allows an attacker to substitute a fraudulent document for a legitimate one while preserving the valid signature. Hash collisions are the basis of birthday attacks and were demonstrated practically against MD5 (collisions found 1996; exploited for certificate forgery 2008) and SHA-1 (SHAttered attack, 2017).
MD5 (Message Digest Algorithm 5)
A hash function producing a 128-bit (32 hexadecimal character) digest, first published in April 1992. MD5 was widely used for digital signatures, certificate signing, password hashing, and file integrity verification. Theoretical collision vulnerabilities were identified in 1996; practical collision generation was demonstrated in 2004; and in December 2008, researchers used MD5 collisions to forge a fraudulent CA-signed TLS certificate. MD5 must not be used in any security-critical context requiring collision resistance β€” digital signatures, certificate validation, or authentication token generation. It remains acceptable for non-security integrity verification (file download checksums) where both parties are trusted.
Hash Function
A mathematical function that takes input data of any length and produces a fixed-length digest (hash). Properties required for security: (1) pre-image resistance β€” given a hash, it is computationally infeasible to find any input that produces it; (2) second pre-image resistance β€” given an input and its hash, it is infeasible to find a different input with the same hash; (3) collision resistance β€” it is infeasible to find any two inputs with the same hash. Birthday attacks target the third property. Secure modern hash functions include SHA-256 and SHA-3. The hash output size directly affects collision resistance: SHA-256 provides 128-bit collision resistance (256/2); SHA-512 provides 256-bit collision resistance.
Downgrade Attack
An attack that forces two communicating parties to use a weaker cryptographic protocol or algorithm than either would choose voluntarily, by interfering with the negotiation process. Downgrade attacks do not break the stronger protocol β€” they prevent it from being used. The attacker then exploits either the absence of encryption (SSL stripping) or known weaknesses in the downgraded protocol (POODLE's exploitation of SSL 3.0 padding vulnerabilities). The attack exploits the backward-compatibility feature that many protocol implementations include to support older clients β€” the attacker weaponizes this compatibility by making a newer protocol appear unavailable.
SSL Stripping
A downgrade attack that intercepts a user's HTTP-to-HTTPS redirect and prevents the client from ever establishing an encrypted HTTPS connection. The on-path attacker sits between the victim and the server. When the server sends a 301 redirect to HTTPS, the attacker intercepts it and instead maintains an HTTP connection with the victim while itself connecting to the server over HTTPS. The victim transmits credentials and session data in plaintext to the attacker, believing they are communicating normally with the web server. The server's logs show a clean HTTPS session. Mitigated by HSTS (HTTP Strict Transport Security), which instructs browsers to refuse HTTP connections to the protected domain entirely.
POODLE
Padding Oracle On Downgraded Legacy Encryption. A vulnerability disclosed in October 2014 (CVE-2014-3566) that combines a downgrade attack with a cryptographic weakness in SSL 3.0. An on-path attacker interferes with the TLS handshake, causing repeated connection failures that force the client to fall back to SSL 3.0 (a legacy protocol retained for backward compatibility). SSL 3.0's CBC mode padding implementation contains a padding oracle vulnerability β€” an attacker can deduce plaintext content byte-by-byte by sending modified ciphertext blocks and observing whether the server accepts or rejects the padding. POODLE's response: modern browsers removed SSL 3.0 fallback support entirely; servers were instructed to disable SSL 3.0.
HTTP Strict Transport Security (HSTS)
A web security policy mechanism that instructs browsers to connect to a domain exclusively over HTTPS β€” rejecting any HTTP connection attempt β€” for a specified duration. Delivered as an HTTP response header: Strict-Transport-Security: max-age=31536000; includeSubDomains. After a browser receives this header for a domain, it will not send the initial HTTP request that SSL stripping requires β€” effectively eliminating the SSL stripping attack vector for that domain. HSTS preloading extends protection to first-time visitors: browsers ship with a built-in list of HSTS domains that will never be contacted over HTTP, even before the browser has ever visited the site.
Padding Oracle Attack
A cryptographic attack against block cipher implementations in CBC (Cipher Block Chaining) mode that leaks information about the plaintext through the way the system handles padding errors. In CBC mode, each plaintext block is padded to a fixed block size before encryption. A padding oracle is any server behavior that reveals whether decrypted data had valid padding β€” either explicitly (different error messages) or implicitly (timing differences). By sending modified ciphertext and observing the server's response, an attacker can determine plaintext values byte-by-byte without the key. POODLE exploited a padding oracle in SSL 3.0's design. The defense is using authenticated encryption modes (like GCM) that do not rely on padding.
Implementation Vulnerability
A security weakness arising not from the cryptographic algorithm itself but from how that algorithm is used, configured, or integrated into a system. The algorithm may be mathematically sound and resistant to known attacks β€” but incorrect implementation can introduce vulnerabilities that bypass the algorithm's protections. Examples: using a secure algorithm but allowing fallback to an insecure one (enabling downgrade attacks); generating predictable initialization vectors in CBC mode; reusing nonces in authenticated encryption; and accepting both MD5 and SHA-256 for signature verification (allowing an attacker to choose the weaker option). Implementation vulnerabilities are the primary attack surface for modern cryptographic attacks, because the algorithms themselves are generally well-vetted.
SSL / TLS
Secure Sockets Layer (SSL) and its successor Transport Layer Security (TLS) are cryptographic protocols that provide encrypted, authenticated communication over a network. SSL 2.0 and 3.0 are deprecated with known cryptographic weaknesses; TLS 1.0 and 1.1 are deprecated; TLS 1.2 remains widely used; TLS 1.3 (2018) is the current recommended version. The protocol negotiation handshake β€” where client and server agree on which version and cipher suite to use β€” is the target of downgrade attacks. Both POODLE (SSL 3.0 fallback) and SSL stripping (HTTPS to HTTP) exploit this negotiation phase. When people refer to "SSL certificates," they technically mean TLS certificates, but the legacy terminology persists.