Crib-dragging is an attack on a multi-time pad in which a short sequence (the “crib”) that is likely to occur in the plaintext is dragged across the ciphertexts.

Theory

Given a scenario where an adversary obtains several ciphertexts encrypted using a multi-time pad, if the adversary correctly guesses one of the plaintexts (e.g. ), then he can obtain :

Of course, it is unlikely that an adversary guesses the entire message at once, but if he guesses part of the key correctly, he now obtains part of that can be used to decrypt other message fragments in the same location range.

Generating Cribs

Crib generation depends on the context of the message, but assuming that the message is in English, we have a few popular choices (note the spaces):

  • the and variants (e.g. . The )
  • of, in, to, and, a, etc.

The more knowledge about the ciphertext we have, the more cribs we can generate based on the context. For example, if the plaintext is an HTTP request, it might contain Content-Type: or Host: .

Expanding known key bytes

If you find a valid crib, chances are you can generate more potential cribs from the other plaintexts. If the decrypted fragment of another plaintext stops (or starts) in the middle of a word, search for words beginning or ending with that fragment. Repeat this step whenever another valid crib is found. This step gets easier the more separate ciphertexts you have: there are more cribbing positions, more plaintext bytes are obtained per valid crib, and a crib is easier to validate because there are more ciphertexts to test it against.
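
The procedure above, as an added example (not code from the original page): the crib is XORed against every offset of one ciphertext, and the resulting candidate key fragment is kept only if it decrypts the same range of the other ciphertexts to plausible English. The key, the sample messages, the function names and the allowed-character set are all constructed assumptions.

```python
import hashlib
import string

# Bytes we accept as plausible English (an assumption used to validate guesses).
ALLOWED = set((string.ascii_letters + " .,'").encode())

def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncating to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))

def drag(crib: bytes, target: bytes, others: list[bytes]):
    """Slide crib across target and return (offset, key_fragment, fragments)
    for every offset whose key fragment decrypts all others to ALLOWED bytes."""
    hits = []
    n = len(crib)
    for off in range(len(target) - n + 1):
        # If crib is the plaintext here, this is the key at [off, off + n).
        key_frag = xor(target[off:off + n], crib)
        # Decrypt the same location range in every other ciphertext.
        frags = [xor(c[off:off + n], key_frag) for c in others if len(c) >= off + n]
        if frags and all(set(f) <= ALLOWED for f in frags):
            hits.append((off, key_frag, frags))
    return hits

# Constructed sample data: three messages encrypted under one reused key.
KEY = hashlib.shake_256(b"constructed demo key").digest(64)
PLAINTEXTS = [
    b"Meet me at the old bridge at noon.",
    b"The password for the vault is swordfish.",
    b"Send the package before the deadline.",
]
CIPHERTEXTS = [xor(p, KEY) for p in PLAINTEXTS]
CRIB = b" the "

if __name__ == "__main__":
    for off, key_frag, frags in drag(CRIB, CIPHERTEXTS[0], CIPHERTEXTS[1:]):
        print(off, key_frag.hex(), frags)
```

At the true offset the second message yields the fragment `rd fo`, which is the kind of partial word the expansion step then extends into a longer crib. Offsets that pass validation by chance become rarer as more ciphertexts are supplied.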