Crib-dragging is an attack on a multi-time pad in which a short sequence (the “crib”) that is likely to occur in the plaintext is dragged across the ciphertexts.
Theory
Given a scenario where an adversary obtains several ciphertexts encrypted using a multi-time pad, if the adversary correctly guesses one of the plaintexts (e.g. ), then he can obtain :
Of course, it is unlikely that an adversary will guess the entire message at once, but if he guesses part of the key correctly, he now obtains part of that can be used to decrypt other message fragments in the same location range.
Generating Cribs
Crib generation depends on the context of the message, but assuming that the message is in English, we have a few popular choices (note the spaces):
" the " and variants (e.g. " The "), " of ", " in ", " to ", " and ", " a ", etc.
The more knowledge about the ciphertext we have, the more cribs we can generate based on the context. For example, if the plaintext is an HTTP request, it might contain "Content-Type:" or "Host:".
Expanding known key bytes
If you find a valid crib, chances are you can generate more potential cribs from the other plaintexts. If the decrypted fragment of another message stops (or starts) in the middle of a word, try searching for words that begin (or end) with that fragment. Repeat this step whenever another valid crib is found. This step gets easier the more separate ciphertexts you have: there are more cribbing positions, more plaintext bytes are obtained per valid crib, and a crib is easier to validate because there are more ciphertexts to test it against.
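The procedure above, as an added example that is not part of the original page: a crib is placed at every offset of every ciphertext, and a placement is kept only if the implied key bytes decrypt all other ciphertexts to plausible English. The messages, the key, the `PLAUSIBLE` filter and the function names are constructed for this illustration.

```python
import hashlib
import string

# Bytes we accept as "looks like English" when validating a crib position.
PLAUSIBLE = set((string.ascii_letters + " .,'").encode())

def xor(a, b):
    """XOR two byte strings, truncating to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))

def drag_crib(ciphertexts, crib):
    """Place the crib at every offset of every ciphertext.

    Returns (index, offset, key_fragment, other_fragments) for each placement
    where the implied key bytes decrypt all other ciphertexts to plausible text.
    """
    hits = []
    n = len(crib)
    for i, ct in enumerate(ciphertexts):
        for pos in range(len(ct) - n + 1):
            key_frag = xor(ct[pos:pos + n], crib)
            others = [xor(c[pos:pos + n], key_frag)
                      for j, c in enumerate(ciphertexts) if j != i]
            if all(set(o) <= PLAUSIBLE for o in others):
                hits.append((i, pos, key_frag, others))
    return hits

# Constructed sample data: three messages encrypted under one reused keystream.
KEY = hashlib.sha512(b"constructed demo keystream").digest()  # 64 bytes
MESSAGES = [
    b"Meet me in the park at noon tomorrow",
    b"Send the report to the main office.",
    b"I think we need a new plan for this",
]
CIPHERTEXTS = [xor(m, KEY) for m in MESSAGES]

if __name__ == "__main__":
    for i, pos, key_frag, others in drag_crib(CIPHERTEXTS, b" the "):
        print(f"ciphertext {i} offset {pos:2d} key={key_frag.hex()} -> {others}")
```

The filter only narrows the candidates, so some surviving placements are false positives that a reader must discard. A fragment such as `eport` is the kind of partial word that suggests the next, longer crib.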