Title: Stream Ciphers
1 Stream Ciphers
- Block ciphers generate ciphertext
- Ciphertext(Key, Message) = Message ⊕ Key
- Key must be a random bit sequence as long as the message
- Idea: replace "random" with "pseudo-random"
- Encrypt with a pseudo-random number generator (PRNG)
- PRNG takes a short, truly random secret seed (key) and expands it into a long random-looking sequence
- E.g., a 128-bit key into a 10^6-bit pseudo-random sequence
- Ciphertext(Key, Message) = Message ⊕ PRNG(Key)
- Message processed bit by bit, not in blocks
Randomness amplification (remember HMAC?)
2 Properties of Stream Ciphers
- Usually very fast
- Used where speed is important: WiFi, SSL, DVD
- Unlike the one-time pad, stream ciphers do not provide perfect secrecy
- Only as secure as the underlying PRNG
- If used properly, can be as secure as block ciphers
- PRNG must be unpredictable
- Given the stream of PRNG output (but not the seed!), it's hard to predict what the next bit will be
- If PRNG(unknown seed) = b1 ... bi, then b(i+1) is 0 with probability ½ and 1 with probability ½
3 Weaknesses of Stream Ciphers
- No integrity
- Associativity and commutativity: (X ⊕ Y) ⊕ Z = (X ⊕ Z) ⊕ Y
- (M1 ⊕ PRNG(key)) ⊕ M2 = (M1 ⊕ M2) ⊕ PRNG(key)
- Known-plaintext attack is very dangerous if the keystream is ever repeated
- Self-cancellation property of XOR: X ⊕ X = 0
- (M1 ⊕ PRNG(key)) ⊕ (M2 ⊕ PRNG(key)) = M1 ⊕ M2
- If the attacker knows M1, then they easily recover M2
- Most plaintexts contain enough redundancy that knowledge of M1 or M2 is not even necessary to recover both from M1 ⊕ M2
4 Stream Cipher Terminology
- Seed of the pseudo-random generator often consists of an initialization vector (IV) and a key
- IV is usually sent with the ciphertext
- The key is a secret known only to the sender and the recipient, not sent with the ciphertext
- The pseudo-random bit stream produced by PRNG(IV, key) is referred to as the keystream
- Encrypt the message by XORing it with the keystream
- ciphertext = message ⊕ keystream
5 RC4
- Designed by Ron Rivest for RSA in 1987
- Simple, fast, widely used
- SSL/TLS for Web security, WEP for wireless
- Byte array S[256] contains a permutation of the numbers from 0 to 255
- i = j = 0
- loop
  - i = (i + 1) mod 256
  - j = (j + S[i]) mod 256
  - swap(S[i], S[j])
  - output S[(S[i] + S[j]) mod 256]
- end loop
6 RC4 Initialization
- Generate the initial permutation from key K
- Divide key K into L bytes
- for i = 0 to 255 do S[i] = i
- j = 0
- for i = 0 to 255 do
  - j = (j + S[i] + K[i mod L]) mod 256
  - swap(S[i], S[j])
- Key can be any length up to 2048 bits
- To use RC4, usually prepend an initialization vector (IV) to the key
- IV can be random or a counter
- IV is often sent in the clear with the ciphertext
- RC4 is not random enough! The 1st byte of the generated sequence depends only on 3 cells of the state array S. This can be used to extract the key.
- To use RC4 securely, RSA suggests discarding the first 256 bytes
Fluhrer-Mantin-Shamir attack
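The key scheduling and output loop of slides 5 and 6, plus the XOR self-cancellation property of slide 3, in one runnable form. This is an added example, not code from the slides; it assumes the IV is simply prepended to the key as slide 6 describes, and `drop=256` implements RSA's advice to discard the first 256 keystream bytes (with `drop=0` the keystream is plain RC4 and matches the published test vectors).

```python
def rc4_keystream(key: bytes, nbytes: int, drop: int = 0) -> bytes:
    """RC4 keystream: key scheduling (slide 6) followed by the output loop (slide 5)."""
    S = list(range(256))                      # S[i] = i, the identity permutation
    j = 0
    for i in range(256):                      # KSA: j = (j + S[i] + K[i mod L]) mod 256; swap
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    i = j = 0
    out = bytearray()
    for _ in range(drop + nbytes):            # PRGA: one keystream byte per iteration
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % 256])
    return bytes(out[drop:])                  # drop=256 discards the weak early bytes


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def rc4_encrypt(key: bytes, iv: bytes, message: bytes, drop: int = 256) -> bytes:
    """ciphertext = message XOR keystream, keystream seeded by IV || key (slide 6).
    Decryption is the same call, because XOR is its own inverse."""
    return xor_bytes(message, rc4_keystream(iv + key, len(message), drop))


def keystream_reuse_leaks(key: bytes, iv1: bytes, iv2: bytes, m1: bytes, m2: bytes) -> bool:
    """True when C1 XOR C2 == M1 XOR M2, i.e. the keystream cancelled out (slide 3).
    That happens exactly when both messages were encrypted under the same IV and key,
    which is why an IV must never be reused with the same key."""
    c1 = rc4_encrypt(key, iv1, m1)
    c2 = rc4_encrypt(key, iv2, m2)
    return xor_bytes(c1, c2) == xor_bytes(m1, m2)


if __name__ == "__main__":
    # Constructed sample values; in a real system the IV would be a counter or random.
    key, iv = b"0123456789abcdef", (1).to_bytes(16, "big")
    ct = rc4_encrypt(key, iv, b"constructed sample message")
    print(ct.hex(), rc4_encrypt(key, iv, ct))
    print("same IV leaks M1 XOR M2:", keystream_reuse_leaks(key, iv, iv, b"message one", b"message two"))
```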
7 Modes of Operation
- block ciphers encrypt fixed-size blocks
- e.g. DES encrypts 64-bit blocks with a 56-bit key
- need a way to use them in practice, given that there is usually an arbitrary amount of information to encrypt
- four modes were defined for DES in ANSI standard ANSI X3.106-1983 Modes of Use
- subsequently there are now 5 for DES and AES
- there are block and stream modes
8 Electronic Codebook (ECB)
- message is broken into independent blocks which are encrypted
- each block is a value which is substituted, like a codebook, hence the name
- each block is encoded independently of the other blocks
- Ci = DES_K1(Pi)
- uses: secure transmission of single values
9 Electronic Codebook (ECB)
10 Advantages and Limitations of ECB
- repetitions in the message may show in the ciphertext
- if aligned with the message block
- particularly with data such as graphics
- or with messages that change very little, which become a code-book analysis problem
- weakness is due to encrypted message blocks being independent
- main use is sending a few blocks of data
11 Cipher Block Modes of Operation
- Cipher Block Chaining Mode (CBC)
- The input to the encryption algorithm is the XOR of the current plaintext block and the preceding ciphertext block.
- Repeating patterns of 64 bits are not exposed
12 Cipher FeedBack (CFB)
- message is treated as a stream of bits
- added to the output of the block cipher
- result is fed back for the next stage (hence the name)
- standard allows any number of bits (1, 8 or 64 or whatever) to be fed back
- denoted CFB-1, CFB-8, CFB-64 etc.
- is most efficient to use all 64 bits (CFB-64)
- Ci = Pi XOR DES_K1(Ci-1)
- C-1 = IV
- uses: stream data encryption, authentication
13 Cipher FeedBack (CFB)
14 Advantages and Limitations of CFB
- appropriate when data arrives in bits/bytes
- most common stream mode
- limitation is the need to stall while doing a block encryption after every n bits
- note that the block cipher is used in encryption mode at both ends
- errors propagate for several blocks after the error
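To make the ECB, CBC and CFB-64 definitions of slides 8 to 14 concrete, here is an added example that is not from the slides. It stands in for DES_K1 with a toy 4-round Feistel permutation built from SHA-256 (an assumption, not a real cipher), works on whole 8-byte blocks with no padding, and shows that ECB repeats ciphertext blocks wherever plaintext blocks repeat, that CBC does not, and that a corrupted CFB ciphertext block damages exactly that plaintext block and the one after it.

```python
import hashlib

BLOCK = 8  # 64-bit blocks, as for DES in the slides

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for DES_K1: a 4-round Feistel permutation on 8-byte blocks (toy, not secure)."""
    l, r = block[:4], block[4:]
    for i in range(4):
        l, r = r, xor_bytes(l, hashlib.sha256(key + bytes([i]) + r).digest()[:4])
    return r + l

def _blocks(data: bytes) -> list:
    assert len(data) % BLOCK == 0, "example assumes whole blocks, no padding"
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key: bytes, pt: bytes) -> bytes:
    return b"".join(toy_block_encrypt(key, p) for p in _blocks(pt))   # Ci = E_K(Pi)

def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    out, prev = [], iv
    for p in _blocks(pt):
        prev = toy_block_encrypt(key, xor_bytes(p, prev))              # Ci = E_K(Pi XOR Ci-1)
        out.append(prev)
    return b"".join(out)

def cfb_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    out, prev = [], iv
    for p in _blocks(pt):
        prev = xor_bytes(p, toy_block_encrypt(key, prev))              # Ci = Pi XOR E_K(Ci-1)
        out.append(prev)
    return b"".join(out)

def cfb_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    # Pi = Ci XOR E_K(Ci-1): the block cipher runs in encryption mode at both ends (slide 14)
    cs = _blocks(ct)
    return b"".join(xor_bytes(c, toy_block_encrypt(key, prev)) for prev, c in zip([iv] + cs, cs))

def cfb_blocks_damaged(key: bytes, iv: bytes, pt: bytes, k: int) -> list:
    """Flip one bit in ciphertext block k; return the indices of plaintext blocks that decrypt wrong.
    Block k gets the flipped bit, block k+1 is garbage (its feedback input changed), k+2 on are fine."""
    ct = bytearray(cfb_encrypt(key, iv, pt))
    ct[k * BLOCK] ^= 0x01
    recovered = _blocks(cfb_decrypt(key, iv, bytes(ct)))
    return [i for i, (a, b) in enumerate(zip(recovered, _blocks(pt))) if a != b]
```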
15 Location of Encryption Device
- Link encryption
  - A lot of encryption devices
  - High level of security
  - Decrypts each packet at every switch
- End-to-end encryption
  - The source encrypts and the receiver decrypts
  - Payload encrypted
  - Header in the clear
- High security: both link and end-to-end encryption are needed (see Figure 2.9)
17 Key Distribution
- A key could be selected by A and physically delivered to B.
- A third party could select the key and physically deliver it to A and B.
- If A and B have previously used a key, one party could transmit the new key to the other, encrypted using the old key.
- If A and B each have an encrypted connection to a third party C, C could deliver a key on the encrypted links to A and B.
18 Key Distribution (See Figure 2.10)
- Session key
  - Data encrypted with a one-time session key. At the conclusion of the session the key is destroyed
- Permanent key
  - Used between entities for the purpose of distributing session keys