Stream Ciphers

1
Stream Ciphers

• Block ciphers generate ciphertext
• Ciphertext(Key,Message)Message?Key
• Key must be a random bit sequence as long as
  message
• Idea replace random with pseudo-random
• Encrypt with pseudo-random number generator
  (PRNG)
• PRNG takes a short, truly random secret seed
  (key) and expands it into a long random-looking
  sequence
• E.g., 128-bit key into a 106-bit
• pseudo-random sequence
• Ciphertext(Key,Message)Message?PRNG(Key)
• Message processed bit by bit, not in blocks

Randomness amplification (remember HMAC?)
2
Properties of Stream Ciphers

• Usually very fast
• Used where speed is important WiFi, SSL, DVD
• Unlike one-time pad, stream ciphers do not
  provide perfect secrecy
• Only as secure as the underlying PRNG
• If used properly, can be as secure as block
  ciphers
• PRNG must be unpredictable
• Given the stream of PRNG output (but not the
  seed!), its hard to predict what the next bit
  will be
• If PRNG(unknown seed)b1bi, then bi1 is 0
  with probability ½, 1 with probability ½

3
Weaknesses of Stream Ciphers

• No integrity
• Associativity commutativity (X?Y)?Z(X?Z)?Y
• (M1?PRNG(key)) ? M2 (M1?M2) ? PRNG(key)
• Known-plaintext attack is very dangerous if
  keystream is ever repeated
• Self-cancellation property of XOR X?X0
• (M1?PRNG(key)) ? (M2?PRNG(key)) M1?M2
• If attacker knows M1, then easily recovers M2
• Most plaintexts contain enough redundancy that
  knowledge of M1 or M2 is not even necessary to
  recover both from M1?M2

4
Stream Cipher Terminology

• Seed of pseudo-random generator often consists of
  initialization vector (IV) and key
• IV is usually sent with the ciphertext
• The key is a secret known only to the sender and
  the recipient, not sent with the ciphertext
• The pseudo-random bit stream produced by
  PRNG(IV,key) is referred to as keystream
• Encrypt message by XORing with keystream
• ciphertext message ? keystream

5
RC4

• Designed by Ron Rivest for RSA in 1987
• Simple, fast, widely used
• SSL/TLS for Web security, WEP for wireless
• Byte array S256 contains a permutation of
  numbers from 0 to 255
• i j 0
• loop
• i (i1) mod 256
• j (jSi) mod 256
• swap(Si,Sj)
• output (SiSj) mod 256
• end loop

6
RC4 Initialization
Divide key K into L bytes for i 0 to 255 do
Si i j 0 for i 0 to 255 do j
(jSiKi mod L) mod 256 swap(Si,Sj)
Key can be any length up to 2048 bits
Generate initial permutation from key K

• To use RC4, usually prepend initialization vector
  (IV) to the key
• IV can be random or a counter
• IV is often sent in the clear with the ciphertext
• RC4 is not random enough! 1st byte of generated
  sequence depends only on 3 cells of state array
  S. This can be used to extract the key.
• To use RC4 securely, RSA suggests discarding
  first 256 bytes

Fluhrer-Mantin-Shamir attack
7
Modes of Operation

• block ciphers encrypt fixed size blocks
• eg. DES encrypts 64-bit blocks, with 56-bit key
• need way to use in practise, given usually have
  arbitrary amount of information to encrypt
• four were defined for DES in ANSI standard ANSI
  X3.106-1983 Modes of Use
• subsequently now have 5 for DES and AES
• have block and stream modes

8
Electronic Codebook Book (ECB)

• message is broken into independent blocks which
  are encrypted
• each block is a value which is substituted, like
  a codebook, hence name
• each block is encoded independently of the other
  blocks
• Ci DESK1 (Pi)
• uses secure transmission of single values

9
Electronic Codebook Book (ECB)
10
Advantages and Limitations of ECB

• repetitions in message may show in ciphertext
• if aligned with message block
• particularly with data such graphics
• or with messages that change very little, which
  become a code-book analysis problem
• weakness due to encrypted message blocks being
  independent
• main use is sending a few blocks of data

11
Cipher Block Modes of Operation

• Cipher Block Chaining Mode (CBC)
• The input to the encryption algorithm is the XOR
  of the current plaintext block and the preceding
  ciphertext block.
• Repeating pattern of 64-bits are not exposed

12
Cipher FeedBack (CFB)

• message is treated as a stream of bits
• added to the output of the block cipher
• result is feed back for next stage (hence name)
• standard allows any number of bit (1,8 or 64 or
  whatever) to be feed back
• denoted CFB-1, CFB-8, CFB-64 etc
• is most efficient to use all 64 bits (CFB-64)
• Ci Pi XOR DESK1(Ci-1)
• C-1 IV
• uses stream data encryption, authentication

13
Cipher FeedBack (CFB)
14
Advantages and Limitations of CFB

• appropriate when data arrives in bits/bytes
• most common stream mode
• limitation is need to stall while do block
  encryption after every n-bits
• note that the block cipher is used in encryption
  mode at both ends
• errors propagate for several blocks after the
  error

15
Location of Encryption Device

• Link encryption
• A lot of encryption devices
• High level of security
• Decrypts each packet at every switch
• End-to-end encryption
• The source encrypts and the receiver decrypts
• Payload encrypted
• Header in the clear
• High Security Both link and end-to-end
  encryption are needed (see Figure 2.9)

16
(No Transcript)
17
Key Distribution

• A key could be selected by A and physically
  delivered to B.
• A third party could select the key and physically
  deliver it to A and B.
• If A and B have previously used a key, one party
  could transmit the new key to the other,
  encrypted using the old key.
• If A and B each have an encrypted connection to a
  third party C, C could deliver a key on the
  encrypted links to A and B.

18
Key Distribution (See Figure 2.10)

• Session key
• Data encrypted with a one-time session key. At
  the conclusion of the session the key is
  destroyed
• Permanent key
• Used between entities for the purpose of
  distributing session keys

19
(No Transcript)