Stream Ciphers

1. Stream Ciphers • Block ciphers generate ciphertext Ciphertext(Key,Message)=MessageKey • Key must be a random bit sequence as long as message • Idea: replace “random” with “pseudo-random” • Encrypt with pseudo-random number generator (PRNG) • PRNG takes a short, truly random secret seed (key) and expands it into a long “random-looking” sequence • E.g., 128-bit key into a 106-bit pseudo-random sequence • Ciphertext(Key,Message)=MessagePRNG(Key) • Message processed bit by bit, not in blocks Randomness amplification (remember HMAC?)

2. Properties of Stream Ciphers • Usually very fast • Used where speed is important: WiFi, SSL, DVD • Unlike one-time pad, stream ciphers do not provide perfect secrecy • Only as secure as the underlying PRNG • If used properly, can be as secure as block ciphers • PRNG must be unpredictable • Given the stream of PRNG output (but not the seed!), it’s hard to predict what the next bit will be • If PRNG(unknown seed)=b1…bi, then bi+1 is “0” with probability ½, “1” with probability ½

3. Weaknesses of Stream Ciphers • No integrity • Associativity & commutativity: (XY)Z=(XZ)Y • (M1PRNG(key))  M2 = (M1M2)  PRNG(key) • Known-plaintext attack is very dangerous if keystream is ever repeated • Self-cancellation property of XOR: XX=0 • (M1PRNG(key))  (M2PRNG(key)) = M1M2 • If attacker knows M1, then easily recovers M2 • Most plaintexts contain enough redundancy that knowledge of M1 or M2 is not even necessary to recover both from M1M2

4. Stream Cipher Terminology • Seed of pseudo-random generator often consists of initialization vector (IV) and key • IV is usually sent with the ciphertext • The key is a secret known only to the sender and the recipient, not sent with the ciphertext • The pseudo-random bit stream produced by PRNG(IV,key) is referred to as keystream • Encrypt message by XORing with keystream • ciphertext = message  keystream

5. RC4 • Designed by Ron Rivest for RSA in 1987 • Simple, fast, widely used • SSL/TLS for Web security, WEP for wireless Byte array S[256] contains a permutation of numbers from 0 to 255 i = j := 0 loop i := (i+1) mod 256 j := (j+S[i]) mod 256 swap(S[i],S[j]) output (S[i]+S[j]) mod 256 end loop

6. RC4 Initialization • To use RC4, usually prepend initialization vector (IV) to the key • IV can be random or a counter • IV is often sent in the clear with the ciphertext • RC4 is not random enough! 1st byte of generated sequence depends only on 3 cells of state array S. This can be used to extract the key. • To use RC4 securely, RSA suggests discarding first 256 bytes Divide key K into L bytes for i = 0 to 255 do S[i] := i j := 0 for i = 0 to 255 do j := (j+S[i]+K[i mod L]) mod 256 swap(S[i],S[j]) Key can be any length up to 2048 bits Generate initial permutation from key K Fluhrer-Mantin-Shamir attack

7. Modes of Operation • block ciphers encrypt fixed size blocks • eg. DES encrypts 64-bit blocks, with 56-bit key • need way to use in practise, given usually have arbitrary amount of information to encrypt • four were defined for DES in ANSI standard ANSI X3.106-1983 Modes of Use • subsequently now have 5 for DES and AES • have block and stream modes

8. Electronic Codebook Book (ECB) • message is broken into independent blocks which are encrypted • each block is a value which is substituted, like a codebook, hence name • each block is encoded independently of the other blocks Ci = DESK1 (Pi) • uses: secure transmission of single values

9. Electronic Codebook Book (ECB)

10. Advantages and Limitations of ECB • repetitions in message may show in ciphertext • if aligned with message block • particularly with data such graphics • or with messages that change very little, which become a code-book analysis problem • weakness due to encrypted message blocks being independent • main use is sending a few blocks of data

11. Cipher Block Modes of Operation • Cipher Block Chaining Mode (CBC) • The input to the encryption algorithm is the XOR of the current plaintext block and the preceding ciphertext block. • Repeating pattern of 64-bits are not exposed

12. Cipher FeedBack (CFB) • message is treated as a stream of bits • added to the output of the block cipher • result is feed back for next stage (hence name) • standard allows any number of bit (1,8 or 64 or whatever) to be feed back • denoted CFB-1, CFB-8, CFB-64 etc • is most efficient to use all 64 bits (CFB-64) Ci = Pi XOR DESK1(Ci-1) C-1 = IV • uses: stream data encryption, authentication

13. Cipher FeedBack (CFB)

14. Advantages and Limitations of CFB • appropriate when data arrives in bits/bytes • most common stream mode • limitation is need to stall while do block encryption after every n-bits • note that the block cipher is used in encryption mode at both ends • errors propagate for several blocks after the error

15. Location of Encryption Device • Link encryption: • A lot of encryption devices • High level of security • Decrypts each packet at every switch • End-to-end encryption • The source encrypts and the receiver decrypts • Payload encrypted • Header in the clear • High Security: Both link and end-to-end encryption are needed (see Figure 2.9)

17. Key Distribution • A key could be selected by A and physically delivered to B. • A third party could select the key and physically deliver it to A and B. • If A and B have previously used a key, one party could transmit the new key to the other, encrypted using the old key. • If A and B each have an encrypted connection to a third party C, C could deliver a key on the encrypted links to A and B.

18. Key Distribution (See Figure 2.10) • Session key: • Data encrypted with a one-time session key. At the conclusion of the session the key is destroyed • Permanent key: • Used between entities for the purpose of distributing session keys