1 / 30

RC4-Stream Ciphers Blowfish, RC5 Block Ciphers

RC4-Stream Ciphers Blowfish, RC5 Block Ciphers . M. Sakalli, Marmara Univ. Chapter 6 of Cryptography and Network Security by William Stallings Modified from the original slides of Lawrie Brown. K. PRNG. . k. E. PT. CT. K. PRNG. . k. CT. PT. D. Stream Ciphers.

arty
Download Presentation

RC4-Stream Ciphers Blowfish, RC5 Block Ciphers

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. RC4-Stream CiphersBlowfish, RC5 Block Ciphers M. Sakalli, Marmara Univ. Chapter 6 of Cryptography and Network Security by William Stallings Modified from the original slides of Lawrie Brown

  2. K PRNG  k E PT CT K PRNG  k CT PT D Stream Ciphers • process message bit by bit (as a stream) • have a pseudo random keystream • Idea of randomness of stream key is complete destroy of the statistically properties in message • Ci = Mi StreamKeyi • but must never reuse stream key • otherwise can recover messages (cf book cipher)

  3. Stream Cipher Properties • some design considerations are: • long sequence with no periodicities • statistically random • depends on large enough key • large linear complexity • correlation immunity • confusion, diffusion (cryptographically) • can be as secure as a block cipher with same size key • but simpler & faster

  4. (Ron Rivest!!! Cipher) RC4 • the period of the cipher is overwhelmingly likely to be greater than 10100 • Runs faster - five/fifteen times than DES/3DES • Used in • SSL/TLS (Secure socket, transport layer security) between web browsers and servers, • IEEE 802.11 wirelss LAN std: WEP (Wired Equivalent Privacy), WPA (WiFi Protocol Access) protocol • a proprietary cipher owned by RSA, kept secret, released at the sites of Cyberpunk remailers. • simple but effective, variable key length from 1 to 256 bytes; starts with an array S of numbers: 0..255 and after initialization 0 S[.] 255..

  5. (Ron Rivest!!! Cipher) RC4 • key forms random permutation of all 8-bit values, scrambles input info a byte at a time • S internal state of the cipher, a byte k is generated from S by selecting one of the 255 entries in a systematic fashion. • Initialization and permutation of S state vector. Key length: 1 |K|256 for i = 0 to 255 do S[i] = i // T[i] = K[i mod(|K|)]) j = 0 for i = 0 to 255 do j = (j + S[i] + T[i]) (mod 256) swap (S[i], S[j])

  6. KSA Key scheduling • encryption continues shuffling array values • sum of shuffled pair selects "stream key" value from permutation • XOR S[t] with next byte of message to en/decrypt i = j = 0 for each message byte Mi i = (i + 1) (mod 256) j = (j + S[i]) (mod 256) swap(S[i], S[j]) t = (S[i] + S[j]) (mod 256) Ci = Mi XOR S[t]

  7. RC4 Encryption • claimed secure against known attacks • have some analyses in a number of papers, but none to be practical with a reasonable key length, such as 128 bits. • In one authors demonstrate that in the case of WEP, it is vulnerable to a particular attack approach due to the initialization of the keys but not the RC4 itself but the way in which keys are generated. • Remedied by changing the way in which keys are generated. • since RC4 is a stream cipher, must never reuse a key

  8. encrypted 802.11 frames using WEP l Header IV Packet ICV FCS Security issues of RC4 • The keystream generated by RC4 is biased. • The second byte is biased toward zero with high probability. • The first few bytes are strongly non-random and leak information about the input key. • Defense: discard the initial n bytes of the keystream. • Called “RC4-drop[n-bytes]”. • Recommended values for n = 256, 768, or 3072 bytes. ----------------------------- • WEP is a protocol using RC4 to encrypt packets for transmission over IEEE 802.11 wireless LAN. • WEP requires each packet to be encrypted with a separate RC4 key. • The RC4 key for each packet is a concatenation of a 24-bit IV (initialization vector) and a 40 or 104-bit long-term key.

  9. Fluhrer, Mantin, and Shamir showed that: If the same secret key is used with numerous IVs, and the attacker can obtain the first word of RC4 output (keystream) corresponding to each IV, then he can construct the secret key with little effort. The first word is known for many plaintext packets. Recall: Ciphertext = plaintext  keystream So, the first word of RC output (keystream) can be obtained. Tews, Weinmann, and Pyshkin wrote an article, “Breaking 104 bit WEP in less than 60 seconds,” discussing how to discover the RC4 key by analyzing the easily identified ARP packets. 9

  10. PSN Chapter 7: Confidentiality using Symmetric EncryptionWhich part to encrypt in a PSN Packet switching nw • traditionally symmetric encryption is used to provide message confidentiality • Vulnerable points: snooping, monitoring or modifying by using • another workstation • dial-in to LAN or server or external router • by physically taping line in wiring closet • end-to-end encryption (shared keys): protects data between source and destination, needs devices at each end. • link encryption, (paired keys): protects traffic monitoring, is considered over every link, requires many devices, • End [ Link [] Link ] End

  11. (b) TCP Layer level (c) Link Layer Level Placement of Encryption in the various levels of OSI Encapsulation Model

  12. Traffic monitoring • The purpose of monitoring • military & commercial • can also be used to create a covert channel if controlled • Link encryption obscures header details • But overall traffic volumes in networks and at end-points will still be visible • Traffic padding can further obscure flows but at cost of continuous traffic..

  13. How to distribute key • symmetric schemes require to share a common secret key • often secure system failure due to a break in the key distribution scheme • given parties A and B have various key distribution alternatives: • Physically delivery from A to B • Third party can issue & deliver key to A & B, if A & B have secure communications with a third party C, C can relay key between A & B • Distribution of Key is based on a Hierarchy, at least two levels of keys are used • temporary key referred as session key • used for the duration of a logical connection between users • for one logical session then discarded • master key • used to encrypt session keys • shared by user & key distribution center

  14. Key Distribution Scenario • Assume that user A wishes to establish a logical connection with B and requires a one-time session key to protect the data transmitted over the logical connection to B. A has a master key, Ka, known only to itself and the KDC; similarly, B shares the master key Kb with the KDC. The following steps occur:

  15. A issues a request to the KDC for a session key to B including the identity of Aand B and a unique session identifier, N1, valid for this transaction, nonce: a timestamp, a counter, or a random number; differs with each request. I.e. to prevent masquerading, suppose something like, a random number. The KDC’s response to A: KAThus, only A can decrypt the message. One-time session key, KS, to be used for the session. Items for A: The original message so that, A can verify the original request not altered before reception by the KDC. The nonce, so that this is not a replay of some previous request. Items for B: The one time session key KS and IDSA (e.g., its network address), both encrypted with KB (the master key that the KDC shares with B).

  16. A stores KS for use in the upcoming session and forwards to B the information originated from the KDC for B, namely, E(KB, [KS || IDA]). Because this information is encrypted with KB, it is protected from eavesdropping. B knows the session key (KS), and A, and the information that must have originated at the KDC Kb.--A secure KS delivered to A and B, to proceed with protected exchange---. Protected exchange with sym key KS used by A and B for encryption. B sends a nonce, N2, E(KSN2). A responds with E(KS f(N2)). (e.g., adding one).. Last steps involve authentication.

  17. Random Numbers • uses of random numbers: nonces in authentication protocols to prevent replay, session keys, public key generation • statistically random, uniform distribution, • If a problem is to hard, time-consuming, then use randomization, i.e. RSA public key exchange, large prime number N, sqrt(10150) • independent so that unpredictable • (ie reciprocal authentication and session key generation), where the requirement is not so much that the numbers be statistically random but be unpredictable. • With "true" random sequences, each number is statistically independent, therefore unpredictable. However used seldom. • Often deterministic algorithmic techniques used to create “random numbers”. “Pseudorandom Number Generators (PRNGs)”. Care to be taken that an opponent not be able to predict future elements.

  18. Linear Congruential Generator • The most common to produce random sequences and an iterative technique: Xn+1 = (aXn + c) mod m • Only a small number of suitable values available: Consider the values a = 7, c = 0, m = 32, and X0 = 1. This generates the sequence {7, 17, 23, 1, 7, etc.}, which is also clearly unsatisfactory. Of the 32 possible values, only 4 are used; thus, the sequence is said to have a period of 4. If, instead, we change the value of a to 5, then the sequence is {5, 25, 29, 17, 21, 9, 13, 1, 5, etc.}, which increases the period to 8.

  19. Linear Congruential Generator • m to be very large, for producing a long series of distinct random numbers, nearly equal to the maximum representable nonnegative integer for a given computer, equal to m=231-1. • Function should generate a long full-period sequence between 0 and m, • Generated deterministically, should appear random. • Efficient implementation with 32-bit. • an attacker can reconstruct sequence given a small number of values. 3 unknowns, a, c, m, 3 equations. • One solution is using internal system clock to modify the random number stream. • Restart the sequence after every N numbers with the current clock value (mod m) as the new seed • Add the current clock value to each random number (mod m).

  20. Cryptographically Generated Random Numbers • Use a block cipher to generate random numbers • often for creating session keys from master key which is protected, counter 56 key length, 256 possible c.. • Counter Mode Xi = EKm[i] • Output Feedback Mode Xi = EKm[Xi-1]

  21. Cryptographically Generated Random Numbers ANSI X9.17 PRNG • One of the strongest • DTi, Vi - Date/time, seed values at the beginning of ith generation stage • Ri - Pseudorandom number produced by the ith generation stage • K1, K2 - DES keys used for each stage • Ri = EDE([K1, K2], [Vi EDE([K1, K2], DTi)]) • Vi+1 = EDE([K1, K2], [Ri EDE([K1, K2], DTi)]) • where EDE([K1,K2], X)

  22. Blum Blum Shub Generator • based on public key algorithms • use least significant bit from iterative equation: • xi = xi-12 mod n • where n=p.q, and primes p,q should be congruent to = 3 mod 4 = p, q and • gcd(φ(p-1), φ(q-1)) should be small • unpredictable, passes next-bit test • security rests on difficulty of factoring N • is unpredictable given any run of bits • slow, since very large numbers must be used • too slow for cipher use, good for key generation

  23. Natural Random Noise • best source is natural randomness in real world • find a regular but random event and monitor • do generally need special h/w to do this • eg. radiation counters, radio noise, audio noise, thermal noise in diodes, leaky capacitors, mercury discharge tubes etc • starting to see such h/w in new CPU's • problems of bias or uneven distribution in signal • have to compensate for this when sample and use • best to only use a few noisiest bits from each sample

  24. Published Sources • a few published collections of random numbers • Rand Co, in 1955, published 1 million numbers • generated using an electronic roulette wheel • has been used in some cipher designs cf Khafre • earlier Tippett in 1927 published a collection • issues are that: • these are limited • too well-known for most uses

  25. A symmetric block cipher Blowfish • Designed by Bruce Schneier in 1993/94 • characteristics • fast implementation on 32-bit CPUs • compact in use of memory • simple structure for analysis/implementation • variable security by varying key size • has been implemented in various products • uses a 32 to 448 bit key • used to generate • 18 32-bit subkeys stored in K-array Kj • four 8x32 S-boxes stored in Si,j • key schedule consists of: • initialize P-array and then 4 S-boxes using pi • XOR P-array with key bits (reuse as needed) • loop repeatedly encrypting data using current P & S and replace successive pairs of P then S values • requires 521 encryptions, hence slow in re-keying

  26. uses two primitives: addition & XOR • data is divided into two 32-bit halves L0 & R0 for i = 1 to 16 do Ri= Li-1 XOR Pi; Li= F[Ri] XOR Ri-1; L17 = R16 XOR P18; R17 = L16 XOR i17; • where F[a,b,c,d] = ((S1,a+ S2,b) XOR S3,c) + S4,a • key dependent S-boxes and subkeys, makes cryptanalysis very difficult • changing both halves in each round increases security • provided key is large enough, brute-force key search is not practical, especially given the high key schedule cost

  27. RC5, ciphers, modes • a proprietary cipher owned by RSADSI • designed by Ronald Rivest (of RSA fame) • used in various RSADSI products • can vary key size / data size / no rounds • very clean and simple design • easy implementation on various CPUs • yet still regarded as secure • RC5 is a family of ciphers RC5-w/r/b • w = word size in bits (16/32/64) nb data=2w • r = number of rounds (0..255) • b = number of bytes in key (0..255) • nominal version is RC5-32/12/16 • ie 32-bit words so encrypts 64-bit data blocks • using 12 rounds • with 16 bytes (128-bit) secret key • RFC2040 defines 4 modes used by RC5 • RC5 Block Cipher, is ECB mode • RC5-CBC, is CBC mode • RC5-CBC-PAD, is CBC with padding by bytes with value being the number of padding bytes • RC5-CTS, a variant of CBC which is the same size as the original message, uses ciphertext stealing to keep size same as original

  28. RC5 Key Expansion and Encryption • RC5 uses 2r+2 subkey words (w-bits) • subkeys are stored in array S[i], i=0..t-1 • then the key schedule consists of • initializing S to a fixed pseudorandom value, based on constants e and phi • the byte key is copied (little-endian) into a c-word array L • a mixing operation then combines L and S to form the final S array • split input into two halves A & B L0 = A + S[0]; R0 = B + S[1]; for i = 1 to r do Li= ((Li-1 XOR Ri-1) <<< Ri-1) + S[2 x i]; Ri= ((Ri-1 XOR Li) <<< Li) + S[2 x i + 1]; • each round is like 2 DES rounds • note rotation is main source of non-linearity • need reasonable number of rounds (eg 12-16)

  29. In summary • have considered: • use and placement of symmetric encryption to protect confidentiality • need for good key distribution • use of trusted third party KDC’s • random number generation issues

More Related