1 / 31

Stream Cipher

CS 686 Special Topics in CS Privacy and Security. Stream Cipher. EJ Jung ejung@cs.usfca.edu. Announcements. Course Questionnaire and Consent Form No submission, no grades Service Lab community partners are coming Reading assignment in schedule read “ahead”. Course questionnaire results.

mili
Download Presentation

Stream Cipher

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. CS 686 Special Topics in CS Privacy and Security Stream Cipher EJ Jung ejung@cs.usfca.edu CS 686

  2. Announcements • Course Questionnaire and Consent Form • No submission, no grades • Service Lab community partners are coming • Reading assignment in schedule • read “ahead” CS 686

  3. Course questionnaire results • 20 students • Previous courses • 13 networks, 10 OS, 3 crypto, 1 security • Familiar technology • 13 hash, 10 proxy, 9 SSL/TLS, 9 PKC, 3 TOR, 2 PGP, 1 IPsec, CS 686

  4. Current challenging problems • Conflicting goals: • privacy vs. utility, anonymity vs. authenticity • safety vs. convenience, usability • right to opt-out • happy medium • Hackers • User education and admin education • Data sharing among many parties • Data leak from social networks CS 686

  5. Want to solve • Hacking prevention, Server protection, Data protection • Vulnerability (loophole) analysis and mitigation • Intrusion detection • packet sniffing and monitoring • User education, usability • Malware, e.g. virus, key-loggers, prevention&detection • Identity theft, Phishing prevention/detection • Right to opt-out, Pay for privacy • Anonymity, Finding happy medium between anonymity and authenticity • TOR • Security software development • Secure data sharing among multiple parties, Data tracing CS 686

  6. After this course • Become knowledgeable • Find vulnerabilities • Protect systems and websites • without hurting performance and usability too much • Work as security specialist CS 686

  7. Basic Problem ----- ----- ----- ? Given: both parties already know the same secret Goal: send a message confidentially How is this achieved in practice? Any communication system that aims to guarantee confidentiality must solve this problem CS 686 slide 7

  8. One-Time Pad 10111101… ----- ----- ----- = 10111101…   10001111… = 00110010… 00110010… = Key is a random bit sequence as long as the plaintext Decrypt by bitwise XOR of ciphertext and key: ciphertext  key = (plaintext  key)  key = plaintext  (key  key) = plaintext Encrypt by bitwise XOR of plaintext and key: ciphertext = plaintext  key Cipher achieves perfect secrecy if and only if there are as many possible keys as possible plaintexts, and every key is equally likely (Claude Shannon) CS 686 slide 8

  9. Advantages of One-Time Pad Easy to compute Encryption and decryption are the same operation Bitwise XOR is very cheap to compute As secure as theoretically possible Given a ciphertext, all plaintexts are equally likely, regardless of attacker’s computational resources …as long as the key sequence is truly random True randomness is expensive to obtain in large quantities …as long as each key is same length as plaintext But how does the sender communicate the key to receiver? CS 686 slide 9

  10. Problems with One-Time Pad Key must be as long as plaintext Impractical in most realistic scenarios Still used for diplomatic and intelligence traffic Does not guarantee integrity One-time pad only guarantees confidentiality Attacker cannot recover plaintext, but can easily change it to something else Insecure if keys are reused Attacker can obtain XOR of plaintexts CS 686 slide 10

  11. Stream Ciphers • One-time pad Ciphertext(Key,Message)=MessageKey • Key must be a random bit sequence as long as message • Idea: replace “random” with “pseudo-random” • Encrypt with pseudo-random number generator (PRNG) • PRNG takes a short, truly random secret seed (key) and expands it into a long “random-looking” sequence • E.g., 128-bit key into a 106-bit pseudo-random sequence • Ciphertext(Key,Message)=MessagePRNG(Key) • Message processed bit by bit, not in blocks CS 686

  12. CS 686

  13. CS 686

  14. Properties of Stream Ciphers • Usually very fast • Used where speed is important: WiFi, SSL, DVD • Unlike one-time pad, stream ciphers do not provide perfect secrecy • Only as secure as the underlying PRNG • If used properly, can be as secure as block ciphers • PRNG must be unpredictable • Given the stream of PRNG output (but not the seed!), it’s hard to predict what the next bit will be • If PRNG(unknown seed)=b1…bi, then bi+1 is “0” with probability ½, “1” with probability ½ CS 686

  15. Weaknesses of Stream Ciphers • No integrity • Associativity & commutativity: (XY)Z=(XZ)Y • (M1PRNG(key))  M2 = (M1M2)  PRNG(key) • Known-plaintext attack is very dangerous if keystream is ever repeated • Self-cancellation property of XOR: XX=0 • (M1PRNG(key))  (M2PRNG(key)) = M1M2 • If attacker knows M1, then easily recovers M2 • Most plaintexts contain enough redundancy that knowledge of M1 or M2 is not even necessary to recover both from M1M2 CS 686

  16. Stream Cipher Terminology • Seed of pseudo-random generator often consists of initialization vector (IV) and key • IV is usually sent with the ciphertext • The key is a secret known only to the sender and the recipient, not sent with the ciphertext • The pseudo-random bit stream produced by PRNG(IV,key) is referred to as keystream • Encrypt message by XORing with keystream • ciphertext = message  keystream CS 686

  17. RC4 • Designed by Ron Rivest for RSA in 1987 • Simple, fast, widely used • SSL/TLS for Web security, WEP for wireless Byte array S[256] contains a permutation of numbers from 0 to 255 i = j := 0 loop i := (i+1) mod 256 j := (j+S[i]) mod 256 swap(S[i],S[j]) output (S[i]+S[j]) mod 256 end loop CS 686

  18. What happens if even a single player key is compromised? This helps attacker verify his guess of disk key Content Scrambling System (CSS) • DVD encryption scheme from Matsushita and Toshiba Each player has its own PLAYER KEY (409 player manufacturers, each has its player key) • KEY DATA BLOCK contains disk key encrypted • with 409 different player keys: • EncryptDiskKey(DiskKey) • EncryptPlayerKey1(DiskKey) … EncryptPlayerKey409(DiskKey) Each DVD is encrypted with a disk-specific 40-bit DISK KEY CS 686

  19. Feedback Function Generic LFSR output taps feedback path • The register is seeded with an initial value. • At each clock tick, the feedback function is evaluated using the input from the tapped bits. The result is shifted into the leftmost bit of the register. The rightmost bit is shifted into the output. CS 686

  20. CS 686

  21. Linear Feedback Shift Register • Pseudo-random bit stream • Linear Feedback Shift Register (LFSR) • The LFSR is one popular technique for generating a pseudo-random bit stream. After the LFSR is seeded with a value, it can be clocked to generate a stream of bits. • Unfortunately, LFSRs aren’t truly random – they are periodic and will eventually repeat. • In general, the larger the LFSR, the greater its period. There period also depends on the particular configuration of the LFSR. • If the initial value of an LFSR is 0, it will produce only 0’s, this is sometimes called null cycling CS 686

  22. + 8-bit add CSS: LFSR Addition first 2 bytes of key + 4th bit 1 1 byte LFSR-17 8 ticks Optional bit-wise inverter Output byte last 3 bytes of key + 4th bit 1 1 byte LFSR-25 carry-out 8 ticks Optional bit-wise inverter carry-out from prior addition CS 686

  23. Weakness #1: LFSR Cipher • Brainless: disk key is 40 bit long • 240 isn’t really very big – just brainlessly brute-force the keys • With 6 Output Bytes O(216) : • Guess the initial state of LFSR-17 O(216). • Clock out 4 bytes. • Use those 4 bytes to determine the corresponding 4 bytes of output from LFSR-25. • Use the LFSR-25 output to determine LFSR-25’s state. • Clock out 2 bytes on both LFSRs. • Verify these two bytes. Celebrate or guess again. CS 686

  24. + 8-bit add CSS: LFSR Addition first 2 bytes of key + 4th bit 1 1 byte LFSR-17 8 ticks Optional bit-wise inverter Output byte last 3 bytes of key + 4th bit 1 1 byte LFSR-25 carry-out 8 ticks Optional bit-wise inverter carry-out from prior addition CS 686

  25. CS 686

  26. Weakness #1: LFSR Cipher (Cont.) • With 5 Output Bytes O(217) : • Guess the initial state of LFSR-17 O(216) • Clock out 3 bytes • Determine the corresponding output bytes from LFSR-25 • This reveals all but the highest-order bit of LFSR-25 • Try both possibilities: O(2) • Clock back 3 bytes • Select the setting where bit 4 is 1 (remember this is the initial case). • It is possible that both satisfy this – try both. • Clock out 2 bytes on both LFSRs. • Verify these two bytes. Celebrate or guess again. CS 686

  27. CS 686

  28. Weakness #2: Mangled Output • With Known ciphertext and plainttext • Guess Lk(1 byte) • Work backward and verify input byte • This is a O(28) attack. • Repeat for all 5 bytes – this gives you the 5 bytes of known output for prior weakness. CS 686

  29. + + + + + + + + + + CSS decryption algorithm Bytes of Ciphertext 2 3 1 0 4 Table lookup Table lookup Table lookup Table lookup Table lookup Lk Lk Lk Lk Lk Table lookup Table lookup Table lookup Table lookup Table lookup Lk Lk Lk Lk Lk Bytes of Plaintext 1 2 3 4 5 CS 686

  30. Attack on CSS Decryption Scheme [due to Frank Stevenson] “1” seeded in 4th bit LFSR-17  Knowing encrypted and decrypted title key, try 256 possibilities to recover 40 output bits of the LFSRs – this takes O(28)  Guess 16 bits of the key contained in LFSR-17 – this takes O(216)  Clock out 24 bits out of LFSR-17, use them to determine the corresponding output bits of LFSR-25 (this reveals all of LFSR-25 except the highest bit)  Clock back 24 bits, try both possibilities – this takes O(2)  Verify the key  16 key bits …    disk key Decrypted title key +mod 256  … 24 key bits invert LFSR-25 “1” seeded in 4th bit carry EncryptDiskKey(DiskKey) stored on disk  Encrypted title key Table-based “mangling” This attack takes O(225) CS 686

  31. Reading assignment • Aircrack-ng • http://www.aircrack-ng.org/doku.php CS 686

More Related