Applied Cryptanalysis: Stream ciphers Vladimir Garbuz

Post on 18-Aug-2015

Applied Cryptanalysis: Stream ciphers

Vladimir Garbuz

Intro

• Why do I need to learn about Crypto generally?
  • It’s often used to create Cookies, hidden parameters
  • To do TLS the right way
  • For hashes and data integrity checks
  • Password and sensitive info storage
  • To have more marketable skills during an interview

• To whom is this useful?
  • Devs, QA, anyone interested in security and crypto

• What do I need to understand this?
  • School math knowledge
  • Desire to learn

Overview

• Symmetric encryption
  • Stream ciphers
  • Block ciphers
  • Modes of operation

• Cryptographic hash
• Key derivation
• Authenticated Encryption, AEAD

• Asymmetric encryption
• Conclusions and best practices

Symmetric Crypto basics

Jean-Philippe Aumasson

Symmetric Crypto basics

• To Encrypt is to take Plaintext, key and convert them into Ciphertext: C = E(P, k)
• To Decrypt is to take Ciphertext, key and convert them back into Plaintext: P = D(C, k)
• An attacker must, ideally, try (bruteforce) all possible keys – for a 256 bit key – 10^77 combinations

Symmetric Crypto basics

• What’s an attack?

Symmetric Crypto basics

• OK, what’s a cryptographic attack?
  • Anything better than bruteforce

• What’s a practical attack?
  • Any attack an adversary with the best technology available can conduct in a “reasonable” amount of time
  • “reasonable” is determined based on how long the plaintext keeps its value
  • Normally, due to the exponential nature of cryptanalytic difficulty, attacks are either impossible or very much possible

Symmetric Crypto basics

Main cryptanalytic methods, at a glance
• Known plaintext
• Chosen plaintext (encryption oracles)
• Chosen ciphertext (decryption oracles, bit flipping)
• Statistical cryptanalysis
• Differential cryptanalysis
• Side-channel attacks

Symmetric Crypto basics

http://www.washingtonpost.com/wp-srv/politics/special/clinton/stories/pizza121998.htm

Symmetric Crypto basics

XOR ⊕ Refresher
• Basically a bit flipping machine
• A ⊕ A = 0

Symmetric Crypto basics

XOR ⊕ Refresher
1. A ⊕ A = 0
2. A ⊕ 0 = A
3. A ⊕ B = B ⊕ A (commutativity)
4. A ⊕ (B ⊕ C) = (A ⊕ B) ⊕ C (associativity)
5. Let K ⊕ M = C, then: C ⊕ K = K ⊕ M ⊕ K = K ⊕ K ⊕ M = 0 ⊕ M = M

Stream ciphers

• Historic stream cipher example – One-time Pads
  • Sender and Receiver must have identical Pads
  • Pads fully filled with random data
  • Sender computes Message ⊕ Pad and sends the result
  • Receiver does Ciphertext ⊕ Pad to get the Message

• One-time Pads are mathematically proven to be unbreakable! YAY! VICTORY! Let’s all go home now.

THE END

QUESTIONS?

Stream ciphers


• One-time Pads are mathematically proven to be unbreakable! YAY! VICTORY! Let’s all go home now.
• Cons? One-time Pads are horribly impractical
• And unbreakable, well… Only as long as the Pads’ data is truly random and they are never used twice

Stream ciphers

• Modern electronic Stream Ciphers
  • Were inspired by One-time pads
  • Have almost all of their problems + some more!
  • Derive a high entropy Key from a Passphrase
  • Generate a Keystream via a PRNG algorithm from the Key
    • Its output is effectively used instead of one-time pads
  • Employ Initialization Vectors, transmitted in cleartext
    • They are mixed with the Key to avoid key reuse (pad reuse)

Stream ciphers

Basic vulnerabilities: bit flipping
• With Stream Ciphers, a flipped bit in the Ciphertext ALWAYS results in a flipped bit in the Plaintext
• Having only a Ciphertext, an attacker can make it say ANYTHING when decrypted!
  • Needs to know the target position in the plaintext
    • How? E.g. via reverse engineering the app or Crib-dragging
• Requires no knowledge of the encryption key
• Every stream cipher is vulnerable to it!

Stream ciphers

Basic vulnerabilities: bit flipping example
• Given: an encrypted cookie with data like
  …&user=john.doe&admin=0&…
• Whose encrypted bytes in binary look like
  …10010011 11011001 01101000…
• A flip of only 1 bit of ciphertext is necessary
  …10010011 11011000 01101000…
• To make the decrypted plaintext say
  …&user=john.doe&admin=1&…
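The cookie case above as an added, runnable example (my code, not from the slides): a toy stream cipher, the single-bit flip that turns admin=0 into admin=1 with no key involved, and the fix the deck later recommends, an authentication tag (HMAC in encrypt-then-MAC form) that rejects the altered ciphertext before decryption. The keystream generator, keys, nonce and cookie layout are all constructed for the demo.

```python
import hashlib
import hmac
NONCE_LEN, TAG_LEN = 8, 32

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream (SHA-256 in counter mode), constructed for this demo;
    any real stream cipher is just as malleable, only the PRNG differs."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    return xor(plaintext, keystream(key, nonce, len(plaintext)))
decrypt = encrypt  # XOR is its own inverse

# Constructed sample values: hypothetical keys, nonce and cookie layout.
ENC_KEY = hashlib.sha256(b"constructed enc key").digest()
MAC_KEY = hashlib.sha256(b"constructed mac key").digest()
NONCE = bytes.fromhex("0123456789abcdef")
COOKIE = b"user=john.doe&admin=0&theme=dark"

def flip_admin_flag(ciphertext: bytes, layout: bytes) -> bytes:
    """No key involved: '0' (0x30) and '1' (0x31) differ in the lowest bit,
    so flipping it in the ciphertext byte at the flag's position flips it
    in the plaintext.  Only the position, from the known layout, is used."""
    pos = layout.index(b"admin=") + len(b"admin=")
    c = bytearray(ciphertext)
    c[pos] ^= 0x01
    return bytes(c)

def seal(plaintext: bytes, nonce: bytes) -> bytes:
    """Encrypt-then-MAC: the tag covers nonce and ciphertext, so a flipped
    bit is rejected before anything is decrypted.  Token = nonce||ct||tag."""
    ct = encrypt(ENC_KEY, nonce, plaintext)
    tag = hmac.new(MAC_KEY, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_sealed(token: bytes):
    """Return the plaintext, or None when the tag does not verify."""
    nonce, ct, tag = token[:NONCE_LEN], token[NONCE_LEN:-TAG_LEN], token[-TAG_LEN:]
    expected = hmac.new(MAC_KEY, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return decrypt(ENC_KEY, nonce, ct)
```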

Stream ciphers

Basic vulnerabilities: key reuse
What’s so terrible about key (pad) reuse?
• So we have 2 plaintexts P1 and P2, and we encrypt them separately under the same Key, IV pair:
  C1 = P1 ⊕ F(Key,IV)
  C2 = P2 ⊕ F(Key,IV)
  When the attacker intercepts them, he can then compute:
  C1 ⊕ C2 = P1 ⊕ P2
• “Oh, please! How bad could that possibly be?..”

Stream ciphers

Basic vulnerabilities: key reuse

Stream ciphers

Basic vulnerabilities: key reuse
• Edge case: if one of the plaintexts, e.g. P1, is known, restoring the other one is trivial
  C1 ⊕ C2 ⊕ P1 = (P1 ⊕ K) ⊕ (P2 ⊕ K) ⊕ P1 = 0 ⊕ P2 = P2
• Edge case: if a portion of the Plaintext is known, the Keystream in the corresponding position is revealed
  C = P ⊕ E(Key,IV), so C ⊕ P = E(Key,IV)
• Now, having the Keystream at some position, we can decrypt data at that position from ALL other ciphertexts
• We can also change and re-encrypt any data there
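Both key-reuse edge cases worked through in code, as an added example rather than material from the slides: the keystream F(Key, IV) is a constructed byte string, the two cookies are made up, and crib_drag is the crib-dragging step named on the bit-flipping slide, applied to P1 ⊕ P2.

```python
import hashlib

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# Constructed stand-in for F(Key, IV): a real stream cipher derives it from
# the key and IV with its PRNG.  Reusing the same (Key, IV) pair means both
# messages get XORed with this exact byte string.
F_KEY_IV = hashlib.sha256(b"constructed key||iv").digest() * 2   # 64 bytes

# Two constructed plaintexts with the usual cookie layout.
P1 = b"user=john.doe&admin=0&session=8f1c2a"
P2 = b"user=jane.roe&admin=1&session=c0ffee"
C1 = xor(P1, F_KEY_IV)
C2 = xor(P2, F_KEY_IV)

def xor_of_plaintexts(c1: bytes, c2: bytes) -> bytes:
    """C1 ⊕ C2 = P1 ⊕ P2: the keystream cancels without ever being known."""
    return xor(c1, c2)

def recover_other(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """Edge case 1: P1 fully known, so P2 = C1 ⊕ C2 ⊕ P1."""
    return xor(xor(c1, c2), known_p1)

def recover_keystream(c: bytes, crib: bytes, offset: int) -> bytes:
    """Edge case 2: where the plaintext is known (a crib at `offset`),
    C ⊕ P = E(Key, IV) yields the keystream bytes at those positions."""
    return xor(c[offset:offset + len(crib)], crib)

def decrypt_slice(other_c: bytes, ks: bytes, offset: int) -> bytes:
    """Recovered keystream bytes decrypt the same positions of every other
    ciphertext produced under the reused (Key, IV)."""
    return xor(other_c[offset:offset + len(ks)], ks)

def crib_drag(c1: bytes, c2: bytes, crib: bytes) -> list:
    """Slide a guessed word along P1 ⊕ P2; offsets where the XOR with the
    crib is printable are plausible positions of that word in one message
    (the printable result being the other message's text there)."""
    d = xor_of_plaintexts(c1, c2)
    hits = []
    for off in range(len(d) - len(crib) + 1):
        cand = xor(d[off:off + len(crib)], crib)
        if all(32 <= byte < 127 for byte in cand):
            hits.append((off, cand))
    return hits
```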

Stream ciphers

Basic vulnerabilities: Why does key reuse happen?
• No IV is used
• Static IV
  • For example, the encryption key itself
  • Or a hash of the password – good entropy, still useless

• Very short IV
  • E.g. WEP had a 24 bit IV == 16777216 values
  • Birthday paradox: in 4096 packets an IV is reused with P=0.5
  • Birthday paradox??

Stream ciphers

Birthday paradox
• For what number of people are the chances that two of them share a birthday 50-50?

Stream ciphers

Basic vulnerabilities: Why does key reuse happen?
• Bad IV
  • Caused by bad random
    • Specifically, where a PRNG is used instead of a CSPRNG
  • “Oh please, what’s the difference?”

Stream ciphers: random

• Popular PRNG named RANDU
• Dots as (x,y) and (x,y,z) – all fall in 15 3D planes!

Stream ciphers: random

• CSPRNG sequence attractor analysis

Stream ciphers: random

• Windows 98 PRNG attractor analysis

Stream ciphers: random

Hacking Java’s Random(): predicting the future
• Linear Congruential PRNG: seed = (seed * multiplier + addend) mod (2 ^ precision)
• Has 48 bits of state, but discloses only 32 at a time, e.g. nextInt()
• The remaining 16 bits are easily bruteforcible on modern PCs:

Stream ciphers: random

Hacking Java’s Random(): peeking into the past
• Long story short, one bit at a time we unwind the changes a previous seed would’ve had on the current number
• And can do so recursively as far back as we wish
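Both Java Random slides as one added example (my re-implementation of the LCG from Java's public constants, not JDK code): recover the 48-bit state from two consecutive nextInt() values by brute-forcing the 16 hidden bits, then step the state backwards. For the backwards step it multiplies by the inverse of the multiplier mod 2^48 instead of the slide's bit-by-bit unwinding; the result is the same.

```python
# java.util.Random's public LCG constants: 48-bit state, 32 bits exposed per call.
MULT, ADD, MASK = 0x5DEECE66D, 0xB, (1 << 48) - 1
MULT_INV = pow(MULT, -1, 1 << 48)  # MULT is odd, so it is invertible mod 2^48

def to_signed32(v: int) -> int:
    return v - (1 << 32) if v & (1 << 31) else v

class JavaRandom:
    """Re-implementation of java.util.Random's core (not the JDK's code)."""
    def __init__(self, seed: int):
        self.seed = (seed ^ MULT) & MASK  # setSeed() scrambling

    @classmethod
    def from_state(cls, state: int) -> "JavaRandom":
        obj = cls.__new__(cls)
        obj.seed = state
        return obj

    def next_int(self) -> int:
        """nextInt(): seed = (seed * mult + addend) mod 2^48, top 32 bits out."""
        self.seed = (self.seed * MULT + ADD) & MASK
        return to_signed32(self.seed >> 16)

def recover_state(out1: int, out2: int):
    """Predicting the future: out1 is the top 32 bits of the state that emitted
    it; try all 2^16 values of the hidden low bits and keep the one whose next
    step emits out2.  Returns a clone that is now in sync, or None."""
    hi, target = out1 & 0xFFFFFFFF, out2 & 0xFFFFFFFF
    for low in range(1 << 16):
        nxt = (((hi << 16) | low) * MULT + ADD) & MASK
        if nxt >> 16 == target:
            return JavaRandom.from_state(nxt)
    return None

def previous_state(state: int) -> int:
    """Peeking into the past: undo one LCG step.  The slide unwinds it bit by
    bit; multiplying by the inverse of MULT mod 2^48 gives the same answer."""
    return ((state - ADD) * MULT_INV) & MASK

def outputs_before(rng: JavaRandom, n: int) -> list:
    """The n nextInt() values emitted before rng's current state, oldest
    first (n must not exceed the number of values actually emitted)."""
    vals, state = [], rng.seed
    for _ in range(n):
        state = previous_state(state)
        vals.append(to_signed32(state >> 16))
    return vals[::-1]
```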

Stream ciphers

Case-study
• Used a circular XOR cipher
  • Meaning, the “keystream”, the passphrase, was reused
  • Well, not exactly an XOR operation but close enough
• With a hardcoded key
  • That had barely any entropy
• Without an IV
• All this made it vulnerable to every kind of attack

Stream ciphers

Case-study
Differential Cryptanalysis via chosen plaintext attack

1. ‘aaaaa’ user session cookie, first 10 “bytes”: 131!167!208!205!204!194!184!192!164!124!...
2. ‘bbbbb’ user session cookie: 131!167!209!206!205!195!185!192!164!124!...
3. This is basically an “encryption” oracle
4. From this, we can already deduce the “keystream”
5. But it’s revealed clearly if we use ‘\0’ for the username
6. But what if we couldn’t control the plaintext?..

Stream ciphers

Case-study
Statistical analysis

• Only the end part of the cookies changed between sessions
• We can already see what’s encrypted here
• Now just bruteforce 1 byte for each column
  • Voila! We have our keystream symbol!

Stream ciphers

So, how to do it right?
• NEVER be clever and invent your own crypto!
• Use well-known Crypto suites, e.g. Bouncy Castle
• Never use a vulnerable cipher! E.g., RC4
  • Instead, go for ChaCha20 – no known attacks

• When you’re asked for an IV, get it from a CSPRNG!
• And make it LOOOOONG

• Never use the Passphrase as the Key!
  • Instead, google how to use PBKDF2 from RFC 2898
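The last three bullets in code, as an added example that is not from the slides: the weak pattern (a bare hash of the passphrase as the key, static IV) next to PBKDF2 with a random salt and an IV from the OS CSPRNG. Python's hashlib and secrets stand in for Bouncy Castle; the iteration count and sizes are my choices.

```python
import hashlib
import secrets

STATIC_IV = b"\x00" * 16  # the "static IV" anti-pattern from the slides

def weak_key_and_iv(passphrase: str):
    """What the slides warn against: the key is an unsalted hash of the
    passphrase (cheap to guess offline, identical for everyone using that
    passphrase) and the IV never changes, so every message is encrypted
    under the same (Key, IV) pair, i.e. the same keystream."""
    return hashlib.sha256(passphrase.encode()).digest(), STATIC_IV

def derive_key(passphrase: str, salt: bytes, iterations: int,
               hash_name: str = "sha256", length: int = 32) -> bytes:
    """PBKDF2 (RFC 2898 / RFC 8018) via hashlib: salted and deliberately
    slow, so one passphrase yields a different key per salt and each guess
    costs `iterations` HMAC computations."""
    return hashlib.pbkdf2_hmac(hash_name, passphrase.encode(), salt,
                               iterations, dklen=length)

def fresh_key_and_iv(passphrase: str, iterations: int = 600_000):
    """Per-message material: a random salt (stored next to the ciphertext so
    the key can be re-derived), the PBKDF2 key, and a 128-bit IV from the
    OS CSPRNG that is never reused.  The iteration count is this demo's choice."""
    salt = secrets.token_bytes(16)
    iv = secrets.token_bytes(16)
    return derive_key(passphrase, salt, iterations), salt, iv
```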