chapter 7 – stream ciphers and cryptography and random ...banach/comp61411.info/course... ·...


Cryptography and Network Security
Chapter 7
Fifth Edition
by William Stallings
Lecture slides by Lawrie Brown
(with edits by RHB)

Chapter 7 – Stream Ciphers and Random Number Generation

The comparatively late rise of the theory of probability shows how hard it is to grasp, and the many paradoxes show clearly that we, as humans, lack a well grounded intuition in this matter.

In probability theory there is a great deal of art in setting up the model, in solving the problem, and in applying the results back to the real world actions that will follow.

— The Art of Probability, Richard Hamming

Outline

• pseudorandom number generation
• stream ciphers
• RC4
• true random numbers

Random Numbers

• many uses of random numbers in cryptography
  – nonces in authentication protocols to prevent replay
  – session keys
  – public key generation
  – keystream for a one-time pad
• in all cases it's critical that these values are
  – statistically random, uniform distribution, independent
  – unpredictable: future values cannot be determined from previous values
• true random numbers provide this
• care needed with generated random numbers


Pseudorandom Number Generators (PRNGs)

• often use deterministic algorithmic techniques to create “random numbers”
  – although these are not truly random
  – can pass many tests of “randomness”
• known as “pseudorandom numbers”
• created by “Pseudorandom Number Generators (PRNGs)”

Random & Pseudorandom Number Generators

PRNG Requirements

• randomness
  – uniformity, scalability, consistency
• unpredictability
  – forward & backward unpredictability
  – same tests used to check both
• characteristics of the seed
  – secure
  – if known, adversary can determine output
  – so must be a random or pseudorandom number

Linear Congruential Generator

• common iterative technique using:
  $X_{n+1} = (aX_n + c) \bmod m$
• given suitable values of parameters can produce a long random-like sequence
• suitable criteria to have are:
  – function generates a full-period (period always exists)
  – generated sequence should appear random
  – efficient implementation with 32-bit arithmetic
• note that an attacker can reconstruct sequence given a small number of values (knowing a, c, m)
• have possibilities for making this harder
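The predictability noted above, as an added example (not from the slides) showing why linear congruential output is unsuitable for keys or nonces. The parameter values and all function names are constructed for illustration; the last function goes one step beyond the slide and recovers a and c when only m is known.

```python
def lcg_outputs(a, c, m, start, count):
    """Return the next `count` values of X_{n+1} = (a*X_n + c) mod m after `start`."""
    out, x = [], start
    for _ in range(count):
        x = (a * x + c) % m
        out.append(x)
    return out

def step_back(a, c, m, x):
    """Previous value: X_n = a^-1 * (X_{n+1} - c) mod m (needs gcd(a, m) = 1)."""
    return (pow(a, -1, m) * (x - c)) % m

def recover_a_c(m, x0, x1, x2):
    """With only m known, solve x1 = a*x0 + c and x2 = a*x1 + c (mod m).

    Needs gcd(x1 - x0, m) = 1, which holds whenever m is prime and x1 != x0.
    """
    a = ((x2 - x1) * pow((x1 - x0) % m, -1, m)) % m
    c = (x1 - a * x0) % m
    return a, c

# Constructed sample parameters (assumptions, not from the slides):
# prime modulus 2^31 - 1, so every non-zero difference is invertible.
A, C, M = 16807, 12345, 2**31 - 1

if __name__ == "__main__":
    stream = lcg_outputs(A, C, M, start=20200703, count=8)
    seen, unseen = stream[:3], stream[3:]      # three values become visible
    a, c = recover_a_c(M, *seen)
    print("parameters recovered:", (a, c) == (A, C))
    print("future values match:",
          lcg_outputs(a, c, M, seen[-1], 5) == unseen)
    print("earlier value match:", step_back(a, c, M, seen[1]) == seen[0])
```
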


Blum Blum Shub Generator

• based on public key algorithms
• use least significant bit from iterative equation:
  $x_0 = s^2 \bmod n$
  LOOP
    $x_i = x_{i-1}^2 \bmod n$
    $b_i = x_i \bmod 2$
  where $n = p \cdot q$, and primes $p, q \equiv 3 \pmod 4$
• unpredictable, passes next-bit test
• security rests on difficulty of factoring n
• is unpredictable given any run of bits
• slow, since very large numbers must be used
• too slow for cipher use, good for key generation

Example Operation of BBS
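The iteration above as an added Python example (not the slides' own code or table). The class and function names are hypothetical, and the parameters n = 383 × 503 with seed 101355 are small illustrative values, far too small for real use; primality of p and q is assumed rather than checked.

```python
from math import gcd

class BlumBlumShub:
    """x_0 = s^2 mod n;  x_i = x_{i-1}^2 mod n;  b_i = x_i mod 2."""

    def __init__(self, p: int, q: int, seed: int):
        # Assumption: the caller supplies primes; only the mod-4 rule is checked.
        if p == q or p % 4 != 3 or q % 4 != 3:
            raise ValueError("need distinct primes p, q with p = q = 3 (mod 4)")
        self.n = p * q
        if gcd(seed, self.n) != 1:
            raise ValueError("seed must be coprime to n")
        self.x = pow(seed, 2, self.n)          # x_0

    def next_bit(self) -> int:
        self.x = pow(self.x, 2, self.n)        # x_i
        return self.x & 1                      # least significant bit b_i

    def random_bytes(self, count: int) -> bytes:
        """Pack output bits, most significant bit first, into `count` bytes."""
        out = bytearray()
        for _ in range(count):
            byte = 0
            for _ in range(8):
                byte = (byte << 1) | self.next_bit()
            out.append(byte)
        return bytes(out)

def demo_rows(count: int = 5):
    """(i, x_i, b_i) rows for the illustrative parameters."""
    gen = BlumBlumShub(383, 503, 101355)
    rows = []
    for i in range(1, count + 1):
        bit = gen.next_bit()
        rows.append((i, gen.x, bit))
    return rows

if __name__ == "__main__":
    for row in demo_rows():
        print(row)
```
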

Using Block Ciphers as PRNGs

• for cryptographic applications, can use a block cipher to generate random numbers
• often for creating session keys from master key
• CTR
  $X_i = E_K[V_i]$
• OFB
  $X_i = E_K[X_{i-1}]$

ANSI X9.17 PRG

• a relatively complicated construction, including timestamps, and multiple encryptions
• date and time (DTi)
• uses 2-key (K1,K2) triple DES (3 times per random bit Ri)
• feeds back between rounds (Vi)


ANSI X9.17 PRNG

Stream Ciphers

• process message bit by bit (as a stream)
• have a pseudo random keystream
• which is combined (XOR) with plaintext bit by bit (cf. one-time pad)
• randomness of stream key completely destroys statistical properties in message
  – $C_i = M_i \;\mathrm{XOR}\; \mathit{StreamKey}_i$
• but must never reuse stream key
  – otherwise can recover messages (via XOR of msgs)

Stream Cipher StructureStream Cipher Structure


Stream Cipher Properties

• some design considerations are:
  – long period with no repetitions of keystream
  – statistically random
  – depends on large enough key
  – large linear complexity
• properly designed, can be as secure as a block cipher with same size key
• but usually simpler & faster

RC4

• a proprietary cipher owned by RSA DSI
• a Ron Rivest design, simple but effective
• variable key size, byte-oriented stream cipher
• was widely used (web SSL/TLS, wireless WEP/WPA)
• key forms random permutation of all 8-bit values
• uses that permutation to scramble input info processed a byte at a time
• these days, known to have vulnerabilities

RC4 Key Schedule

• starts with an array S of numbers: 0..255
• use key to well and truly shuffle S
• S forms internal state of the cipher

    for i = 0 to 255 do
        S[i] = i
        T[i] = K[i mod keylen]
    j = 0
    for i = 0 to 255 do
        j = (j + S[i] + T[i]) (mod 256)
        swap (S[i], S[j])

RC4 Encryption

• encryption continues shuffling array values
• sum of shuffled pair selects "stream key" value from permutation
• XOR S[t] with next byte of msg. to en/de-crypt

    i = j = 0
    for each message byte M_i
        i = (i + 1) (mod 256)
        j = (j + S[i]) (mod 256)
        swap (S[i], S[j])
        t = (S[i] + S[j]) (mod 256)
        C_i = M_i XOR S[t]
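The key schedule and encryption loop above as an added runnable example (not from the slides), also covering the earlier rule that a stream key must never be reused. Function names, keys and messages are constructed; the second-byte measurement illustrates one published RC4 keystream bias (Mantin and Shamir), which the slides do not name.

```python
import random

def rc4_ksa(key: bytes) -> list:
    """Key schedule: shuffle S = 0..255 under control of the key."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    S, j = list(range(256)), 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256   # T[i] = K[i mod keylen]
        S[i], S[j] = S[j], S[i]
    return S

def rc4_keystream(key: bytes, n: int) -> bytes:
    """First n stream-key bytes S[t] produced for this key."""
    S, i, j, out = rc4_ksa(key), 0, 0, bytearray()
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % 256])
    return bytes(out)

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def rc4(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt: C_i = M_i XOR S[t]."""
    return xor_bytes(data, rc4_keystream(key, len(data)))

def second_byte_zero_rate(trials: int, seed: int = 1) -> float:
    """Fraction of random 16-byte keys whose 2nd keystream byte is 0.

    A uniform byte would give 1/256; RC4 gives roughly twice that.
    """
    rng = random.Random(seed)                      # reproducible constructed keys
    hits = 0
    for _ in range(trials):
        key = bytes(rng.getrandbits(8) for _ in range(16))
        hits += rc4_keystream(key, 2)[1] == 0
    return hits / trials

if __name__ == "__main__":
    key, m1, m2 = b"Key", b"Plaintext", b"Different"   # constructed samples
    c1, c2 = rc4(key, m1), rc4(key, m2)                # same key used twice
    print(c1.hex())
    print(xor_bytes(c1, c2) == xor_bytes(m1, m2))      # keystream cancels out
    print(xor_bytes(xor_bytes(c1, c2), m1))            # knowing m1 yields m2
    print(second_byte_zero_rate(20000) * 256)          # ~2, uniform would be ~1
```
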


RC4 Overview

RC4 Security

• claimed secure against known attacks when managed properly
  – have some analyses, none practical
• result is very non-linear
• since RC4 is a stream cipher, must never reuse a key
• these days, RC4 is known to be biased (unequal numbers of 0s and 1s in the keystream)
• NSA has been breaking RC4 for many years!

Natural Random Noise

• best source is natural randomness in real world
• find a regular but random event and monitor
• do generally need special h/w to do this
  – e.g. radiation counters, radio noise, audio noise, thermal noise in diodes, leaky capacitors, mercury discharge tubes etc … photon detectors …
• see such h/w in better contemporary CPUs
• problems of bias or uneven distribution in signal
  – have to compensate for this when sampling, often by passing bits through a hash function
  – best to only use a few noisiest bits from each sample
  – RFC4086 recommends using multiple sources + hash
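The sampling advice above as an added sketch (not from the slides): keep only the low bits of each raw sample, pool several sources through SHA-256, and refuse to emit a seed when the estimated entropy is too low. The sensor readings are simulated, all names are hypothetical, and the entropy estimate is a rough frequency-based one that assumes independent samples.

```python
import hashlib
import math
import random
from collections import Counter

def low_bits(sample: int, keep: int = 2) -> int:
    """Keep only the `keep` least significant (noisiest) bits of a sample."""
    return sample & ((1 << keep) - 1)

def min_entropy_bits(symbols) -> float:
    """Rough estimate: -log2(frequency of most common symbol) per symbol."""
    if not symbols:
        return 0.0
    p_max = max(Counter(symbols).values()) / len(symbols)
    return -math.log2(p_max) * len(symbols)

def make_seed(sources: dict, seed_bytes: int = 32, margin: float = 2.0) -> bytes:
    """Mix the low bits of every source through SHA-256 into one seed.

    Raises ValueError unless the pooled estimate exceeds `margin` times
    the number of seed bits, so a stuck or starved source cannot pass.
    """
    if not 1 <= seed_bytes <= 32:
        raise ValueError("SHA-256 yields at most 32 bytes")
    pool, estimate = hashlib.sha256(), 0.0
    for name in sorted(sources):
        symbols = [low_bits(s) for s in sources[name]]
        estimate += min_entropy_bits(symbols)
        pool.update(name.encode() + b"\0" + bytes(symbols))
    if estimate < margin * 8 * seed_bytes:
        raise ValueError("not enough estimated entropy collected")
    return pool.digest()[:seed_bytes]

def simulated_adc(rng, count, offset, sigma):
    """Constructed stand-in for a 12-bit noisy sensor reading."""
    return [int(offset + rng.gauss(0, sigma)) & 0xFFF for _ in range(count)]

if __name__ == "__main__":
    rng = random.Random(7)                      # simulation only, not a real source
    sources = {"audio": simulated_adc(rng, 1000, 2048, 25.0),
               "thermal": simulated_adc(rng, 1000, 1000, 40.0)}
    print(make_seed(sources).hex())
    try:
        make_seed({"stuck": [2048] * 5000})     # constant reading: zero entropy
    except ValueError as err:
        print("rejected:", err)
```
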

Photon Detector TRNG


Photon Detector TRNG

Compensating for physical bias

Exponential decay leads to unequal bins

Using a TRNG to give seed

Published Sources

• a few published collections of random numbers
• Rand Co., in 1955, published 1 million numbers
  – generated using an electronic roulette wheel
  – has been used in some cipher designs cf. Khafre
• earlier Tippett in 1927 published a collection
• issues are that:
  – these are limited
  – too well-known for most uses