pkzip stream cipher 1 pkzip pkzip stream cipher 2 pkzip phil katz’s zip program katz...
out of 33
Post on 19-Dec-2015
Embed Size (px)
- Slide 1
- Slide 2
- PKZIP Stream Cipher 1 PKZIP
- Slide 3
- PKZIP Stream Cipher 2 PKZIP Phil Katzs ZIP program Katz invented zip file format o ca 1989 Before that, Katz created PKARC utility o ARC compression was patented by SEA, Inc. o SEA successfully sued Katz Katz then invented zip o ZIP was much better than SEAs ARC o He started his own company, PKWare Katz died of alcohol abuse at age 37 in 2000
- Slide 4
- PKZIP Stream Cipher 3 PKZIP PKZIP compresses files using zip Optionally, it encrypts compressed file o Uses a homemade stream cipher o PKZIP cipher due to Roger Schlafly o Schlafly has PhD in math (Berkeley, 1980) PKZIP cipher is susceptible to attack o Attack is nontrivial, has significant work factor, lots of memory required, etc.
- Slide 5
- PKZIP Stream Cipher 4 PKZIP Cipher Generates 1 byte of keystream per step 96 bit internal state o State: 32-bit words, which we label X,Y,Z o Initial state derived from a password Of course, password guessing is possible o We do not consider password guessing here Cipher design seems somewhat ad hoc o No clear design principles o Uses shifts, arithmetic operations, CRC, etc.
- Slide 6
- PKZIP Stream Cipher 5 PKZIP Encryption Given o Current state: X, Y, Z (32-bit words) o p = byte of plaintext to encrypt o Note: upper case for 32-bit words, lower case bytes Then the algorithm is k = getKeystreamByte(Z) c = p k update(X, Y, Z, p) Next, we define getKeystreamByte, update
- Slide 7
- PKZIP Stream Cipher 6 PKZIP getKeystreamByte Let be binary OR Define X ij as bits i thru j (inclusive) of X o As usual, bits numbered left-to-right from 0 Shift X by n bits to right: X n Then getKeystreamByte(Z) t = Z 3 1631 k = (t (t 1)) 8 2431 return(k) end getKeystreamByte
- Slide 8
- PKZIP Stream Cipher 7 PKZIP update Given current state X, Y, Z and p update(X, Y, Z, p) X = CRC(X, p) Y = (Y + X 2431 ) 134775813 + 1 (mod 2 32 ) Z = CRC(Z, Y 07 ) end update CRC function defined on next slide
- Slide 9
- PKZIP Stream Cipher 8 PKZIP CRC Let X be 32-bit word, b a byte CRC(X, b) X = X b for i = 0 to 7 if X is odd X = (X 1) 0xedb88320 else X = (X 1) end if next i return(X) end CRC
- Slide 10
- PKZIP Stream Cipher 9 CRCTable and CRCinverse For efficiency, define CRCtable so that CRC(X,b) = X 023 CRCtable[ X 2431 b] Inverse table, CRCinverse, exists in the following sense: If B = A 023 CRCtable[ A 2431 b] Then A = (B 8) CRCinverse[ B 07 ] b Inverse table is useful in attack
- Slide 11
- PKZIP Stream Cipher 10 Lists Let (X i,Y i,Z i ) be internal state used to generate i th keystream byte Let k i be the i th keystream byte Let p i be i th plaintext byte Define X -list to be X 0,X 1,X n o Note that n+1 elements in this list Similar definition for k -list, p -list, etc.
- Slide 12
- PKZIP Stream Cipher 11 Outline of PKZIP Attack Assume k -list and p -list are known o This is a known plaintext attack Want to find state (X i,Y i,Z i ) for some i o Then all keystream bytes are known Executive summary of the attack 1. Use k -list to find a set of Z -lists 2. For each Z -list, find multiple Y -lists 3. For each Y -list, use p -list to obtain one X -list 4. True X -list is among X -lists in 3. Find X -list using p -list. From X -list, obtain state and keystream Details of steps 1 thru 4 on following slides
- Slide 13
- PKZIP Stream Cipher 12 Step 1: Z-lists Assume keystream bytes k 0,k 1,,k n known Keystream byte k i computed as k i = (t (t 1)) 8 2431 Where t = Z i 3 1631 Given k n, there are 64 possible t o Due to the 3 This gives 64 putative Z n 1629 Similarly, we find 64 putative Z n 1 1629
- Slide 14
- PKZIP Stream Cipher 13 Step 1: Z-lists Have 64 putative Z n 1629 and Z n 1 1629 Implies there are 2 22 putative Z n 029 By update we have Z n = CRC(Z n 1, Y 07 ) By CRC inversion formula Z n 1 = (Z n 8) CRCinverse[ Z n 07 ] Y n 07 For each of 2 22 putative Z n 029 o Know bits 0 thru 21 on RHS, bits 16 to 29 on LHS o For correct Z n and Z n 1, bits 16 thru 21 must agree o Since 6 bits, 1/64 chance of a random match o Since 64 Z n 1, for each Z n expect 1 matching Z n 1 o Since there are 2 22 Z n 1 we obtain 2 22 Z n 1
- Slide 15
- PKZIP Stream Cipher 14 Step 1: Z-lists Repeat for Z n 2 029 then Z n 3 029 etc. Bottom Line o We obtain about 2 22 Z -lists o Each of the form Z i 029, for i = 1,2,,n Possible to extend each of these to full Z i o That is, Z i bits 0 thru 31, not just bits 0 thru 29 o We omit details here (see text) We have 2 22 Z -lists, Z i 029, for i = 1,2,,n
- Slide 16
- PKZIP Stream Cipher 15 Step 1 Refinement Possible to reduce number of Z -lists Requires additional known plaintext Reduces overall work factor For example o 28 more bytes, we can reduce number of Z -lists (and overall work) by a factor of 2 4 o 1000 additional bytes can reduce number of lists to a range by 2 11 to 2 14 We ignore refinement, so 2 22 Z -lists
- Slide 17
- PKZIP Stream Cipher 16 Step 2: Y-lists We have about 2 22 putative Z -lists o Each consisting of putative Z 1,Z 2,,Z n We use these to find consistent Y -lists From update, we can write CRC inverse as Y i 07 = Z i 1 (Z i 8) CRCinverse[ Z i 07 ] For each Z -list, have Y 2 07, Y 3 07, , Y n 07 How to find remaining 24 bits of each Y i ? o This is a bit tricky
- Slide 18
- PKZIP Stream Cipher 17 Step 2: Y-lists From update we have Y i = (Y i 1 + X i 2431 ) 134775813 + 1 (mod 2 32 ) Rewrite this as (Y i 1) C = Y i 1 + X i 2431 Where C = 134775813 1 (mod 2 32 ) Then with very high probability (Y i 1) C 07 = Y i 1 07 Letting i = n, we have (Y n 1) C 07 = Y n 1 07
- Slide 19
- PKZIP Stream Cipher 18 Step 2: Y-lists We have (Y n 1) C 07 = Y n 1 07 o Where both Y n 07 and Y n 1 07 known Test all 2 24 choices for Y n 831 o For each, compute (Y n 1) C 07 o And compare to known Y n 1 07 o Probability of a match is 1/2 8 Bottom line: Obtain 2 16 Y n per Z -list Since 2 22 Z -lists, we have 2 38 Y n
- Slide 20
- PKZIP Stream Cipher 19 Step 2: Y-lists We have (Y n 1) C = Y n 1 + X n 2431 Rewrite as Y n 1 = (Y n 1) C X n 2431 Let a = X n 2431 Then Y n 1 = (Y n 1) C a For some unknown byte a
- Slide 21
- PKZIP Stream Cipher 20 Step 2: Y-lists We have Y n 1 = (Y n 1) C a o For some unknown byte a For each Y n, compute Y n 1 for all possible a o Test whether (Y n 1 1) C 07 = Y n 2 07 o Recall that Y n 2 07 is known o Try all 256 a, each has 1/2 8 probability of match o Expect one Y n 1 for each Y n Can be made efficient using lookup tables o Given Y n 2 07 lookup consistent Y n 1 07
- Slide 22
- PKZIP Stream Cipher 21 Step 2: Y-lists Repeat for Y n 2,Y n 3,,Y 3 Bottom line o Expect to obtain 2 38 Y -lists o Each of the form Y 3,Y 4,,Y n Remaining steps in the attack o Find X -lists (step 3) o Find correct X -list from set of X -lists (step 4) o Then some (X i,Y i,Z i ) known and msg is broken!
- Slide 23
- PKZIP Stream Cipher 22 Step 3: X-lists We have about 2 38 putative Y -lists o Each is of the form Y 3,Y 4,,Y n How to find corresponding X -lists? Consider the formula X i 2431 = (Y i 1) C Y i 1 Use this to obtain X i 2431 for i = 4,5,,n How to find remaining bits of each X i ?
- Slide 24
- PKZIP Stream Cipher 23 Step 3: X-lists From update function X i = CRC(X i 1, p i ) Using CRC table, X i = X i 1 023 CRCtable[ X i 1 2431 p i ] Implications? If we know one complete X i and all p j then we can compute all (complete) X j o CRC inverse allows us to find X i-1 from X i So how to find one complete X i ?
- Slide 25
- PKZIP Stream Cipher 24 Step 3: X-lists We know X i 2431 and p i for each i From update: X i = X i 1 023 CRCtable[ X i 1 2431 p i ] This implies 1. X i 023 = X i+1 CRCtable[ X i 2431 p i+1 ] 2. X i+1 023 = X i+2 CRCtable[ X i+1 2431 p i+2 ] 3. X i+2 023 = X i+3 CRCtable[ X i+2 2431 p i+3 ] From X i+3 2431, X i+2 2431 and 3, get X i+2 1631 From X i+2 1631, X i+1 2431 and 2, get X i+1 831 From X i+1 831, X i 2431 and 1, get X i = X i 031
- Slide 26
- PKZIP Stream Cipher 25 Step 3: X-lists Using X i found on previous slide and X i = X i 1 023 CRCtable[ X i 1 2431 p i ] We can find the complete X- list Repeat this for each putative Y -list o Gives us about 2 38 putative X- lists Correct X -list will (almost certainly) be among these 2 38 X -lists How to select the winning X -list?
- Slide 27
- PKZIP Stream Cipher 26 Step 4: Correct X-lists How to select correct X -list? We can compute X i 2431 in two ways: X i = X i 1 023 CRCtable[ X i 1 2431 p i ] X i 2431 = (Y i 1) C Y i 1 These two results must agree! Since testing 1 byte o Probability of random match about 1/2 8 We have about 2 38 putative X -lists, so About 5 such comparisons and were done!
- Slide 28
- PKZIP Stream Cipher 27 Step 4: Recover Keystream Once we have found correct X -list o We know corresponding Y -list, Z -list For some i n, we know state (X i,Y i,Z i ) From (X i,Y i
View more >