stream cipher - school of computer sciencemdr/teaching/crypto15/crypto5.pdf · lfsr stream cipher...
TRANSCRIPT
Stream cipher
Block cipher as stream cipherLFSR stream cipherRC4General remarks
Stream Cipher
Suppose you want to encrypt a stream of data, such as:
the data from a keyboard
the data from a sensor
Block ciphers might be awkward/inefficient (consider eachkeystroke as a block??).
Lecturers: Mark D. Ryan and David Galindo. Cryptography 2015. Slide: 90
Stream cipher
Block cipher as stream cipherLFSR stream cipherRC4General remarks
Stream cipher
A stream cipher is a bit like a one-time pad: we generate a keythat’s as long as the data, but we generate it from a short seed.
The key stream is thus not random, but pseudorandom.Use seed (short random number) and produce keystream.
Key/Seed generatorPseudo-random Keystream
Plaintext
Ciphertext
Lecturers: Mark D. Ryan and David Galindo. Cryptography 2015. Slide: 91
Stream cipher
Block cipher as stream cipherLFSR stream cipherRC4General remarks
Example 1
A block cipher, using counter mode.
Lecturers: Mark D. Ryan and David Galindo. Cryptography 2015. Slide: 92
Stream cipher
Block cipher as stream cipherLFSR stream cipherRC4General remarks
Example 2: LFSR
Linear Feedback Shift Register: Building block for many modernstream ciphersCan be implemented very efficientlyKey idea: have register of single bit cells shifted by one at everyclock cycle together with feedback function
Source: Wikipedia
Lecturers: Mark D. Ryan and David Galindo. Cryptography 2015. Slide: 93
Stream cipher
Block cipher as stream cipherLFSR stream cipherRC4General remarks
Example:
Source: Wikipedia
Lecturers: Mark D. Ryan and David Galindo. Cryptography 2015. Slide: 94
Stream cipher
Block cipher as stream cipherLFSR stream cipherRC4General remarks
Reasoning about LFSRs
Interesting property: Length of keystream periodReasoning works as follows:
Have state vector s = [s1, . . . , sn] for shift register with n cells
Have a matrix M =
c1 c2 · · · cn−1 cn1 0 · · · 0 00 1 · · · 0 0...
. . .. . .
......
0 · · · 0 1 0
where ci is 1 if the i th cell in s is used for feedback and 0 ifnot.
Next state vector given by M · s.
Lecturers: Mark D. Ryan and David Galindo. Cryptography 2015. Slide: 95
Stream cipher
Block cipher as stream cipherLFSR stream cipherRC4General remarks
Combining LFSRs
LFSRs are insecure in practice (given a lot of output, the values cican computed fairly efficiently)Hence multiple LFSRs are combined in non-linear fashion
Source: Wikipedia
Lecturers: Mark D. Ryan and David Galindo. Cryptography 2015. Slide: 96
Stream cipher
Block cipher as stream cipherLFSR stream cipherRC4General remarks
CSS
CSS used to encrypt DVD for copy protectionFollowing steps are taken:
Check whether region code and code on DVD match
Use player keys to extract disk key from DVD
Use disk key to extract title key for track
Use title key to extract for each sector a sector key, which isused to decrypt the sector.
Lecturers: Mark D. Ryan and David Galindo. Cryptography 2015. Slide: 97
Stream cipher
Block cipher as stream cipherLFSR stream cipherRC4General remarks
Sector encryption is combination of two LFSR’s added modulo 256(observing carry bit from previous addition):
1||K2||K3||K4
seed
17 bit LFSR
25 bit LFSR
add modulo 2568 bit keystream
1||K0||K1
Lecturers: Mark D. Ryan and David Galindo. Cryptography 2015. Slide: 98
Stream cipher
Block cipher as stream cipherLFSR stream cipherRC4General remarks
Security of CSS
Can be broken in time 217:Idea: Because of structure of MP4, first 20 bytes of plaintext areknownHence also first 20 bytes of keystream are knownGiven output of 17 bit LFSR, can deduce output of 25 bit LFSR bysubtractionHence try all 217 possibilities for 17 bit LFSR and if generated 25bit LFSR produces observed keystream, cipher is cracked
Lecturers: Mark D. Ryan and David Galindo. Cryptography 2015. Slide: 99
Stream cipher
Block cipher as stream cipherLFSR stream cipherRC4General remarks
A5/1
Stream cipher used in GSM mobile phone communication
Became public knowledge through leaks and reverseengineering
Built from three LFSRs with irregular clock cycle
54 bit secret key and 22 bit initialisation vector
A register is shifted only if its clock bit is the same as majorityof the three clock bits
Lecturers: Mark D. Ryan and David Galindo. Cryptography 2015. Slide: 100
Stream cipher
Block cipher as stream cipherLFSR stream cipherRC4General remarks
Source: Wikipedia
Lecturers: Mark D. Ryan and David Galindo. Cryptography 2015. Slide: 101
Stream cipher
Block cipher as stream cipherLFSR stream cipherRC4General remarks
Security of A5/1
Better design: Clock shift make cryptanalysis much harderHowever, advanced techniques means mainstream PC withterabytes of flash memory (to store pre-processed tables) can breakA5/1 with probability ≥ 90% in a few seconds
Lecturers: Mark D. Ryan and David Galindo. Cryptography 2015. Slide: 102
Stream cipher
Block cipher as stream cipherLFSR stream cipherRC4General remarks
Example 3: RC4
Stream cipher invented 1987 by Ron RivestMain datastructure is array S of 256 bytes.
Consists of two phases:
Initalisation of S phase (“key schedule”)
Keystream generation phase
Lecturers: Mark D. Ryan and David Galindo. Cryptography 2015. Slide: 103
Stream cipher
Block cipher as stream cipherLFSR stream cipherRC4General remarks
Code for RC4
for i := 0 to 255 doS[i ] := i
endj := 0for i := 0 to 255 do
j := (j + S[i ] + K[i mod keylength]) mod 256swap(S[i ],S[j ])
endi := 0j := 0while GeneratingOutput:
i := (i + 1) mod 256j := (j + S[i ]) mod 256swap(S[i ],S[j ])output S[(S[i ] + S[j ]) mod 256]
end
Lecturers: Mark D. Ryan and David Galindo. Cryptography 2015. Slide: 104
Stream cipher
Block cipher as stream cipherLFSR stream cipherRC4General remarks
Graphical representation
Source: Wikipedia
Lecturers: Mark D. Ryan and David Galindo. Cryptography 2015. Slide: 105
Stream cipher
Block cipher as stream cipherLFSR stream cipherRC4General remarks
Properties of RC4
Extremely compact, and beautiful
Exhaustively studied
Two books, and hundreds of research papers
Pretty good!
But not good enough by modern standards:
Numerous “attacks” (biases in the stream, especially the firstfew bytes)Led to real attacks on WEP, and modes of TLS that use it
Lecturers: Mark D. Ryan and David Galindo. Cryptography 2015. Slide: 106
Stream cipher
Block cipher as stream cipherLFSR stream cipherRC4General remarks
WEP
Old standard for encryption on wireless networksbased on RC4, but seriously broken - don’t use
Source: Wikipedia
Lecturers: Mark D. Ryan and David Galindo. Cryptography 2015. Slide: 107
Stream cipher
Block cipher as stream cipherLFSR stream cipherRC4General remarks
Weaknesses in WEP
Initialisation vector only 24 bits, hence key streams repeatafter at most 224 frames
With certain initialisation vectors knowing m bytes of key andkeystream means you can deduce byte m + 1 of key
First bytes of key stream known because standard headers arealways sent
With this method, can crack the key in minutes on modern PChardware
Lecturers: Mark D. Ryan and David Galindo. Cryptography 2015. Slide: 108
Stream cipher
Block cipher as stream cipherLFSR stream cipherRC4General remarks
Keys for stream ciphers must not be reused.Formally, RC4 and LFSR as presented do not satisfy IND-CPAsecurity.Need carefully used initialisation vectors or nonces to obtainIND-CPA.
Lecturers: Mark D. Ryan and David Galindo. Cryptography 2015. Slide: 109