Stream Ciphers
• One-time pad: Ciphertext(Key,Message) = Message ⊕ Key
  • Key must be a truly random bit sequence as long as the message
• Idea: replace "random" with "pseudo-random"
  • Encrypt with a pseudo-random number generator (PRNG)
  • PRNG takes a short, truly random secret seed (key) and expands it into a long "random-looking" sequence
  • E.g., 128-bit key into a 10^6-bit pseudo-random sequence
• Ciphertext(Key,Message) = Message ⊕ PRNG(Key)
  • Message processed bit by bit, not in blocks
• Randomness amplification (remember HMAC?)
Properties of Stream Ciphers
• Usually very fast
  • Used where speed is important: WiFi, SSL, DVD
• Unlike the one-time pad, stream ciphers do not provide perfect secrecy
  • Only as secure as the underlying PRNG
  • If used properly, can be as secure as block ciphers
• PRNG must be unpredictable
  • Given the stream of PRNG output (but not the seed!), it is hard to predict what the next bit will be
  • If PRNG(unknown seed) = b1…bi, then bi+1 is "0" with probability ½ and "1" with probability ½
Weaknesses of Stream Ciphers
• No integrity
  • Associativity and commutativity: (X ⊕ Y) ⊕ Z = (X ⊕ Z) ⊕ Y
  • (M1 ⊕ PRNG(key)) ⊕ M2 = (M1 ⊕ M2) ⊕ PRNG(key)
  • An attacker who knows (or guesses) part of M1 can flip ciphertext bits and change what the recipient decrypts, without knowing the key
• Known-plaintext attack is very dangerous if the keystream is ever repeated
  • Self-cancellation property of XOR: X ⊕ X = 0
  • (M1 ⊕ PRNG(key)) ⊕ (M2 ⊕ PRNG(key)) = M1 ⊕ M2
  • If the attacker knows M1, M2 is easily recovered
  • Most plaintexts contain enough redundancy that knowledge of M1 or M2 is not even necessary to recover both from M1 ⊕ M2
Stream Cipher Terminology
• Seed of the pseudo-random generator often consists of an initialization vector (IV) and the key
  • IV is usually sent with the ciphertext
  • The key is a secret known only to the sender and the recipient; it is not sent with the ciphertext
• The pseudo-random bit stream produced by PRNG(IV, key) is referred to as the keystream
• Encrypt the message by XORing it with the keystream
  • ciphertext = message ⊕ keystream
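The construction on the last four slides, written out as an added example (this is not code from the original slides): a keystream is expanded from (IV, key), the IV is prepended to the ciphertext in the clear, and the two weaknesses follow directly from XOR algebra. The PRNG is an assumption of this example: HMAC-SHA256 run in counter mode over the IV, picked because it is easy to audit, not because the slides prescribe it. The function names (`keystream`, `tamper`, `recover_with_reused_keystream`) are hypothetical.

```python
import hashlib
import hmac
import secrets
from typing import Optional

IV_LEN = 16


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Expand the seed (IV, key) into `length` pseudo-random bytes.

    Assumed PRNG for this example: HMAC-SHA256 in counter mode (seed = key, IV).
    Any unpredictable PRNG fits the slide's construction equally well.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, iv + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, message: bytes, iv: Optional[bytes] = None) -> bytes:
    """ciphertext = message XOR keystream; the IV travels in the clear in front of it."""
    if iv is None:
        iv = secrets.token_bytes(IV_LEN)  # fresh per message, otherwise the keystream repeats
    return iv + xor(message, keystream(key, iv, len(message)))


def decrypt(key: bytes, blob: bytes) -> bytes:
    iv, ciphertext = blob[:IV_LEN], blob[IV_LEN:]
    return xor(ciphertext, keystream(key, iv, len(ciphertext)))


def tamper(blob: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """No integrity: (M XOR KS) XOR (old XOR new) decrypts to M with `old` replaced by `new`.

    Needs no key because XOR is associative and commutative; `offset` counts from the
    start of the message, and the attacker only has to guess which plaintext sits there.
    """
    start = IV_LEN + offset
    patched = xor(blob[start:start + len(old)], xor(old, new))
    return blob[:start] + patched + blob[start + len(old):]


def recover_with_reused_keystream(blob1: bytes, blob2: bytes, known_m1: bytes) -> bytes:
    """Two messages under the same (key, IV): C1 XOR C2 = M1 XOR M2, so knowing M1 yields M2."""
    if blob1[:IV_LEN] != blob2[:IV_LEN]:
        raise ValueError("different IVs: keystreams differ, this attack does not apply")
    c1, c2 = blob1[IV_LEN:], blob2[IV_LEN:]
    return xor(xor(c1, c2), known_m1)


if __name__ == "__main__":
    # Constructed sample messages; a zero IV is reused deliberately to show the weakness.
    key, iv = secrets.token_bytes(32), bytes(IV_LEN)
    c1 = encrypt(key, b"PAY 0100 DOLLARS", iv)
    c2 = encrypt(key, b"PAY 9999 DOLLARS", iv)
    print(decrypt(key, tamper(c1, 4, b"0100", b"9999")))
    print(recover_with_reused_keystream(c1, c2, b"PAY 0100 DOLLARS"))
```

Both attacks work on any XOR stream cipher, RC4 included; the fix for the first is a MAC over the ciphertext, and the fix for the second is never reusing an (IV, key) pair.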
RC4
• Designed by Ron Rivest for RSA Data Security in 1987
• Simple, fast, widely used
  • SSL/TLS for Web security, WEP for wireless
• Byte array S[256] contains a permutation of the numbers 0 to 255
• Keystream generation:
    i := 0; j := 0
    loop
      i := (i + 1) mod 256
      j := (j + S[i]) mod 256
      swap(S[i], S[j])
      output S[(S[i] + S[j]) mod 256]
    end loop
RC4 Initialization
• Key K can be any length up to 2048 bits; divide it into L bytes
• Generate the initial permutation S from key K (key scheduling):
    for i = 0 to 255 do
      S[i] := i
    j := 0
    for i = 0 to 255 do
      j := (j + S[i] + K[i mod L]) mod 256
      swap(S[i], S[j])
• To use RC4, usually prepend an initialization vector (IV) to the key
  • IV can be random or a counter
  • IV is often sent in the clear with the ciphertext
• RC4 is not random enough! The 1st byte of the generated sequence depends on only 3 cells of the state array S. With known IVs this can be used to extract the key (Fluhrer-Mantin-Shamir attack)
  • To use RC4 securely, RSA suggests discarding the first 256 bytes of keystream
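The two RC4 routines above in runnable form, as an added example (not code from the slides): key scheduling, the keystream loop with the optional drop of the first bytes, WEP-style IV-prepended seeding, and a check of the claim that the first output byte is fixed by just three cells of S after key scheduling. The function names are hypothetical; the checks below use the public RC4 test vectors (key "Key"/"Wiki"/"Secret"). RC4 itself is shown for study only: it has since been prohibited in TLS (RFC 7465) and should not be used in new designs.

```python
def rc4_ksa(key: bytes) -> list:
    """Key scheduling: turn key K (1..256 bytes, i.e. up to 2048 bits) into a permutation S."""
    L = len(key)
    if not 1 <= L <= 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % L]) % 256
        S[i], S[j] = S[j], S[i]
    return S


def rc4_keystream(key: bytes, n: int, drop: int = 0) -> bytes:
    """The slide's generation loop, optionally discarding the first `drop` bytes (RC4-drop)."""
    S = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for k in range(drop + n):
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        byte = S[(S[i] + S[j]) % 256]
        if k >= drop:
            out.append(byte)
    return bytes(out)


def rc4_crypt(key: bytes, data: bytes, drop: int = 0) -> bytes:
    """Encrypt or decrypt (same operation): data XOR keystream."""
    return bytes(a ^ b for a, b in zip(data, rc4_keystream(key, len(data), drop)))


def wep_style_crypt(iv: bytes, key: bytes, data: bytes) -> bytes:
    """WEP-style seeding: the per-packet IV is simply prepended to the secret key."""
    return rc4_crypt(iv + key, data)


def first_byte_from_three_cells(S: list) -> int:
    """First PRGA output computed from only S[1], S[S[1]] and S[S[1] + S[S[1]]].

    Replays the first generation step (i = 1, j = S[1], one swap) using just those
    cells, which is the observation the Fluhrer-Mantin-Shamir attack builds on.
    """
    a = S[1]           # j after the first step
    b = S[a]           # value that the swap moves into S[1]
    x = (a + b) % 256  # output index S[i] + S[j]
    if x == 1:         # output cell was overwritten by the swap
        return b
    if x == a:
        return a
    return S[x]


if __name__ == "__main__":
    print(rc4_crypt(b"Key", b"Plaintext").hex())        # bbf316e8d940af0ad3
    print(first_byte_from_three_cells(rc4_ksa(b"Key")) == rc4_keystream(b"Key", 1)[0])
```

Note that `first_byte_from_three_cells` never looks at more than three entries of S, yet always agrees with the full generator; that is exactly the leak the slide warns about, and why discarding early output (or, better, not using RC4) is needed.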
Modes of Operation
• Block ciphers encrypt fixed-size blocks
  • e.g., DES encrypts 64-bit blocks with a 56-bit key
• Need a way to use them in practice, given that there is usually an arbitrary amount of information to encrypt
• Four modes were defined for DES in ANSI standard X3.106-1983 Modes of Use
• Subsequently, five modes were defined for DES and AES (ECB, CBC, CFB, OFB, CTR)
• Have block and stream modes
Electronic Codebook (ECB)
• Message is broken into independent blocks which are encrypted
• Each block is a value which is substituted, like a codebook, hence the name
• Each block is encoded independently of the other blocks
  • Ci = DES_K1(Pi)
• Uses: secure transmission of single values
Advantages and Limitations of ECB
• Repetitions in the message may show in the ciphertext
  • If aligned with the message block
  • Particularly with data such as graphics
  • Or with messages that change very little, which become a code-book analysis problem
• Weakness is due to encrypted message blocks being independent
• Main use is sending a few blocks of data
Cipher Block Modes of Operation
• Cipher Block Chaining Mode (CBC)
  • The input to the encryption algorithm is the XOR of the current plaintext block and the preceding ciphertext block
  • Ci = DES_K1(Pi ⊕ Ci-1), C-1 = IV
  • Repeating 64-bit patterns in the plaintext are not exposed
Cipher Feedback (CFB)
• Message is treated as a stream of bits
• Each unit is XORed with the output of the block cipher
• The result is fed back for the next stage (hence the name)
• Standard allows any number of bits (1, 8, 64, ...) to be fed back
  • Denoted CFB-1, CFB-8, CFB-64, etc.
  • Most efficient to use all 64 bits (CFB-64)
  • Ci = Pi ⊕ DES_K1(Ci-1), C-1 = IV
• Uses: stream data encryption, authentication
Advantages and Limitations of CFB
• Appropriate when data arrives in bits/bytes
• Most common stream mode
• Limitation is the need to stall for a block encryption after every n bits
• Note that the block cipher is used in encryption mode at both ends (the decryption function is never invoked)
• Errors propagate: a bit error in one ciphertext unit garbles the corresponding plaintext bit and the following 64/n units (the next whole block for CFB-64), after which the mode resynchronizes
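ECB, CBC and CFB from the last five slides, written over a pluggable 64-bit block cipher, as an added example (not code from the slides). The block cipher is an assumption of this example: an 8-round Feistel network with a SHA-256 round function, a toy stand-in for DES_K1 that keeps the code dependency-free; it is not DES and not for production use. The helper names (`block_encrypt`, `cfb_encrypt`, `corrupted_units`) are hypothetical. The example goes slightly beyond the slides in that CFB is parameterized by the feedback width, so CFB-8 and CFB-64 share one routine.

```python
import hashlib

BLOCK = 8    # 64-bit blocks, the DES block size the slides use
ROUNDS = 8


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, r: int, half: bytes) -> bytes:
    """Toy 32-bit Feistel round function (assumption of this example, NOT DES)."""
    return hashlib.sha256(key + bytes([r]) + half).digest()[:4]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for DES_K1: Feistel network on one 64-bit block (a bijection, like any Feistel)."""
    assert len(block) == BLOCK
    left, right = block[:4], block[4:]
    for r in range(ROUNDS):
        left, right = right, xor(left, _f(key, r, right))
    return right + left


def block_decrypt(key: bytes, block: bytes) -> bytes:
    assert len(block) == BLOCK
    right, left = block[:4], block[4:]           # undo the final swap, run rounds backwards
    for r in reversed(range(ROUNDS)):
        left, right = xor(right, _f(key, r, left)), left
    return left + right


def blocks(data: bytes, size: int) -> list:
    return [data[i:i + size] for i in range(0, len(data), size)]


def ecb_encrypt(key: bytes, pt: bytes) -> bytes:
    """Ci = E_K(Pi): blocks are independent, so equal plaintext blocks give equal ciphertext blocks."""
    return b"".join(block_encrypt(key, p) for p in blocks(pt, BLOCK))


def ecb_decrypt(key: bytes, ct: bytes) -> bytes:
    return b"".join(block_decrypt(key, c) for c in blocks(ct, BLOCK))


def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    """Ci = E_K(Pi XOR Ci-1), C-1 = IV: chaining hides repeated plaintext blocks."""
    out, prev = [], iv
    for p in blocks(pt, BLOCK):
        prev = block_encrypt(key, xor(p, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for c in blocks(ct, BLOCK):
        out.append(xor(block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)


def cfb_encrypt(key: bytes, iv: bytes, pt: bytes, s: int = BLOCK) -> bytes:
    """CFB with s-byte units: Ci = Pi XOR E_K(register), register refilled with ciphertext.

    s = 8 is CFB-64 (one block encryption per 8 bytes), s = 1 is CFB-8 (one per byte).
    """
    out, reg = [], iv
    for p in blocks(pt, s):
        c = xor(p, block_encrypt(key, reg)[:s])
        out.append(c)
        reg = (reg + c)[-BLOCK:]   # shift out the oldest s bytes, shift in the ciphertext unit
    return b"".join(out)


def cfb_decrypt(key: bytes, iv: bytes, ct: bytes, s: int = BLOCK) -> bytes:
    """Decryption also calls E_K (never D_K); a damaged unit stays in the register for BLOCK/s steps."""
    out, reg = [], iv
    for c in blocks(ct, s):
        out.append(xor(c, block_encrypt(key, reg)[:s]))
        reg = (reg + c)[-BLOCK:]
    return b"".join(out)


def corrupted_units(key: bytes, iv: bytes, pt: bytes, s: int, flip_at: int) -> list:
    """Indices of s-byte plaintext units damaged when ciphertext byte `flip_at` has one bit flipped."""
    ct = bytearray(cfb_encrypt(key, iv, pt, s))
    ct[flip_at] ^= 0x01
    dec = cfb_decrypt(key, iv, bytes(ct), s)
    return [k for k, (a, b) in enumerate(zip(blocks(pt, s), blocks(dec, s))) if a != b]


if __name__ == "__main__":
    key, iv, pt = b"toy-key!", bytes(BLOCK), b"ATTACK!!" * 4   # constructed sample input
    print(blocks(ecb_encrypt(key, pt), BLOCK))     # four identical ciphertext blocks
    print(blocks(cbc_encrypt(key, iv, pt), BLOCK)) # four different ones
    print(corrupted_units(key, iv, pt, 8, 0))      # [0, 1]: this block and the next
```

With CFB-64 a flipped ciphertext byte damages its own block (one byte) and all of the next block, then the register is clean again; with CFB-8 the damaged byte lingers for eight steps, so up to the next eight bytes can be affected.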
Location of Encryption Device
• Link encryption:
  • Many encryption devices (one per link)
  • High level of security on each link
  • Decrypts each packet at every switch, so data is exposed in the clear inside the switches
• End-to-end encryption:
  • The source encrypts and the receiver decrypts
  • Payload encrypted
  • Header in the clear
• High security: both link and end-to-end encryption are needed (see Figure 2.9)
Key Distribution
• A key could be selected by A and physically delivered to B
• A third party could select the key and physically deliver it to A and B
• If A and B have previously used a key, one party could transmit the new key to the other, encrypted using the old key
• If A and B each have an encrypted connection to a third party C, C could deliver a key on the encrypted links to A and B
Key Distribution (see Figure 2.10)
• Session key:
  • Data is encrypted with a one-time session key; at the conclusion of the session the key is destroyed
• Permanent key:
  • Used between entities for the purpose of distributing session keys