Stream Ciphers


Presentation Transcript


  1. Stream Ciphers
  • Block ciphers generate ciphertext: Ciphertext(Key, Message) = Message ⊕ Key
  • Key must be a random bit sequence as long as the message
  • Idea: replace “random” with “pseudo-random”
  • Encrypt with a pseudo-random number generator (PRNG)
  • PRNG takes a short, truly random secret seed (key) and expands it into a long “random-looking” sequence
  • E.g., 128-bit key into a 10^6-bit pseudo-random sequence
  • Ciphertext(Key, Message) = Message ⊕ PRNG(Key)
  • Message processed bit by bit, not in blocks
  Randomness amplification (remember HMAC?)

  2. Properties of Stream Ciphers
  • Usually very fast
  • Used where speed is important: WiFi, SSL, DVD
  • Unlike the one-time pad, stream ciphers do not provide perfect secrecy
  • Only as secure as the underlying PRNG
  • If used properly, can be as secure as block ciphers
  • PRNG must be unpredictable
  • Given the stream of PRNG output (but not the seed!), it’s hard to predict what the next bit will be
  • If PRNG(unknown seed) = b1…bi, then bi+1 is “0” with probability ½ and “1” with probability ½

  3. Weaknesses of Stream Ciphers
  • No integrity
  • Associativity & commutativity: (X ⊕ Y) ⊕ Z = (X ⊕ Z) ⊕ Y
  • (M1 ⊕ PRNG(key)) ⊕ M2 = (M1 ⊕ M2) ⊕ PRNG(key)
  • Known-plaintext attack is very dangerous if the keystream is ever repeated
  • Self-cancellation property of XOR: X ⊕ X = 0
  • (M1 ⊕ PRNG(key)) ⊕ (M2 ⊕ PRNG(key)) = M1 ⊕ M2
  • If the attacker knows M1, then M2 is easily recovered
  • Most plaintexts contain enough redundancy that knowledge of M1 or M2 is not even necessary to recover both from M1 ⊕ M2

  4. Stream Cipher Terminology
  • Seed of the pseudo-random generator often consists of an initialization vector (IV) and a key
  • IV is usually sent with the ciphertext
  • The key is a secret known only to the sender and the recipient, not sent with the ciphertext
  • The pseudo-random bit stream produced by PRNG(IV, key) is referred to as the keystream
  • Encrypt the message by XORing it with the keystream
  • ciphertext = message ⊕ keystream

  5. RC4
  • Designed by Ron Rivest for RSA in 1987
  • Simple, fast, widely used
  • SSL/TLS for Web security, WEP for wireless
  Keystream generation: byte array S[256] contains a permutation of the numbers 0 to 255
    i := j := 0
    loop
      i := (i+1) mod 256
      j := (j+S[i]) mod 256
      swap(S[i], S[j])
      output S[(S[i]+S[j]) mod 256]
    end loop

  6. RC4 Initialization
  • To use RC4, usually prepend an initialization vector (IV) to the key
  • IV can be random or a counter
  • IV is often sent in the clear with the ciphertext
  • RC4 is not random enough! The 1st byte of the generated sequence depends only on 3 cells of the state array S. This can be used to extract the key (Fluhrer-Mantin-Shamir attack).
  • To use RC4 securely, RSA suggests discarding the first 256 bytes
  Key scheduling: generate the initial permutation from key K (key can be any length up to 2048 bits)
    Divide key K into L bytes
    for i = 0 to 255 do S[i] := i
    j := 0
    for i = 0 to 255 do
      j := (j+S[i]+K[i mod L]) mod 256
      swap(S[i], S[j])
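RC4 as described on slides 5 and 6, together with the keystream-reuse weakness from slide 3, as an added Python example (not code from the original slides). The key, IV and messages are constructed demo values; RC4 has since been prohibited in TLS by RFC 7465.

```python
def rc4_ksa(key: bytes) -> list:
    """Key scheduling from slide 6: derive the initial permutation S from key K."""
    assert 1 <= len(key) <= 256  # any key length up to 2048 bits
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    return S

def rc4_keystream(key: bytes, n: int, drop: int = 0) -> bytes:
    """Generation loop from slide 5; `drop` discards the leading keystream bytes
    that slide 6 says to throw away (RSA's advice: the first 256)."""
    S = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for k in range(drop + n):
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        if k >= drop:
            out.append(S[(S[i] + S[j]) % 256])
    return bytes(out)

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def rc4_encrypt(key: bytes, iv: bytes, msg: bytes, drop: int = 256) -> bytes:
    """Slides 4 and 6: seed = IV || key, ciphertext = message XOR keystream.
    Decryption is the same call, because XOR is self-cancelling."""
    return xor_bytes(msg, rc4_keystream(iv + key, len(msg), drop))

def keystream_reuse_leak(key: bytes, iv: bytes, m1: bytes, m2: bytes) -> bytes:
    """Slide 3: two ciphertexts made under the same IV and key XOR to M1 XOR M2,
    and no key material is needed to compute that. Returns C1 XOR C2."""
    return xor_bytes(rc4_encrypt(key, iv, m1), rc4_encrypt(key, iv, m2))

# Constructed demo values (hypothetical key and IV, not from the slides):
# a 13-byte key with a 3-byte IV prepended, the layout used by 128-bit WEP.
KEY = bytes(range(1, 14))
IV = b"\xaa\xbb\xcc"
M1 = b"meeting moved to 09:00"
M2 = b"meeting moved to 17:30"
```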

  7. Modes of Operation
  • Block ciphers encrypt fixed-size blocks
  • E.g., DES encrypts 64-bit blocks with a 56-bit key
  • Need a way to use them in practice, since there is usually an arbitrary amount of information to encrypt
  • Four modes were defined for DES in the ANSI standard ANSI X3.106-1983 Modes of Use
  • Subsequently, five modes are now defined for DES and AES
  • There are block and stream modes

  8. Electronic Codebook (ECB)
  • Message is broken into independent blocks which are encrypted
  • Each block is a value which is substituted, like a codebook, hence the name
  • Each block is encoded independently of the other blocks: C_i = DES_K1(P_i)
  • Uses: secure transmission of single values

  9. Electronic Codebook (ECB) (figure)

  10. Advantages and Limitations of ECB
  • Repetitions in the message may show in the ciphertext
  • if aligned with the message block
  • particularly with data such as graphics
  • or with messages that change very little, which become a codebook analysis problem
  • Weakness is due to the encrypted message blocks being independent
  • Main use is sending a few blocks of data

  11. Cipher Block Modes of Operation
  • Cipher Block Chaining Mode (CBC)
  • The input to the encryption algorithm is the XOR of the current plaintext block and the preceding ciphertext block.
  • Repeating 64-bit patterns are not exposed

  12. Cipher Feedback (CFB)
  • Message is treated as a stream of bits
  • added to the output of the block cipher
  • result is fed back for the next stage (hence the name)
  • Standard allows any number of bits (1, 8, 64 or whatever) to be fed back
  • denoted CFB-1, CFB-8, CFB-64, etc.
  • It is most efficient to use all 64 bits (CFB-64): C_i = P_i XOR DES_K1(C_{i-1}), C_{-1} = IV
  • Uses: stream data encryption, authentication

  13. Cipher Feedback (CFB) (figure)

  14. Advantages and Limitations of CFB
  • Appropriate when data arrives in bits/bytes
  • Most common stream mode
  • Limitation is the need to stall while doing a block encryption after every n bits
  • Note that the block cipher is used in encryption mode at both ends
  • Errors propagate for several blocks after the error
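ECB, CBC and CFB-8 from slides 8, 11, 12 and 14, as an added Python example (not from the original slides), using an 8-round Feistel network built on SHA-256 as a stand-in for DES_K1 because the standard library has no real block cipher. Key, IV and plaintext are constructed values; the last function shows how far one corrupted ciphertext byte spreads under CFB-8.

```python
import hashlib

BLOCK = 8  # 64-bit blocks, as with DES on slide 7

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def toy_cipher(key: bytes, block: bytes) -> bytes:
    """Stand-in for DES_K1: a keyed 64-bit permutation (8-round Feistel network with
    SHA-256 round functions). Enough for the modes below; not a real block cipher."""
    L, R = block[:4], block[4:]
    for r in range(8):
        L, R = R, xor(L, hashlib.sha256(key + bytes([r]) + R).digest()[:4])
    return R + L

def ecb_encrypt(key: bytes, pt: bytes) -> bytes:
    """Slide 8: C_i = E_K(P_i); equal plaintext blocks give equal ciphertext blocks."""
    return b"".join(toy_cipher(key, pt[i:i + BLOCK]) for i in range(0, len(pt), BLOCK))

def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    """Slide 11: C_i = E_K(P_i XOR C_{i-1}) with C_{-1} = IV, so repeats are hidden."""
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = toy_cipher(key, xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cfb8(key: bytes, iv: bytes, data: bytes, decrypt: bool = False) -> bytes:
    """Slide 12: CFB-8. Each byte is XORed with the top byte of E_K(shift register) and
    the ciphertext byte is then shifted in; only E_K is used at both ends (slide 14)."""
    reg, out = iv, bytearray()
    for b in data:
        o = b ^ toy_cipher(key, reg)[0]
        out.append(o)
        reg = reg[1:] + bytes([b if decrypt else o])
    return bytes(out)

def cfb8_error_spread(key: bytes, iv: bytes, pt: bytes, pos: int) -> list:
    """Slide 14: flip one bit of ciphertext byte `pos`, decrypt, and list the plaintext
    positions that come out wrong: pos itself plus up to the next BLOCK bytes."""
    ct = bytearray(cfb8(key, iv, pt))
    ct[pos] ^= 0x01
    bad = cfb8(key, iv, bytes(ct), decrypt=True)
    return [i for i in range(len(pt)) if bad[i] != pt[i]]

# Constructed sample values (hypothetical key and IV, not from the slides).
KEY, IV = b"k1k1k1k1", b"\x00" * BLOCK
PT = b"SAMEBLCK" * 3 + b"DIFFERNT"  # three identical blocks, then one different
```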

  15. Location of Encryption Device
  • Link encryption:
  • A lot of encryption devices
  • High level of security
  • Decrypts each packet at every switch
  • End-to-end encryption:
  • The source encrypts and the receiver decrypts
  • Payload encrypted
  • Header in the clear
  • High security: both link and end-to-end encryption are needed (see Figure 2.9)

  16. Key Distribution
  • A key could be selected by A and physically delivered to B.
  • A third party could select the key and physically deliver it to A and B.
  • If A and B have previously used a key, one party could transmit the new key to the other, encrypted using the old key.
  • If A and B each have an encrypted connection to a third party C, C could deliver a key on the encrypted links to A and B.

  17. Key Distribution (See Figure 2.10)
  • Session key:
  • Data encrypted with a one-time session key. At the conclusion of the session the key is destroyed
  • Permanent key:
  • Used between entities for the purpose of distributing session keys
