
Upload: charlotte-brown

Post on 12-Jan-2016


TRANSCRIPT

slide 1

Stream Ciphers

Block ciphers generate ciphertext: Ciphertext(Key,Message) = Message ⊕ Key

• Key must be a random bit sequence as long as message

Idea: replace “random” with “pseudo-random”
• Encrypt with pseudo-random number generator (PRNG)
• PRNG takes a short, truly random secret seed (key) and expands it into a long “random-looking” sequence
  – E.g., 128-bit key into a 10^6-bit pseudo-random sequence

Ciphertext(Key,Message) = Message ⊕ PRNG(Key)
• Message processed bit by bit, not in blocks

Randomness amplification (remember HMAC?)

slide 2

Properties of Stream Ciphers

Usually very fast
• Used where speed is important: WiFi, SSL, DVD

Unlike one-time pad, stream ciphers do not provide perfect secrecy
• Only as secure as the underlying PRNG
• If used properly, can be as secure as block ciphers

PRNG must be unpredictable
• Given the stream of PRNG output (but not the seed!), it’s hard to predict what the next bit will be
  – If PRNG(unknown seed) = b_1 … b_i, then b_{i+1} is “0” with probability ½, “1” with probability ½

slide 3

Weaknesses of Stream Ciphers

No integrity
• Associativity & commutativity: (X ⊕ Y) ⊕ Z = (X ⊕ Z) ⊕ Y
• (M1 ⊕ PRNG(key)) ⊕ M2 = (M1 ⊕ M2) ⊕ PRNG(key)

Known-plaintext attack is very dangerous if keystream is ever repeated
• Self-cancellation property of XOR: X ⊕ X = 0
• (M1 ⊕ PRNG(key)) ⊕ (M2 ⊕ PRNG(key)) = M1 ⊕ M2
• If attacker knows M1, then easily recovers M2
  – Most plaintexts contain enough redundancy that knowledge of M1 or M2 is not even necessary to recover both from M1 ⊕ M2
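The two XOR identities on this slide are easiest to believe when run. The following Python is an added example, not part of the lecture slides: it uses a hand-constructed 16-byte keystream in place of PRNG(key) and shows both consequences the slide lists, namely that a ciphertext can be edited into the encryption of a different message without the key (no integrity), and that two messages under the same keystream leak M1 ⊕ M2, from which a known M1 gives M2. The message strings and keystream bytes are constructed for the demo. The defensive lesson is the one the slides build toward: a stream cipher needs a MAC (or an AEAD mode) for integrity, and the keystream, hence the (IV, key) pair, must never repeat.

```python
"""Added example: XOR stream encryption has no integrity and fails on keystream reuse.
The keystream below is constructed by hand so the script is deterministic;
a real cipher would take it from PRNG(IV, key)."""


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings; this is both encrypt and decrypt."""
    if len(a) != len(b):
        raise ValueError("lengths differ")
    return bytes(x ^ y for x, y in zip(a, b))


# Constructed 16-byte keystream standing in for PRNG(key).
KEYSTREAM = bytes.fromhex("3a7f91c4e00b5d26a8f1479c0e6b2d55")


def encrypt(message: bytes, keystream: bytes) -> bytes:
    """ciphertext = message XOR keystream (slide 4), keystream truncated to fit."""
    return xor_bytes(message, keystream[: len(message)])


def no_integrity_demo() -> bytes:
    """(M1 XOR PRNG(key)) XOR M2 = (M1 XOR M2) XOR PRNG(key):
    whoever guesses M1 can turn C1 into a valid encryption of M2 without the key.
    Returns what the legitimate receiver decrypts from the edited ciphertext."""
    m1 = b"PAY 0100 TO BOB "          # constructed plaintext, 16 bytes
    c1 = encrypt(m1, KEYSTREAM)
    m2 = b"PAY 9999 TO BOB "          # the message the editor wants decrypted
    c_forged = xor_bytes(c1, xor_bytes(m1, m2))   # keystream never touched
    return encrypt(c_forged, KEYSTREAM)           # receiver's decryption


def two_time_pad_demo() -> tuple:
    """(M1 XOR K) XOR (M2 XOR K) = M1 XOR M2: reusing a keystream leaks the XOR of
    the plaintexts, and a known M1 then yields M2 directly.
    Returns (M1 XOR M2 as seen from ciphertexts alone, M2 recovered using M1)."""
    m1 = b"attack at dawn!!"          # constructed, 16 bytes
    m2 = b"retreat at noon!"          # constructed, 16 bytes
    c1, c2 = encrypt(m1, KEYSTREAM), encrypt(m2, KEYSTREAM)   # same keystream twice
    m1_xor_m2 = xor_bytes(c1, c2)     # keystream cancels: X XOR X = 0
    recovered_m2 = xor_bytes(m1_xor_m2, m1)
    return m1_xor_m2, recovered_m2


if __name__ == "__main__":
    print("receiver decrypts:", no_integrity_demo())
    leak, m2 = two_time_pad_demo()
    print("M1 XOR M2 leaked:", leak.hex(), "-> M2:", m2)
```

Both functions return values rather than only printing them so the behaviour can be checked; the second one also makes the slide's last remark concrete, since M1 ⊕ M2 of two English sentences is already a good starting point even without knowing either message.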

slide 4

Stream Cipher Terminology

Seed of pseudo-random generator often consists of initialization vector (IV) and key
• IV is usually sent with the ciphertext
• The key is a secret known only to the sender and the recipient, not sent with the ciphertext

The pseudo-random bit stream produced by PRNG(IV,key) is referred to as keystream

Encrypt message by XORing with keystream
• ciphertext = message ⊕ keystream

slide 5

RC4

Designed by Ron Rivest for RSA in 1987

Simple, fast, widely used
• SSL/TLS for Web security, WEP for wireless

Byte array S[256] contains a permutation of numbers from 0 to 255

  i := j := 0
  loop
    i := (i+1) mod 256
    j := (j+S[i]) mod 256
    swap(S[i],S[j])
    output S[(S[i]+S[j]) mod 256]
  end loop

slide 6

RC4 Initialization

Generate initial permutation from key K (key can be any length up to 2048 bits):

  Divide key K into L bytes
  for i = 0 to 255 do S[i] := i
  j := 0
  for i = 0 to 255 do
    j := (j+S[i]+K[i mod L]) mod 256
    swap(S[i],S[j])

To use RC4, usually prepend initialization vector (IV) to the key
• IV can be random or a counter
• IV is often sent in the clear with the ciphertext

RC4 is not random enough! 1st byte of generated sequence depends only on 3 cells of state array S. This can be used to extract the key (Fluhrer-Mantin-Shamir attack).
• To use RC4 securely, RSA suggests discarding first 256 bytes
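The key schedule on this slide and the output loop on the previous one translate directly into code. The following Python is an added example, not the slides' own code: it implements the RC4 key-scheduling algorithm and generator exactly as the two slides describe them, prepends an IV to the key the way the slide says is usual, and takes a `drop` parameter so the "discard the first 256 bytes" advice can be applied. The test vectors for keys "Key" and "Wiki" are the well-known public RC4 vectors; the key, IV and message in the usage call are constructed for the demo. RC4 is here for study of the slides only; the slide's own point is that it is not random enough, and it is no longer accepted in TLS.

```python
"""Added example: RC4 as described on slides 5 and 6 (KSA + output loop),
with IV-prefixed key and optional discarding of the first keystream bytes."""


def rc4_ksa(key: bytes) -> list:
    """Key-scheduling algorithm: build the initial permutation S from key K."""
    if not 1 <= len(key) <= 256:
        raise ValueError("key must be 1..256 bytes (up to 2048 bits)")
    S = list(range(256))                      # for i = 0 to 255 do S[i] := i
    j = 0
    for i in range(256):                      # K[i mod L] with L = len(key)
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]               # swap(S[i], S[j])
    return S


def rc4_keystream(key: bytes, n: int, drop: int = 0) -> bytes:
    """Run the output loop, discarding the first `drop` bytes (RSA's advice: 256)."""
    S = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for k in range(drop + n):
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        byte = S[(S[i] + S[j]) % 256]         # output byte of this iteration
        if k >= drop:
            out.append(byte)
    return bytes(out)


def rc4_crypt(key: bytes, data: bytes, iv: bytes = b"", drop: int = 0) -> bytes:
    """Encrypt or decrypt (same operation): data XOR keystream(IV || key).
    The IV is prepended to the key as the slide describes; it would be sent in clear."""
    ks = rc4_keystream(iv + key, len(data), drop)
    return bytes(d ^ k for d, k in zip(data, ks))


if __name__ == "__main__":
    # Public test vector: key "Key", plaintext "Plaintext" -> BBF316E8D940AF0AD3
    print(rc4_crypt(b"Key", b"Plaintext").hex())
    # Constructed key/IV/message with the first 256 keystream bytes discarded
    iv, key = b"\x01\x02\x03", b"constructed-demo-key"
    ct = rc4_crypt(key, b"some message", iv=iv, drop=256)
    print(ct.hex(), rc4_crypt(key, ct, iv=iv, drop=256))
```

Note how little separates the IV from the key in this construction: `iv + key` is just a longer RC4 key whose first bytes are public, which is the situation the Fluhrer-Mantin-Shamir result on the slide exploits and the reason the IV bytes alone are not a safe way to make keystreams differ.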

slide 7

Modes of Operation

block ciphers encrypt fixed-size blocks, e.g. DES encrypts 64-bit blocks with a 56-bit key

need a way to use them in practice, given we usually have an arbitrary amount of information to encrypt

four modes were defined for DES in ANSI standard ANSI X3.106-1983 Modes of Use

subsequently, there are now 5 for DES and AES

have block and stream modes

slide 8

Electronic Codebook (ECB)

message is broken into independent blocks which are encrypted

each block is a value which is substituted, like a codebook, hence the name

each block is encoded independently of the other blocks: C_i = DES_K1(P_i)

uses: secure transmission of single values

slide 9

Electronic Codebook (ECB)

slide 10

Advantages and Limitations of ECB

repetitions in message may show in ciphertext
• if aligned with message block
• particularly with data such as graphics
• or with messages that change very little, which become a code-book analysis problem

weakness due to encrypted message blocks being independent

main use is sending a few blocks of data

slide 11

Cipher Block Modes of Operation

Cipher Block Chaining Mode (CBC)
• The input to the encryption algorithm is the XOR of the current plaintext block and the preceding ciphertext block.
• Repeating patterns of 64 bits are not exposed

  C_i = E_K[C_{i-1} ⊕ P_i]
  D_K[C_i] = D_K[E_K(C_{i-1} ⊕ P_i)]
  D_K[C_i] = C_{i-1} ⊕ P_i
  C_{i-1} ⊕ D_K[C_i] = C_{i-1} ⊕ C_{i-1} ⊕ P_i = P_i

slide 12

Cipher FeedBack (CFB)

message is treated as a stream of bits added to the output of the block cipher

result is fed back for next stage (hence the name)

standard allows any number of bits (1, 8 or 64 or whatever) to be fed back
• denoted CFB-1, CFB-8, CFB-64 etc

is most efficient to use all 64 bits (CFB-64)

  C_i = P_i XOR DES_K1(C_{i-1})
  C_{-1} = IV

uses: stream data encryption, authentication

slide 13

Cipher FeedBack (CFB)

slide 14

Advantages and Limitations of CFB

appropriate when data arrives in bits/bytes

most common stream mode

limitation is need to stall while doing block encryption after every n bits

note that the block cipher is used in encryption mode at both ends

errors propagate for several blocks after the error
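Slides 8 to 14 describe ECB, CBC and CFB by their chaining equations; the following Python is an added example, not from the slides or any textbook, that implements all three on top of one block cipher so the stated properties can be observed: ECB exposes repeated plaintext blocks, CBC hides them, CFB runs the block cipher in encryption mode at both ends, and a ciphertext error in CFB damages more than the block it lands in. Because the standard library has no DES or AES, the block cipher is a toy 64-bit Feistel network with a SHA-256 round function, an assumption made only so the script runs offline; it is not a secure cipher. The mode code is generic and would work unchanged over a real 64-bit block cipher. The key, IV and plaintext in the usage call are constructed. The example uses CFB-64 (full-block feedback), so one flipped ciphertext bit corrupts that bit in its own block and garbles the following block entirely; with the smaller feedback sizes the slide mentions (CFB-8, CFB-1) the damage extends over the next 64/s segments, which is the "several blocks" the slide refers to.

```python
"""Added example: ECB, CBC and CFB-64 over a toy 64-bit Feistel block cipher
(SHA-256 round function, standard library only; NOT a secure cipher)."""
import hashlib

BLOCK = 8    # 64-bit blocks, as in DES
ROUNDS = 8


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _chunks(data: bytes) -> list:
    """Split into whole blocks; padding is not modelled here (assumption)."""
    if len(data) % BLOCK:
        raise ValueError("input must be a multiple of the block size")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    """Round function of the toy Feistel cipher: 32 bits of SHA-256(key, round, half)."""
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]


def block_encrypt(key: bytes, p: bytes) -> bytes:
    """Toy 64-bit block cipher standing in for DES_K1 / E_K on the slides."""
    l, r = p[:4], p[4:]
    for rnd in range(ROUNDS):
        l, r = r, _xor(l, _f(key, rnd, r))
    return r + l                      # final swap makes decryption the reversed network


def block_decrypt(key: bytes, c: bytes) -> bytes:
    l, r = c[:4], c[4:]
    for rnd in reversed(range(ROUNDS)):
        l, r = r, _xor(l, _f(key, rnd, r))
    return r + l


# ECB (slide 8): C_i = E_K(P_i), every block independent
def ecb_encrypt(key: bytes, pt: bytes) -> bytes:
    return b"".join(block_encrypt(key, p) for p in _chunks(pt))


def ecb_decrypt(key: bytes, ct: bytes) -> bytes:
    return b"".join(block_decrypt(key, c) for c in _chunks(ct))


# CBC (slide 11): C_i = E_K(C_{i-1} XOR P_i), C_{-1} = IV
def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    out, prev = [], iv
    for p in _chunks(pt):
        prev = block_encrypt(key, _xor(p, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for c in _chunks(ct):
        out.append(_xor(block_decrypt(key, c), prev))   # C_{i-1} XOR D_K[C_i] = P_i
        prev = c
    return b"".join(out)


# CFB-64 (slide 12): C_i = P_i XOR E_K(C_{i-1}); encrypt mode at both ends
def cfb_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    out, prev = [], iv
    for p in _chunks(pt):
        prev = _xor(p, block_encrypt(key, prev))
        out.append(prev)
    return b"".join(out)


def cfb_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for c in _chunks(ct):
        out.append(_xor(c, block_encrypt(key, prev)))   # still block_encrypt, not decrypt
        prev = c
    return b"".join(out)


def distinct_blocks(ct: bytes) -> int:
    """Number of different ciphertext blocks; ECB repetitions show up as a small count."""
    return len(set(_chunks(ct)))


def cfb_error_propagation(key: bytes, iv: bytes, pt: bytes, flip_index: int) -> list:
    """Flip one ciphertext bit, decrypt, and list the plaintext block indices that changed."""
    ct = bytearray(cfb_encrypt(key, iv, pt))
    ct[flip_index] ^= 0x01
    damaged = _chunks(cfb_decrypt(key, iv, bytes(ct)))
    return [i for i, (a, b) in enumerate(zip(damaged, _chunks(pt))) if a != b]


if __name__ == "__main__":
    key, iv = b"\x10\x32\x54\x76\x98\xba\xdc\xfe", b"\x00" * 8   # constructed
    pt = b"SAMEBLOK" * 4                                            # four identical blocks
    print("ECB distinct blocks:", distinct_blocks(ecb_encrypt(key, pt)))   # 1: repeats leak
    print("CBC distinct blocks:", distinct_blocks(cbc_encrypt(key, iv, pt)))
    print("CFB blocks hit by a 1-bit error in block 1:", cfb_error_propagation(key, iv, pt, 9))
```

The error-propagation helper is the practical check for the slide's last bullet: the flipped bit lands in block 1, and because the block cipher is a permutation, E_K of the altered C_1 differs from E_K of the original, so block 2 is garbled as well, while block 3 onward resynchronises.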

slide 15

Location of Encryption Device

Link encryption:
• A lot of encryption devices
• High level of security
• Decrypts each packet at every switch

End-to-end encryption:
• The source encrypts and the receiver decrypts
• Payload encrypted
• Header in the clear

High Security: Both link and end-to-end encryption are needed (see Figure 2.9)

slide 16

slide 17

Key Distribution

1. A key could be selected by A and physically delivered to B.

2. A third party could select the key and physically deliver it to A and B.

3. If A and B have previously used a key, one party could transmit the new key to the other, encrypted using the old key.

4. If A and B each have an encrypted connection to a third party C, C could deliver a key on the encrypted links to A and B.

slide 18

Key Distribution (See Figure 2.10)

Session key:
• Data encrypted with a one-time session key. At the conclusion of the session the key is destroyed

Permanent key:
• Used between entities for the purpose of distributing session keys

slide 19