slide 1
Stream Ciphers
Block ciphers generate ciphertext: Ciphertext(Key, Message) = Message ⊕ Key
• Key must be a random bit sequence as long as the message
Idea: replace "random" with "pseudo-random"
• Encrypt with a pseudo-random number generator (PRNG)
• PRNG takes a short, truly random secret seed (key) and expands it into a long "random-looking" sequence
  – E.g., a 128-bit key into a 10^6-bit pseudo-random sequence
Ciphertext(Key, Message) = Message ⊕ PRNG(Key)
• Message processed bit by bit, not in blocks
Randomness amplification (remember HMAC?)
slide 2
Properties of Stream Ciphers
Usually very fast
• Used where speed is important: WiFi, SSL, DVD
Unlike the one-time pad, stream ciphers do not provide perfect secrecy
• Only as secure as the underlying PRNG
• If used properly, can be as secure as block ciphers
PRNG must be unpredictable
• Given the stream of PRNG output (but not the seed!), it's hard to predict what the next bit will be
  – If PRNG(unknown seed) = b_1 … b_i, then b_{i+1} is "0" with probability ½ and "1" with probability ½
slide 3
Weaknesses of Stream Ciphers
No integrity
• Associativity & commutativity of XOR: (X ⊕ Y) ⊕ Z = (X ⊕ Z) ⊕ Y
• (M1 ⊕ PRNG(key)) ⊕ M2 = (M1 ⊕ M2) ⊕ PRNG(key)
Known-plaintext attack is very dangerous if the keystream is ever repeated
• Self-cancellation property of XOR: X ⊕ X = 0
• (M1 ⊕ PRNG(key)) ⊕ (M2 ⊕ PRNG(key)) = M1 ⊕ M2
• If the attacker knows M1, then M2 is easily recovered
  – Most plaintexts contain enough redundancy that knowledge of M1 or M2 is not even necessary to recover both from M1 ⊕ M2
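The two weaknesses on this slide, worked through in code. This is an added example, not part of the original slides: the keystream generator (SHA-256 in counter mode), the key and the two messages are all constructed for the demo, and `stream_crypt` is a hypothetical helper. The last call shows the standard mitigation the later slides describe, a distinct IV/nonce per message, so that the two keystreams no longer cancel.

```python
import hashlib


def toy_keystream(key: bytes, length: int) -> bytes:
    """Toy PRNG: SHA-256 in counter mode expands a short seed into a keystream.
    Constructed for illustration only; it is not a vetted stream cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def stream_crypt(key: bytes, data: bytes, nonce: bytes = b"") -> bytes:
    """ciphertext = message XOR keystream; the same call decrypts.
    The optional nonce plays the role of the IV: it is mixed into the PRNG seed."""
    return xor_bytes(data, toy_keystream(nonce + key, len(data)))


# --- Weakness 1: no integrity (XOR is associative and commutative) ---------------
def flip_bits_in_transit(key: bytes, message: bytes, mask: bytes) -> bytes:
    """XOR-ing a mask into the ciphertext XORs the same mask into the plaintext,
    with no knowledge of the key: (M ^ PRNG(k)) ^ mask = (M ^ mask) ^ PRNG(k).
    Returns what the recipient decrypts after the ciphertext was modified."""
    ciphertext = stream_crypt(key, message)
    return stream_crypt(key, xor_bytes(ciphertext, mask))


# --- Weakness 2: keystream reuse (X ^ X = 0) --------------------------------------
def two_time_pad(key: bytes, m1: bytes, m2: bytes, nonce1: bytes = b"", nonce2: bytes = b""):
    """Return (C1 ^ C2, M2 as recovered from a known M1).
    With the same keystream, C1 ^ C2 = M1 ^ M2, so a known M1 yields M2 directly.
    With distinct nonces the keystreams differ and the cancellation fails."""
    c1 = stream_crypt(key, m1, nonce1)
    c2 = stream_crypt(key, m2, nonce2)
    c1_xor_c2 = xor_bytes(c1, c2)
    return c1_xor_c2, xor_bytes(c1_xor_c2, m1)


KEY = b"short-random-seed"               # constructed sample key
M1 = b"meeting at 10:00 in room 4"       # constructed sample messages (equal length)
M2 = b"meeting at 12:30 in room 7"

if __name__ == "__main__":
    # Turn "10:00" into "20:00" by flipping bits in byte 11 of the ciphertext only.
    mask = bytes(11) + bytes([ord("1") ^ ord("2")]) + bytes(len(M1) - 12)
    print(flip_bits_in_transit(KEY, M1, mask))                     # b'meeting at 20:00 in room 4'

    _, recovered = two_time_pad(KEY, M1, M2)                       # same keystream twice
    print(recovered == M2)                                         # True

    _, recovered = two_time_pad(KEY, M1, M2, b"nonce-A", b"nonce-B")  # unique IV per message
    print(recovered == M2)                                         # False
```

The integrity failure is independent of how good the PRNG is, which is why stream ciphers are paired with a MAC in practice; the reuse failure is independent of the key length, which is why the IV (next slides) must never repeat under one key.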
slide 4
Stream Cipher Terminology
Seed of the pseudo-random generator often consists of an initialization vector (IV) and a key
• IV is usually sent with the ciphertext
• The key is a secret known only to the sender and the recipient, not sent with the ciphertext
The pseudo-random bit stream produced by PRNG(IV, key) is referred to as the keystream
Encrypt message by XORing with keystream
• ciphertext = message ⊕ keystream
slide 5
RC4
Designed by Ron Rivest for RSA in 1987
Simple, fast, widely used
• SSL/TLS for Web security, WEP for wireless
Byte array S[256] contains a permutation of the numbers from 0 to 255
Keystream generation (each iteration outputs one keystream byte):
  i = j := 0
  loop
    i := (i+1) mod 256
    j := (j+S[i]) mod 256
    swap(S[i], S[j])
    output S[(S[i]+S[j]) mod 256]
  end loop
slide 6
RC4 Initialization
Generate the initial permutation from key K (key can be any length up to 2048 bits):
  Divide key K into L bytes
  for i = 0 to 255 do S[i] := i
  j := 0
  for i = 0 to 255 do
    j := (j+S[i]+K[i mod L]) mod 256
    swap(S[i], S[j])
To use RC4, usually prepend an initialization vector (IV) to the key
• IV can be random or a counter
• IV is often sent in the clear with the ciphertext
RC4 is not random enough! The 1st byte of the generated sequence depends only on 3 cells of the state array S. This can be used to extract the key (Fluhrer-Mantin-Shamir attack).
• To use RC4 securely, RSA suggests discarding the first 256 bytes
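The key schedule (KSA) and keystream loop (PRGA) from slides 5 and 6 in runnable form, with the two usage conventions the slides mention: an IV prepended to the key, and the option of discarding the first 256 keystream bytes. This is an added example, not code from the slides or from RSA; `rc4_crypt`, the `iv` and `drop` parameters and the sample key/IV are constructed for the demo. It reproduces the published RC4 test vector ("Key"/"Plaintext" → BBF316E8D940AF0AD3), which is how a practitioner checks an implementation before trusting it.

```python
def rc4_ksa(key: bytes) -> list:
    """Key-scheduling algorithm: derive the initial permutation S from key K (L bytes)."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes (up to 2048 bits)")
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    return S


def rc4_keystream(key: bytes, length: int, drop: int = 0) -> bytes:
    """Pseudo-random generation algorithm: emit `length` keystream bytes.
    The first `drop` bytes are generated but discarded (the slide's advice is 256),
    because the earliest output depends on only a few cells of S."""
    S = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for n in range(drop + length):
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        if n >= drop:
            out.append(S[(S[i] + S[j]) % 256])
    return bytes(out)


def rc4_crypt(key: bytes, data: bytes, iv: bytes = b"", drop: int = 0) -> bytes:
    """Encrypt or decrypt (the same XOR operation). If an IV is given it is
    prepended to the key, as the slide describes; the IV itself is not secret."""
    keystream = rc4_keystream(iv + key, len(data), drop)
    return bytes(d ^ k for d, k in zip(data, keystream))


if __name__ == "__main__":
    # Published test vector: key "Key", plaintext "Plaintext".
    print(rc4_crypt(b"Key", b"Plaintext").hex().upper())          # BBF316E8D940AF0AD3

    # Constructed sample: per-message IV sent in the clear, first 256 bytes dropped.
    key, iv = b"long-term-secret", b"\x01\x02\x03"
    ct = rc4_crypt(key, b"hello, world", iv=iv, drop=256)
    print(rc4_crypt(key, ct, iv=iv, drop=256))                      # b'hello, world'
```

Note that dropping the leading keystream bytes addresses only the weakness this slide names; a short IV that is simply concatenated with the key (the WEP construction) still lets IVs repeat, which brings back the keystream-reuse problem of slide 3.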
slide 7
Modes of Operation
Block ciphers encrypt fixed-size blocks, e.g. DES encrypts 64-bit blocks with a 56-bit key
Need a way to use them in practice, since we usually have an arbitrary amount of information to encrypt
Four modes were defined for DES in the ANSI standard ANSI X3.106-1983 "Modes of Use"
Subsequently there are now 5 for DES and AES, covering both block and stream modes
slide 8
Electronic Codebook (ECB)
Message is broken into independent blocks which are encrypted
Each block is a value which is substituted, like a codebook, hence the name
Each block is encoded independently of the other blocks: C_i = DES_K1(P_i)
Uses: secure transmission of single values
slide 10
Advantages and Limitations of ECB
Repetitions in the message may show in the ciphertext
• if aligned with message blocks
• particularly with data such as graphics
• or with messages that change very little, which become a code-book analysis problem
Weakness is due to encrypted message blocks being independent
Main use is sending a few blocks of data
slide 11
Cipher Block Modes of Operation
Cipher Block Chaining Mode (CBC)
• The input to the encryption algorithm is the XOR of the current plaintext block and the preceding ciphertext block.
• Repeating patterns of 64 bits are not exposed
Encryption and the matching decryption step:
$C_i = E_K[C_{i-1} \oplus P_i]$
$D_K[C_i] = D_K[E_K(C_{i-1} \oplus P_i)]$
$D_K[C_i] = C_{i-1} \oplus P_i$
$C_{i-1} \oplus D_K[C_i] = C_{i-1} \oplus C_{i-1} \oplus P_i = P_i$
slide 12
Cipher FeedBack (CFB)
Message is treated as a stream of bits added to the output of the block cipher; the result is fed back for the next stage (hence the name)
Standard allows any number of bits (1, 8 or 64 or whatever) to be fed back
• denoted CFB-1, CFB-8, CFB-64 etc.
Most efficient to use all 64 bits (CFB-64): C_i = P_i XOR DES_K1(C_{i-1}), with C_{-1} = IV
Uses: stream data encryption, authentication
slide 14
Advantages and Limitations of CFB
Appropriate when data arrives in bits/bytes
Most common stream mode
Limitation is the need to stall while doing a block encryption after every n bits
Note that the block cipher is used in encryption mode at both ends
Errors propagate for several blocks after the error
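ECB, CBC and CFB-64 from slides 8, 11, 12 and 14 side by side, so that the three behaviours the slides assert can be observed: ECB exposes repeated plaintext blocks, CBC hides them, and CFB uses the block cipher in encryption mode at both ends while a corrupted ciphertext block damages the recovered plaintext for a limited number of blocks. This is an added example, not from the slides. In place of DES it uses a constructed 4-round Feistel toy cipher on 64-bit blocks (not secure, chosen only so the example runs without any library); the mode functions, the zero IV and the sample plaintext are likewise constructed, and the demo assumes whole blocks with no padding scheme.

```python
import hashlib

BLOCK = 8  # 64-bit blocks, like DES in the slides


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, rnd: int, half: bytes) -> bytes:
    # Round function of the toy Feistel cipher: keyed SHA-256 truncated to 32 bits.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Constructed stand-in for DES_K1: 4-round Feistel network (NOT secure)."""
    l, r = block[:4], block[4:]
    for rnd in range(4):
        l, r = r, _xor(l, _round(key, rnd, r))
    return l + r


def toy_block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[4:], block[:4]               # undo the final swap, then run rounds backwards
    for rnd in reversed(range(4)):
        l, r = r, _xor(l, _round(key, rnd, r))
    return r + l


def _blocks(data: bytes) -> list:
    assert len(data) % BLOCK == 0, "demo assumes whole blocks (no padding scheme here)"
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, pt: bytes) -> bytes:
    return b"".join(toy_block_encrypt(key, p) for p in _blocks(pt))   # C_i = E_K(P_i)


def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    prev, out = iv, []
    for p in _blocks(pt):
        prev = toy_block_encrypt(key, _xor(p, prev))   # C_i = E_K[C_{i-1} xor P_i]
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    prev, out = iv, []
    for c in _blocks(ct):
        out.append(_xor(toy_block_decrypt(key, c), prev))   # P_i = C_{i-1} xor D_K[C_i]
        prev = c
    return b"".join(out)


def cfb_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    prev, out = iv, []                                  # C_{-1} = IV
    for p in _blocks(pt):
        prev = _xor(p, toy_block_encrypt(key, prev))    # C_i = P_i xor E_K(C_{i-1})
        out.append(prev)
    return b"".join(out)


def cfb_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    prev, out = iv, []
    for c in _blocks(ct):
        out.append(_xor(c, toy_block_encrypt(key, prev)))   # encryption mode at both ends
        prev = c
    return b"".join(out)


def distinct_blocks(ct: bytes) -> int:
    """How many distinct ciphertext blocks a ciphertext contains."""
    return len(set(_blocks(ct)))


def cfb_damaged_blocks(key: bytes, iv: bytes, pt: bytes, block_index: int) -> list:
    """Flip one bit in ciphertext block `block_index`, decrypt, and report which
    plaintext blocks came out wrong (error propagation in CFB-64)."""
    ct = bytearray(cfb_encrypt(key, iv, pt))
    ct[block_index * BLOCK] ^= 0x01
    recovered = _blocks(cfb_decrypt(key, iv, bytes(ct)))
    return [i for i, (a, b) in enumerate(zip(_blocks(pt), recovered)) if a != b]


KEY = b"8bytekey"                                   # constructed sample key
IV = bytes(BLOCK)                                   # constructed zero IV, for the demo only
PT = b"HELLO!!!" * 3 + b"BYE BYE!"                   # constructed: 4 blocks, 3 of them identical

if __name__ == "__main__":
    print("ECB distinct blocks:", distinct_blocks(ecb_encrypt(KEY, PT)))       # 2: repeats visible
    print("CBC distinct blocks:", distinct_blocks(cbc_encrypt(KEY, IV, PT)))   # 4: repeats hidden
    print("CFB blocks damaged by one flipped bit in block 1:",
          cfb_damaged_blocks(KEY, IV, PT, 1))                                 # [1, 2]
```

In CFB-64 the corrupted block decrypts with the same single bit flipped (the keystream for it came from the previous, intact ciphertext block) and the following block is garbled because it is keyed off the corrupted one; from the block after that the mode resynchronises. With CFB-8 or CFB-1 the garbled stretch is correspondingly longer, which is the "several blocks" of the slide.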
slide 15
Location of Encryption Device
Link encryption:
• A lot of encryption devices
• High level of security
• Decrypts each packet at every switch
End-to-end encryption:
• The source encrypts and the receiver decrypts
• Payload encrypted
• Header in the clear
High security: both link and end-to-end encryption are needed (see Figure 2.9)
slide 17
Key Distribution
1. A key could be selected by A and physically delivered to B.
2. A third party could select the key and physically deliver it to A and B.
3. If A and B have previously used a key, one party could transmit the new key to the other, encrypted using the old key.
4. If A and B each have an encrypted connection to a third party C, C could deliver a key on the encrypted links to A and B.
slide 18
Key Distribution (See Figure 2.10)
Session key:
• Data encrypted with a one-time session key. At the conclusion of the session the key is destroyed
Permanent key:
• Used between entities for the purpose of distributing session keys