Cryptography. Dr. Michael Schneider Chapter 10: Pseudorandom Bit Generators and Stream Ciphers

Transcription

1 Cryptography Dr. Michael Schneider Chapter 10: Pseudorandom Bit Generators and Stream Ciphers December 12, 2017 h_da WS2017/18 Dr. Michael Schneider 1

2 1 Random and Pseudorandom Bits 2 Stream ciphers December 12, 2017 h_da WS2017/18 Dr. Michael Schneider 2

3 1 Random and Pseudorandom Bits 2 Stream ciphers December 12, 2017 h_da WS2017/18 Dr. Michael Schneider 3

4 What are real random numbers? December 12, 2017 h_da WS2017/18 Dr. Michael Schneider 4

5 Cryptographic applications of (pseudo) random bits Key generation of symmetric block ciphers: Let l denote the key length in bits (e.g. l = 128 for AES) What is the attack complexity of a brute force attack, if every bit is truly random? if the key is derived from s truly random bits and then mapped to the whole key using a public mapping f (e.g. f = SHA-256)? Key generation of public / private key pairs Key streams for symmetric stream ciphers: ciphertext = plaintext XOR keystream We need a keystream which is as long as the plaintext December 12, 2017 h_da WS2017/18 Dr. Michael Schneider 5

6 Random bit generators Definition: Device or algorithm which outputs a sequence of statistically independent and unbiased binary digits Examples: coin tossing, radioactive decay, atmospheric radio noise, π Generation of random numbers in 2 steps: Generate enough bits Map the bit string to a number Examples: Find a random integer in the interval [0, n] Find a random real number in the interval [1, 3] December 12, 2017 h_da WS2017/18 Dr. Michael Schneider 6

7 Pseudo random bit generators (PRBG) Definition: A deterministic algorithm. Input (= seed) is a short truly random bit string of length k. Output is a bit string of length l k seeming to be random. Remarks: The pseudo random bit sequence of length l is not random: There are only 2 k different pseudo random sequences. BUT: There are 2 l different random sequences. The entropy of the output is fixed by the seed. An adversary SHALL not efficiently distinguish between truly random sequences and pseudo random sequences. December 12, 2017 h_da WS2017/18 Dr. Michael Schneider 7

8 The seed is crucial for security openssl-bug in Debian distribution: Seed was initialized with process ID On a Linux platform: default maximum process ID is 32, 768 Or e.g. s = 15 (processes usually start up in the same order) Every Debian generated RSA, AES,... key for use in TLS or SSH may be affected Time period: September 2006 May 2008 December 12, 2017 h_da WS2017/18 Dr. Michael Schneider 8

9 Elementary tests for PRBG Polynomial-time statistical test: No polynomial-time algorithm can distinguish between truly random bits and pseudo random bits with probability (accuracy) significantly greater than 50%. Next-bit test: There is no polynomial-time algorithm which knows the first k bits of a PRBG and can predict the k + 1 bit with probability (accuracy) significantly greater than 50%. Such a PRBG is called a Cryptographically Secure PRBG (CSPRBG) December 12, 2017 h_da WS2017/18 Dr. Michael Schneider 9

10 Or simply check visually Source: December 12, 2017 h_da WS2017/18 Dr. Michael Schneider 10

11 A general concept for computational secure PRBG The concept is based on a one-way function f : f may be a cryptographically strong hash function. f may be a symmetric encryption scheme using a secret key. Input is a seed s. Output is the sequence f (s), f (s + 1), f (s + 2),... Often only a few bits of f (s + i) are used to hide correlations, e.g. take the last byte only Examples: PRBG in TLS ( f makes use of an HMAC) PRBG of ANSI X9.17 ( f makes use of Triple-DES) December 12, 2017 h_da WS2017/18 Dr. Michael Schneider 11

12 Example of a PRBG from ANSI Source: Handbook of Applied Cryptography December 12, 2017 h_da WS2017/18 Dr. Michael Schneider 12

13 Example of a PRBG from ANSI Source: Handbook of Applied Cryptography Certificational weakness: ANSI X9.17 expects a collision after 2 63 outputs, while true randomness would yield a collision after 2 32 outputs Not a CSPRBG December 12, 2017 h_da WS2017/18 Dr. Michael Schneider 12

14 Example of a CSPRBG: BBS Source: Handbook of Applied Cryptography Lenore Blum, Manuel Blum, and Michael Shub - A Simple Unpredictable Pseudo-Random Number Generator - SIAM Journal on Computing, volume 15, pages , 1986 December 12, 2017 h_da WS2017/18 Dr. Michael Schneider 13

15 Further information on BBS Variations of BBS: Output r least significant bits in step 3.2: Take care to hide correlations. Only O(log(log(n))) bits shall be output in one step. Output the parity bit of x i. Properties of Blum-Blum-Shub PRBG: BBS is a CSPRBG under the assumption that factoring integers is intractable i.e. BBS is a provable secure PRBG. n has to be chosen as for RSA (i.e. bit length about 2048). A relatively slow PRBG due to modulo squaring. December 12, 2017 h_da WS2017/18 Dr. Michael Schneider 14

16 Basic idea of stream ciphers Recapitulation of Vernam s cipher: c = m XOR k k is a truly random bit string as long as the message m Unconditionally secure Idea of stream ciphers: Replace truly random key string in Vernam s cipher by a pseudo-random sequence. The only source of true randomness is the seed: The symmetric key is essentially the seed Expand it to a long key stream using a PRBG December 12, 2017 h_da WS2017/18 Dr. Michael Schneider 15

17 A Simple Stream Cipher Model December 12, 2017 h_da WS2017/18 Dr. Michael Schneider 16

18 A famous stream cipher: RC4 Officially Alleged RC4 for license reasons Invented by Ron Rivest (the R in RSA) RC = Ron s Cipher = Ron s Code = Rivest Cipher Remark: RC2, RC5, RC6 are symmetric block ciphers Key length: bits Simple and very fast in software December 12, 2017 h_da WS2017/18 Dr. Michael Schneider 17

19 RC4: State An array S of 256 bytes: Every byte 0, 1,..., 255 appears exactly once. Initially we have S[i] = i for all 0 i 255. Then S is permuted in some key dependent way: Key Scheduling Algorithm (KSA). Two pointers to elements of S: The pointer i is increased by 1 in each step. The pointer j is updated in some key and state dependent way. The pointers are used within the Pseudo Random Generation Algorithm (PRGA). December 12, 2017 h_da WS2017/18 Dr. Michael Schneider 18

20 RC4: Initial State Let K be a key-dependent array of 256 bytes: If the input key k is shorter then 256 bytes (= 2048 bits), concatenate k as often as necessary to get K. Generate the key-dependent array S as follows: for i=0 to 255 do S[i]=i; j = 0; for i=0 to 255 do { j = ( j + S[i] + K[i] ) % 256; swap( S[i], S[j] ); } December 12, 2017 h_da WS2017/18 Dr. Michael Schneider 19

21 RC4: State Update, Mapping, Encryption Initialisation: i=0; j=0; State Update: i = ( i + 1 ) % 256; j = ( j + S[i]) % 256; swap( S[i], S[j] ); Mapping (next byte of the key stream): keybyte = S[ ( S[i] + S[j] ) % 256]; Encryption (next byte of ciphertext): cipherbyte = clearbyte XOR keybyte December 12, 2017 h_da WS2017/18 Dr. Michael Schneider 20

22 RC4 Source: User:Stannered, original by User:Matt Crypto - December 12, 2017 h_da WS2017/18 Dr. Michael Schneider 21

23 RC4: Security After a long time of steadily improving attacks on RC4 2013: AlFardan, Bernstein, Paterson, Poettering, and Jacob Schuldt Decrypt RC4 in O(2 24 ) 2016: Vanhoef and Piessens Decrypt RC4 within 1-75 hrs RC4 must not be used anymore December 12, 2017 h_da WS2017/18 Dr. Michael Schneider 22