Stream Ciphers. Stream Ciphers 1

Similar documents
05 - WLAN Encryption and Data Integrity Protocols

Stream Ciphers - RC4. F. Sozzani, G. Bertoni, L. Breveglieri. Foundations of Cryptography - RC4 pp. 1 / 16

RC4. Invented by Ron Rivest. A stream cipher Generate keystream byte at a step

Stream ciphers. Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 91

3 Symmetric Key Cryptography 3.1 Block Ciphers Symmetric key strength analysis Electronic Code Book Mode (ECB) Cipher Block Chaining Mode (CBC) Some

PRNGs & DES. Luke Anderson. 16 th March University Of Sydney.

Stream Ciphers An Overview

Double-DES, Triple-DES & Modes of Operation

CIS 4360 Secure Computer Systems Symmetric Cryptography

Analysis of Security or Wired Equivalent Privacy Isn t. Nikita Borisov, Ian Goldberg, and David Wagner

How crypto fails in practice? CSS, WEP, MIFARE classic. *Slides borrowed from Vitaly Shmatikov

Analyzing Wireless Security in Columbia, Missouri

CSC 474/574 Information Systems Security

Summary on Crypto Primitives and Protocols

Security in IEEE Networks

Chapter 6 Contemporary Symmetric Ciphers

CS-435 spring semester Network Technology & Programming Laboratory. Stefanos Papadakis & Manolis Spanakis

Symmetric Encryption. Thierry Sans

CHAPTER 6. SYMMETRIC CIPHERS C = E(K2, E(K1, P))

Overview of Security

Introduction to Modern Cryptography. Lecture 2. Symmetric Encryption: Stream & Block Ciphers

Cryptographic Primitives A brief introduction. Ragesh Jaiswal CSE, IIT Delhi

Network Security Essentials Chapter 2

AN INTEGRATED BLOCK AND STREAM CIPHER APPROACH FOR KEY ENHANCEMENT

The Rectangle Attack

Content of this part

Cryptography CS 555. Topic 11: Encryption Modes and CCA Security. CS555 Spring 2012/Topic 11 1

David Wetherall, with some slides from Radia Perlman s security lectures.

CIS 6930/4930 Computer and Network Security. Topic 3.1 Secret Key Cryptography (Cont d)

Secret Key Cryptography

Winter 2011 Josh Benaloh Brian LaMacchia

CIS 6930/4930 Computer and Network Security. Topic 3.2 Secret Key Cryptography Modes of Operation

Wireless Security Security problems in Wireless Networks

Data Encryption Standard (DES)

Lecture 1 Applied Cryptography (Part 1)

Wireless Security. Comp Sci 3600 Security. Attacks WEP WPA/WPA2. Authentication Encryption Vulnerabilities

Block Cipher Operation. CS 6313 Fall ASU

Enhancing Security of Improved RC4 Stream Cipher by Converting into Product Cipher

Comp527 status items. Crypto Protocols, part 2 Crypto primitives. Bart Preneel July Install the smart card software. Today

Information Security CS526

Advanced Encryption Standard and Modes of Operation. Foundations of Cryptography - AES pp. 1 / 50

CSCI 454/554 Computer and Network Security. Topic 3.2 Secret Key Cryptography Modes of Operation

Block Cipher Modes of Operation

Information Security CS526

Introduction to Cryptography. Lecture 3

Princess Nora Bint Abdulrahman University College of computer and information sciences Networks department Networks Security (NET 536)

Chapter 6: Contemporary Symmetric Ciphers

2013 Summer Camp: Wireless LAN Security Exercises JMU Cyber Defense Boot Camp

CPSC 467b: Cryptography and Computer Security

page 1 Introduction to Cryptography Benny Pinkas Lecture 3 November 18, 2008 Introduction to Cryptography, Benny Pinkas

A Scheme for Key Management on Alternate Temporal Key Hash

The Final Nail in WEP s Coffin

COSC4377. Chapter 8 roadmap

Introduction to Cryptography. Lecture 3

Security. Communication security. System Security

CSE 3461/5461: Introduction to Computer Networking and Internet Technologies. Network Security. Presentation L

Solutions to exam in Cryptography December 17, 2013

Network Security Essentials

Wireless Security i. Lars Strand lars (at) unik no June 2004

CSE 127: Computer Security Cryptography. Kirill Levchenko

Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls

Chapter 8. Encipherment Using Modern Symmetric-Key Ciphers

Unit 8 Review. Secure your network! CS144, Stanford University

Understanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl

Cryptography and Network Security Chapter 7

CPS2323. Symmetric Ciphers: Stream Ciphers

Processing with Block Ciphers

Managing and Securing Computer Networks. Guy Leduc. Chapter 7: Securing LANs. Chapter goals: security in practice: Security in the data link layer

CSC/ECE 574 Computer and Network Security. Processing with Block Ciphers. Issues for Block Chaining Modes

All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS

An Efficient Stream Cipher Using Variable Sizes of Key-Streams

CPSC 467b: Cryptography and Computer Security

Lecture 9a: Secure Sockets Layer (SSL) March, 2004

Cryptography [Symmetric Encryption]

Encryption. INST 346, Section 0201 April 3, 2018

Using block ciphers 1

Cryptographic Concepts

Link Security A Tutorial

Cryptography III: Symmetric Ciphers

Fundamentals of Computer Security

CS 393/682 Network Security

Different attacks on the RC4 stream cipher

Security: Cryptography

More on Cryptography CS 136 Computer Security Peter Reiher January 19, 2017

L13. Reviews. Rocky K. C. Chang, April 10, 2015

Block Cipher Operation

Hardware Implementation of RC4 Stream Cipher using VLSI

Securing Your Wireless LAN

Computer Security. 08. Cryptography Part II. Paul Krzyzanowski. Rutgers University. Spring 2018

Security and Authentication for Wireless Networks

CE Advanced Network Security Wireless Security

Block Cipher Modes of Operation

Cryptography. Recall from last lecture. [Symmetric] Encryption. How Cryptography Helps. One-time pad. Idea: Computational security

Modes of Operation. Raj Jain. Washington University in St. Louis

ECE 646 Lecture 8. Modes of operation of block ciphers

ECE596C: Handout #7. Analysis of DES and the AES Standard. Electrical and Computer Engineering, University of Arizona, Loukas Lazos

BCA III Network security and Cryptography Examination-2016 Model Paper 1

Cryptography BITS F463 S.K. Sahay

n-bit Output Feedback

Introduction to Cryptography. Vasil Slavov William Jewell College

Transcription:

Stream Ciphers Stream Ciphers 1

Stream Ciphers Generate a pseudo-random key stream & xor to the plaintext. Key: The seed of the PRNG Traditional PRNGs (e.g. those used for simulations) are not secure. E.g., the linear congruential generator: X i = a X i-1 + b mod m for some fixed a, b, m. It passes the randomness tests, but it is predictible. Stream Ciphers 2

Linear Feedback Shift Registers Feedback shift register: x n x n-1....... x 1 output bits.... feedback fnc. ( register, feedback, shift ) LFSR: Feedback fnc. is linear over Z 2 (i.e., an xor): x n x n-1....... x 1.... Very compact & efficient in hardware. Stream Ciphers 3

Stream Ciphers from LFSRs LFSR 1 LFSR 2 f key stream....... LFSR k Desirable properties of f: high non-linearity long cycle period (~2 n1+n2+...+nk ) low correlation with the input bits Stream Ciphers 4

Example LFSR-Based Ciphers Geffe Generator: Three LFSRs LFSR 1 is used to choose between LFSR 2 &LFSR: 3 y = (x (1) x (2) ) ( x (1) x (3) ) Correlation problem: P(y = x (2) )=075 0.75 (or, P(y=x (3) )) Stop-and-Go Generators: One (or more) LFSR is used to clock the others E.g.: The alternating stop-and-go generator: Three LFSRs. If x (1) is 0, LFSR 2 is forwarded; otherwise LFSR 3. Output is x (2) x (3). Stream Ciphers 5

LFSR-Based Ciphers (cont d) The Shrinking Generator: Two LFSRs If x (1) is 1, output x (2). Else, discard both x (1) & x (2) ; A5 (the GSM standard): Three LFSRs; 64 bits in total. Designed secretly. Leaked in 1994. A5/2 is completely broken. (Barkan et al., 2003) E0 (Bluetooth s standard encryption) Four LFSRs; 128 bits in total. Stream Ciphers 6

GSM A5/1 The A5/1 stream cipher uses three LFSRs. A register is clocked if its clocking bit (orange) agrees with one or both of the clocking bits of the other two registers. (majority match) Stream Ciphers 7

Software-Oriented Stream Ciphers LFSRs slow in software Alternatives: ti Block ciphers (or hash functions) in CFB, OFB, CTR modes. Stream ciphers designed for software: RC4 Stream Ciphers 8

RC4 (Rivest, 1987) Simple, byte-oriented, fast in s/w. Popular: MS-Windows, Netscape, Apple, Oracle Secure SQL, WEP, etc. Algorithm: Works on n-bit words. (typically, n = 8) State of the cipher: A permutation of {0,1,...,N-1}, 1} where N = 2 n, stored at S[0,1,...,N-1]. Key schedule: Expands the key (40-256 bits) into the initial state table S. Stream Ciphers 9

RC4 (cont d) The encryption (i.e., the PRNG) algorithm: i 0 j 0 loop: { i i + 1 } j j + S[i] [] S[i] S[j] output S[S[i] [ + S[j]] Stream Ciphers 10

Comparison Speed comparisons: (from Crypto++ 5.1 benchmarks, on a 2.1 GHz P4): Algorithm Speed (MByte/s.) DES 22 AES 62 RC5-32/12 79 RC4 111 MD5 205 Stream Ciphers 11

RC4 & WEP WEP: Wired Eqv. Privacy (802.11 encryption prot.) RC4 encryption, with 40 104 bit keys. 24-bit IV is prepended to the key; RC4(IV k). IV is changed for each packet. Integrity protection: By encrypted CRC-32 checksum. (What are some obvious problems so far?) Key management not specified. (Typically, a key is shared among an AP and all its clients.) Design process: Not closed-door, not very public either. Stream Ciphers 12

Obvious problems: Attacks on WEP (Borisov, Goldberg, Wagner, 2000) 24-bit IV too shot; recycles easily. (And in most systems, implemented as a counter starting from 0.) CRC is linear; not secure against modifications. Even worse: Using CRC with a stream cipher. Passive decryption attacks: Statistical ti ti frequency analysis can discover the plaintexts t encrypted with the same IV. An insider can get the key stream for a packet he sent (i.e., by xoring plaintext and ciphertext); hence can decrypt anyone s packet encrypted with the same IV. Stream Ciphers 13

Attacks on WEP (cont d) Authentication: ti ti challenge-response with RC4 server sends 128-bit challenge client encrypts with RC4 and returns server decrypts and compares Problem: attacker sees both the challenge & the response; can easily obtain a valid key stream & use it to respond dto future challenges. Stream Ciphers 14

Attacks on WEP (cont d) An active attack: Since RC4 is a stream cipher, an attacker can modify the plaintext bits over the ciphertext and fix the CRC checksum accordingly. Parts of the plaintext is predictable (e.g., the upper-layer protocol headers). Attacker sniffs a packet and changes its IP address to his machine from the ciphertext. (If the attacker s machine is outside the firewall, the TCP port number could also be changed, to 80 for example, which most firewalls would not block.) Hence, the attacker obtains the decrypted text without breaking the encryption. Stream Ciphers 15

Attacks on WEP (cont d) A table-based based attack: An insider generates a packet for each IV. Extracts the key stream by xoring the ciphertext with the plaintext. Stores all the key streams in a table indexed by the IV. (Requires ~15GB in total.) Now he can decrypt any packet sent to that AP. Note: All these attacks are practical. Some assume a shared key, which is realistic. Stream Ciphers 16

Attacks on WEP (cont d) The final nail in the coffin: (Fluhrer, Mantin, Shamir, 2001) The way RC4 is used in WEP can be broken completely: When IV is known, it is possible to getkinrc4(iv k) k). WEP2 proposal: 128-bit key, 128-bit IV. This can be broken even faster! Stream Ciphers 17

WPA (inc. TKIP) Replacements for WEP encryption: RC4, but with a complex IV-key mixing integrity: cryptographic checksum (by lightweight Michael algorithm) replay protection: 48-bit seq.no.; also used as IV WPA2 (long-term replacement, 802.11i std.) encryption: AES-CTR mode integrity: AES-CBC-MAC Stream Ciphers 18

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback