CHAPTER 2. KEYED NON-SURJECTIVE FUNCTIONS IN STREAM CIPHERS54 All bytes in odd positions of the shift register are XORed and used as an index into a f

Similar documents
Introduction to Modern Cryptography. Lecture 2. Symmetric Encryption: Stream & Block Ciphers

CHAPTER 6. SYMMETRIC CIPHERS C = E(K2, E(K1, P))

Symmetric Key Algorithms. Definition. A symmetric key algorithm is an encryption algorithm where the same key is used for encrypting and decrypting.

Stream ciphers. Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 91

Secret Key Algorithms (DES)

Secret Key Algorithms (DES) Foundations of Cryptography - Secret Key pp. 1 / 34

Data Encryption Standard (DES)

Differential-Linear Cryptanalysis of Serpent

CSC 474/574 Information Systems Security

EEC-484/584 Computer Networks

Cryptography and Network Security Block Ciphers + DES. Lectured by Nguyễn Đức Thái

CPSC 467: Cryptography and Computer Security

Stream Ciphers. Çetin Kaya Koç Winter / 13

SOLUTIONS FOR HOMEWORK # 1 ANSWERS TO QUESTIONS

Cyber Security Applied Cryptography. Dr Chris Willcocks

Attack on DES. Jing Li

Improved Truncated Differential Attacks on SAFER

Full Plaintext Recovery Attack on Broadcast RC4

CSC 474/574 Information Systems Security

On the Applicability of Distinguishing Attacks Against Stream Ciphers

Midterm Exam. CS381-Cryptography. October 30, 2014

Substitution Ciphers, continued. 3. Polyalphabetic: Use multiple maps from the plaintext alphabet to the ciphertext alphabet.

CRYPTOGRAPHIC ENGINEERING ASSIGNMENT II Theoretical: Design Weaknesses in MIFARE Classic

Stream Ciphers. Koç ( ucsb ccs 130h explore crypto fall / 13

Outline. Data Encryption Standard. Symmetric-Key Algorithms. Lecture 4

in a 4 4 matrix of bytes. Every round except for the last consists of 4 transformations: 1. ByteSubstitution - a single non-linear transformation is a

CSCI 454/554 Computer and Network Security. Topic 2. Introduction to Cryptography

An Efficient Stream Cipher Using Variable Sizes of Key-Streams

Secret Key Cryptography

CIS 4360 Introduction to Computer Security Fall WITH ANSWERS in bold. First Midterm

Classical Cryptography

Block Encryption and DES

Elastic Block Ciphers: Method, Security and Instantiations

Outline. Cryptography. Encryption/Decryption. Basic Concepts and Definitions. Cryptography vs. Steganography. Cryptography: the art of secret writing

Chapter 3 Block Ciphers and the Data Encryption Standard

Block Cipher Operation. CS 6313 Fall ASU

Double-DES, Triple-DES & Modes of Operation

Cryptography and Network Security. Sixth Edition by William Stallings

CPSC 467b: Cryptography and Computer Security

Elastic Block Ciphers: The Feistel Cipher Case

Enhancing Security of Improved RC4 Stream Cipher by Converting into Product Cipher

TWO GENERIC METHODS OF. Chinese Academy of Sciences

Hitag 2 Hell Brutally Optimizing Guess-and-Determine Attacks

Basic Concepts and Definitions. CSC/ECE 574 Computer and Network Security. Outline

Winter 2011 Josh Benaloh Brian LaMacchia

Introduction to Cryptology. Lecture 2

Dierential-Linear Cryptanalysis of Serpent? Haifa 32000, Israel. Haifa 32000, Israel

Some Aspects of Block Ciphers

Geldy : A New Modification of Block Cipher

Secret Key Cryptography

AES Advanced Encryption Standard

Don t Don t Trust Satellite Phones

Information Security CS526

Syrvey on block ciphers

L2. An Introduction to Classical Cryptosystems. Rocky K. C. Chang, 23 January 2015

Cryptography III: Symmetric Ciphers

Cryptanalysis of ORYX

Cryptography Functions

Once upon a time... A first-order chosen-plaintext DPA attack on the third round of DES

Dumb Crypto in Smart Grids

P2_L6 Symmetric Encryption Page 1

SAT Solvers in the Context of Cryptography

Introduction to Network Security Missouri S&T University CPE 5420 Data Encryption Standard

3 Symmetric Key Cryptography 3.1 Block Ciphers Symmetric key strength analysis Electronic Code Book Mode (ECB) Cipher Block Chaining Mode (CBC) Some

CPSC 467b: Cryptography and Computer Security

On the Design of Secure Block Ciphers

Cryptography. What is Cryptography?

L3. An Introduction to Block Ciphers. Rocky K. C. Chang, 29 January 2015

Stream Ciphers An Overview

ENGI 8868/9877 Computer and Communications Security III. BLOCK CIPHERS. Symmetric Key Cryptography. insecure channel

H must be collision (2n/2 function calls), 2nd-preimage (2n function calls) and preimage resistant (2n function calls)

Cryptographic Concepts

Cryptography and Network Security 2. Symmetric Ciphers. Lectured by Nguyễn Đức Thái

CS6701- CRYPTOGRAPHY AND NETWORK SECURITY UNIT 2 NOTES

Conventional Encryption: Modern Technologies

Using block ciphers 1

6 Block Ciphers. 6.1 Block Ciphers CA642: CRYPTOGRAPHY AND NUMBER THEORY 1

7. Symmetric encryption. symmetric cryptography 1

Differential Cryptanalysis

Elastic Block Ciphers: The Feistel Cipher Case

Stream Ciphers. Stream Ciphers 1

Network Security. Lecture# 6 Lecture Slides Prepared by: Syed Irfan Ullah N.W.F.P. Agricultural University Peshawar

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

2.3: FUNCTIONS. abs( x)

c Eli Biham - March 13, Cryptanalysis of Modes of Operation (4) c Eli Biham - March 13, Cryptanalysis of Modes of Operation (4)

Keccak discussion. Soham Sadhu. January 9, 2012

page 1 Introduction to Cryptography Benny Pinkas Lecture 3 November 18, 2008 Introduction to Cryptography, Benny Pinkas

CHAPTER 2 LITERATURE SURVEY

Cryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng

INTERNATIONAL JOURNAL OF PURE AND APPLIED RESEARCH IN ENGINEERING AND TECHNOLOGY

CPSC 467b: Cryptography and Computer Security

Trivium. 2 Specifications

New Kid on the Block Practical Construction of Block Ciphers. Table of contents

U-II BLOCK CIPHER ALGORITHMS

Primitive Specification for SOBER-128

9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers

Enhanced Cryptanalysis of Substitution Cipher Chaining mode (SCC-128)

Symmetric Encryption Algorithms

A Simple Power Analysis Attack Against the Key Schedule of the Camellia Block Cipher

Lecture 2: Secret Key Cryptography

Transcription:

CHAPTER 2. KEYED NON-SURJECTIVE FUNCTIONS IN STREAM CIPHERS53 is 512. Λ This demonstrates the contribution to the security of RC4 made by the simple swapping of S table entries in the memory update function. 2.2.3 A Stream Cipher Allegedly Used in WordPerfect 6 In 1999, John Kuslich ofcrak Software, a password recovery company in the USA, posted an article to the Internet newsgroup sci.crypt describing a stream cipher that is allegedly used in a very well known word processor" [27]. The author of the posting was asking for help in the cryptanalysis of the cipher. We asked for more specific details about the cipher and Kuslich wrote that the cipher is used in the latest versions of the WordPerfect word processing software (versions 6, 7 and 8) for PCs for encrypting document files with a password [29]. The encryption algorithm was reverse engineered from the WordPerfect software. Kuslich was kind enough to provide us with a reasonably clear description of the stream cipher, but did not provide certain implementation details that would be necessary to: (1) verify that the stream cipher described is the same as the one used in WordPerfect; and (2) write a password cracker for WordPerfect. The encryption algorithm used to protect documents in WordPerfect versions 4.2 and 5.0 was cryptanalysed in 1987 and 1991 [3, 2], and there are currently a number of web pages that describe how to break the encryption in WordPerfect 5, which was based on a repeating-key cipher and could be broken by adapting classical methods of breaking Vigenere ciphers. On the other hand, whilst commercial password recovery software for WordPerfect 6 exists, to date there has been no published description of the cipher it uses or its cryptanalysis. WordPerfect offers two levels of protection to the user: regular or enhanced. Kuslich says: I believe, but would have to verify, that the only difference between enhanced and regular WP encryption is the case sensitivity ofthepassword. In other words, it adds nothing to the strength of the cipher." [29] What follows is a description of the cipher, based on the description in [27], and our cryptanalysis of the cipher. The memory state of the cipher is a 32-byte shift register. In each cycle, the register is shifted by one byte (the keystream byte) and a new byte is loaded into the empty end of the shift register, which is computed as follows:

CHAPTER 2. KEYED NON-SURJECTIVE FUNCTIONS IN STREAM CIPHERS54 All bytes in odd positions of the shift register are XORed and used as an index into a fixed 256-byte table T O, and all bytes in even positions of the shift register are XORed and used as an index into a different fixed 256-byte table T E. Both T O and T E are non-surjective functions on Z 256. The two values obtained, from T O and T E, are XORed and used as the new byte in the empty end of the shift register. Letting a i denote the (i +1)-th byte (from the left) in the shift register, we have (a 0 0 ;:::;a0 30 ;a0 31) = (a 1 ;:::;a 31 ;T O (Φ 15 i=0 a 2i+1) Φ T E (Φ 15 i=0 a 2i)) (2.7) The byte a 0 is the keystream byte, which isxored with the plaintext byte to give the ciphertext byte. Kuslich gave some more information about the problem: [T]he password is entered from an standard initial state (always the same for all files) as unicode data one byte at a time as the SR is cycled." [28] The password is XORed into the empty end of the shift register at a certain point in the shift cycle in a particular way (the password characters are not just XORed in directly, they have to be in a particular format first), secondly, there is a "magic number" Xored in in a similar fashion." [28] This suggests that the cipher has a special clocking rule when it is initialised, in which a password or salt" byte is XORed to the feedback byte in each clock cycle. The salt is a sequence of pseudo-random bytes prepended to the password to ensure that two identical files encrypted with the same password result in different ciphertexts. Let R =(r 0 ;r 1 ;:::;r N 1 ;r N ;:::;r N +P 1 ) be a sequence of bytes, in which the first N bytes are the salt and the subsequent P bytes represent the Unicode-encoded password string. Then, in clock cycle t of the initialisation phase, the shift register is updated by (a 0 0 ;:::;a0 30 ;a0 31) = (a 1 ;:::;a 31 ;T O (Φ 15 i=0 a 2i+1) Φ T E (Φ 15 j=0 a 2j) Φ r t ) (2.8) The shift register is initialised to a constant value (which we call the setup constant) at clock cycle t = 0, then clocked N times with the salt added into the update rule, clocked a further P times with the Unicode-encoded password added into the update rule, and clocked 128 N P times with the standard update rule. initialisation phase clocks the shift register 128 times [27]. In total, the We assume that the attacker has access to the keystream produced by this cipher (e.g., determined from known plaintext), and that the tables T E and T O, the setup constant and the salt are known (in WordPerfect, the salt is stored within the passwordprotected document file). The problem is to recover the password (i.e., the bytes

CHAPTER 2. KEYED NON-SURJECTIVE FUNCTIONS IN STREAM CIPHERS55 R N ;:::;R N +P 1 ) used within the initialisation phase. The length of the Unicodeencoded password P will be even, since every character encoded in Unicode uses 16 bits (ASCII uses only 7 bits). When encoding text, eight bits are set to zero, so we can expect the values r N +2i+1, where 0» i<p=2, to have avalue of zero. We present a fast method to recover the password, provided that the length of the password P is less than or equal to 32 bytes (16 text characters). Our method is a divide-and-conquer attack. Let the shift register at clock cycle t be denoted by A t. The first part of the attack determines the values of the shift register after the salt is loaded (at clock cycle t = N) and also 32 steps after the password is loaded (at t = N + 32). 1. Initialise a 32-byte register A 0 with the setup constant. 2. Clock the register N times with the salt (r 0 ;:::;r N 1 ) to obtain the value of A N. We store this value in a 32-byte register X. 3. Determine the value of A 128 from known plaintext. Any 32 consecutive keystream bytes reveal the state of the shift register. Even if the known keystream bytes are not the first 32 bytes generated directly after the cipher initialisation phase (when t =128),the shift register can be clocked backwards (more on this later) to obtain a list of possible values for A 128. 4. Clock the register backwards 96 N times to get A N +32. There are no salt or password bytes loaded into the register during this part of the cipher initialisation phase, so it is relatively straightforward to do this. We end up with a list of possible values of A N +32. We store this list of values in an array of 32-byte registers Y. Step 4 will only give us the correct value of A N +32 if the password is less than 32 bytes, because we are assuming that there werenounknown bytes r t loaded into the register in the last 96 N clock cycles of the cipher initialisation phase. The second part of the attack is an iterative algorithm that recovers the sequence of 32 bytes (r t ;:::;r t+32 )loadedbetween two states A t and A t+32. In this instance, t = N, so that the sequence recovered will be the password (assuming that the password is less than 32 bytes in length). The bytes r N +1 ;r N +3 ;:::;r N +31 will be equal to zero, since we expect the password to be Unicode-encoded text. The idea behind the following algorithm is that we compare portions of the registers in the list Y with the register X, exploiting the fact that in each clock cycle precisely one byte changes in the state.

CHAPTER 2. KEYED NON-SURJECTIVE FUNCTIONS IN STREAM CIPHERS56 We use this to discard register states in Y that could not have followed from the state X, and thus aim to converge the list Y on the state X. In this process, we will try possible values of the password bytes r t in order to successfully find the correct predecessor state (which would follow from the state X) and thus determine the actual or equivalent password bytes. In each iteration, the following algorithm examines one pair of possible states (i.e., the states in two clock cycles): one representing the zero byte of the encoded password, which is used to discard possible states, and the other is the state caused by a non-zero password character (e.g., alphabetic or numeric), which we use to deduce the password character. 1. Let t = 32, the number of clock cycles separating X and Y. 3. Decrement t by one. 2. Clock backwards each register in the list Y to obtain the list of states corresponding to A N +t. Let this list of states replace the current list Y. 4. Compare the first 32 t bytes of each register in Y with the last 32 t bytes of the register X. Remove any registers from Y that do not match, since they would not follow from X. 5. Decrement t by one. 6. For each possible non-zero value of the byte r N +t (alternatively: for all possible alphabetic, numeric and other byte values that would be normally be used in a password): 6.1. Let Z be a copy the list of states Y. We use Z as a temporary working copy of Y. 6.2. Clock backwards each register (using our guess for r N +t )inthelist Z to obtain the list of states corresponding to A N +t. 6.3. Compare the first 32 t bytes of each register in Z with the last 32 t bytes of the register X. Remove any registers from Z that do not match, since they would not follow fromx. If no registers in the list Z remain, then our guess r N +t is not valid. If some states in Z do exist, then we note that r N +t is a possible candidate for the actual r N +t in the password sequence. 7. For each register in the list Y :

CHAPTER 2. KEYED NON-SURJECTIVE FUNCTIONS IN STREAM CIPHERS57 7.1. Shift each byte to the rightby one (losing the rightmost byte) and let the leftmost byte equal the byte in position t of X (considering the leftmost byte as being in position 0). This has the effect of clocking the register backwards by one, giving us a list of of registers corresponding to A N +t. 8. If t is non-zero then go to Step 3. Earlier we explained that it was necessary to clock the shift register backwards and that doing so will result in a number of possible predecessor states (depending on how skewed the distribution of the T E and T O tables are). The memory update function is that of a non-linear feedback shift register and is not bijective. Given a 32-byte value A t+1,wemay find that either (1) there will be at least one possible value of A t which can produce the state A t+1 by the update function; or (2) there are no valid possibilities for the predecessor state A t (i.e., the state A t+1 cannot occur by the update function). From equation 2.8, we have a 0 31 = T E (a 0 Φ a 2 Φ :::Φ a 30 ) Φ T O (a 1 Φ a 3 Φ :::Φ a 31 ) Φ r t Substituting a 0 i 1 for a i: a 0 31 = T E (a 0 Φ a 0 1 Φ :::Φ a 0 29) Φ T O (a 0 0 Φ a 0 2 Φ :::Φ a 0 30) Φ r t Rearranging to give an equation for a 0 : a 0 = T 1 E (r t Φ a 0 31 Φ T O (a 0 0 Φ a 0 2 Φ :::Φ a 0 30)) Φ a 0 1 Φ :::Φ a 0 29 This equation is the basis for the shift register inversion algorithm. The function T 1 E may be undefined for certain inputs and may have many possible outputs for other inputs. If the value of T 1 (x) is undefined for a given x, then the shift register value E that we are trying to invert could not have occurred (otherwise we would expect at least one value for T 1 (x)), and so we immediately drop this search. Otherwise, we E continue computing the value or values for a 0 and invert each possibility in turn. First we build a special set of T E inversion tables. 1. Let C denote an array with 256 entries. Each entry in the array is initialised to zero (i.e., C(x) =0forallx =0;:::;255). 2. We prepare six T E inverse" tables T E;i, for i = 0;:::;5. Each table maps one byte to one byte. 3. For each byte x =0;:::;255:

CHAPTER 2. KEYED NON-SURJECTIVE FUNCTIONS IN STREAM CIPHERS58 3.1. Let T E;C(TE (x)) = x. 3.2. Increment C(T E (x)). The counter array C keeps track of the depth" of each entry in the T E inverse" tables. Once these tables have been computed, the algorithm to invert the shift register can be executed. The algorithm takes a list of 32-byte states Y and a one byte value r t (set to zero for reversing the normal clocking rule of equation 2.7), and generates a list of predecessor states. 1. For each 32-byte state A =(a 0 ;a 1 ;:::;a 31 ) in the list of states Y : 1.1. Let x = T O (Φ 15 i=0 a 2i) Φ a 31 Φ r t. 1.2. If C(x) equals zero then this state has no predecessors, so return to Step 1. 1.3. For each i =0;:::;C(x) 1: 1.3.1 Let z 0 = T E;i (x) Φ L 14 j=0 a 2j+1. 1.3.2 Let z j = a j 1 for j =1;:::;31. 1.3.3 Note that the array Z =(z 0 ;:::;z 31 ) is a predecessor state of A. 2.3 Non-Surjective Functions in Keystream Generators As already explained, the keystream generator should be a surjective function from the memory state to a keystream unit. Given the output of this function, i.e., a keystream unit, it should be difficult to determine precisely which input generated the output. A non-surjective function may be trivially created from a surjective one simply by extending the codomain (without changing the function itself), and our theory does not apply to such a general definition. This chapter specifically concentrates on nonsurjective functions in which the domain and codomain are finite and of the same size. Equivalently, the function would be non-bijective. To show that a function of this type is non-surjective, it suffices to show that collisions exist, i.e., that the function has two distinct inputs which result in the same output. Because the domain and codomain are the same size, this implies that there is some element in the codomain that has no preimage. The stream ciphers which areweakened by non-surjective keystream generators also introduce some key element inside or subsequent to the non-surjective function, which

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback