RC4. Invented by Ron Rivest. A stream cipher Generate keystream byte at a step

Similar documents
Stream Ciphers. Stream Ciphers 1

05 - WLAN Encryption and Data Integrity Protocols

Stream ciphers. Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 91

Stream Ciphers - RC4. F. Sozzani, G. Bertoni, L. Breveglieri. Foundations of Cryptography - RC4 pp. 1 / 16

Information Security CS526

Double-DES, Triple-DES & Modes of Operation

Chapter 6 Contemporary Symmetric Ciphers

Analysis of Security or Wired Equivalent Privacy Isn t. Nikita Borisov, Ian Goldberg, and David Wagner

How crypto fails in practice? CSS, WEP, MIFARE classic. *Slides borrowed from Vitaly Shmatikov

Managing and Securing Computer Networks. Guy Leduc. Chapter 7: Securing LANs. Chapter goals: security in practice: Security in the data link layer

Overview of Security

Different attacks on the RC4 stream cipher

Network Security Essentials

Message Authentication Codes and Cryptographic Hash Functions

COSC4377. Chapter 8 roadmap

Cryptography. Summer Term 2010

Princess Nora Bint Abdulrahman University College of computer and information sciences Networks department Networks Security (NET 536)

Cryptography. Dr. Michael Schneider Chapter 10: Pseudorandom Bit Generators and Stream Ciphers

Network Security Essentials Chapter 2

Analyzing Wireless Security in Columbia, Missouri

AN INTEGRATED BLOCK AND STREAM CIPHER APPROACH FOR KEY ENHANCEMENT

Wireless Security. Comp Sci 3600 Security. Attacks WEP WPA/WPA2. Authentication Encryption Vulnerabilities

CSE 127: Computer Security Cryptography. Kirill Levchenko

Wireless Security Security problems in Wireless Networks

Stream Ciphers An Overview

EEC-682/782 Computer Networks I

Chapter 6: Contemporary Symmetric Ciphers

Information Security CS526

Cryptography Functions

Introduction to Software Security Hash Functions (Chapter 5)

Cryptography and Network Security Chapter 7

BCA III Network security and Cryptography Examination-2016 Model Paper 1

Chapter 8 Network Security

page 1 Introduction to Cryptography Benny Pinkas Lecture 3 November 18, 2008 Introduction to Cryptography, Benny Pinkas

Introduction to Cryptography. Vasil Slavov William Jewell College

CSE 3461/5461: Introduction to Computer Networking and Internet Technologies. Network Security. Presentation L

David Wetherall, with some slides from Radia Perlman s security lectures.

Kurose & Ross, Chapters (5 th ed.)

Chapter 8 Security. Computer Networking: A Top Down Approach. 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012

Introduction to Cryptography. Lecture 3

Lecture 9a: Secure Sockets Layer (SSL) March, 2004

CRYPTOLOGY KEY MANAGEMENT CRYPTOGRAPHY CRYPTANALYSIS. Cryptanalytic. Brute-Force. Ciphertext-only Known-plaintext Chosen-plaintext Chosen-ciphertext

CS-435 spring semester Network Technology & Programming Laboratory. Stefanos Papadakis & Manolis Spanakis

Encryption. INST 346, Section 0201 April 3, 2018

How many DES keys, on the average, encrypt a particular plaintext block to a particular ciphertext block?

ח'/סיון/תשע "א. RSA: getting ready. Public Key Cryptography. Public key cryptography. Public key encryption algorithms

Jaap van Ginkel Security of Systems and Networks

The Network Security Model. What can an adversary do? Who might Bob and Alice be? Computer Networks 12/2/2009. CSC 257/457 - Fall

Comp527 status items. Crypto Protocols, part 2 Crypto primitives. Bart Preneel July Install the smart card software. Today

CSC 8560 Computer Networks: Network Security

Computational Security, Stream and Block Cipher Functions

Introduction to Modern Cryptography. Lecture 2. Symmetric Encryption: Stream & Block Ciphers

Symmetric Encryption. Thierry Sans

Design Of High Performance Rc4 Stream Cipher For Secured Communication

Outline Basics of Data Encryption CS 239 Computer Security January 24, 2005

More on Cryptography CS 136 Computer Security Peter Reiher January 19, 2017

CE Advanced Network Security Wireless Security

Authentication Handshakes

Enhancing Security of Improved RC4 Stream Cipher by Converting into Product Cipher

PRNGs & DES. Luke Anderson. 16 th March University Of Sydney.

Ideal Security Protocol. Identify Friend or Foe (IFF) MIG in the Middle 4/2/2012

Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls

CPSC 467b: Cryptography and Computer Security

Great Theoretical Ideas in Computer Science. Lecture 27: Cryptography

CPSC 467b: Cryptography and Computer Security

CSC 474/574 Information Systems Security

Intro to Public Key Cryptography Diffie & Hellman Key Exchange

CIS 6930/4930 Computer and Network Security. Topic 6.2 Authentication Protocols

Homework 2. Out: 09/23/16 Due: 09/30/16 11:59pm UNIVERSITY OF MARYLAND DEPARTMENT OF ELECTRICAL AND COMPUTER ENGINEERING

CSCI 454/554 Computer and Network Security. Topic 5.2 Public Key Cryptography

Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005

CIS 4360 Secure Computer Systems Symmetric Cryptography

Practical Aspects of Modern Cryptography

CS61A Lecture #39: Cryptography

n-bit Output Feedback

CIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 8

Security: Cryptography

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 11 Basic Cryptography

Outline. CSCI 454/554 Computer and Network Security. Introduction. Topic 5.2 Public Key Cryptography. 1. Introduction 2. RSA

CSC 474/574 Information Systems Security

Cryptography [Symmetric Encryption]

Computer Security. 08. Cryptography Part II. Paul Krzyzanowski. Rutgers University. Spring 2018

Introduction to Cryptography CS 136 Computer Security Peter Reiher October 9, 2014

Presentation_ID. 2001, Cisco Systems, Inc. All rights reserved.

Weaknesses in the Key Scheduling Algorithm of RC4

14. Internet Security (J. Kurose)

Outline. Public Key Cryptography. Applications of Public Key Crypto. Applications (Cont d)

Computer Security 3/23/18

CS Computer Networks 1: Authentication

Lecture 1 Applied Cryptography (Part 1)

Chapter 9 Public Key Cryptography. WANG YANG

Outline. Data Encryption Standard. Symmetric-Key Algorithms. Lecture 4

The Final Nail in WEP s Coffin

3 Symmetric Key Cryptography 3.1 Block Ciphers Symmetric key strength analysis Electronic Code Book Mode (ECB) Cipher Block Chaining Mode (CBC) Some

Secret Key Cryptography (Spring 2004)

Hash Function. Guido Bertoni Luca Breveglieri. Fundations of Cryptography - hash function pp. 1 / 18

Cryptography (DES+RSA) by Amit Konar Dept. of Math and CS, UMSL

Computer Security: Principles and Practice

Ref:

Overview of Security Principles

Transcription:

RC4 RC4 1

RC4 Invented by Ron Rivest o RC is Ron s Code or Rivest Cipher A stream cipher Generate keystream byte at a step o Efficient in software o Simple and elegant o Diffie: RC4 is too good to be true Used lots of places: SSL, WEP, etc., etc. Most popular stream cipher in existence RC4 2

RC4 Initialization Array key contains N bytes of key Array S always has a permutation of 0,1,,255 for i = 0 to 255 S[i] = i K[i] = key[i (mod N)] next i j = 0 for i = 0 to 255 j = (j + S[i] + K[i]) (mod 256) swap(s[i],s[j]) next i i = j = 0 RC4 3

RC4 Keystream For each keystream byte, swap elements of array S and select a byte from the array: i = (i + 1) (mod 256) j = (j + S[i]) (mod 256) swap(s[i], S[j]) t = (S[i] + S[j]) (mod 256) keystreambyte = S[t] Use keystream bytes like a one-time pad o XOR to encrypt or decrypt RC4 4

WEP WEP == Wired Equivalent Privacy The stated goal of WEP is to make wireless LAN as secure as a wired LAN According to Tanenbaum: o The 802.11 standard prescribes a data link-level security protocol called WEP (Wired Equivalent Privacy), which is designed to make the security of a wireless LAN as good as that of a wired LAN. Since the default for a wired LAN is no security at all, this goal is easy to achieve, and WEP achieves it as we shall see. RC4 5

WEP Wired Equivalent Privacy WEP uses RC4 for confidentiality o Considered a strong cipher o But WEP introduces a subtle flaw WEP uses CRC for integrity o Should have used a crypto hash instead o CRC is for error detection, not cryptographic integrity RC4 6

WEP Integrity Problems WEP integrity does not provide integrity o CRC is linear, so is stream cipher XOR o Can change ciphertext and CRC so that checksum remains correct o Such introduced errors go undetected o This requires no knowledge of the plaintext! o Even worse if plaintext is known CRC does not provide a cryptographic integrity check! o CRC designed to detect random errors o Not designed to detect intelligent changes RC4 7

WEP Key WEP uses a long-term secret key: K RC4 is a stream cipher, so each packet must be encrypted using a different key o Initialization Vector (IV) sent with packet o Sent in the clear (IV is not secret) o IV has similar purpose as MI in WWII ciphers Actual RC4 key for packet is (IV,K) o That is, IV is pre-pended to K RC4 8

Initialization Vector Issue WEP uses 24-bit (3 byte) IV o Each packet gets a new IV o RC4 packet key: IV pre-pended to long-term key, K Long term key K seldom changes If long-term key and IV are same, then same keystream is used o This is bad! o It is at least as bad as reuse of one-time pad RC4 9

Initialization Vector Issue Assume 1500 byte packets, 11 Mbps link Suppose IVs generated in sequence o Then 1500 8/(11 10 6 ) 2 24 = 18,000 seconds o Implies IV must repeat in about 5 hours Suppose IVs generated at random o By birthday problem, some IV repeats in seconds Again, repeated IV (with same K) is bad! RC4 10

WEP Active Attacks WEP: Swiss cheese of security protocols If Trudy can insert traffic and observe corresponding ciphertext o Then she will know keystream for that IV o And she can decrypt next msg that uses that IV Spse Trudy knows destination IP address o She can change IP address in ciphertext o And modify CRC so it is correct o Then access point will decrypt and forward packet to the Trudy s selected IP address! o Requires no knowledge of the key K! RC4 11

WEP Cryptanalytic Attack WEP data encrypted using RC4 o Packet key is IV and long-term key K o 3-byte IV is pre-pended to K o Packet key is (IV,K) IV is sent in the clear (not secret) o New IV sent with every packet o Long-term key K seldom changes (maybe never) Assume Trudy knows IVs and ciphertext Trudy wants to find the key K RC4 12

RC4 in WEP 3-byte IV pre-pended to key We denote the RC4 key bytes o as K 0,K 1,K 2,K 3,K 4,K 5, o Where IV = (K 0,K 1,K 2 ), which Trudy knows o Trudy wants to find K 3,K 4,K 5, Given enough IVs, we show that Trudy can recover the long-term key o Regardless of the length of the key! o Provided Trudy knows first keystream byte o Known plaintext attack (1st byte of each packet) RC4 13

RC4 Initialization Recall that RC4 initialization is S i = i for i = 0,1,2,,255 j = 0 for i = 0 to 255 j = j + S i + K i swap(s i,s j ) next i RC4 14

RC4/WEP Attack Attack due to Fluher, Mantin and Shamir Trudy watches IVs until she sees 3-byte IV of the form: IV = (3,255,V) Where V can be anything (Trudy knows V) Then RC4 key for this packet is key = (3,255,V,K 3,K 4,K 5, ) Trudy wants to find (K 3,K 4,K 5, ) RC4 15

RC4/WEP Attack IV = (3,255,V) Key = (3,255,V,K 3,K 4, ) Trudy knows K 0 = 3, K 1 = 255, K 2 = V Other K i are long-term key o Which is unknown to Trudy Recall RC4 initialization: first, set S to RC4 16

RC4/WEP Attack IV = (3,255,V) Key = (3,255,V,K 3,K 4, ) RC4 initialization: let j = 0 then for i = 0 to 255 j = j + S i + K i swap(s i,s j ) next i At i = 0 step we have i = 0 j = j + S 0 + K 0 = 0 + 0 + 3 = 3 swap(s i,s j ) = swap(s 0,S 3 ) RC4 17

RC4/WEP Attack From previous slide At i = 0 step we have i = 0 j = j+s 0 +K 0 = 0+0+3 = 3 swap(s i,s j ) = swap(s 0,S 3 ) After this step, the table S is RC4 18

RC4/WEP Attack IV = (3,255,V) Key = (3,255,V,K 3,K 4, ) Continuing, at i = 1 step i = 1 j = j+s 1 +K 1 = 3+1+255 = 3 (mod 256) swap(s i,s j ) After this step, the table S is RC4 19

RC4/WEP Attack IV = (3,255,V) Key = (3,255,V,K 3,K 4, ) Continuing, at i = 2 step i = 2 j = j+s 2 +K 2 = 3+2+V = 5+V swap(s i,s j ) After this step, the table S is RC4 20

IV = (3,255,V) RC4/WEP Attack Key = (3,255,V,K 3,K 4, ) Continuing, at i = 3 step i = 3 j = j+s 3 +K 3 = 5+V+1+K 3 = 6+V+K 3 swap(s i,s j ) Assuming 6+V+K 3 > 5+V (mod 256), the table is Otherwise 6+V+K 3 will be to the left of 5+V RC4 21

RC4 Initialization Note that we have only considered the first 4 steps of initialization, i = 0,1,2,3 o In reality, there are 256 steps For now, assume that initialization stops after i = 3 step Then S is Next, we consider RC4 keystream algorithm RC4 22

RC4 Keystream After initialization, let i = j = 0 Then for each keystream byte i = i+1 j = j+s i swap(s i,s j ) t = S i +S j keystreambyte = S t RC4 23

RC4/WEP Attack Suppose initialization stopped with First keystream byte Let i = j = 0 Then i = i+1 = 1 j = j+s 1 = 0 t = S i +S j = S 1 +S 0 = 0+3 = 3 keystreambyte = S t = S 3 = 6+V+K 3 RC4 24

RC4/WEP Attack Note: keystreambyte = 6+V+K 3 If keystreambyte is known, we can solve for K 3 since K 3 = (keystreambyte 6 V) mod 256 But initialization does not stop at i=3 So can this attack really work? RC4 25

RC4/WEP Attack After i=3 initialization step, S is If elements at 0,1 and 3 not swapped in remaining initialization steps, attack works For remaining initialization steps o We have i = 4,5,6, so index i will not affect anything at indices 0,1 or 3 o But what about index j? RC4 26

RC4/WEP Attack Pretend index j selected at random o At each step, probability is 253/256 that j {0,1,3} o There are 252 steps after i = 3 Probability that 0,1 and 3 not affected by j index after i=3 step is (253/256) 252 = 0.0513 RC4 27

RC4/WEP Attack Can be shown that with about 60 IVs of the form (3,255,V) can find K 3 o Not so easy to prove that 60 is correct o Easy to verify empirically This is enough to show that a shortcut attack on WEP/RC4 exists Can Trudy really recover the key? If she sees enough IVs she gets K 3 RC4 28

RC4/WEP Attack Suppose Trudy has found K 3 Then how to find K 4? Consider IVs of the form: IV = (4,255,V) Then after initialization step i=4, we have RC4 29

RC4/WEP Attack If we now generate first keystream byte i = 1 j = S i = 0 t = S 1 +S 0 = 4 keystreambyte = S 4 = 10+V+K 3 +K 4 Then K 4 = (keystreambyte-10-v-k 3 ) mod 256 Probability of this is also about 0.05 RC4 30

RC4/WEP Attack If enough IVs are available o And corresponding 1st keystreambytes are known Then Trudy can recover the key o Finds K 3 then K 4 then K 5 and so on Get entire key, regardless of length! RC4 31

RC4/WEP Attack Can reduce number of IVs Trudy needs Consider again key K 3 Suppose IV = (2,253,0) Then after i=3 initialization step IVs other than (3,255,V) can work! Easy to determine which IVs are useful RC4 32

RC4/WEP Conclusions This attack is practical! This attack has been used to recover keys from real WEP traffic How to prevent this attack? o Discard first 256 bytes of keystream This attack on RC4 is just one of many security flaws in WEP RC4 33

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback