Chapter 6. Stream Cipher Design

Similar documents
3 Symmetric Key Cryptography 3.1 Block Ciphers Symmetric key strength analysis Electronic Code Book Mode (ECB) Cipher Block Chaining Mode (CBC) Some

GSM Security Overview

1-7 Attacks on Cryptosystems

(2½ hours) Total Marks: 75

Cryptography & Key Exchange Protocols. Faculty of Computer Science & Engineering HCMC University of Technology

Information Security CS526

CSC 580 Cryptography and Computer Security

CSE 3461/5461: Introduction to Computer Networking and Internet Technologies. Network Security. Presentation L

Lecture 1 Applied Cryptography (Part 1)

Computer Security: Principles and Practice

Wireless Security Security problems in Wireless Networks

Stream Ciphers An Overview

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2

Cryptography MIS

GLOBAL SYSTEM FOR MOBILE COMMUNICATION (2) ETI2511 Friday, 31 March 2017

Public-key Cryptography: Theory and Practice

06/02/ Local & Metropolitan Area Networks. 0. Overview. Terminology ACOE322. Lecture 8 Network Security

Principles of Information Security, Fourth Edition. Chapter 8 Cryptography

An Efficient Stream Cipher Using Variable Sizes of Key-Streams

CIS 4360 Introduction to Computer Security Fall WITH ANSWERS in bold. First Midterm

CSC 474/574 Information Systems Security

1.264 Lecture 27. Security protocols Symmetric cryptography. Next class: Anderson chapter 10. Exercise due after class

2.1 Basic Cryptography Concepts

Computer Security 3/23/18

Protecting Information Assets - Week 11 - Cryptography, Public Key Encryption and Digital Signatures. MIS 5206 Protecting Information Assets

CUBE-TYPE ALGEBRAIC ATTACKS ON WIRELESS ENCRYPTION PROTOCOLS

CSC 474/574 Information Systems Security

NETWORK SECURITY & CRYPTOGRAPHY

ICT 6541 Applied Cryptography. Hossen Asiful Mustafa

PRNGs & DES. Luke Anderson. 16 th March University Of Sydney.

Distributed Systems. Lecture 14: Security. Distributed Systems 1

2 nd ETSI Security Workshop: Future Security. Smart Cards. Dr. Klaus Vedder. Chairman ETSI TC SCP Group Senior VP, Giesecke & Devrient

Distributed Systems. Lecture 14: Security. 5 March,

Basic Concepts and Definitions. CSC/ECE 574 Computer and Network Security. Outline

Chapter 3 Traditional Symmetric-Key Ciphers 3.1

Advanced WG and MOWG Stream Cipher with Secured Initial vector

Computer Security. 08. Cryptography Part II. Paul Krzyzanowski. Rutgers University. Spring 2018

KALASALINGAM UNIVERSITY

CSCE 813 Internet Security Symmetric Cryptography

Cryptography Introduction to Computer Security. Chapter 8

ON THE IMPACT OF GSM ENCRYPTION AND MAN-IN-THE-MIDDLE ATTACKS ON THE SECURITY OF INTEROPERATING GSM/UMTS NETWORKS

CSC 774 Network Security

CS 161 Computer Security

Cryptanalysis. Ed Crowley

Overview. Cryptographic key infrastructure Certificates. May 13, 2004 ECS 235 Slide #1. Notation

Cryptography ThreeB. Ed Crowley. Fall 08

Information Security CS526

ECE Lecture 2. Basic Concepts of Cryptology. Basic Vocabulary CRYPTOLOGY. Symmetric Key Public Key Protocols

Network Security: Cellular Security. Tuomas Aura T Network security Aalto University, Nov-Dec 2013

Lecture 2: Secret Key Cryptography

Contents. GSM and UMTS Security. Cellular Radio Network Architecture. Introduction to Mobile Telecommunications

Introduction to Cryptography CS 136 Computer Security Peter Reiher October 9, 2014

Unit 3: Cryptography Fundamentals

David Wetherall, with some slides from Radia Perlman s security lectures.

Cryptography and Network Security

Computers and Security

Past & Future Issues in Smartcard Industry

Security. Communication security. System Security

T Cryptography and Data Security

Syrvey on block ciphers

FPGA Implementation of WG Stream Cipher

Network Security Issues and Cryptography

CHAPTER 6 EFFICIENT TECHNIQUE TOWARDS THE AVOIDANCE OF REPLAY ATTACK USING LOW DISTORTION TRANSFORM

S. Erfani, ECE Dept., University of Windsor Network Security

Symmetric Encryption Algorithms

Outline Basics of Data Encryption CS 239 Computer Security January 24, 2005

SIDE CHANNEL ATTACKS AGAINST IOS CRYPTO LIBRARIES AND MORE DR. NAJWA AARAJ HACK IN THE BOX 13 APRIL 2017

Encryption Details COMP620

Cryptography BITS F463 S.K. Sahay

Key Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature

OVE EDFORS ELECTRICAL AND INFORMATION TECHNOLOGY

Security functions in mobile communication systems

Cryptography and Network Security. Sixth Edition by William Stallings

9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers

Cryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng

CSCI 454/554 Computer and Network Security. Topic 2. Introduction to Cryptography

Public Key Cryptography

Public-key encipherment concept

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Computer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018

How crypto fails in practice? CSS, WEP, MIFARE classic. *Slides borrowed from Vitaly Shmatikov

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 11 Basic Cryptography

Outline. Cryptography. Encryption/Decryption. Basic Concepts and Definitions. Cryptography vs. Steganography. Cryptography: the art of secret writing

Cryptographic Concepts

EEC-682/782 Computer Networks I

A New Symmetric Key Algorithm for Modern Cryptography Rupesh Kumar 1 Sanjay Patel 2 Purushottam Patel 3 Rakesh Patel 4

Public-Key Cryptography. Professor Yanmin Gong Week 3: Sep. 7

NON LINEAR FEEDBACK STREAM CIPHER

EEC-484/584 Computer Networks

JNTU World JNTU World. JNTU World. Cryptography and Network Security. Downloaded From JNTU World ( )( )JNTU World

Anonymity. Assumption: If we know IP address, we know identity

Stream ciphers. Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 91

Mobile Security Fall 2013

T Cryptography and Data Security

Cryptography and Network Security. Sixth Edition by William Stallings

Encryption I. An Introduction

Introduction to Cryptography. Ramki Thurimella

Overview of IEEE b Security

Stream Ciphers. Stream Ciphers 1

Goals for Today. Substitution Permutation Ciphers. Substitution Permutation stages. Encryption Details 8/24/2010

Transcription:

Chapter 6. Stream Cipher Design 1 Model for Secure Communications and Attacks 2 Shannon's Theory on Perfect Secrecy and Product Cryptosystems (self reading, Stinson s book, or Chapters 1 and 2 in Stalling's book) 3 One-time-pad and Design Principles of Stream Ciphers 4 Addressed Problems in Wireless Security 5 Some Concerns in Multimedia Security and Low Cost Cryptography 6 Case Study: A5 stream cipher for GSM 7 Case Study: w7, an Analogue Cipher of A5 8 Correlation Attack to Stream Ciphers (self reading) @G. Gong, 2003 1

6.1. Model for Secure Communications Three components of secure communications: Communication principles Trusted third party (or authority) Opponents (attackers) @G. Gong, 2003 2

Principal Trusted third party (i.e, arbiter, distributer of secret information) Principal Message Message Secret information Information channel Secret information Security-related transformation Security-related transformation Opponent Figure 1. Model for Secure Communications @G. Gong, 2003 3

Insecure information channel Sender Receiver Passive attacks Interception (confidentiality, privacy) Attacker Figure 2. Passive attacks

Insecure information channel Sender Receiver Active attacks (authentication) Attacker Interruption Modification Fabrication Figure 3. Active attacks

Shared key Plaintext Encryption algorithm Ciphertext Decryption algorithm Plaintext Figure 4. Simplified Model of Conventional Encryption @G. Gong, 2003 6

Cryptanalyst c^ k^ Message source m c Encrypter Decrypter Destination k Secure channel Key generator Figure 5. Model of Conventional Cryptosystem @G. Gong, 2003 7

6.3 One-time-pad and Design Principles of Stream Ciphers A. Model of Steam Ciphers B. One-time-pad C. Randomness Measurements for PRSG (Done in Chapter 2-4) D. Known Key Generators for Stream Ciphers (done in Chapter 5) @G. Gong, 2003 8

Model of Stream Cipher Message source m = m 1, m 2,... + Cipher c = c 1, c 2,... Key generation k = k 1, k 2,... K, seed @G. Gong, 2003 9

One-time-pad One-time-pad means that different messages are encrypted by different key streams. Shannon's Result (1948): One-time-pad is unbreakable. Request for large period. Massey's Discovery (1969): If a binary sequence has linear span n then the entire sequence can be reconstructed from 2n consecutive known bits by the Berlekamp-Massey algorithm. Request for large linear span. @G. Gong, 2003 10

Randomness Measurements Randomness Measurements for PSG: Long Period Balance Property Run Property n-tuple Distribution Two-level Auto Correlation and Low Cross Correlation Large Linear Span Indistiguinishability: it cannot be distiguinished from a truly random sequence in terms of polynomial algorithm. @G. Gong, 2003 11

Known Key Generators for Stream Ciphers (All LFSR based nonlinear generators in chapter 5) Linear Feedback Shift Registers(LFSR) (1948-1969) Filter Function Generators (Key: 1973) Combinatorial Function Generators (Groth: 1971) Clock Controlled Generators (Beth and Piper: 1984) Shrinking Generators (Coppersmith-Krawczys-Mansour, 1993) @G. Gong, 2003 12

6.4 Addressed Problems in Wireless Security Security Algorithms used in GSM Possible Interception Attacks in GSM Possible Interception Attacks in IS-95 CDM Security Issues in 3G Systems Security Trends in 3G Systems Security in 4G Systems @G. Gong, 2003 13

Security Algorithms used in GSM @G. Gong, 2003 14

Security Algorithms used in GSM (Cont.) Nearly every GSM operator in the world uses an algorithm called COMP128 for both A3 and A8 algorithms. COMP128 is the reference algorithm for the tasks pointed out by the GSM Consortium. Other algorithms have been named as well, but almost every operator uses the COMP128 except a couple of exceptions. The COMP128 generates both the SRES response (32 bits) and the session key, Kc, on one run. The last 54 bits of the COMP128 output form the session key, Kc, until the MS is authenticated again. Note that the key length at this point is 54 bits instead of 64 bits, which is the length of the key given as input to the A5 algorithm. Ten zerobits are appended to the key generated by the COMP128 algorithm. Thus, we have a key of 64 bits with the last ten bits zeroed out. The A5 algorithm is the stream cipher used to encrypt over-the-air transmissions, which will be discussed in detail in Section 6. @G. Gong, 2003 15

Possible Interception Attacks in GSM Accessing the Signaling Network The transmissions are encrypted only between the MS and the BTS. After the BTS, the traffic is transmitted in plain text within the operators network. The SS7 signaling network used in the operator's GSM network is completely insecure if the attacker gains direct access to it. @G. Gong, 2003 16

Possible Interception Attacks in GSM (Cont.) Retrieving the Key from the SIM The attack is based on a chosen-challenge attack that works, because the COMP128 algorithm is broken in such a way that it reveals information about the K i when the appropriate RANDs are given as arguments to the A8 algorithm. The SIM was accessed through a smartcard reader connected to a PC. The PC made about 150.000 challenges to the SIM and the SIM generated the SRES and the session key, K c, based on the challenge and the secret key. The secret key could be deduced from the SRES responses through differential cryptanalysis. The smartcard reader used in implementing the attack could make 6.25 queries per second to the SIM card. So the attack required about eight hours to conduct. @G. Gong, 2003 17

Possible Interception Attacks in GSM (Cont.) Retrieving the Key from the SIM over the Air The attack might be conducted in a subway, where the signal of the legitimate BTS is not available, but the phone is still turned on. The subscriber would be unaware of such an attack though the fact that the battery of the phone has run out slightly quicker than usual might make him suspicious. The attack can also be performed in parts: instead of performing an eight-hour attack, the attacker could tease the phone for twenty minutes every day on the victim's way to work. @G. Gong, 2003 18

Possible Interception Attacks in IS-95 CDMA A recent paper in SAC 2000 workshop showed that the eavesdropping the downlink traffic channel 1 second, the eavesdropper can get enough information to recover the voice privacy. @G. Gong, 2003 19

Security Issues in 3G Systems The level of protection One weakness in GSM security protocol is that mobile identity is not always encrypted when transmitted over the air interface. In IP-world, denial of service attacks cannot be made impossible, but they can be made more difficult to implement by using sophisticated firewalls, good network design, etc. The algorithms used should be made public so that they can be tested. System should also be modular so that an algorithm, if found flawed, could be replaced with a better algorithm. @G. Gong, 2003 20

Security Issues in 3G Systems (Cont.) Charging Nowadays the charge of the SMS (Short Message Service) or WAP (Wireless Application Protocol) based service is typically not indicated by the service provider to the user when he or she uses the service. Another issue is that the on-line indication of the charges could cut down the use of the services. This flaw has recently been criticized by the Finnish Consumer Office. @G. Gong, 2003 21

Security Issues in 3G Systems (Cont.) Privacy The location and consumer habits of users are valuable information for service creation and marketing purposes. A policy about the collection, storage, use, disclosure, and selling of this data is required. In Finland the constitution and different laws. @G. Gong, 2003 22

Security Issues in 3G Systems (Cont.) Terminal Security: Smart Card with PIN number has been used to protect terminal security Abbreviation Full Name Defining Standard SIM Subscriber Identity Module GSM UIM User Identity Module IS-95 USIM Universal SIM UMTS R-UIM Removable UIM CDMA2000 WIM Wireless Identity Module WAP @G. Gong, 2003 23

Security Issues in 3G Systems Lawful Interception The UMTS and GSM, like all telecom systems, allow lawful interception for authorized law and enforcement agencies. This is required by national laws and EU directives, and is used for crime investigation and national security. The Internet users have traditionally very negative attitudes towards monitoring of their communications, and lawful interception can become at least an image problem for the new IP-services of the telecom systems. @G. Gong, 2003 24

Security Trends in 3G Systems Offer complete security solutions-not just provide protection over the radio link Offer negotiation Offer mutual authentication Offer data confidentiality and data/signaling authentication Prevent replay attack on the signaling Provide period data authentication Use SIM card Mobile handset shows um-encrypted mode Universal roaming Continuously migrate to 4G systems in terms of enhanced security, services, access media, data rate, capabilities @G. Gong, 2003 25

Security in 4G Systems Use public-key algorithms for key agreement, privacy and authentication Provide non-repudiation services Provide key recovery (escrow) Universal access to any type of media and devices Integrate services, including payment and charging @G. Gong, 2003 26

6.5. Some Concerns in Multimedia Security and Low Cost Cryptography Adopt AES or Standardize a New Cipher: For multimedia encryption, the working group of multimedia security is in discussion of to adopt the AES (will be introduced in next chapter) or standard a particular cipher for that. The main concern here is the nature of multimedia signals, it may not need the cipher as strong as the AES. For example, for pay-for-view TV, if only partial of content of a movie is encrypted, then it is secure enough since human being s tolerance of eyes is limited. @G. Gong, 2003 27

6.6 Case Study: A5 Stream Cipher A. A5/1 stream cipher key generator for secure GSM conversations Note. A GSM conversation is sent as a sequence of frames per 4.6 millisecond, and each frame contains 228 bits. @G. Gong, 2003 28

Description of the A5/1 stream cipher: 64-bit key to generate a key stream where each 228- bit used for one frame (228-bit) encryption. A5 K,64-bit key 1-bit output 228-bit buffer GSM message: 228-bit 228-bit 1 frame Bitwise addition Output: 228-bit ciphertext, one frame of cipher @G. Gong, 2003 29

Construction of A5/1 Generator: Parameters: (a) Three LSFRs which generate m-sequences with periods 2 19-1, 2 22-1, 2 23-1, respectively. 1. LFSR 1: 19 5 2 f ( x) = x + x + x + x 1 generates a = {a(t)}. 1 + 22 2. LFSR 2: f ( x) = x + x 1 generates b = {b(t)}. 2 + 3. LFSR 3: 23 16 2 f ( x) = x + x + x + x 1 generates c = {c(t)}. 3 + 4. Tap positions: d 1 = 11, d 2 = 12 and d 3 = 13. @G. Gong, 2003 30

(b) Majority function f(x 1, x 2, x 3 ) = (y 1, y 2, y 3 ) is defined by f ( a( t + 11), b( t + 12), c( t + 13)) a ( t + 11) b( t + 12) c( t + 13) = ( y1, y2, y3) (1,1,1) 0 0 0 1 1 1 (1,1,0) 0 0 1 1 1 0 (0,1,1) 0 1 1 1 0 0 (1,0,1) 1 0 1 0 1 0 Output: The output sequence u = {u(t)} which performs at time t, u(t) = a(i 1 ) + b(i 2 ) + c(i 3 ), t = 0, 1,... where i 1, i 2, and i 3 are determined in a stop-and-go clock controlled model by the majority function f. @G. Gong, 2003 31

Stop/go control 0 1 2 5 11 18 output Stop/go control 0 1 2 12 21 y 2 y 1 f: Majority function y 3 Stop/go control 0 1 2 13 16 22 A5/1 Key Stream Generator @G. Gong, 2003 32

For example, at time t, if f(a(t+11), b(t+12), c(t+13)) = (1, 1, 0) i.e., (y 1, y 2, y 3 )=(1, 1, 0), then LFSR 1 and LFSR 2 are clocked and LFSR 3 has no clock pulse. Session key or seed: initial states for three LFSRs, a total of 64 bits. @G. Gong, 2003 33

Note 2. The first 'original' A5 algorithm was renamed A5/1. Other algorithms include A5/0, which means no encryption at all, and A5/2, a weaker over-the-air privacy algorithm. Generally, the A5 algorithms after A5/1 have been named A5/x. Most of the A5/x algorithms are considerably weaker than the A5/1, which has the time complexity of 254 at most as, shown above. The estimated time complexity of A5/2 is as low as 216. A5/3 is available in the work group of wireless communications @G. Gong, 2003 34

What does A5/1 suffer? It can be broken with few hours by a PC. Short period problem: Without stop/go operation, the period of sum of the three LFSRs is given by (2 19-1)( 2 22-1)(2 23-1). However, the experiement shows that the period of A5/1 is arround (4/3)(2 23-1). Collision problem: different seeds (i.e., different initial states of three LFSRs) may result in the same key stream (our new results shows that only 70% seeds produce different key streams.) The maority function is the worst function in terms of correlation with all affine functions. @G. Gong, 2003 35

Possible Attacks on A5/1 Brute-Force Attack against A5 If we have a Pentium III class chip with approximately 20 million transistors and the implementation of one set of LSFRs (A5/1) would require about 2000 transistors, we would have a set of 10,000 parallel A5/1 implementations on one chip. If the chip was clocked to 600 MHz, we could try approximately 2M keys per second per A5/1 implementation. A key space of 2 54 keys would thus require about 900,000 seconds, 250 hours, with one chip. Alex Biryukov and Adi Shamir (co-inventor of the RSA) claim to be able to penetrate the security of a A5/1 ciphered GSM call in less than one second using a PC with 128 MB RAM and large hard drives. @G. Gong, 2003 36

6.7. w7 -- an Analogue Cipher of A5 w7 stream cipher algorithm is proposed by S. Thomas, D. Anthony, T. Berson, and G. Gong published as an INTERNET DRAFT, April 2002. Description of w7: The w7 algorithm is a byte-wide, synchronous stream cipher optimized for efficient hardware implementation at very high data rates. It is a symmetric key algorithm supporting key lengths of 128 bits. It contains eight similar models, C1, C2,, C8 where C2 is illustrated as follows. @G. Gong, 2003 37

K,128-bit key K K C1 C2 C8 1-bit output 1-byte output @G. Gong, 2003 38

@G. Gong, 2003 39 0 k0... 4 k4... 7 k7 8 k8 9 k9 10 k10... 14 k14 15 k15 16 k16 17 k17 18 k18... 21 k21 22 k22 23 k23 24 k24... 27 k27 28 k28... 31 k31 32 k32... 35 k35 36 k36 37 k37 0 k0 2 k2 4 k4 5 k5... 16 k16... 24 k24... 29 k29 30 k30 31 k31 33 k33 34 k34 35 k35 36 k36 38 k38 39 k39 41 k41 42 k42 1 k1 3 k3 32 k32 37 k37 40 k40 0 k0... 4 k4... 18 k18... 22 k22... 27 k27... 32 k32 33 k33... 39 k39... 44 k44 45 k45 46 k46 26 k26 38 k38 Majority function The W7 Cipher Algorithm o u t p u t

6.8. Correlation Attack to Stream Ciphers Self reading. @G. Gong, 2003 40

References 1. GSM (and PCN ) security and encryption, at Brooksonhttp://www.brookson.com/gsm/gsmdoc.htm 2. GSM interception, at http://www.dia.unisa.it/ads.dir/corsosecurity/www/corso-9900/a5/netsec/netsec.html 3. Wireless security, http://www.compaq.ch/ins_wpwirelesssecurity.pdf 4. Security of mobile systems from user's point of view, at http://www.hut.fi/~hansen/papers/user-secu/ @G. Gong, 2003 41

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback