Attack on Broadcast RC4 Revisited (PowerPoint PPT presentation, slide transcript)

  1. Attack on Broadcast RC4 Revisited. S. Maitra (1), G. Paul (2), S. Sen Gupta (1). (1) Indian Statistical Institute, Kolkata; (2) Jadavpur University, Kolkata. FSE 2011, Lyngby, Denmark, 15 February 2011.

  2. Outline of the Talk
  - Introduction: Basics of RC4 Stream Cipher; Motivation and Contribution
  - Our Result: Bias of Output Bytes: Computing the Bias; Exploiting the Bias; Attack on RC4 Broadcast Scheme
  - Study: Non-Randomness of j: Non-randomness in Different Rounds
  - Conclusion: Summary of the Paper

  3. Introduction: RC4 Stream Cipher
  Designed by Ron Rivest in 1987.
  Data structure:
  - S-array of size N = 256 bytes
  - Key k of size 5 to 16 bytes
  - Final key K of N = 256 bytes
  - Two indices i and j
  - Output: a stream of bytes
  Photo: http://people.csail.mit.edu/rivest/


  4-5. Introduction: RC4 Stream Cipher
  Key Scheduling Algorithm (KSA): for each i, $j = j + S[i] + K[i]$.
  [Figure: the S-array with cells 0, 1, 2, ..., i, ..., j, ..., 254, 255 and the two indices i and j]
  Pseudo-Random Generation Algorithm (PRGA): for each i, $j = j + S[i]$; output $Z = S[S[i] \boxplus S[j]]$, where $\boxplus$ denotes addition modulo N.
  [Figure: the S-array with indices i and j; the output byte Z is read from position $S[i] \boxplus S[j]$]


  6-7. Introduction: Cryptanalysis of RC4
  More than 20 years of cryptanalytic results:
  - Finney Cycle [1994]
  - Key-Output Correlation [Roos, 1995] [Paul & Maitra, 2007, 2008]
  - Key-Permutation Correlation [Roos, 1995] [Paul & Maitra, 2007]
  - Non-Randomness of Permutation [Mantin, 2001]
  - Fault Attacks [Hoch & Shamir, 2004] [Mantin, 2005] [Biham et al, 2005]
  - State Recovery [Knudsen et al, 1998] [Tomasevic et al, 2004] [Maximov, 2008]
  - Non-random event: Glimpse Bias [Jenkins, 1996]
  - Distinguishing Attacks

  8. Introduction: Distinguishing Attacks
  Goal: find an event which occurs with a different probability in RC4 than in a perfectly random source.
  Existing distinguishers:
  - Digraph Repetition Bias (occurrence of ABTAB) [Mantin, 2001]
  - Biased second output byte ($z_2 = 0$) [Mantin & Shamir, 2001]
  - A set of new linear biases of RC4 [Sepehrdad et al, 2010]
  - ... a few more in this work


  9-10. Introduction: Motivation for this Work
  FSE 2001. A Practical Attack on Broadcast RC4. I. Mantin and A. Shamir. LNCS 2355, pp. 152-164, 2001.
  Main claim: $\Pr(z_2 = 0) \approx \frac{2}{N}$ (bias of the second byte).
  Two related claims:
  1. $\Pr(z_r = 0) \approx \frac{1}{N}$ at PRGA rounds $3 \le r \le 255$.
  2. $\Pr(z_r = 0 \mid j_r = 0) > \frac{1}{N}$ and $\Pr(z_r = 0 \mid j_r \ne 0) < \frac{1}{N}$ for $3 \le r \le 255$. These two biases, when combined, cancel each other to give no bias at $z_r = 0$ for rounds 3 to 255.


  11-12. Introduction: Contribution of this Work
  FSE 2011. Attack on Broadcast RC4 Revisited.
  1. Claim: $\Pr(z_r = 0) \approx \frac{1}{N}$ at PRGA rounds $3 \le r \le 255$. Our result: $\Pr(z_r = 0) \not\approx \frac{1}{N}$ for $3 \le r \le 255$, plus additional results exploiting the above bias.
  2. Claim: $\Pr(z_r = 0 \mid j_r = 0) > \frac{1}{N}$ and $\Pr(z_r = 0 \mid j_r \ne 0) < \frac{1}{N}$ for $3 \le r \le 255$; these two biases, when combined, cancel each other to give no bias at $z_r = 0$ for rounds 3 to 255. Our result: further investigation of the events and a careful analysis of the non-randomness of j.

  13. Our Result: Bias of Output Bytes (section divider)

  14. Our Result: Output bytes 3 to 255 are also biased to zero
  Theorem. For $3 \le r \le 255$, the probability that the r-th RC4 keystream byte is equal to 0 is
  $$\Pr(z_r = 0) \approx \frac{1}{N} + \frac{c_r}{N^2},$$
  where $c_r$ is given by
  $$c_r = \left[\left(\frac{N-1}{N}\right)^{r} + \left(\frac{N-1}{N}\right)^{N-r-1} - \left(\frac{N-1}{N}\right)^{N-1}\right] \cdot \left[\left(\frac{N-1}{N}\right)^{r-2} - \frac{1}{N-1}\right].$$


  15-16. Our Result: Motivation for Proof (our result)
  Proposition (Jenkins' Correlation). After the r-th ($r \ge 1$) round of the PRGA,
  $$\Pr(S_r[j_r] = i_r - z_r) = \Pr(S_r[i_r] = j_r - z_r) \approx \frac{2}{N}.$$
  Corollary. After the r-th ($r \ge 1$) round of the PRGA,
  $$\Pr(z_r = r - S_{r-1}[r]) \approx \frac{2}{N}.$$
  How about $\Pr(S_{r-1}[r] = r)$?


  17-18. Our Result: Mantin's Observation
  At the end of the KSA, for $0 \le u \le N-1$, $0 \le v \le N-1$,
  $$\Pr(S_0[u] = v) = \frac{1}{N}\left[\left(\frac{N-1}{N}\right)^{v} + \left(1 - \left(\frac{N-1}{N}\right)^{v}\right)\left(\frac{N-1}{N}\right)^{N-u-1}\right] \quad (v \le u),$$
  $$\Pr(S_0[u] = v) = \frac{1}{N}\left[\left(\frac{N-1}{N}\right)^{N-u-1} + \left(\frac{N-1}{N}\right)^{v}\right] \quad (v > u).$$
  Does this propagate to the PRGA?


  19-20. Our Result: Sketch of Proof (our result)
  - Mantin's observation: bias for $S_0[r] = r$.
  - $S_{r-1}[r] = r$ may happen in two ways:
    1. $S_0[r] = r$ and i, j never touch this cell;
    2. $S_0[r] \ne r$ but $S_{r-1}[r] = r$ occurs at random.
  Lemma. For $r \ge 3$, the probability that $S_{r-1}[r] = r$ is
  $$\Pr(S_{r-1}[r] = r) \approx \Pr(S_0[r] = r) \cdot \left[\left(\frac{N-1}{N}\right)^{r-1} - \frac{1}{N}\right] + \frac{1}{N}.$$


  21-22. Our Result: Sketch of the Proof (our result)
  $z_r = 0$ can be branched as follows:
  - $S_{r-1}[r] = r$ (lemma) and $z_r = r - S_{r-1}[r]$ (Jenkins);
  - $S_{r-1}[r] \ne r$ (lemma) and $z_r = 0$ (random).
  Hence the result:
  $$\Pr(z_r = 0) \approx \frac{1}{N} + \frac{c_r}{N^2} \quad\text{with}\quad c_r = \left[\left(\frac{N-1}{N}\right)^{r} + \left(\frac{N-1}{N}\right)^{N-r-1} - \left(\frac{N-1}{N}\right)^{N-1}\right] \cdot \left[\left(\frac{N-1}{N}\right)^{r-2} - \frac{1}{N-1}\right].$$
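  Carrying the proof sketch above through to the constant, as an added derivation that is not on the slides: the one extra assumption is that in the "random" branch, where $z_r \ne r - S_{r-1}[r]$, the output is uniform over the remaining $N-1$ values, so $\Pr(z_r = 0 \mid S_{r-1}[r] \ne r) = \frac{1}{N-1}\left(1 - \frac{2}{N}\right)$. Write $a = \frac{N-1}{N}$, $q_r = \Pr(S_0[r] = r)$ and $p_r = \Pr(S_{r-1}[r] = r)$; Mantin's observation with $u = v = r$ and the lemma give
  $$q_r = \frac{1}{N}\left(a^{r} + a^{N-r-1} - a^{N-1}\right), \qquad p_r = q_r\left(a^{r-1} - \frac{1}{N}\right) + \frac{1}{N}.$$
  Branching on $S_{r-1}[r]$ with Jenkins' correlation in the first branch:
  $$\Pr(z_r = 0) \approx p_r \cdot \frac{2}{N} + (1 - p_r)\cdot\frac{1}{N-1}\left(1 - \frac{2}{N}\right) = \frac{2 p_r (N-1) + (1 - p_r)(N-2)}{N(N-1)} = \frac{(N-2) + N p_r}{N(N-1)}.$$
  Separating the random-source term $\frac{1}{N}$:
  $$\Pr(z_r = 0) \approx \frac{1}{N} + \frac{N p_r - 1}{N(N-1)} = \frac{1}{N} + \frac{1}{N^2}\cdot\frac{N}{N-1}\left(N p_r - 1\right).$$
  From the lemma, $N p_r - 1 = N q_r\left(a^{r-1} - \frac{1}{N}\right)$, and since $\frac{N}{N-1}\,a^{r-1} = a^{r-2}$ and $\frac{N}{N-1}\cdot\frac{1}{N} = \frac{1}{N-1}$,
  $$c_r = \frac{N}{N-1}\cdot N q_r\left(a^{r-1} - \frac{1}{N}\right) = \left(a^{r} + a^{N-r-1} - a^{N-1}\right)\left(a^{r-2} - \frac{1}{N-1}\right),$$
  which is the constant of the theorem on slide 14; for $N = 256$ it evaluates to $c_3 \approx 0.9849$ and $c_{255} \approx 0.3676$, the values quoted on slide 23.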

  23. Our Result: Numerical Bound on $c_r$
  $$\max_{3 \le r \le 255} c_r = c_3 = 0.98490994 \quad\text{and}\quad \min_{3 \le r \le 255} c_r = c_{255} = 0.36757467,$$
  hence
  $$\frac{1}{N} + \frac{0.98490994}{N^2} \ \ge\ \Pr(z_r = 0)\ \ge\ \frac{1}{N} + \frac{0.36757467}{N^2}.$$

  24. Our Result: Experimental Verification
  - Number of trials = 1 billion
  - Key size = 16 bytes
  [Note: Sepehrdad et al (2010) do not cover these biases]
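  As an added example (not code from the slides or the paper), the KSA and PRGA of slides 4-5 in Python, including the swap step that the slides' j-update lines do not spell out, the constant $c_r$ of the theorem on slide 14, and a seeded Monte Carlo estimator over constructed random 16-byte keys. With a few ten thousand keys the estimator reproduces the Mantin-Shamir $z_2 = 0$ bias of about $2/N$; the $c_r/N^2$ bias of rounds 3 to 255 is roughly 256 times smaller and needs trial counts of the order the slide quotes, which is why the key count is a parameter.

```python
import random

N = 256  # size of the S-array (slide 3)


def ksa(key):
    """KSA (slide 4): j = j + S[i] + K[i] mod N, then swap S[i] and S[j].
    K is the key repeated to N bytes; the swap is the standard RC4 step."""
    S = list(range(N))
    j = 0
    for i in range(N):
        j = (j + S[i] + key[i % len(key)]) % N
        S[i], S[j] = S[j], S[i]
    return S  # this is S_0 in the slides' notation


def prga(S, nbytes):
    """PRGA (slide 5): i = i + 1, j = j + S[i], swap, Z = S[S[i] + S[j]]."""
    S = S[:]  # work on a copy so the caller's S_0 is left intact
    i = j = 0
    out = []
    for _ in range(nbytes):
        i = (i + 1) % N
        j = (j + S[i]) % N
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % N])
    return bytes(out)  # out[r - 1] is z_r


def keystream(key, nbytes):
    return prga(ksa(key), nbytes)


def c_r(r, n=N):
    """c_r from the theorem on slide 14: Pr(z_r = 0) ~ 1/N + c_r/N^2."""
    a = (n - 1) / n
    return (a**r + a**(n - r - 1) - a**(n - 1)) * (a**(r - 2) - 1 / (n - 1))


def estimate_zero_bias(r, keys, key_len=16, seed=1):
    """Monte Carlo estimate of Pr(z_r = 0) over `keys` random keys.
    Keys are constructed here from a seeded PRNG so runs are repeatable."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(keys):
        key = bytes(rng.randrange(N) for _ in range(key_len))
        if keystream(key, r)[r - 1] == 0:
            hits += 1
    return hits / keys


if __name__ == "__main__":
    print("c_3 = %.8f, c_255 = %.8f" % (c_r(3), c_r(255)))
    print("Pr(z_2 = 0) estimate: %.5f (2/N = %.5f)"
          % (estimate_zero_bias(2, 30000), 2 / N))
```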

  25. Our Result: Applications of the Biases Discovered (section divider)


  26-27. Our Result: Appl. 1: A Class of New Distinguishers
  If an event E occurs in X with probability p and in Y with probability $p(1+\epsilon)$, this implies a possible distinguisher with $O(p^{-1}\epsilon^{-2})$ required samples.
  In case of our E: $z_r = 0$ for $3 \le r \le 255$,
  - Random source: $p = \frac{1}{N}$
  - RC4 keystream: $p(1+\epsilon) = \frac{1}{N}\left(1 + \frac{c_r}{N}\right)$
  We get 253 new distinguishers, each requiring $O(N^3)$ samples!
  [Note: the Mantin & Shamir (2001) distinguisher is much stronger]

  28. Our Result: Appl. 2: Guessing State Information
  Idea: guess $S_{r-1}[r] = r$ using the output information $z_r = 0$.
  $$\Pr(S_{r-1}[r] = r \mid z_r = 0) = \frac{\Pr(S_{r-1}[r] = r) \cdot \Pr(z_r = 0 \mid S_{r-1}[r] = r)}{\Pr(z_r = 0)} \ \ge\ \frac{N + c_r N - c_r}{N^2} \cdot \frac{2}{N} \cdot \left[\frac{1}{N}\left(1 + \frac{c_r}{N}\right)\right]^{-1} \approx \frac{2(1 + c_r)}{N}.$$

  29. Our Result: Appl. 3: Attack on RC4 Broadcast Scheme
  Situation: a message M is broadcast to k parties (with random keys).
  Attack: reliably extract byte(s) of M from the k ciphertexts.
