how to operationally detect the misuse of stream ciphers
play

How to Operationally Detect the Misuse of Stream Ciphers (and even - PowerPoint PPT Presentation

Feb 19, 2023 •167 likes •808 views

Introduction Cryptology Basics Detection Cryptanalysis The Word Case The Excel Case Conclusion How to Operationally Detect the Misuse of Stream Ciphers (and even Block Ciphers Sometimes) and Break them Eric Filiol, filiol@esiea.fr ESIEA -

  1. Introduction Cryptology Basics Detection Cryptanalysis The Word Case The Excel Case Conclusion How to Operationally Detect the Misuse of Stream Ciphers (and even Block Ciphers Sometimes) and Break them Eric Filiol, filiol@esiea.fr ESIEA - Laval Operational Cryptology and Virology Lab ( C + V ) O http://www.esiea-recherche.eu/ Black Hat Europe 2010 E. Filiol (Esiea - ( C + V ) O lab) Black Hat Europe 2010 1 / 64

  2. Introduction Cryptology Basics Detection Cryptanalysis The Word Case The Excel Case Conclusion Theoretical Crypto vs Real Crypto Secret key size is very often considered as a “key” security feature. Blind faith in cryptographic design. “AES-256 inside” marketing syndrom. Necessary but not sufficient condition. But what about implementation flaws ? Worse, what about intended trapdoors ? What about cryptographic misuses ? Crypto has been deregulated but users never educated. Confidence in cryptographic software can turn against users. Stream ciphers are still mainly used for sensitive traffics (e.g. perfect secrecy of Vernam ciphers). What is the impact of key misuses or encryption algorithm (e.g. message key generator module) partial failure ? E. Filiol (Esiea - ( C + V ) O lab) Black Hat Europe 2010 2 / 64

  3. Introduction Cryptology Basics Detection Cryptanalysis The Word Case The Excel Case Conclusion What are the Issues ? Dual issues of security. On the user’s side, the aim is to detect implementation flaws or trapdoors, without performing reverse-engineering (hard or soft) because it is horribly time-consuming and illegal ! On the attacker’s side, the aim is to detect and break any weak traffic, under the assumption that the cryptographic algorithm can be/remain unknown (e.g. satellite communications) ! This talk presents an operational solution to all these issues. Method developped by the author in 1994. E. Filiol (Esiea - ( C + V ) O lab) Black Hat Europe 2010 3 / 64

  4. Introduction Cryptology Basics Detection Cryptanalysis The Word Case The Excel Case Conclusion Existing Works NSA Venona Project (1943 - 1980) to break the Soviet telex traffic. Revealed by Peter Wright in 1987. The method and ciphertexts still classified nowadays. E. Dawson & L. Nielsen (1996). Very empiric study. Detection is not addressed. J. Mason & al. (2006). Detection is not addressed. Very limited scope (file type must be known) and approach. Complex method (HMM-based). Really implemented ? E. Filiol (Esiea - ( C + V ) O lab) Black Hat Europe 2010 4 / 64

  5. Introduction Cryptology Basics Detection Cryptanalysis The Word Case The Excel Case Conclusion Summary of the talk 1 Introduction 5 The Word Case 2 Cryptology Basics Introduction Encryption Office Encryption Stream/Block Ciphers Attacking RC4 Word Problem Formalization Encryption Detection Experimental Results 3 General Description The Excel Case 6 Detecting Parallel Texts Excel Specific Features Cryptanalysis Detecting Excel Parallel 4 Modelling the language Files Cryptanalysis general Excel Cryptanalysis algorithm Conclusion 7 Critical parameters and optimizations E. Filiol (Esiea - ( C + V ) O lab) Black Hat Europe 2010 5 / 64

  6. Introduction Cryptology Basics Detection Cryptanalysis The Word Case The Excel Case Conclusion Encryption Summary of the talk Introduction The Word Case 1 5 Cryptology Basics The Excel Case 2 6 Encryption Stream/Block Ciphers Conclusion 7 Problem Formalization 3 Detection 4 Cryptanalysis E. Filiol (Esiea - ( C + V ) O lab) Black Hat Europe 2010 6 / 64

  7. Introduction Cryptology Basics Detection Cryptanalysis The Word Case The Excel Case Conclusion Encryption Encryption To protect confidentiality of data → use symmetric encryption. Stream ciphers .- Bits (or bytes) are enciphered/deciphered on-the-fly. They offer the highest encryption speed. They are transmission error-resilient. Mainly used in telecommunication encryption, telephony encryption... Block ciphers .- Data are first split into blocks (usually 128-bit blocks). Output blocks (plaintext, respectively ciphertext) are produced from both the same secret key and the input block (ciphertext, respectively plaintext). They are not transmission error-resilient except in OFB mode. E. Filiol (Esiea - ( C + V ) O lab) Black Hat Europe 2010 7 / 64

  8. Introduction Cryptology Basics Detection Cryptanalysis The Word Case The Excel Case Conclusion Stream/Block Ciphers Stream Ciphers A truly random (Vernam ciphers) or a pseudo-random sequence (finite-state cryptosystems) σ is bitwise combined to the text. The sequence σ is as long as the text C i = σ i ⊕ P i where C i , σ i and P i are the ciphertext, pseudo-random and plaintext sequences respectively. In Vernam ciphers, σ is produced by hardware methods. The key is duplicated before use. Any reuse of the key, even with a phase τ ( σ ′ = σ i + τ ) has a dramatic impact on the expected perfect secrecy (see white paper). E. Filiol (Esiea - ( C + V ) O lab) Black Hat Europe 2010 8 / 64

  9. Introduction Cryptology Basics Detection Cryptanalysis The Word Case The Excel Case Conclusion Stream/Block Ciphers Stream Ciphers (2) For pseudo-random ciphers σ is produced by expanding a limited-size secret key by means of a finite-state algorithm σ = E ( K, K P ) where K P is a session or message key produced by the cryptosystem internals (message key generator module, software...). Strong requirement : the pair ( K, K P ) must never be reused (derived from the Shannon’s perfect secrecy). Most famous stream ciphers : E0 ( Bluetooth ), RC4, A5/1. Most stream ciphers are proprietary algorithms and thus are not public. E. Filiol (Esiea - ( C + V ) O lab) Black Hat Europe 2010 9 / 64

  10. Introduction Cryptology Basics Detection Cryptanalysis The Word Case The Excel Case Conclusion Stream/Block Ciphers Block Ciphers The reuse of the key from block to block is supposed to have no impact on the overall security ∗ . Block ciphers in output feedback mode (OFB) emulate stream ciphers. The secret key is the block s 0 and the pseudo-running sequence is made of blocks s 1 , s 2 , s 3 . . . Block ciphers in OFB mode are fully equivalent to stream ciphers. E. Filiol (Esiea - ( C + V ) O lab) Black Hat Europe 2010 10 / 64

  11. Introduction Cryptology Basics Detection Cryptanalysis The Word Case The Excel Case Conclusion Problem Formalization Problem Formalization Definition Two (or more) ciphertexts are said parallel if they are produced from the same running key produced either by a stream cipher (Vernam cipher or finite state machine) or by a block cipher in OFB mode. If ciphertexts c 1 , c 2 . . . c k are parallel, the parallelism depth is k . We have C 1 = M 1 ⊕ σ and C 2 = M 2 ⊕ σ. Two issues to solve : Detection issue .- Among a huge number of ciphertexts, how to detect 1 the different groups of parallel messages ? Cryptanalysis issue .- Once parallel messages have been detected, how 2 to break the encryption and recover the plaintexts ? E. Filiol (Esiea - ( C + V ) O lab) Black Hat Europe 2010 11 / 64

  12. Introduction Cryptology Basics Detection Cryptanalysis The Word Case The Excel Case Conclusion Problem Formalization Operational Requirements We do not care about the underlying cryptosystem (stream cipher or block cipher in OFB mode). The system can remain totally unknown. Consequently we do not care about the secret key used either. We do not need to perform a preliminary key recovery step. ⇒ key-independent cryptanalysis The cryptanalysis must be performed in polynomial time (e.g. within a reasonable amount of time). The parallelism depth must be at least equal to 2. E. Filiol (Esiea - ( C + V ) O lab) Black Hat Europe 2010 12 / 64

  13. Introduction Cryptology Basics Detection Cryptanalysis The Word Case The Excel Case Conclusion General Description Summary of the talk Introduction The Word Case 1 5 2 Cryptology Basics 6 The Excel Case 3 Detection 7 Conclusion General Description Detecting Parallel Texts Cryptanalysis 4 E. Filiol (Esiea - ( C + V ) O lab) Black Hat Europe 2010 13 / 64

  14. Introduction Cryptology Basics Detection Cryptanalysis The Word Case The Excel Case Conclusion General Description Weakness of Parallel Ciphertexts Let us consider two parallel ciphertexts c 1 = c 0 1 , c 1 1 , c 2 1 , c 3 1 . . . and c 2 = c 0 2 , c 1 2 , c 2 2 , c 3 2 . . . . Since they are parallel, they are enciphered with the same (pseudo-)running sequence σ = σ 0 , σ 1 , σ 2 , σ 3 . . . Let be m 1 = m 0 1 , m 1 1 , m 2 1 , m 3 1 . . . and m 2 = m 0 2 , m 1 2 , m 2 2 , m 3 2 . . . the corresponding plaintexts. We have i = σ j ⊕ p j c j for all i = 1 , 2 and j ≤ N i where N is the size of the common parts of c 1 and c 2 . E. Filiol (Esiea - ( C + V ) O lab) Black Hat Europe 2010 14 / 64

  15. Introduction Cryptology Basics Detection Cryptanalysis The Word Case The Excel Case Conclusion General Description Weakness of Parallel Ciphertexts (2) Let us bitwise xor the two encrypted texts c 1 and c 2 . Then we have : 1 ⊕ σ j ⊕ p j c j 1 ⊕ c j 2 = p j 2 ⊕ σ j for all j ≤ N Then, we have a quantity which no longer depends on the (pseudo-)running sequence : c j 1 ⊕ c j 2 = p j 1 ⊕ p j for all j ≤ N 2 Since it is the bitwise xor of two plaintexts, they have a very particular statistical profile. E. Filiol (Esiea - ( C + V ) O lab) Black Hat Europe 2010 15 / 64

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Stream Ciphers Stream Ciphers 1 Stream Ciphers Generalization of one-time pad Trade

Stream Ciphers Stream Ciphers 1 Stream Ciphers Generalization of one-time pad Trade

Stream Ciphers Stream Ciphers 1 Stream Ciphers Generalization of one-time pad Trade provable security for practicality Stream cipher is initialized with short key Key is stretched into long keystream Keystream is used like

512 views • 35 slides
B.e) Stream Ciphers W. Schindler: Cryptography, B-IT, winter 2006 / 2007 2 B.125 Stream Ciphers

B.e) Stream Ciphers W. Schindler: Cryptography, B-IT, winter 2006 / 2007 2 B.125 Stream Ciphers

1 B.e) Stream Ciphers W. Schindler: Cryptography, B-IT, winter 2006 / 2007 2 B.125 Stream Ciphers Normally, stream ciphers are symmetric algorithms with encryption = decryption In this course we only consider symmetric stream ciphers.

828 views • 44 slides
Stream Ciphers and Coding Theory Tor Helleseth University of Bergen Norway Outline Stream

Stream Ciphers and Coding Theory Tor Helleseth University of Bergen Norway Outline Stream

Stream Ciphers and Coding Theory Tor Helleseth University of Bergen Norway Outline Stream ciphers Building blocks in stream ciphers m-sequences Clock-control registers / Nonlinear combiner / Filter generator Correlation

666 views • 39 slides
Block Ciphers Eli Biham - May 3, 2005 c 83 Block Ciphers (4) Block Ciphers and Stream

Block Ciphers Eli Biham - May 3, 2005 c 83 Block Ciphers (4) Block Ciphers and Stream

Block Ciphers Eli Biham - May 3, 2005 c 83 Block Ciphers (4) Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length blocks M = M 1 M 2 . . . M N . Then, each block M i is encrypted to the

1.11k views • 63 slides
Secret Key: stream ciphers & block ciphers Stream Ciphers Idea: try to simulate one-time pad

Secret Key: stream ciphers & block ciphers Stream Ciphers Idea: try to simulate one-time pad

Secret Key: stream ciphers & block ciphers Stream Ciphers Idea: try to simulate one-time pad define a secret key (seed) Using the seed generates a byte stream ( Keystream): i-th byte is function only of the key

822 views • 69 slides
Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22

Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22

Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22 Overview What is a stream cipher? Classification of attacks Different Attacks Exhaustive Key Search Time Memory Tradeoffs

656 views • 22 slides
Recent Results on Stream Ciphers Willi Meier 1 / 47 Overview - Stream Ciphers with Small State

Recent Results on Stream Ciphers Willi Meier 1 / 47 Overview - Stream Ciphers with Small State

ASK 2018, ISI Kolkata November 13, 2018 Recent Results on Stream Ciphers Willi Meier 1 / 47 Overview - Stream Ciphers with Small State - A generic TMD tradeoff distinguisher - High-order differentials - Cryptanalysis with division property

944 views • 47 slides
T-79.159 Cryptography and Data Security Lecture 4: 4.1 Stream ciphers 4.2 Block cipher

T-79.159 Cryptography and Data Security Lecture 4: 4.1 Stream ciphers 4.2 Block cipher

T-79.159 Cryptography and Data Security Lecture 4: 4.1 Stream ciphers 4.2 Block cipher confidentiality modes of operation Kaufman et al: Ch 4 Stallings: Ch 6, Ch 3 1 Stream ciphers Stream ciphers are generally faster than block

535 views • 12 slides
B) Symmetric Ciphers B.a) Fundamentals B.b) Block Ciphers B.c) Stream Ciphers 2 B.a)

B) Symmetric Ciphers B.a) Fundamentals B.b) Block Ciphers B.c) Stream Ciphers 2 B.a)

1 B) Symmetric Ciphers B.a) Fundamentals B.b) Block Ciphers B.c) Stream Ciphers 2 B.a) Fundamentals 3 B.1 Definition A mapping Enc: P K C for which k := Enc( ,k): P C is bijective for each k K is called an

1.1k views • 32 slides
Pseudo-Random Numbers and Stream PRNG+Block Ciphers Stream Ciphers RC4 CSS441: Security and

Pseudo-Random Numbers and Stream PRNG+Block Ciphers Stream Ciphers RC4 CSS441: Security and

CSS441 Random Numbers Principles PRNGs Pseudo-Random Numbers and Stream PRNG+Block Ciphers Stream Ciphers RC4 CSS441: Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by Steven

460 views • 24 slides
Feedback shift register based stream ciphers Thomas Johansson, Lund University, Lund, Sweden

Feedback shift register based stream ciphers Thomas Johansson, Lund University, Lund, Sweden

Feedback shift register based stream ciphers Thomas Johansson, Lund University, Lund, Sweden 5/15/2007 1 CONTENTS Efficient encryption and possible solutions Stream ciphers Basic security analysis of stream ciphers LFSR sequences Design

497 views • 45 slides
Objectives Non-linear feedback shift registers Stream ciphers using LFSRs: Non-linear

Objectives Non-linear feedback shift registers Stream ciphers using LFSRs: Non-linear

Stream Ciphers (contd.) Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Non-linear feedback shift registers Stream ciphers using

445 views • 13 slides
Objectives Classifications Feedback Based Stream Ciphers Linear Feedback Shift

Objectives Classifications Feedback Based Stream Ciphers Linear Feedback Shift

Stream Ciphers Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Classifications Feedback Based Stream Ciphers Linear Feedback

263 views • 15 slides
Symmetric Key Crypto, Part 1 Prof. Tom Austin San Jos State University Stream Ciphers &

Symmetric Key Crypto, Part 1 Prof. Tom Austin San Jos State University Stream Ciphers &

CS 166: Information Security Symmetric Key Crypto, Part 1 Prof. Tom Austin San Jos State University Stream Ciphers & Block Ciphers Stream ciphers based on the one-time pad Block ciphers based on codebook ciphers Symmetric

650 views • 52 slides
Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length

Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length

Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length blocks M = M 1 M 2 . . . M N . Then, each block M i is encrypted to the ciphertext block C i = E K ( M i ), and the results are concatenated to the

334 views • 8 slides
Block ciphers, stream ciphers (start on:) Asymmetric cryptography CS 161: Computer Security Prof.

Block ciphers, stream ciphers (start on:) Asymmetric cryptography CS 161: Computer Security Prof.

Block ciphers, stream ciphers (start on:) Asymmetric cryptography CS 161: Computer Security Prof. Raluca Ada Popa Jan 31, 2018 Announcements Project 1 is out, due Feb 14 midnight Recall: Block cipher A function E : {0, 1} k {0, 1} n

553 views • 32 slides
Chapter 3: Block Ciphers and the Data Encryption Standard Dr. Loai Tawalbeh Computer

Chapter 3: Block Ciphers and the Data Encryption Standard Dr. Loai Tawalbeh Computer

CPE 542: CRYPTOGRAPHY & NETWORK SECURITY Chapter 3: Block Ciphers and the Data Encryption Standard Dr. Loai Tawalbeh Computer Engineering Department Jordan University of Science and Technology Jordan Dr. Loai Tawalbeh Fall 2005

339 views • 23 slides
Fully Automated Differential Fault Analysis on Software Implementations of Block Ciphers Xiaolu

Fully Automated Differential Fault Analysis on Software Implementations of Block Ciphers Xiaolu

Fully Automated Differential Fault Analysis on Software Implementations of Block Ciphers Xiaolu Hou 1 , Jakub Breier 2 , Fuyuan Zhang 3 , and Yang Liu 2 1 National University of Singapore, Singapore 2 HP-NTU Digital Manufacturing Corporate Lab,

513 views • 26 slides
Cryptography and Cryptography and Network Security Network Security Chapter Chapter 3 3

Cryptography and Cryptography and Network Security Network Security Chapter Chapter 3 3

Cryptography and Cryptography and Network Security Network Security Chapter Chapter 3 3 Fourth Edition Fourth Edition by William Stallings by William Stallings Lecture slides by Lecture slides by Lawrie Lawrie Brown Brown Modern Block

1.07k views • 43 slides
BLOCK CIPHERS 1 / 1 Permutations and Inverses A function f : { 0 , 1 } { 0 , 1 } is a

BLOCK CIPHERS 1 / 1 Permutations and Inverses A function f : { 0 , 1 } { 0 , 1 } is a

BLOCK CIPHERS 1 / 1 Permutations and Inverses A function f : { 0 , 1 } { 0 , 1 } is a permutation if there is an inverse function f 1 : { 0 , 1 } { 0 , 1 } satisfying x { 0 , 1 } : f 1 ( f ( x )) = x

1.05k views • 62 slides
Structural attacks on block ciphers Sondre Rnjom NSM/UiB September 2, 2017 1 Preliminaries 2

Structural attacks on block ciphers Sondre Rnjom NSM/UiB September 2, 2017 1 Preliminaries 2

Structural attacks on block ciphers Sondre Rnjom NSM/UiB September 2, 2017 1 Preliminaries 2 Subspaces in block ciphers 3 From subspace trails to invariant subspaces in Simpira 4 Zero-di ff erence cryptanalysis of AES Preliminaries Block

2.18k views • 146 slides
Counter-in-Tweak: Authenticated Encryption Modes for Tweakable Block Ciphers Thomas Peyrin 1

Counter-in-Tweak: Authenticated Encryption Modes for Tweakable Block Ciphers Thomas Peyrin 1

TBCs and AE NSIV Generic Composition EPWC MAC CTRT Encryption Conclusion Counter-in-Tweak: Authenticated Encryption Modes for Tweakable Block Ciphers Thomas Peyrin 1 Yannick Seurin 2 1 NTU, Singapore 2 ANSSI, France August 15, 2016

1.29k views • 102 slides
1 X.800 Security Services X.800 Security Services X.800 Security Services Data integrity

1 X.800 Security Services X.800 Security Services X.800 Security Services Data integrity

Course Overview Course Requirements EECS 498-7/8 Cryptography and Network Security: www.citi.umich.edu/u/honey/security Principles and Practice (Third Edition) Computer Security Monday & Friday, 9:00 10:30 William Stallings

670 views • 19 slides
The 128-bit Blockcipher CLEFIA Taizo Shirai 1 , Kyoji Shibutani 1 , Toru Akishita 1 Shiho

The 128-bit Blockcipher CLEFIA Taizo Shirai 1 , Kyoji Shibutani 1 , Toru Akishita 1 Shiho

The 128-bit Blockcipher CLEFIA Taizo Shirai 1 , Kyoji Shibutani 1 , Toru Akishita 1 Shiho Moriai 1 , Tetsu Iwata 2 1 Sony Corporation 2 Nagoya University Direction for designing a new blockcipher Priority for Choosing an algorithm 1.

464 views • 19 slides

More recommend