Stream Cipher - PowerPoint PPT Presentation (Eike Ritter, Cryptography 2013/14)



SLIDE 1

Stream Cipher

The one-time pad is secure, however the key is as long as the message. We obtain an efficient cipher if we replace the key with a sequence which behaves like a sequence of random numbers. Algorithms which produce pseudo-random strings are called pseudo-random generators. They use a seed (a short random number) and produce a keystream.

(Diagram: Key/Seed -> Pseudo-random generator -> Keystream; Plaintext combined (XORed) with Keystream -> Ciphertext)

Eike Ritter Cryptography 2013/14 75

SLIDE 2

Sources of randomness

Thermal noise in various electric circuits
Radioactive decay
Atmospheric noise
Measurement of the times between user key-strokes
Time needed to access different sectors on a hard-disk drive (the air turbulence caused by the spinning disk is supposed to be random)


SLIDE 3

RC4

Stream cipher invented in 1987 by Ron Rivest. Consists of two phases: an initialisation phase (key schedule) and a keystream generation phase. The main data structure is an array S of 256 bytes.


SLIDE 4

Initialisation

    for i := 0 to 255 do
        S[i] := i
    end
    j := 0
    for i := 0 to 255 do
        j := (j + S[i] + K[i mod keylength]) mod 256
        swap(S[i], S[j])
    end


SLIDE 5

Keystream generation

    i := 0
    j := 0
    while GeneratingOutput:
        i := (i + 1) mod 256
        j := (j + S[i]) mod 256
        swap(S[i], S[j])
        output S[(S[i] + S[j]) mod 256]
    end


SLIDE 6

Graphical representation

(Diagram of one RC4 keystream generation step. Source: Wikipedia)

SLIDE 7

LFSR

Linear Feedback Shift Register: a building block for many modern stream ciphers. Can be implemented very efficiently. Key idea: have a register of single-bit cells, shifted by one at every clock cycle, together with a feedback function.

(Diagram of an LFSR. Source: Wikipedia)

SLIDE 8

Example:

(Example LFSR diagram. Source: Wikipedia)

SLIDE 9

Reasoning about LFSRs

Interesting property: the length of the keystream period. Reasoning works as follows:
Have state vector s = [s_1, ..., s_n] for a shift register with n cells
Have connection polynomial c(x) = c_n x^n + ... + c_1 x + 1, where c_i is 1 if the ith cell of s is used for feedback and 0 if not
Have the matrix

$$M = \begin{pmatrix} c_1 & c_2 & \cdots & c_{n-1} & c_n \\ 1 & 0 & \cdots & 0 & 0 \\ 0 & 1 & \cdots & 0 & 0 \\ \vdots & & \ddots & & \vdots \\ 0 & 0 & \cdots & 1 & 0 \end{pmatrix}$$

Next state vector given by M · s.


SLIDE 10

Combining LFSRs

LFSRs on their own are insecure in practice (the connection polynomial can be computed fairly efficiently from a short stretch of keystream). Hence multiple LFSRs are combined in a non-linear fashion.

(Diagram of a non-linear combination of LFSRs. Source: Wikipedia)
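The state-vector view of slide 9 and the weakness of slide 10, as an added example (not the lecture's code): the register is advanced with the companion matrix M of its connection polynomial, the keystream period is measured directly, and the taps c_1..c_n are recovered from 2n keystream bits by Gaussian elimination over GF(2). The polynomials and the seed are constructed for the example.

```python
"""LFSR as a state vector s = [s_1, ..., s_n] advanced by the companion
matrix M of the connection polynomial c(x) = c_n x^n + ... + c_1 x + 1,
the keystream period, and the reason a lone LFSR is insecure: 2n output
bits determine the taps c_1..c_n by solving n linear equations over GF(2).
Added example; the polynomials and seed below are constructed."""


def step_matrix(c):
    """Companion matrix M for taps c = [c_1, ..., c_n]: row 0 holds the
    taps (feedback into s_1), rows 1..n-1 shift each cell down by one."""
    n = len(c)
    M = [[0] * n for _ in range(n)]
    M[0] = list(c)
    for r in range(1, n):
        M[r][r - 1] = 1
    return M


def next_state(M, s):
    """s' = M . s over GF(2): s'_1 = sum_i c_i s_i, s'_k = s_{k-1} for k > 1."""
    return [sum(m * x for m, x in zip(row, s)) % 2 for row in M]


def lfsr_bits(c, seed, count):
    """Keystream: emit the last cell s_n, then clock the register."""
    M = step_matrix(c)
    s, out = list(seed), []
    for _ in range(count):
        out.append(s[-1])
        s = next_state(M, s)
    return out


def period(c, seed):
    """Clocks until the state vector returns to the seed (keystream period).
    A primitive c(x) gives 2^n - 1 for every non-zero seed."""
    M = step_matrix(c)
    s, k = next_state(M, seed), 1
    while s != list(seed):
        s, k = next_state(M, s), k + 1
    return k


def solve_gf2(rows, n):
    """Gauss-Jordan elimination over GF(2) on augmented rows [a_1..a_n | b].
    Returns [x_1..x_n], or None if the system is singular."""
    rows = [r[:] for r in rows]
    for col in range(n):
        piv = next((k for k in range(col, len(rows)) if rows[k][col]), None)
        if piv is None:
            return None
        rows[col], rows[piv] = rows[piv], rows[col]
        for k in range(len(rows)):
            if k != col and rows[k][col]:
                rows[k] = [x ^ y for x, y in zip(rows[k], rows[col])]
    return [rows[i][n] for i in range(n)]


def recover_taps(bits, n):
    """The output satisfies a_t = c_1 a_{t-1} + ... + c_n a_{t-n} (mod 2),
    so any 2n consecutive keystream bits give n equations in the n taps."""
    rows = [[bits[t - i] for i in range(1, n + 1)] + [bits[t]]
            for t in range(n, 2 * n)]
    return solve_gf2(rows, n)


# Constructed 4-bit examples (c = [c_1, c_2, c_3, c_4]):
PRIMITIVE = [0, 0, 1, 1]   # x^4 + x^3 + 1, primitive: period 15
REDUCIBLE = [0, 1, 0, 1]   # x^4 + x^2 + 1 = (x^2 + x + 1)^2: period 6 from SEED
SEED = [1, 0, 0, 0]

if __name__ == "__main__":
    print("period x^4+x^3+1:", period(PRIMITIVE, SEED))
    print("period x^4+x^2+1:", period(REDUCIBLE, SEED))
    bits = lfsr_bits(PRIMITIVE, SEED, 8)
    print("8 keystream bits", bits, "-> taps", recover_taps(bits, 4))
```

The recovery needs only 2n consecutive keystream bits from anywhere in the stream, which is why a bare LFSR, however long its period, gives no secrecy once that much known plaintext is available.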

SLIDE 11

Keys for stream ciphers must not be reused. Formally, RC4 and LFSR-based keystream generators as presented are deterministic and so do not satisfy IND-CPA security. Carefully used initialisation vectors or nonces are needed to obtain IND-CPA.
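What key reuse costs in practice, as an added example (not the lecture's code): two ciphertexts produced under the same keystream XOR to the XOR of the plaintexts, so one known plaintext reveals the other, and even a guessed word can be dragged along the XOR to find where it sits. The keystream here is seeded PRNG output standing in for any stream cipher; the messages and the crib are constructed.

```python
"""Why a stream-cipher key (key plus IV/nonce) must never be reused: two
ciphertexts under the same keystream XOR to m1 ^ m2, and from there one
plaintext, or a guessed word, reveals the other.  Added example, not from
the slides.  The keystream is seeded PRNG output standing in for any stream
cipher output; messages and crib are constructed."""
import random


def xor(a, b):
    """Bytewise XOR, truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def two_time_pad_leak(c1, c2):
    """c1 ^ c2 = (m1 ^ k) ^ (m2 ^ k) = m1 ^ m2: the keystream cancels out."""
    return xor(c1, c2)


def recover_other_plaintext(c1, c2, m1):
    """Known m1 hands over m2 on every position where the messages overlap."""
    return xor(two_time_pad_leak(c1, c2), m1)


def crib_drag(c1, c2, crib):
    """Slide a guessed word across m1 ^ m2.  Offsets where XORing it back
    yields printable text are places the crib occurs in one message, and the
    text obtained is the other message's content at that offset."""
    leak = two_time_pad_leak(c1, c2)
    hits = []
    for off in range(len(leak) - len(crib) + 1):
        guess = xor(leak[off:off + len(crib)], crib)
        if all(32 <= b < 127 for b in guess):
            hits.append((off, guess.decode("ascii")))
    return hits


# Constructed scenario: one keystream reused for two messages.
_rng = random.Random(2013)
KEYSTREAM = bytes(_rng.getrandbits(8) for _ in range(40))
M1 = b"meet me at the old bridge at nine"
M2 = b"the password for the vault is 4711"
C1 = xor(M1, KEYSTREAM)
C2 = xor(M2, KEYSTREAM)

if __name__ == "__main__":
    print(recover_other_plaintext(C1, C2, M1))
    for off, text in crib_drag(C1, C2, b"password"):
        print(f"crib fits at offset {off}; other message reads {text!r}")
```

Crib dragging produces some false positives (random bytes that happen to be printable), so in practice each hit is extended with further guesses until a consistent pair of messages emerges; the point is that the cipher itself no longer stands in the way.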


SLIDE 12

WEP

Old standard for encryption on wireless networks, based on RC4, but seriously broken: don't use it.

(WEP diagram. Source: Wikipedia)

SLIDE 13

Weaknesses in WEP

The initialisation vector is only 24 bits, hence keys repeat after at most 2^24 frames
With certain initialisation vectors, knowing m bytes of the key and the keystream means you can deduce byte m + 1 of the key
The first bytes of the keystream are known because standard headers are always sent
With this method the key can be cracked in minutes on modern PC hardware
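RC4 as given on slides 4 and 5, followed by the byte-by-byte key recovery that slide 13 describes (the FMS related-key attack), simulated end to end as an added example; this is not the lecture's code. WEP forms the per-frame key as IV || secret; for IVs of the form (A+3, 255, X) the first keystream byte leaks secret byte A with probability about 5%, and that byte is known because every frame starts with the same header. The RC4 test vectors are the published ones; the 40-bit secret key, the captured IV set and the handful of ordinary frames used to confirm a candidate key are constructed for the simulation.

```python
"""RC4 as on slides 4 and 5, then the related-key attack of slide 13 (FMS)
simulated end to end.  WEP builds the per-frame key as IV || secret; for IVs
of the form (A+3, 255, X) the first keystream byte leaks secret byte A with
probability about 5%, and that byte is known from the fixed frame header.
Added example, not the lecture's code: RC4 test vectors are the published
ones; the 40-bit secret key and the captured IV set are constructed here."""
from collections import Counter

N = 256


def rc4_ksa(key):
    """Initialisation (slide 4): permute S = [0..255] under the key bytes."""
    S = list(range(N))
    j = 0
    for i in range(N):
        j = (j + S[i] + key[i % len(key)]) % N
        S[i], S[j] = S[j], S[i]
    return S


def rc4_keystream(key, count):
    """Keystream generation (slide 5): the next `count` output bytes."""
    S = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for _ in range(count):
        i = (i + 1) % N
        j = (j + S[i]) % N
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % N])
    return bytes(out)


def rc4_crypt(key, data):
    """Encryption and decryption are the same XOR with the keystream."""
    return bytes(a ^ b for a, b in zip(data, rc4_keystream(key, len(data))))


def fms_votes(known, A, samples):
    """Votes for secret byte A, given known = secret[:A] and
    samples = {iv: first keystream byte}.  Replay the A+3 KSA steps we can
    reproduce; if the state is resolved (S[1] + S[S[1]] == A+3, S[1] < A+3)
    then with probability ~5% the first output byte is the value that step
    A+3 swaps into S[A+3], which pins down key byte A+3 = secret[A]."""
    votes = Counter()
    for iv, out in samples.items():
        key = iv + known
        S = list(range(N))
        j = 0
        for i in range(A + 3):
            j = (j + S[i] + key[i]) % N
            S[i], S[j] = S[j], S[i]
        x = S[1]
        if x < A + 3 and (x + S[x]) % N == A + 3:
            votes[(S.index(out) - j - S[A + 3]) % N] += 1
    return votes


def fms_recover(samples_by_A, keylen, check, width=4):
    """Recover the secret byte by byte.  Votes are noisy, so branch over the
    `width` best candidates per byte and accept a full key only if it
    reproduces the first keystream byte of the ordinary frames in `check`."""
    def verified(secret):
        return all(rc4_keystream(iv + secret, 1)[0] == b for iv, b in check.items())

    def extend(known):
        A = len(known)
        if A == keylen:
            return known if verified(known) else None
        for cand, _ in fms_votes(known, A, samples_by_A[A]).most_common(width):
            hit = extend(known + bytes([cand]))
            if hit is not None:
                return hit
        return None

    return extend(b"")


def simulate_capture(secret):
    """Constructed capture: for each byte index A, every weak IV (A+3, 255, X)
    together with the first keystream byte of RC4(IV || secret)."""
    per_A = []
    for A in range(len(secret)):
        ivs = [bytes([A + 3, 255, x]) for x in range(N)]
        per_A.append({iv: rc4_keystream(iv + secret, 1)[0] for iv in ivs})
    return per_A


SECRET = bytes.fromhex("1f8b3ce2a4")   # constructed 40-bit WEP secret key


def attack_demo():
    """Run the attack against the simulated capture; returns the key found."""
    captured = simulate_capture(SECRET)
    ordinary = [bytes([a, 0x7F, a ^ 0x55]) for a in range(8)]   # non-weak IVs
    check = {iv: rc4_keystream(iv + SECRET, 1)[0] for iv in ordinary}
    return fms_recover(captured, len(SECRET), check)


if __name__ == "__main__":
    print(rc4_crypt(b"Key", b"Plaintext").hex())        # bbf316e8d940af0ad3
    print("recovered WEP key:", attack_demo().hex())
```

The branching in fms_recover is the same idea as the "fudge factor" of real WEP crackers: a wrong byte early on makes every later vote meaningless, so candidates are tried in vote order and a full key is only accepted once it reproduces keystream from frames that played no part in the voting.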


SLIDE 14

CSS

CSS is used to encrypt DVDs for copy protection. The following steps are taken:
Check whether the region code and the code on the DVD match
Use player keys to extract the disk key from the DVD
Use the disk key to extract the title key for the track
Use the title key to extract, for each sector, a sector key, which is used to decrypt the sector


SLIDE 15

Sector encryption is a combination of two LFSRs whose outputs are added modulo 256

(Diagram: seed 1||K0||K1 -> 17-bit LFSR; seed 1||K2||K3||K4 -> 25-bit LFSR; the two outputs are added modulo 256 to give an 8-bit keystream byte)

SLIDE 16

Security of CSS

Can be broken in time 2^17. Idea: because of the structure of MP4, the first 20 bytes of plaintext are known, hence also the first 20 bytes of keystream are known. Given the output of the 17-bit LFSR, one can deduce the output of the 25-bit LFSR by subtraction. Hence try all 2^17 possibilities for the 17-bit LFSR; if the 25-bit LFSR derived from it produces the observed keystream, the cipher is cracked.


SLIDE 17

A5/1

Stream cipher used in GSM mobile phone communication. Became public knowledge through leaks and reverse engineering. Built from three LFSRs with irregular clocking. 54-bit secret key and 22-bit initialisation vector. A shift register is only shifted if its clock bit is the same as the majority of the three clock bits.


SLIDE 18

(A5/1 diagram. Source: Wikipedia)
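The majority-clocking rule of slide 17 in working code, as an added example (not the lecture's code). Register lengths, tap positions, clocking bits and the key/frame loading schedule follow the published description of A5/1; the bit order in which the key and frame number are loaded is an assumption of this example, and the key and frame number are constructed, so the output is not claimed to match any reference test vector.

```python
"""A5/1 as slide 17 describes it: three LFSRs of 19, 22 and 23 bits, a
64-bit key (GSM fills only 54 of the bits) and a 22-bit frame number, with
majority clocking: a register steps only when its clocking bit equals the
majority of the three clocking bits, so two or three registers move every
cycle.  Added example, not the lecture's code.  Register lengths, taps,
clocking bits and the load/discard schedule follow the published A5/1
description; the bit loading order is assumed, key and frame are constructed."""
from collections import Counter

# (length, feedback taps, clocking bit); the output is each register's top bit
REGS = [(19, (13, 16, 17, 18), 8),
        (22, (20, 21), 10),
        (23, (7, 20, 21, 22), 10)]


def step(reg, length, taps):
    """Shift left by one, feeding the XOR of the tap bits into bit 0."""
    fb = 0
    for t in taps:
        fb ^= (reg >> t) & 1
    return ((reg << 1) | fb) & ((1 << length) - 1)


def majority_clock(regs):
    """Irregular clocking rule.  Returns (new registers, which ones stepped);
    at least two of the three always agree with the majority and step."""
    bits = [(r >> clk) & 1 for r, (_, _, clk) in zip(regs, REGS)]
    maj = 1 if sum(bits) >= 2 else 0
    moved = [b == maj for b in bits]
    new = [step(r, n, taps) if m else r
           for r, (n, taps, _), m in zip(regs, REGS, moved)]
    return new, moved


def a51_setup(key, frame):
    """Load 64 key bits, then 22 frame bits (all registers clocked regularly,
    the bit XORed into bit 0), then 100 majority-clocked cycles, discarded."""
    regs = [0, 0, 0]
    for src, count in ((key, 64), (frame, 22)):
        for i in range(count):
            bit = (src >> i) & 1                   # assumed: loaded LSB first
            regs = [step(r, n, taps) ^ bit for r, (n, taps, _) in zip(regs, REGS)]
    for _ in range(100):
        regs, _ = majority_clock(regs)
    return regs


def a51_keystream(key, frame, nbits=228):
    """One burst of keystream bits, each the XOR of the three top bits."""
    regs = a51_setup(key, frame)
    out = []
    for _ in range(nbits):
        regs, _ = majority_clock(regs)
        out.append((regs[0] >> 18) ^ (regs[1] >> 21) ^ (regs[2] >> 22))
    return out


def stepping_stats(key, frame, cycles=1000):
    """Histogram of how many registers stepped per cycle: only ever 2 or 3."""
    regs = a51_setup(key, frame)
    hist = Counter()
    for _ in range(cycles):
        regs, moved = majority_clock(regs)
        hist[sum(moved)] += 1
    return hist


KEY = 0x0F1E2D3C4B5A6978   # constructed 64-bit key
FRAME = 0x2A5              # constructed 22-bit frame number

if __name__ == "__main__":
    bits = a51_keystream(KEY, FRAME)
    print("".join(map(str, bits[:64])), "...")
    print("registers stepped per cycle:", dict(stepping_stats(KEY, FRAME)))
```

Because each register still advances about three cycles in four, an attacker cannot simply treat the output as a linear function of the initial state, which is the "much harder" cryptanalysis of the next slide; the time-memory trade-off attacks mentioned there work around this by precomputing tables rather than by solving equations.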

SLIDE 19

Security of A5/1

Better design: the irregular clocking makes cryptanalysis much harder. However, advanced techniques mean that a mainstream PC with terabytes of flash memory (to store pre-processed tables) can break A5/1 with probability ≥ 90% in a few seconds.
