RC4 1 RC4 RC4 2 RC4  Invented by Ron Rivest o “RC” is “Ron’s Code” or “Rivest Cipher”  A stream cipher  Generate keystream byte at a step o Efficient.

Slides:



Advertisements
Similar presentations
Block Cipher Modes of Operation and Stream Ciphers
Advertisements

ECE454/CS594 Computer and Network Security
“Advanced Encryption Standard” & “Modes of Operation”
CS470, A.SelcukStream Ciphers1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Stream Ciphers Part 1  Cryptography 3 Stream Ciphers.
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.
Encryption/Decyprtion using RC4 Vivek Ramachandran.
Your Wireless Network has No Clothes CS 395T William A. Arbaugh, Narendar Shankar, Y.C. Justin Wan.
WEP 1 WEP WEP 2 WEP  WEP == Wired Equivalent Privacy  The stated goal of WEP is to make wireless LAN as secure as a wired LAN  According to Tanenbaum:
Chalmers University of Technology Wireless security Breaking WEP and WPA.
WEP Weaknesses Or “What on Earth does this Protect” Roy Werber.
How To Not Make a Secure Protocol WEP Dan Petro.
FEAL FEAL 1.
Wired Equivalent Privacy (WEP)
Security in Wireless LAN Layla Pezeshkmehr CS 265 Fall 2003-SJSU Dr.Mark Stamp.
Sigaba 1 Sigaba Sigaba 2 Sigaba  Used by Americans during WWII o And afterwards (to about 1948)  Never broken o Germans quit collecting, considered.
Vulnerability In Wi-Fi By Angus U CS 265 Section 2 Instructor: Mark Stamp.
Foundations of Network and Computer Security J J ohn Black Lecture #34 Dec 5 th 2007 CSCI 6268/TLEN 5831, Fall 2007.
Wireless Security Presentation by Paul Petty and Sooner Brooks-Heath.
Foundations of Network and Computer Security J J ohn Black Lecture #24 Nov 23 rd 2004 CSCI 6268/TLEN 5831, Fall 2004.
Security – Wired Equivalent Privacy (WEP) By Shruthi B Krishnan.
Stream Ciphers 1 Stream Ciphers. Stream Ciphers 2 Stream Ciphers  Generalization of one-time pad  Trade provable security for practicality  Stream.
ORYX 1 ORYX ORYX 2 ORYX  ORYX not an acronym, but upper case  Designed for use with cell phones o To protect confidentiality of voice/data o For “data.
Computer Security CS 426 Lecture 3
Cryptography and Network Security Chapter 7 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
CS526Topic 3: One-time Pad and Perfect Secrecy 1 Information Security CS 526 Topic 3 Cryptography: One-time Pad, Information Theoretic Security, and Stream.
Wireless security & privacy Authors: M. Borsc and H. Shinde Source: IEEE International Conference on Personal Wireless Communications 2005 (ICPWC 2005),
CSC-682 Advanced Computer Security
A History of WEP The Ups and Downs of Wireless Security.
Cryptography and Network Security Chapter 6. Multiple Encryption & DES  clear a replacement for DES was needed theoretical attacks that can break it.
Slide 1 Stream Ciphers uBlock ciphers generate ciphertext Ciphertext(Key,Message)=Message  Key Key must be a random bit sequence as long as message uIdea:
COEN 350 Mobile Security. Wireless Security Wireless offers additional challenges: Physical media can easily be sniffed. War Driving Legal? U.S. federal.
CS555Spring 2012/Topic 51 Cryptography CS 555 Topic 5: Pseudorandomness and Stream Ciphers.
Intercepting Mobile Communications: The Insecurity of Nikita Borisov Ian Goldberg David Wagner UC Berkeley Zero-Knowledge Sys UC Berkeley Presented.
Stream Ciphers Making the one-time pad practical.
Stream Cipher July 2011.
NSRI1 Security of Wireless LAN ’ Seongtaek Chee (NSRI)
COEN 350 Mobile Security. Wireless Security Wireless offers additional challenges: Physical media can easily be sniffed. War Driving Legal? U.S. federal.
WEP AND WPA by Kunmun Garabadu. Wireless LAN Hot Spot : Hotspot is a readily available wireless connection.  Access Point : It serves as the communication.
3DES and Block Cipher Modes of Operation CSE 651: Introduction to Network Security.
Multiple Encryption & DES  clearly a replacement for DES was needed Vulnerable to brute-force key search attacks Vulnerable to brute-force key search.
Wired Equivalent Privacy (WEP): The first ‘confidentiality’ algorithm for the wireless IEEE standard. PRESENTED BY: Samuel Grush and Barry Preston.
無線網路安全 WEP. Requirements of Network Security Information Security Confidentiality Integrity Availability Non-repudiation Attack defense Passive Attack.
Intercepting Mobiles Communications: The Insecurity of ► Paper by Borisov, Goldberg, Wagner – Berkley – MobiCom 2001 ► Lecture by Danny Bickson.
Security Technologies built into std. Presented by T.R.Santhosh.
WEP – Wireless Encryption Protocol A. Gabriel W. Daleson CS 610 – Advanced Security Portland State University.
How To Not Make a Secure Protocol WEP Dan Petro.
Giuseppe Bianchi Warm-up example WEP. Giuseppe Bianchi WEP lessons  Good cipher is far from being enough  You must make good USAGE of cipher.
IEEE Security Specifically WEP, WPA, and WPA2 Brett Boge, Presenter CS 450/650 University of Nevada, Reno.
Wired Equivalent Privacy (WEP) Chris Overcash. Contents What is WEP? What is WEP? How is it implemented? How is it implemented? Why is it insecure? Why.
University of Malawi, Chancellor College
WLAN Security1 Security of WLAN Máté Szalay
1 A New Weakness in the RC4 Keystream Generator and an Approach to Improve the Security of the Cipher Souradyuti Paul and Bart Preneel K.U. Leuven, ESAT/COSIC.
Slide 1 Vitaly Shmatikov CS 378 Stream Ciphers. slide 2 Stream Ciphers uRemember one-time pad? Ciphertext(Key,Message)=Message  Key Key must be a random.
Prof. Reuven Aviv, Nov 2013 Public Key Infrastructure1 Prof. Reuven Aviv Tel Hai Academic College Department of Computer Science Problem Set 1: Cryptography.
Wireless LAN Security Daniel Reichle Seminar Security Protocols and Applications SS2003.
หัวข้อบรรยาย Stream cipher RC4 WEP (in)security LFSR CSS (in)security.
Cryptography CS 555 Topic 15: Stream Ciphers.
Wireless Security Ian Bodley.
ANALYSIS OF WIRED EQUIVALENT PRIVACY
Cryptography Lecture 16.
CSE 4905 WiFi Security I WEP (Wired Equivalent Privacy)
ADVANCED ENCRYPTION STANDARDADVANCED ENCRYPTION STANDARD
How crypto fails in practice? CSS and WEP
RC4 RC
Chapter -4 STREAM CIPHERS
Information and Computer Security CPIS 312 Lab 4 & 5
Intercepting Mobile Communications: The Insecurity of
The RC4 Algorithm Network Security.
By: Anthony Gervasi & Adam Dickinson
Presentation transcript:

RC4 1 RC4

RC4 2 RC4  Invented by Ron Rivest o “RC” is “Ron’s Code” or “Rivest Cipher”  A stream cipher  Generate keystream byte at a step o Efficient in software o Simple and elegant o Diffie: RC4 is “too good to be true”  Used lots of places: SSL, WEP, etc., etc.  Most popular stream cipher in existence

RC4 3 RC4 Initialization  Array key contains N bytes of key  Array S always has a permutation of 0,1,…,255 for i = 0 to 255 S[i] = i K[i] = key[i (mod N)] next i j = 0 for i = 0 to 255 j = (j + S[i] + K[i]) (mod 256) swap(S[i],S[j]) next i i = j = 0

RC4 4 RC4 Keystream  For each keystream byte, swap elements of array S and select a byte from the array: i = (i + 1) (mod 256) j = (j + S[i]) (mod 256) swap(S[i], S[j]) t = (S[i] + S[j]) (mod 256) keystreamByte = S[t]  Use keystream bytes like a one-time pad o XOR to encrypt or decrypt

RC4 5 WEP  WEP == Wired Equivalent Privacy  The stated goal of WEP is to make wireless LAN as secure as a wired LAN  According to Tanenbaum: o “The standard prescribes a data link-level security protocol called WEP (Wired Equivalent Privacy), which is designed to make the security of a wireless LAN as good as that of a wired LAN. Since the default for a wired LAN is no security at all, this goal is easy to achieve, and WEP achieves it as we shall see.”

RC4 6 WEP  Wired Equivalent Privacy  WEP uses RC4 for confidentiality o Considered a strong cipher o But WEP introduces a subtle flaw  WEP uses CRC for “integrity” o Should have used a crypto hash instead o CRC is for error detection, not cryptographic integrity

RC4 7 WEP Integrity Problems  WEP “integrity” does not provide integrity o CRC is linear, so is stream cipher XOR o Can change ciphertext and CRC so that checksum remains correct o Such introduced errors go undetected o This requires no knowledge of the plaintext! o Even worse if plaintext is known  CRC does not provide a cryptographic integrity check! o CRC designed to detect random errors o Not designed to detect intelligent changes

RC4 8 WEP Key  WEP uses a long-term secret key: K  RC4 is a stream cipher, so each packet must be encrypted using a different key o Initialization Vector (IV) sent with packet o Sent in the clear (IV is not secret) o IV has similar purpose as “MI” in WWII ciphers  Actual RC4 key for packet is (IV, K ) o That is, IV is pre-pended to K

RC4 9 Initialization Vector “Issue”  WEP uses 24-bit (3 byte) IV o Each packet gets a new IV o RC4 packet key: IV pre-pended to long-term key, K  Long term key K seldom changes  If long-term key and IV are same, then same keystream is used o This is bad! o It is at least as bad as reuse of one-time pad

RC4 10 Initialization Vector “Issue”  Assume 1500 byte packets, 11 Mbps link  Suppose IVs generated in sequence o Then 1500  8/(11  10 6 )  2 24 = 18,000 seconds o Implies IV must repeat in about 5 hours  Suppose IVs generated at random o By birthday problem, some IV repeats in seconds  Again, repeated IV (with same K ) is bad!

RC4 11 WEP Active Attacks  WEP: “Swiss cheese” of security protocols  If Trudy can insert traffic and observe corresponding ciphertext o Then she will know keystream for that IV o And she can decrypt next msg that uses that IV  Spse Trudy knows destination IP address o She can change IP address in ciphertext o And modify CRC so it is correct o Then access point will decrypt and forward packet to the Trudy’s selected IP address! o Requires no knowledge of the key K !

RC4 12 WEP Cryptanalytic Attack  WEP data encrypted using RC4 o Packet key is IV and long-term key K o 3-byte IV is pre-pended to K o Packet key is ( IV,K)  IV is sent in the clear (not secret) o New IV sent with every packet o Long-term key K seldom changes (maybe never)  Assume Trudy knows IVs and ciphertext  Trudy wants to find the key K

RC4 13 RC4 in WEP  3-byte IV pre-pended to key  We denote the RC4 key bytes… o …as K 0,K 1,K 2,K 3,K 4,K 5,… o Where IV = ( K 0,K 1,K 2 ), which Trudy knows o Trudy wants to find K 3,K 4,K 5,…  Given enough IVs, we show that Trudy can recover the long-term key o Regardless of the length of the key! o Provided Trudy knows first keystream byte o Known plaintext attack (1st byte of each packet)

RC4 14 RC4 Initialization  Recall that RC4 initialization is… S i = i for i = 0,1,2,…,255 j = 0 for i = 0 to 255 j = j + S i + K i swap(S i,S j ) next i

RC4 15 RC4/WEP Attack  Attack due to Fluher, Mantin and Shamir  Trudy watches IVs until she sees 3-byte IV of the form: IV = (3,255,V)  Where V can be anything (Trudy knows V )  Then RC4 key for this packet is key = (3,255,V,K 3,K 4,K 5,…)  Trudy wants to find (K 3,K 4,K 5,…)

RC4 16 RC4/WEP Attack  IV = (3,255,V)  Key = (3,255,V,K 3,K 4,…)  Trudy knows K 0 = 3, K 1 = 255, K 2 = V  Other K i are long-term key o Which is unknown to Trudy  Recall RC4 initialization: first, set S to…

RC4 17 RC4/WEP Attack  IV = (3,255,V)  Key = (3,255,V,K 3,K 4,…)  RC4 initialization: let j = 0 then for i = 0 to 255 j = j + S i + K i swap(S i,S j ) next i  At i = 0 step we have i = 0 j = j + S 0 + K 0 = = 3 swap(S i,S j ) = swap(S 0,S 3 )

RC4 18 RC4/WEP Attack  From previous slide…  At i = 0 step we have i = 0 j = j+S 0 +K 0 = = 3 swap(S i,S j ) = swap(S 0,S 3 )  After this step, the table S is…

RC4 19 RC4/WEP Attack  IV = (3,255,V)  Key = (3,255,V,K 3,K 4,…)  Continuing, at i = 1 step i = 1 j = j+S 1 +K 1 = = 3 (mod 256) swap(S i,S j )  After this step, the table S is…

RC4 20 RC4/WEP Attack  IV = (3,255,V)  Key = (3,255,V,K 3,K 4,…)  Continuing, at i = 2 step i = 2 j = j+S 2 +K 2 = 3+2+V = 5+V swap(S i,S j )  After this step, the table S is…

RC4 21 RC4/WEP Attack  IV = (3,255,V)  Key = (3,255,V,K 3,K 4,…)  Continuing, at i = 3 step i = 3 j = j+S 3 +K 3 = 5+V+1+K 3 = 6+V+K 3 swap(S i,S j )  Assuming 6+V+K 3 > 5+V (mod 256), the table is  Otherwise 6+V+K 3 will be to the left of 5+V

RC4 22 RC4 Initialization  Note that we have only considered the first 4 steps of initialization, i = 0,1,2,3 o In reality, there are 256 steps  For now, assume that initialization stops after i = 3 step  Then S is  Next, we consider RC4 keystream algorithm

RC4 23 RC4 Keystream  After initialization, let i = j = 0  Then for each keystream byte i = i+1 j = j+S i swap(S i,S j ) t = S i +S j keystreamByte = S t

RC4 24 RC4/WEP Attack  Suppose initialization stopped with  First keystream byte  Let i = j = 0  Then i = i+1 = 1 j = j+S 1 = 0 t = S i +S j = S 1 +S 0 = 0+3 = 3 keystreamByte = S t = S 3 = 6+V+K 3

RC4 25 RC4/WEP Attack  Note: keystreamByte = 6+V+K 3  If keystreamByte is known, we can solve for K 3 since K 3 = (keystreamByte  6  V) mod 256  But initialization does not stop at i=3  So can this “attack” really work?

RC4 26 RC4/WEP Attack  After i=3 initialization step, S is  If elements at 0,1 and 3 not swapped in remaining initialization steps, attack works  For remaining initialization steps… o We have i = 4,5,6,… so index i will not affect anything at indices 0,1 or 3 o But what about index j ?

RC4 27 RC4/WEP Attack  Pretend index j selected at random o At each step, probability is 253/256 that j  {0,1,3} o There are 252 steps after i = 3  Probability that 0,1 and 3 not affected by j index after i=3 step is (253/256) 252 =

RC4 28 RC4/WEP Attack  Can be shown that with about 60 IVs of the form (3,255,V) can find K 3 o Not so easy to prove that 60 is correct o Easy to verify empirically  This is enough to show that a shortcut attack on WEP/RC4 exists  Can Trudy really recover the key?  If she sees enough IVs she gets K 3

RC4 29 RC4/WEP Attack  Suppose Trudy has found K 3  Then how to find K 4 ?  Consider IVs of the form: IV = (4,255,V)  Then after initialization step i=4, we have

RC4 30 RC4/WEP Attack  If we now generate first keystream byte i = 1 j = S i = 0 t = S 1 +S 0 = 4 keystreamByte = S 4 = 10+V+K 3 +K 4  Then K 4 = (keystreamByte-10-V-K 3 ) mod 256  Probability of this is also about 0.05

RC4 31 RC4/WEP Attack  If enough IVs are available o And corresponding 1st keystreamBytes are known  Then Trudy can recover the key o Finds K 3 then K 4 then K 5 and so on…  Get entire key, regardless of length!

RC4 32 RC4/WEP Attack  Can reduce number of IVs Trudy needs  Consider again key K 3  Suppose IV = (2,253,0)  Then after i=3 initialization step  IVs other than (3,255,V) can work!  Easy to determine which IVs are useful

RC4 33 RC4/WEP Conclusions  This attack is practical!  This attack has been used to recover keys from real WEP traffic  How to prevent this attack? o Discard first 256 bytes of keystream  This attack on RC4 is just one of many security flaws in WEP