ORYX 1 ORYX ORYX 2 ORYX  ORYX not an acronym, but upper case  Designed for use with cell phones o To protect confidentiality of voice/data o For “data.

Slides:



Advertisements
Similar presentations
DES The Data Encryption Standard (DES) is a classic symmetric block cipher algorithm. DES was developed in the 1970’s as a US government standard The block.
Advertisements

“Advanced Encryption Standard” & “Modes of Operation”
Stream Ciphers Part 1  Cryptography 3 Stream Ciphers.
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.
Intro 1 Introduction Intro 2 Good Guys and Bad Guys  Alice and Bob are the good guys  Trudy is the bad guy  Trudy is our generic “intruder”
WEP 1 WEP WEP 2 WEP  WEP == Wired Equivalent Privacy  The stated goal of WEP is to make wireless LAN as secure as a wired LAN  According to Tanenbaum:
Chalmers University of Technology Wireless security Breaking WEP and WPA.
PIITMadhumita Chatterjee Security 1 Hashes and Message Digests.
PKZIP Stream Cipher 1 PKZIP PKZIP Stream Cipher 2 PKZIP  Phil Katz’s ZIP program  Katz invented zip file format o ca 1989  Before that, Katz created.
FEAL FEAL 1.
Akelarre 1 Akelarre Akelarre 2 Akelarre  Block cipher  Combines features of 2 strong ciphers o IDEA — “mixed mode” arithmetic o RC5 — keyed rotations.
Sigaba 1 Sigaba Sigaba 2 Sigaba  Used by Americans during WWII o And afterwards (to about 1948)  Never broken o Germans quit collecting, considered.
Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from
RC4 1 RC4 RC4 2 RC4  Invented by Ron Rivest o “RC” is “Ron’s Code” or “Rivest Cipher”  A stream cipher  Generate keystream byte at a step o Efficient.
Foundations of Network and Computer Security J J ohn Black Lecture #34 Dec 5 th 2007 CSCI 6268/TLEN 5831, Fall 2007.
Intro To Encryption Exercise 1. Monoalphabetic Ciphers Examples:  Caesar Cipher  At Bash  PigPen (Will be demonstrated)  …
McGraw-Hill©The McGraw-Hill Companies, Inc., Security PART VII.
Stream Ciphers 1 Stream Ciphers. Stream Ciphers 2 Stream Ciphers  Generalization of one-time pad  Trade provable security for practicality  Stream.
Lecture 23 Symmetric Encryption
CMEA 1 CMEA. CMEA 2 CMEA  Cellular Message Encryption Algorithm  Designed for use with cell phones o To protect confidentiality of called number o For.
MD4 1 MD4. MD4 2 MD4  Message Digest 4  Invented by Rivest, ca 1990  Weaknesses found by 1992 o Rivest proposed improved version (MD5), 1992  Dobbertin.
Computer Security CS 426 Lecture 3
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
Dan Boneh Stream ciphers The One Time Pad Online Cryptography Course Dan Boneh.
CS526Topic 3: One-time Pad and Perfect Secrecy 1 Information Security CS 526 Topic 3 Cryptography: One-time Pad, Information Theoretic Security, and Stream.
Dr. Khalid A. Kaabneh Amman Arab University
A History of WEP The Ups and Downs of Wireless Security.
Códigos y Criptografía Francisco Rodríguez Henríquez A Short Introduction to Stream Ciphers.
Cryptography and Network Security Chapter 6. Multiple Encryption & DES  clear a replacement for DES was needed theoretical attacks that can break it.
Slide 1 Stream Ciphers uBlock ciphers generate ciphertext Ciphertext(Key,Message)=Message  Key Key must be a random bit sequence as long as message uIdea:
One-Time Pad Or Vernam Cipher Sayed Mahdi Mohammad Hasanzadeh Spring 2004.
Chapter 20 Symmetric Encryption and Message Confidentiality.
CS555Spring 2012/Topic 51 Cryptography CS 555 Topic 5: Pseudorandomness and Stream Ciphers.
Information Security Lab. Dept. of Computer Engineering 182/203 PART I Symmetric Ciphers CHAPTER 7 Confidentiality Using Symmetric Encryption 7.1 Placement.
Stream Ciphers Making the one-time pad practical.
Chapter 20 Symmetric Encryption and Message Confidentiality.
CS526: Information Security Prof. Sam Wagstaff September 16, 2003 Cryptography Basics.
1 Hashes and Message Digests. 2 Hash Also known as –Message digest –One-way function Function: input message -> output One-way: d=h(m), but not h’(d)
Module 3 – Cryptography Cryptography basics Ciphers Symmetric Key Algorithms Public Key Algorithms Message Digests Digital Signatures.
Stream Cipher July 2011.
Implementing the RC4 Algorithm
1 Lect. 7 : Data Encryption Standard. 2 Data Encryption Standard (DES)  DES - History 1976 – adopted as a federal standard 1977 – official publication.
3DES and Block Cipher Modes of Operation CSE 651: Introduction to Network Security.
Multiple Encryption & DES  clearly a replacement for DES was needed Vulnerable to brute-force key search attacks Vulnerable to brute-force key search.
Encryption Types & Modes Chapter 9 Encryption Types –Stream Ciphers –Block Ciphers Encryption Modes –ECB - Electronic Codebook –CBC - Cipher Block Chaining.
Wired Equivalent Privacy (WEP): The first ‘confidentiality’ algorithm for the wireless IEEE standard. PRESENTED BY: Samuel Grush and Barry Preston.
Public Key Systems 1 Merkle-Hellman Knapsack Public Key Systems 2 Merkle-Hellman Knapsack  One of first public key systems  Based on NP-complete problem.
Lecture 2: Introduction to Cryptography
Cryptography 1 Crypto Cryptography 2 Crypto  Cryptology  The art and science of making and breaking “secret codes”  Cryptography  making “secret.
NEW DIRECTIONS IN CRYPTOGRAPHY Made Harta Dwijaksara, Yi Jae Park.
Lecture 23 Symmetric Encryption
Fall 2006CS 395: Computer Security1 Confidentiality Using Symmetric Encryption.
Chapter 2 Symmetric Encryption.
DATA & COMPUTER SECURITY (CSNB414) MODULE 3 MODERN SYMMETRIC ENCRYPTION.
Hash Functions Ramki Thurimella. 2 What is a hash function? Also known as message digest or fingerprint Compression: A function that maps arbitrarily.
Key Management Network Systems Security Mort Anvari.
Giuseppe Bianchi Warm-up example WEP. Giuseppe Bianchi WEP lessons  Good cipher is far from being enough  You must make good USAGE of cipher.
Network Security Lecture 3 Secret Key Cryptography
Module :MA3036NI Symmetric Encryption -3 Lecture Week 4.
Wired Equivalent Privacy (WEP) Chris Overcash. Contents What is WEP? What is WEP? How is it implemented? How is it implemented? Why is it insecure? Why.
University of Malawi, Chancellor College
Slide 1 Vitaly Shmatikov CS 378 Stream Ciphers. slide 2 Stream Ciphers uRemember one-time pad? Ciphertext(Key,Message)=Message  Key Key must be a random.
1 CPCS425: Information Security (Topic 5) Topic 5  Symmetrical Cryptography  Understand the principles of modern symmetric (conventional) cryptography.
หัวข้อบรรยาย Stream cipher RC4 WEP (in)security LFSR CSS (in)security.
Substitution Ciphers.
Cryptography Lecture 16.
ADVANCED ENCRYPTION STANDARDADVANCED ENCRYPTION STANDARD
RC4 RC
Information and Computer Security CPIS 312 Lab 4 & 5
Presentation transcript:

ORYX 1 ORYX

ORYX 2 ORYX  ORYX not an acronym, but upper case  Designed for use with cell phones o To protect confidentiality of voice/data o For “data channel”, not “control channel” o Control channel encrypted with CMEA  Standard developed by o Telecommunications Industry Association (TIA) o Flaws in cipher discovered in 1997  Cipher design process not open o In violation of Kerckhoffs Principle

ORYX 3 Stream Cipher  ORYX is a stream cipher  Recall that a stream cipher can be viewed as a generalization of one-time pad  A stream cipher initialized with (short) key  Cipher then generates a long keystream  Keystream is used like a one-time pad o XOR with message to encrypt/decrypt

ORYX 4 ORYX  Stream cipher  Uses 3 shift registers, denoted X, A, B o Each holds 32 bits  Key is initial fill of registers  Therefore, ORYX has 96 bit key  ORYX also uses a lookup table L o Where L acts as IV (or MI)  Note that L is not secret

ORYX 5 ORYX  ORYX generates keystream 1 byte/step  Most stream ciphers generate 1 bit/step o RC4 stream cipher also generates bytes  ORYX is very weak o RC4 is weak due to the way it is used in WEP  What is wrong with ORYX? o Generates 1 byte of keystream o Too much of the internal state is exposed o Might be stronger if only generated 1 bit/step

ORYX 6 ORYX Shift Registers  Three shift registers, X, A, B, each 32 bits  Feedback functions (polynomials) o Register X uses feedback polynomial P X = x 0  x 4  x 5  x 8  x 9  x 10  x 13  x 15  x 17  x 18  x 27  x 31 o Register A uses two polynomial P A0 = a 0  a 1  a 3  a 4  a 6  a 7  a 9  a 10  a 11  a 15  a 21  a 22  a 25  a 31 P A1 = a 0  a 1  a 6  a 7  a 8  a 9  a 10  a 12  a 16  a 21  a 22  a 23  a 24  a 25  a 26  a 31 o Register B uses polynomial P B = b 0  b 2  b 5  b 14  b 15  b 19  b 20  b 30  b 31

ORYX 7 ORYX Lookup Table  Table L is different for each message o 1 byte in, 1 byte out  Consider L to left o L[5a] = ee  Row 5, column a o L[d2] = f5  Row d, column 2  Example lookup table L  Table is not secret

ORYX 8 ORYX Wiring Diagram  S determines whether to use P A0 or P A1  C determines whether B steps 1 or 2 times  L is a fixed (per msg), known lookup table

ORYX 9 ORYX Keystream Generator 1.Polynomial X steps once using P X 2.Polynomial A steps once using P A0 or P A1 As determined by bit 29 of X 3.Polynomial B steps 1 or 2 times using P B As determined by bit 26 of X 4.Byte: k i = H(X) + L[H(A)] + L[H(B)] mod 256 Where L is a known lookup table and H is “high” byte, i.e., bits 24 through 31 k i is i th keystream byte Note: Polynomials step before generating byte

ORYX 10 ORYX Keystream  Let k 0, k 1, k 2, … be keystream bytes  Then k 0 given by k 0 = H(X) + L[H(A)] + L[H(B)] mod 256 where X, A, B are fills after 1st iteration  Then k 1 given by k 1 = H(X) + L[H(A)] + L[H(B)] mod 256 where X, A, B are fills after 2nd iteration  And so on…

ORYX 11 ORYX Attack  Attack is not difficult  Idea of the attack o Suppose we know plaintext bytes p 0,p 1,…,p n o Then we know keystream bytes, k 0,k 1,…,k n o At each iteration, small change in internal state o Byte of output gives lots of info on state o Given enough plaintext, reconstruct initial fills  Only need small amount of known plaintext

ORYX 12 ORYX Attack  Table lists possible extensions of A,B  New bit(s) appear on left of H(A),H(B)  Given register fills A,B  Fill A can be extended in 2 ways: 0 or 1  Fill B can be extended 6 ways: 0,1,00,01,10,11

ORYX 13 ORYX Attack  Given keystream bytes k i where k i = H(X) + L[H(A)] + L[H(B)] mod 256  And X, A, B are fills after (i+1) st iteration  For each of 2 16 possible (H(A),H(B)) o Let H(X) = k 0  L[H(A)]  L[H(B)] mod 256 o For each of 12 extensions of (A,B) o Let Y = k 1  L[H(A)]  L[H(B)] mod 256 o Is Y a possible extension of H(X) ?  If yes, save result for testing with bytes k 2, k 3, … o If no valid extension, discard (H(A),H(B))

ORYX 14 ORYX Attack Example  Spse k 0 = da, k 1 = 31  Consider case where H(A) = b3, H(B) = 84  Then, modulo 256, H(X) = da  L[b3]  L[84] H(X) = da  ca  99 = 77  Can we extend H(X) = 77 to next iteration?  Must use k 1 and consider all 12 cases

ORYX 15 ORYX Attack Example  Have: k 1 = 31, H(A) = b3, H(B) = 84, H(X) = 77  Try extension where A  1A, B  0B  Then Y = 31  L[d9]  L[42] Y = 31  13  ce = 50  But H(X) = 77 can only be extended to 3b or bb  So this is not a valid extension  Must consider 11 more cases for (H(A),H(B)) pair

ORYX 16 ORYX Attack Example  Have: k 1 = 31, H(A) = b3, H(B) = 84, H(X) = 77  Try extension where A  0A, B  00B  Then Y = 31  L[59]  L[21] Y = 31  1e  58 = bb  Note that H(X) = 77 can be extended to bb  So this is a consistent extension of H(X)  Save it, and consider remaining extensions

ORYX 17 ORYX Attack  Attack algorithm o We have described a breadth first search o Depth-first search would work too  But is the attack practical? o Can we really determine correct initial fill? o How efficient is attack? o How much known plaintext is required?  We can easily answer these questions…

ORYX 18 ORYX Attack  Guess all pairs of initial (H(A),H(B)) o There are 2 16 = of these o For each, use k 0 to solve for H(X)  Have 2 16 putative triples (H(A),H(B),H(X))  For each of these o For each of 12 extensions of (H(A),H(B)), compute Y = k 1  L[H(A)]  L[H(B)] mod 256 o Note that Y is putative extension of X o So, 7 bits of Y must agree with 7 bits from H(X)  Expect (12  65536) / 128 = 6144 survivors

ORYX 19 ORYX Attack  Expect 6144 survivors using k 1  For each of these 6144, use k 2 and repeat the process… o Compute 12 extensions of (H(A),H(B)) o New Y must agree with 7 bits of putative X (previous Y ) o Expect (12  6144) / 128 = 576 survivors  Expected number of survivors decreases by factor greater that 10 at each step o Eventually, only 1 survivor is expected

ORYX 20 ORYX Attack  After 6 steps, expect only 1 survivor  Keep going…  After about 25 keystream bytes, X, A, B fills will be completely known o Not initial fills, but fills after 1st iteration o Easy to “back up” to initial fills, if desired  Suppose n keystream bytes used  Then work is on the order of 12  ( n)  2 20

ORYX 21 ORYX  ORYX is very insecure o Work of about 2 20 to recover 96-bit key!  What is the problem? o One iteration does not change internal state very much o Byte of keystream gives lots of info on state  Can it be improved? o Many alternatives…

ORYX 22 More Secure ORYX ?  ORYX does the following byte = H(X) + L[H(A)] + L[H(B)] mod 256 where H is high-order byte  Could instead do bit = s(X)  s(L[H(A)])  s(L[H(B)]) where s selects the high-order bit of a byte  Then previous attack does not work, since o Expect (12  2 16 ) / 1 = after k 1 o Expect (12  ) / 1 = after k 2, etc.  But this “secure” ORYX is very slow!  And may be other attacks to worry about…