RC4-Stream Ciphers Blowfish, RC5 Block Ciphers M. Sakalli, Marmara Univ. Chapter 6 of Cryptography and Network Security by William Stallings Modified from.


RC4-Stream Ciphers Blowfish, RC5 Block Ciphers M. Sakalli, Marmara Univ. Chapter 6 of Cryptography and Network Security by William Stallings Modified from the original slides of Lawrie Brown

Stream Ciphers
- process the message bit by bit (as a stream)
- use a pseudorandom keystream
- the idea is that the randomness of the stream key completely destroys the statistical properties of the message:
  C_i = M_i XOR StreamKey_i
- but the stream key must never be reused, otherwise messages can be recovered (cf. book cipher)
(figure: PT -> E (keyed by PRNG(K)) -> CT -> D (keyed by PRNG(K)) -> PT)

Stream Cipher Properties
- some design considerations are:
  - long sequence with no periodicities
  - statistically random
  - depends on a large enough key
  - large linear complexity
  - correlation immunity
  - confusion, diffusion (cryptographically)
- can be as secure as a block cipher with the same size key
- but simpler and faster

RC4 (Ron Rivest!!! Cipher)
- the period of the cipher is overwhelmingly likely to be greater than
- runs five to fifteen times faster than DES/3DES
- used in SSL/TLS (Secure Sockets Layer / Transport Layer Security) between web browsers and servers, and in the IEEE wireless LAN standards WEP (Wired Equivalent Privacy) and WPA (WiFi Protected Access)
- a proprietary cipher owned by RSA, kept secret until it was released on the Cypherpunks remailers
- simple but effective; variable key length from 1 to 256 bytes; starts with an array S of numbers, and after initialization 0 <= S[.] <= 255

RC4 (Ron Rivest!!! Cipher)
- the key forms a random permutation of all 8-bit values; the cipher scrambles the input a byte at a time
- S is the internal state of the cipher; a byte k is generated from S by selecting one of the 255 entries in a systematic fashion
- initialization and permutation of the state vector S, key length 1 <= |K| <= 256:

  for i = 0 to 255 do
      S[i] = i
      T[i] = K[i mod |K|]
  j = 0
  for i = 0 to 255 do
      j = (j + S[i] + T[i]) mod 256
      swap(S[i], S[j])

KSA Key scheduling and stream generation
- encryption continues shuffling the array values
- the sum of the shuffled pair selects the "stream key" value from the permutation
- XOR S[t] with the next byte of the message to encrypt/decrypt:

  i = j = 0
  for each message byte M_i:
      i = (i + 1) mod 256
      j = (j + S[i]) mod 256
      swap(S[i], S[j])
      t = (S[i] + S[j]) mod 256
      C_i = M_i XOR S[t]

RC4 Encryption
- claimed secure against known attacks
  - there are analyses in a number of papers, but none is practical with a reasonable key length, such as 128 bits
  - in one, the authors demonstrate that WEP is vulnerable to a particular attack approach because of how its keys are initialized; the weakness is not in RC4 itself but in the way the keys are generated
  - remedied by changing the way in which keys are generated
- since RC4 is a stream cipher, a key must never be reused

Security issues of RC4
- the keystream generated by RC4 is biased:
  - the second byte is biased toward zero with high probability
  - the first few bytes are strongly non-random and leak information about the input key
- defense: discard the initial n bytes of the keystream, called "RC4-drop[n-bytes]"; recommended values are n = 256, 768, or 3072 bytes
- WEP is a protocol using RC4 to encrypt packets for transmission over an IEEE wireless LAN
- WEP requires each packet to be encrypted with a separate RC4 key
- the RC4 key for each packet is the concatenation of a 24-bit IV (initialization vector) and a 40- or 104-bit long-term key
(figure: layout of a frame encrypted using WEP: Header | IV | Packet | ICV | FCS)
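As an added example (not part of the original slides), the KSA and stream-generation pseudocode of the previous two slides, the RC4-drop[n] defence, and a reproducible measurement of the second-byte bias described above. The "Key"/"Plaintext" pair is the widely published RC4 test vector; the keys used for the bias count are constructed from a counter so the experiment is deterministic.

```python
# Added example (not from the slides): RC4 KSA, PRGA, RC4-drop[n], and a
# measurement of the second-byte bias over constructed keys.
import hashlib


def rc4_ksa(key: bytes) -> list:
    """Key scheduling: build the permutation S from a 1..256 byte key."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    S = list(range(256))
    T = [key[i % len(key)] for i in range(256)]   # T[i] = K[i mod |K|]
    j = 0
    for i in range(256):
        j = (j + S[i] + T[i]) % 256
        S[i], S[j] = S[j], S[i]
    return S


def rc4_keystream(key: bytes, n: int, drop: int = 0) -> bytes:
    """PRGA: keep shuffling S and emit n keystream bytes after discarding `drop`."""
    S = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for step in range(drop + n):
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        t = (S[i] + S[j]) % 256
        if step >= drop:                 # RC4-drop[n]: skip the biased prefix
            out.append(S[t])
    return bytes(out)


def rc4_crypt(key: bytes, data: bytes, drop: int = 0) -> bytes:
    """C_i = M_i XOR S[t]; the same call decrypts because XOR is its own inverse."""
    ks = rc4_keystream(key, len(data), drop)
    return bytes(m ^ k for m, k in zip(data, ks))


def second_byte_zero_count(trials: int) -> int:
    """How often keystream byte 2 is zero over `trials` distinct 16-byte keys.

    Keys are constructed deterministically (SHA-256 of a counter) so the
    experiment is reproducible. A uniform keystream would give about
    trials/256 zeros; the known bias gives roughly twice that.
    """
    zeros = 0
    for n in range(trials):
        key = hashlib.sha256(n.to_bytes(4, "big")).digest()[:16]
        if rc4_keystream(key, 2)[1] == 0:
            zeros += 1
    return zeros


if __name__ == "__main__":
    ct = rc4_crypt(b"Key", b"Plaintext")
    print("ciphertext:", ct.hex())                  # bbf316e8d940af0ad3
    print("round trip:", rc4_crypt(b"Key", ct))
    trials = 16384
    print("P[Z2 == 0] over", trials, "keys:",
          second_byte_zero_count(trials) / trials, "(uniform:", 1 / 256, ")")
```

Dropping the first 3072 bytes costs twelve full passes over S per key, which is why the slide's larger n values are only cheap relative to the cost of a compromised key.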

- Fluhrer, Mantin, and Shamir showed that if the same secret key is used with numerous IVs, and the attacker can obtain the first word of RC4 output (keystream) corresponding to each IV, then he can construct the secret key with little effort
- the first word is known for many plaintext packets
- recall: ciphertext = plaintext XOR keystream, so the first word of RC4 output (keystream) can be obtained
- Tews, Weinmann, and Pyshkin wrote an article, "Breaking 104 bit WEP in less than 60 seconds," discussing how to discover the RC4 key by analyzing the easily identified ARP packets

Chapter 7: Confidentiality using Symmetric Encryption
Which part to encrypt in a PSN (packet-switching network)
- traditionally symmetric encryption is used to provide message confidentiality
- vulnerable points: snooping, monitoring or modifying
  - by using another workstation
  - by dialling in to the LAN or server, or via an external router
  - by physically tapping the line in the wiring closet
- end-to-end encryption (shared keys): protects data between source and destination; needs devices at each end
- link encryption (paired keys): protects against traffic monitoring; is applied over every link; requires many devices
(figure: End [ Link [ PSN ] Link ] End)

(figure: Placement of encryption at the various levels of the OSI encapsulation model: (b) TCP layer level, (c) link layer level)

Traffic monitoring
- the purposes of monitoring are military and commercial; it can also be used to create a covert channel if controlled
- link encryption obscures header details
- but overall traffic volumes in networks and at end-points will still be visible
- traffic padding can further obscure flows, but at the cost of continuous traffic

How to distribute keys
- symmetric schemes require the parties to share a common secret key
- secure systems often fail because of a break in the key distribution scheme
- given parties A and B, there are various key distribution alternatives:
  1. physical delivery from A to B
  2. a third party can issue and deliver the key to A and B: if A and B have secure communications with a third party C, C can relay the key between A and B
- key distribution is based on a hierarchy; at least two levels of keys are used:
  - a temporary key, referred to as the session key: used for the duration of a logical connection between users, for one logical session, then discarded
  - a master key: used to encrypt session keys, shared by the user and the key distribution center

Key Distribution Scenario
- Assume that user A wishes to establish a logical connection with B and requires a one-time session key to protect the data transmitted over the logical connection to B. A has a master key, Ka, known only to itself and the KDC; similarly, B shares the master key Kb with the KDC. The following steps occur:

a. A issues a request to the KDC for a session key to B, including the identities of A and B and a unique session identifier, N1, valid for this transaction. N1 is a nonce: a timestamp, a counter, or a random number, which differs with each request. To prevent masquerading, suppose it is something like a random number. The nonce shows that this is not a replay of some previous request.
b. The KDC's response to A is encrypted with Ka; thus, only A can decrypt the message. It contains the one-time session key, Ks, to be used for the session. Items for A: the original message, so that A can verify that the original request was not altered before reception by the KDC, and the nonce, so that A knows this is not a replay of some previous request. Items for B: the one-time session key Ks and ID_A (e.g., its network address), both encrypted with Kb (the master key that the KDC shares with B).

c. A stores Ks for use in the upcoming session and forwards to B the information that originated at the KDC for B, namely E(Kb, [Ks || ID_A]). Because this information is encrypted with Kb, it is protected from eavesdropping. B now knows the session key (Ks), knows that the other party is A, and knows that the information must have originated at the KDC, since it is encrypted with Kb. A secure Ks has been delivered to A and B, and they can proceed with a protected exchange using the symmetric key Ks for encryption.
d. B sends a nonce, N2, as E(Ks, N2). A responds with E(Ks, f(N2)), where f is a simple transformation (e.g., adding one). These last steps involve authentication.
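The four steps above as a runnable exchange between A, the KDC and B (an added example, not from the slides). E(K, .) is a stand-in built from standard-library hashing (a SHA-256 counter-mode keystream plus an HMAC tag); that construction, the 4-byte identities, the 8-byte nonces and f(N) = N + 1 are assumptions made so the protocol runs offline, not part of the original scenario.

```python
# Added example (not from the slides): the KDC session-key scenario, steps a-d,
# with a toy authenticated-encryption stand-in for E(K, ...).
import hashlib
import hmac
import os

ID_A, ID_B = b"A\x00\x00\x00", b"B\x00\x00\x00"   # constructed 4-byte identities
KS_LEN, NONCE_LEN, IV_LEN, TAG_LEN = 16, 8, 16, 32


def _stream(key: bytes, iv: bytes, n: int) -> bytes:
    blocks = (hashlib.sha256(key + iv + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]


def encrypt(key: bytes, msg: bytes) -> bytes:
    """E(K, msg): iv || msg XOR keystream || HMAC tag (toy stand-in, assumption)."""
    iv = os.urandom(IV_LEN)
    ct = bytes(m ^ s for m, s in zip(msg, _stream(key, iv, len(msg))))
    tag = hmac.new(key, iv + ct, hashlib.sha256).digest()
    return iv + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Inverse of encrypt; rejects anything not produced under `key`."""
    iv, ct, tag = blob[:IV_LEN], blob[IV_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, iv + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(c ^ s for c, s in zip(ct, _stream(key, iv, len(ct))))


def f(nonce: bytes) -> bytes:
    """The agreed transformation of step d: add one (mod 2^64)."""
    return ((int.from_bytes(nonce, "big") + 1) % 2**64).to_bytes(NONCE_LEN, "big")


def kdc_issue(master_keys: dict, request: bytes) -> bytes:
    """Step b: E(Ka, [Ks || request || E(Kb, [Ks || ID_A])])."""
    id_a, id_b = request[:4], request[4:8]
    ks = os.urandom(KS_LEN)
    ticket = encrypt(master_keys[id_b], ks + id_a)
    return encrypt(master_keys[id_a], ks + request + ticket)


def run_exchange(master_keys: dict) -> bool:
    """Run steps a-d; True iff A and B end up holding the same Ks."""
    ka, kb = master_keys[ID_A], master_keys[ID_B]

    # a. A -> KDC: ID_A || ID_B || N1
    n1 = os.urandom(NONCE_LEN)
    request = ID_A + ID_B + n1

    # b. KDC -> A; A checks the echoed request (integrity, and freshness via N1)
    reply = decrypt(ka, kdc_issue(master_keys, request))
    ks_a, echoed, ticket = reply[:KS_LEN], reply[KS_LEN:KS_LEN + 16], reply[KS_LEN + 16:]
    if echoed != request:
        raise ValueError("request altered in transit or reply is a replay")

    # c. A -> B: E(Kb, [Ks || ID_A]); only B (and the KDC) can open it
    tkt = decrypt(kb, ticket)
    ks_b, peer = tkt[:KS_LEN], tkt[KS_LEN:]
    if peer != ID_A:
        raise ValueError("ticket names an unexpected peer")

    # d. B -> A: E(Ks, N2);  A -> B: E(Ks, f(N2))
    n2 = os.urandom(NONCE_LEN)
    challenge = encrypt(ks_b, n2)
    response = encrypt(ks_a, f(decrypt(ks_a, challenge)))
    if decrypt(ks_b, response) != f(n2):
        raise ValueError("A failed the handshake")

    return ks_a == ks_b


if __name__ == "__main__":
    masters = {ID_A: os.urandom(16), ID_B: os.urandom(16)}   # Ka, Kb shared with the KDC
    print("session key agreed:", run_exchange(masters))
```

The two checks that matter are the ones the slide calls out: A compares the echoed request against what it sent (so the KDC's reply cannot be altered or replayed), and B only accepts a ticket whose integrity tag verifies under Kb, which is what ties the ticket to the KDC.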

Random Numbers
- uses of random numbers: nonces in authentication protocols to prevent replay, session keys, public key generation
- statistically random, with a uniform distribution; if a problem is too hard or time-consuming, use randomization, e.g. the RSA public key exchange with a large prime number N, sqrt( )
- independent, so that unpredictable (e.g. reciprocal authentication and session key generation, where the requirement is not so much that the numbers be statistically random but that they be unpredictable); with "true" random sequences, each number is statistically independent and therefore unpredictable, but such sequences are seldom used
- often deterministic algorithmic techniques are used to create "random numbers": pseudorandom number generators (PRNGs); care must be taken that an opponent is not able to predict future elements

Linear Congruential Generator
- the most common technique for producing random sequences; an iterative technique: X_{n+1} = (a X_n + c) mod m
- only a small number of suitable values are available. Consider a = 7, c = 0, m = 32, and X_0 = 1. This generates the sequence {7, 17, 23, 1, 7, ...}, which is clearly unsatisfactory: of the 32 possible values, only 4 are used; thus the sequence is said to have a period of 4. If instead we change the value of a to 5, the sequence is {5, 25, 29, 17, 21, 9, 13, 1, 5, ...}, which increases the period to 8.

Linear Congruential Generator
- m should be very large, to produce a long series of distinct random numbers, nearly equal to the maximum representable nonnegative integer for a given computer, e.g. m = 2^31
- the function should generate a long, full-period sequence between 0 and m
- generated deterministically, but should appear random
- efficient implementation with 32-bit arithmetic
- an attacker can reconstruct the sequence given a small number of values: 3 unknowns (a, c, m) and 3 equations
- one solution is to use the internal system clock to modify the random number stream:
  - restart the sequence after every N numbers, with the current clock value (mod m) as the new seed
  - add the current clock value to each random number (mod m)
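An added example (not from the slides) covering both LCG slides: the generator, a period count for the a = 7 and a = 5 cases, and the "three unknowns, three equations" point made concrete by solving for a and c from three consecutive outputs when m is known. The parameters a = 16807, m = 2^31 - 1 are Park and Miller's minimal-standard generator, chosen here because the prime modulus makes the recovery step always solvable; the seed is constructed.

```python
# Added example (not from the slides): LCG outputs, period, and recovery of
# (a, c) from three consecutive outputs when the modulus is known.

def lcg_values(a: int, c: int, m: int, seed: int, count: int) -> list:
    """First `count` outputs X_1..X_count of X_{n+1} = (a X_n + c) mod m, X_0 = seed."""
    out, x = [], seed
    for _ in range(count):
        x = (a * x + c) % m
        out.append(x)
    return out


def lcg_period(a: int, c: int, m: int, seed: int) -> int:
    """Length of the cycle the generator falls into (at most m)."""
    seen, x = {}, seed
    for n in range(m + 1):
        x = (a * x + c) % m
        if x in seen:
            return n - seen[x]
        seen[x] = n
    return m


def recover_a_c(m: int, x1: int, x2: int, x3: int):
    """Solve x2 = a*x1 + c and x3 = a*x2 + c (mod m) for (a, c).

    Subtracting the equations gives x3 - x2 = a*(x2 - x1) (mod m), which is
    solvable whenever x2 - x1 is invertible mod m. Returns None otherwise,
    which is exactly what happens for the slide's m = 32 examples: the
    differences share a factor with the power-of-two modulus.
    """
    try:
        a = (x3 - x2) * pow(x2 - x1, -1, m) % m
    except ValueError:
        return None
    return a, (x2 - a * x1) % m


if __name__ == "__main__":
    for a in (7, 5):
        print(f"a={a}, c=0, m=32, X0=1 ->", lcg_values(a, 0, 32, 1, 9),
              "period", lcg_period(a, 0, 32, 1))
    m, a, c = 2**31 - 1, 16807, 0
    observed = lcg_values(a, c, m, 12345, 4)          # seed 12345 is constructed
    a_rec, c_rec = recover_a_c(m, *observed[:3])
    print("recovered (a, c):", (a_rec, c_rec),
          "predicted X4:", (a_rec * observed[2] + c_rec) % m, "actual:", observed[3])
```

Once a and c are known every later output is predictable from the last one, which is why the slide's clock-mixing tricks only raise the bar a little and why a session key or nonce must never come from an LCG.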

Cryptographically Generated Random Numbers
- use a block cipher to generate random numbers
- often used for creating session keys from a protected master key; with a 56-bit key length there are 2^56 possibilities
- Counter Mode: X_i = E_Km[i]
- Output Feedback Mode: X_i = E_Km[X_{i-1}]

Cryptographically Generated Random Numbers: ANSI X9.17 PRNG
- one of the strongest
- DT_i, V_i: date/time and seed values at the beginning of the i-th generation stage
- R_i: pseudorandom number produced by the i-th generation stage
- K1, K2: DES keys used for each stage
- R_i = EDE([K1, K2], [V_i XOR EDE([K1, K2], DT_i)])
- V_{i+1} = EDE([K1, K2], [R_i XOR EDE([K1, K2], DT_i)])
- where EDE([K1, K2], X) denotes encrypt-decrypt-encrypt (two-key triple DES) applied to X

Blum Blum Shub Generator
- based on public key algorithms
- uses the least significant bit from the iterative equation x_i = x_{i-1}^2 mod n, where n = p.q, the primes p and q should be congruent to 3 mod 4, and gcd(φ(p-1), φ(q-1)) should be small
- unpredictable, passes the next-bit test
- security rests on the difficulty of factoring n
- is unpredictable given any run of bits
- slow, since very large numbers must be used
- too slow for cipher use; good for key generation
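The BBS iteration as runnable code (an added example, not from the slides), with the p ≡ q ≡ 3 (mod 4) condition checked up front. The parameters p = 383, q = 503 and seed 101355 are the small textbook values from Stallings' worked BBS table, used so the states can be checked by hand; a real generator needs primes of hundreds of digits.

```python
# Added example (not from the slides): Blum Blum Shub with small textbook
# parameters; the state values are small enough to verify with a calculator.
from math import gcd


def bbs_setup(p: int, q: int, seed: int) -> tuple:
    """Check the slide's conditions on p and q; return (n, x_0 = seed^2 mod n)."""
    if p % 4 != 3 or q % 4 != 3:
        raise ValueError("p and q must both be congruent to 3 mod 4")
    n = p * q
    if gcd(seed, n) != 1:
        raise ValueError("seed must be relatively prime to n")
    return n, pow(seed, 2, n)


def bbs_states(n: int, x0: int, count: int) -> list:
    """x_i = x_{i-1}^2 mod n for i = 1..count (the internal states)."""
    states, x = [], x0
    for _ in range(count):
        x = pow(x, 2, n)
        states.append(x)
    return states


def bbs_bits(n: int, x0: int, count: int) -> list:
    """Output bit b_i = x_i mod 2, the least significant bit of each state."""
    return [x & 1 for x in bbs_states(n, x0, count)]


if __name__ == "__main__":
    n, x0 = bbs_setup(383, 503, 101355)
    print("n =", n, "x0 =", x0)          # 192649, 20749
    print("states:", bbs_states(n, x0, 4))
    print("bits:  ", bbs_bits(n, x0, 20))
```

Each output bit costs one modular squaring of a full-size n, which is the "slow" the slide refers to: fine for producing a key now and then, far too expensive for a keystream.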

Natural Random Noise
- the best source is natural randomness in the real world
- find a regular but random event and monitor it
- generally need special hardware to do this, e.g. radiation counters, radio noise, audio noise, thermal noise in diodes, leaky capacitors, mercury discharge tubes, etc.
- starting to see such hardware in new CPUs
- problems of bias or uneven distribution in the signal:
  - have to compensate for this when sampling and using it
  - best to only use a few of the noisiest bits from each sample

Published Sources
- a few published collections of random numbers
- the Rand Corporation, in 1955, published 1 million numbers generated using an electronic roulette wheel; this has been used in some cipher designs, cf. Khafre
- earlier, Tippett in 1927 published a collection
- issues are that these are limited and too well known for most uses

Blowfish, a symmetric block cipher
- designed by Bruce Schneier in 1993/94
- characteristics:
  - fast implementation on 32-bit CPUs
  - compact in use of memory
  - simple structure for analysis/implementation
  - variable security by varying key size
- has been implemented in various products
- uses a 32- to 448-bit key
- the key is used to generate:
  - subkeys stored in the K-array K_j
  - four 8x32 S-boxes stored in S_{i,j}
- the key schedule consists of:
  - initialize the P-array and then the 4 S-boxes using pi
  - XOR the P-array with key bits (reusing them as needed)
  - loop: repeatedly encrypt data using the current P and S, replacing successive pairs of P, then S, values
  - requires 521 encryptions, hence slow in re-keying

- uses two primitives: addition and XOR
- data is divided into two 32-bit halves L_0 and R_0:

  for i = 1 to 16 do
      R_i = L_{i-1} XOR P_i
      L_i = F[R_i] XOR R_{i-1}
  L_17 = R_16 XOR P_18
  R_17 = L_16 XOR P_17

- where F[a, b, c, d] = ((S_{1,a} + S_{2,b}) XOR S_{3,c}) + S_{4,d}
- key-dependent S-boxes and subkeys make cryptanalysis very difficult
- changing both halves in each round increases security
- provided the key is large enough, brute-force key search is not practical, especially given the high key schedule cost

RC5: ciphers and modes
- a proprietary cipher owned by RSADSI
- designed by Ronald Rivest (of RSA fame)
- used in various RSADSI products
- can vary key size / data size / number of rounds
- very clean and simple design
- easy implementation on various CPUs
- yet still regarded as secure
- RC5 is a family of ciphers RC5-w/r/b:
  - w = word size in bits (16/32/64); data block size = 2w
  - r = number of rounds (0..255)
  - b = number of bytes in the key (0..255)
- the nominal version is RC5-32/12/16, i.e. 32-bit words, so it encrypts 64-bit data blocks, using 12 rounds, with a 16-byte (128-bit) secret key
- RFC 2040 defines 4 modes used by RC5:
  - RC5 Block Cipher, the ECB mode
  - RC5-CBC, the CBC mode
  - RC5-CBC-PAD, CBC with padding by bytes whose value is the number of padding bytes
  - RC5-CTS, a variant of CBC whose output is the same size as the original message; uses ciphertext stealing to keep the size the same as the original

RC5 Key Expansion and Encryption
- RC5 uses t = 2r + 2 subkey words (w bits each)
- subkeys are stored in an array S[i], i = 0..t-1
- the key schedule then consists of:
  - initializing S to a fixed pseudorandom value, based on the constants e and phi
  - copying the byte key (little-endian) into a c-word array L
  - a mixing operation that combines L and S to form the final S array
- split the input into two halves A and B:

  L_0 = A + S[0]; R_0 = B + S[1]
  for i = 1 to r do
      L_i = ((L_{i-1} XOR R_{i-1}) <<< R_{i-1}) + S[2i]
      R_i = ((R_{i-1} XOR L_i) <<< L_i) + S[2i + 1]

- each round is like 2 DES rounds
- note that rotation is the main source of non-linearity
- need a reasonable number of rounds (e.g. 12-16)

In summary
- have considered:
  - use and placement of symmetric encryption to protect confidentiality
  - the need for good key distribution
  - the use of trusted third-party KDCs
  - random number generation issues