Cryptography and Network Security Chapter 7 Fifth Edition by William Stallings

Chapter 7 – Pseudorandom Number Generation and Stream Ciphers John wrote the letters of the alphabet under the letters in its first lines and tried it against the message. Immediately he knew that once more he had broken the code. It was extraordinary the feeling of triumph he had. He felt on top of the world. For not only had he done it, had he broken the July code, but he now had the key to every future coded message, since instructions as to the source of the next one must of necessity appear in the current one at the end of each month. —Talking to Strange Men, Ruth Rendell

Random Numbers  many uses of random numbers in cryptography nonces in authentication protocols to prevent replay nonces in authentication protocols to prevent replay session keys session keys public key generation public key generation keystream for a one-time pad keystream for a one-time pad  in all cases its critical that these values be statistically random, uniform distribution, independent statistically random, uniform distribution, independent unpredictability of future values from previous values unpredictability of future values from previous values

Nonce – Fresh randomness coming from Cryptographically Strong (pseudo)Random Source

Nonce – Fresh randomness coming from Cryptographically Strong (pseudo)Random Source

Diffie-Hellman key exchange (production of a session key) need Fresh randomness coming from Cryptographically Strong (pseudo)Random Source

Salt – Fresh randomness coming from Cryptographically Strong (pseudo)Random Source (Block cipher in this case)

RSA – Fresh randomness coming from Cryptographically Strong (pseudo)Random Source

Skype and other VoIP applications that encrypt the communication One-time-pad fresh randomness coming from Cryptographically Strong (pseudo)Random Source

Skype and other VoIP applications that encrypt the communication One-time-pad fresh randomness coming from Cryptographically Strong (pseudo)Random Source

Skype and other VoIP applications that encrypt the communication One-time-pad fresh randomness coming from Cryptographically Strong (pseudo)Random Source

Slot machines for gambling need fresh randomness coming from Cryptographically Strong (pseudo)Random Source BIG money – STRONG LEGISLATIVE, STRONG CONTROLS

Online gambling needs fresh randomness coming from Cryptographically Strong (pseudo)Random Source BIG money – STRONG LEGISLATIVE, STRONG CONTROLS

Sources of Randomness  True Random Number Generator Entropy source (physical source – keystroke timings, disk activity, mouse movements, …) Entropy source (physical source – keystroke timings, disk activity, mouse movements, …)  Pseudo Random Number Generators Seed and then the output is coming from a deterministic algorithm Seed and then the output is coming from a deterministic algorithm  Pseudo Random Functions Seed + Context specific values and then the output is coming from a deterministic algorithm Seed + Context specific values and then the output is coming from a deterministic algorithm

Requirements  Must pass the NIST SP (A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Algorithms) 15 separate tests 15 separate tests  Unpredictability Forward unpredictability Forward unpredictability Backward unpredictability Backward unpredictability  Seed should come from secure source (TRNG or else – like huge pool of randomness)

Design methodologies for cryptographic sources of randomness  Designed specifically to be PRNGs (PRFs)  Using the existing cryptographic algorithms Symmetric block ciphers Symmetric block ciphers Asymmetric ciphers Asymmetric ciphers Hash functions and message authentication codes Hash functions and message authentication codes

Pseudorandom Number Generators (PRNGs)  often use deterministic algorithmic techniques to create “random numbers” although are not truly random although are not truly random can pass many tests of “randomness” can pass many tests of “randomness”  known as “pseudorandom numbers”  created by “ Pseudorandom Number Generators (PRNGs)”

Pseudorandom Number Generators (PRNGs)  The following two criteria are used to validate that a sequence of numbers is random: Uniform distribution: The distribution of numbers in the sequence should be uniform; that is, the frequency of occurrence of each of the numbers should be approximately the same. Uniform distribution: The distribution of numbers in the sequence should be uniform; that is, the frequency of occurrence of each of the numbers should be approximately the same. Independence: No one value in the sequence can be inferred from the others. Independence: No one value in the sequence can be inferred from the others.

Linear Congruential Generator  common iterative technique using: X n+1 = (aX n + c) mod m  given suitable values of parameters can produce a long random-like sequence  suitable criteria to have are: function generates a full-period function generates a full-period generated sequence should appear random generated sequence should appear random efficient implementation with 32-bit arithmetic efficient implementation with 32-bit arithmetic  note that an attacker can reconstruct sequence given a small number of values  have possibilities for making this harder

Blum Blum Shub Generator  based on public key algorithms  use least significant bit from iterative equation: x i = x i-1 2 mod n x i = x i-1 2 mod n where n=p.q, and primes p,q=3 mod 4 where n=p.q, and primes p,q=3 mod 4  unpredictable, passes next-bit test  security rests on difficulty of factoring N  is unpredictable given any run of bits  slow, since very large numbers must be used  too slow for cipher use, good for key generation  Example: n=192649=383x503, s=101355

Using Block Ciphers as PRNGs  for cryptographic applications, can use a block cipher to generate random numbers  often for creating session keys from master key  Counter Mode X i = E Km [i]  Output Feedback Mode X i = E Km [X i-1 ]

ANSI X9.17 PRG

Published Sources  a few published collections of random numbers  Rand Co, in 1955, published 1 million numbers generated using an electronic roulette wheel generated using an electronic roulette wheel has been used in some cipher designs cf Khafre has been used in some cipher designs cf Khafre  earlier Tippett in 1927 published a collection  issues are that: these are limited these are limited too well-known for most uses too well-known for most uses

Stream Ciphers  process message bit by bit (as a stream)  have a pseudo random keystream  combined (XOR) with plaintext bit by bit  randomness of stream key completely destroys statistically properties in message C i = M i XOR StreamKey i C i = M i XOR StreamKey i  but must never reuse stream key otherwise can recover messages (cf book cipher) otherwise can recover messages (cf book cipher)

Stream Cipher Structure

Stream Cipher Properties  some design considerations are: long period with no repetitions long period with no repetitions statistically random statistically random depends on large enough key depends on large enough key large non-linear complexity large non-linear complexity  properly designed, can be as secure as a block cipher with same size key  but usually simpler & faster

RC4  a proprietary cipher owned by RSA DSI  another Ron Rivest design, simple but effective  variable key size, byte-oriented stream cipher  widely used (web SSL/TLS, wireless WEP)  key forms random permutation of all 8-bit values  uses that permutation to scramble input info processed a byte at a time

RC4 Key Schedule  starts with an array S of numbers:  use key to well and truly shuffle  S forms internal state of the cipher for i = 0 to 255 do S[i] = i T[i] = K[i mod keylen]) j = 0 for i = 0 to 255 do j = (j + S[i] + T[i]) (mod 256) swap (S[i], S[j])

RC4 Encryption  encryption continues shuffling array values  sum of shuffled pair selects "stream key" value from permutation  XOR S[t] with next byte of message to en/decrypt i = j = 0 for each message byte M i i = (i + 1) (mod 256) j = (j + S[i]) (mod 256) swap(S[i], S[j]) t = (S[i] + S[j]) (mod 256) C i = M i XOR S[t]

RC4 Overview

RC4 Security  claimed secure against known attacks have some analyses, none practical have some analyses, none practical  result is very non-linear  since RC4 is a stream cipher, must never reuse a key  have a concern with WEP, but due to key handling rather than RC4 itself  RC4 is theoretically considered as broken but practically it is not

True Random Number Generators  best source is natural randomness in real world  find a regular but random event and monitor  do generally need special h/w to do this eg. radiation counters, radio noise, audio noise, thermal noise in diodes, leaky capacitors, mercury discharge tubes etc eg. radiation counters, radio noise, audio noise, thermal noise in diodes, leaky capacitors, mercury discharge tubes etc  starting to see such h/w in new CPU's  problems of bias (skew) or uneven distribution in signal have to compensate for this when sample and use have to compensate for this when sample and use only use a few noisiest bits from each sample only use a few noisiest bits from each sample Hash the output of the biased source by cryptographic hash function (MD5, SHA-1, SHA-2,...) Hash the output of the biased source by cryptographic hash function (MD5, SHA-1, SHA-2,...) RFC 4086 – recommends collecting input from multiple sources and then hashing RFC 4086 – recommends collecting input from multiple sources and then hashing

Summary  have considered: Random Number Generation issues Random Number Generation issues Stream Ciphers Stream Ciphers