slide 1 Stream Ciphers uBlock ciphers generate ciphertext Ciphertext(Key,Message)=Message  Key Key must be a random bit sequence as long as message uIdea: replace “random” with “pseudo-random” Encrypt with pseudo-random number generator (PRNG) PRNG takes a short, truly random secret seed (key) and expands it into a long “random-looking” sequence –E.g., 128-bit key into a bit pseudo-random sequence uCiphertext(Key,Message)=Message  PRNG(Key) Message processed bit by bit, not in blocks Randomness amplification (remember HMAC?)

slide 2 Properties of Stream Ciphers uUsually very fast Used where speed is important: WiFi, SSL, DVD uUnlike one-time pad, stream ciphers do not provide perfect secrecy Only as secure as the underlying PRNG If used properly, can be as secure as block ciphers uPRNG must be unpredictable Given the stream of PRNG output (but not the seed!), it’s hard to predict what the next bit will be –If PRNG(unknown seed)=b 1 …b i, then b i+1 is “0” with probability ½, “1” with probability ½

slide 3 Weaknesses of Stream Ciphers uNo integrity Associativity & commutativity: (X  Y)  Z=(X  Z)  Y (M 1  PRNG(key))  M 2 = (M 1  M 2 )  PRNG(key) uKnown-plaintext attack is very dangerous if keystream is ever repeated Self-cancellation property of XOR: X  X=0 (M 1  PRNG(key))  (M 2  PRNG(key)) = M 1  M 2 If attacker knows M 1, then easily recovers M 2 –Most plaintexts contain enough redundancy that knowledge of M 1 or M 2 is not even necessary to recover both from M 1  M 2

slide 4 Stream Cipher Terminology uSeed of pseudo-random generator often consists of initialization vector (IV) and key IV is usually sent with the ciphertext The key is a secret known only to the sender and the recipient, not sent with the ciphertext uThe pseudo-random bit stream produced by PRNG(IV,key) is referred to as keystream uEncrypt message by XORing with keystream ciphertext = message  keystream

slide 5 RC4 uDesigned by Ron Rivest for RSA in 1987 uSimple, fast, widely used SSL/TLS for Web security, WEP for wireless Byte array S[256] contains a permutation of numbers from 0 to 255 i = j := 0 loop i := (i+1) mod 256 j := (j+S[i]) mod 256 swap(S[i],S[j]) output (S[i]+S[j]) mod 256 end loop

slide 6 RC4 Initialization Divide key K into L bytes for i = 0 to 255 do S[i] := i j := 0 for i = 0 to 255 do j := (j+S[i]+K[i mod L]) mod 256 swap(S[i],S[j]) Key can be any length up to 2048 bits Generate initial permutation from key K uTo use RC4, usually prepend initialization vector (IV) to the key IV can be random or a counter IV is often sent in the clear with the ciphertext uRC4 is not random enough! 1 st byte of generated sequence depends only on 3 cells of state array S. This can be used to extract the key. To use RC4 securely, RSA suggests discarding first 256 bytes Fluhrer-Mantin- Shamir attack

slide 7 Modes of Operation ublock ciphers encrypt fixed size blocks ueg. DES encrypts 64-bit blocks, with 56-bit key uneed way to use in practise, given usually have arbitrary amount of information to encrypt ufour were defined for DES in ANSI standard ANSI X Modes of Use usubsequently now have 5 for DES and AES uhave block and stream modes

slide 8 Electronic Codebook Book (ECB) umessage is broken into independent blocks which are encrypted ueach block is a value which is substituted, like a codebook, hence name ueach block is encoded independently of the other blocks C i = DES K1 (P i ) uuses: secure transmission of single values

slide 9 Electronic Codebook Book (ECB)

slide 10 Advantages and Limitations of ECB urepetitions in message may show in ciphertext if aligned with message block particularly with data such graphics or with messages that change very little, which become a code-book analysis problem uweakness due to encrypted message blocks being independent umain use is sending a few blocks of data

slide 11 Cipher Block Modes of Operation uCipher Block Chaining Mode (CBC) The input to the encryption algorithm is the XOR of the current plaintext block and the preceding ciphertext block. Repeating pattern of 64-bits are not exposed

slide 12 Cipher FeedBack (CFB) umessage is treated as a stream of bits uadded to the output of the block cipher uresult is feed back for next stage (hence name) ustandard allows any number of bit (1,8 or 64 or whatever) to be feed back denoted CFB-1, CFB-8, CFB-64 etc uis most efficient to use all 64 bits (CFB-64) C i = P i XOR DES K1 (C i-1 ) C -1 = IV uuses: stream data encryption, authentication

slide 13 Cipher FeedBack (CFB)

slide 14 Advantages and Limitations of CFB uappropriate when data arrives in bits/bytes umost common stream mode ulimitation is need to stall while do block encryption after every n-bits unote that the block cipher is used in encryption mode at both ends uerrors propagate for several blocks after the error

slide 15 Location of Encryption Device uLink encryption: A lot of encryption devices High level of security Decrypts each packet at every switch uEnd-to-end encryption The source encrypts and the receiver decrypts Payload encrypted Header in the clear uHigh Security: Both link and end-to-end encryption are needed (see Figure 2.9)

slide 16

slide 17 Key Distribution 1.A key could be selected by A and physically delivered to B. 2.A third party could select the key and physically deliver it to A and B. 3.If A and B have previously used a key, one party could transmit the new key to the other, encrypted using the old key. 4.If A and B each have an encrypted connection to a third party C, C could deliver a key on the encrypted links to A and B.

slide 18 Key Distribution (See Figure 2.10) uSession key: Data encrypted with a one-time session key. At the conclusion of the session the key is destroyed uPermanent key: Used between entities for the purpose of distributing session keys

slide 19