Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cryptography Lecture 16.

Published byBarrie O’Connor’ Modified over 6 years ago

Similar presentations

Presentation on theme: "Cryptography Lecture 16."— Presentation transcript:

1 Cryptography Lecture 16

2 RC4 Designed in 1987 Designed to have good performance in software, rather than hardware No longer considered secure, but still interesting to study Simple description; not LFSR-based Still encountered in practice Interesting attacks

3 RC4

4 RC4 Not designed to take an IV, but often used with an IV anyway
E.g., prepend IV to the key

5 Attack 1: bias in 2nd output byte
Let St denote permutation after t steps Treat S0 as uniform for simplicity Say X = S0[1]  2 and S0[2] = 0 Occurs with probability ~1/256 Then: After 1 step, S1[X]=X, i=1, j=X After 2 steps, j=X, output S2[X]=0 Otherwise, S2[X] is uniform Overall probability of 2nd byte 0 is about 2/256

6 Attack 2 If first t bytes of key are known, can learn (t+1)st byte of key from the output Assume t=3, and initial 3 bytes of the key are (3, 255, X) for simplicity Occurs with probability 1/2562 Observation: After first 4 steps of Init: S[0]=3, S[1]=0, S[3] = X+6+K[3] mod 256

7 Attack 2, continued Look at remaining 252 iterations of Init:
i will never affect S[0], S[1], S[3] Treating j as random, the probability that j never affects those entries is (253/256)252 > 0.05 This can be experimentally verified …in which case the first byte output will be X+6+K[3] So we get an estimate for K[3] that is 5% accurate Random guessing is 0.4% accurate

8 Detour: attacks on WEP

9 Wired equivalent privacy (WEP)
Part of original standard, 1997 Still found in use today Considered a canonical example of poor security design

10 Encryption in WEP Client and access point share a key k
By default (but not necessarily) a 40-bit key Use unsynchronized stream-cipher mode: IV, RC4(IV, k)  (m, c(m)), where IV is a 24-bit IV and c is a 4-byte, linear (noncryptographic) checksum Claimed to give 64-bit security since |IV|+|k|=64

11 Authentication in WEP Access point sends a random challenge; client sends back an encryption of the challenge Is this secure? What is the right primitive to use here?

12 IV re-use If IV is re-used (with the same key), same keystream is re-generated How often until we expect IV re-use to occur? Note: chosen-plaintext attacks are particularly easy in this context, making IV re-use worse

13 Checksum Intended to provide integrity
But only detects random errors, not malicious attacks Unkeyed! Checksum is linear (i.e., c(x)  c(y) = c(x  y)) Attacks can effect known shifts of (known or unknown) plaintext

14 “Padding-oracle attack”
Say t>3 bytes of RC4 output are known for some IV (e.g., due to known headers) Take arbitrary message M of length t-3, append first 3 bytes of c(M), and XOR with known output Enumerate over final byte of ciphertext;  when decryption succeeds, learn the (t+1)st byte of RC4 output

15 Attacking RC4 in WEP Note that first 3 bytes of effective key are known (since they are the IV)! Apply attack discussed previously

16 Block ciphers

17 Recall… Want keyed permutation F: {0,1}n x {0,1}l  {0,1}l
n = key length, l = block length Want Fk (for uniform, unknown key k) to be indistinguishable from a uniform permutation over {0,1}l

18 Attack models A block cipher is not an encryption scheme!!
Nevertheless, some of the terminology used in the same (for historical reasons) “known-plaintext attack”: attacker given {(x, Fk(x)} for random x (outside control of the attacker) “chosen-plaintext attack”: attacker can query Fk(.) This is the default model we have been using “chosen-ciphertext attack”: attacker can query Fk(.) and Fk-1(.)

19 Concrete security (As in the case of stream ciphers) we are interested in concrete security for a given key length n Best attack should take time  2n If there is an attack taking time 2n/2 then the cipher is considered insecure

20 Designing block ciphers
Want Fk (for uniform, unknown key k) to be indistinguishable from a uniform permutation over {0,1}l If x and x’ differ in one bit, what should be the relation between Fk(x) and Fk(x’)? How many bits should change (on average)? Which bits should change? How to achieve this?

21 Confusion/diffusion “Confusion” “Diffusion”
Small change in input should result in local, “random” change in output “Diffusion” Local change in output should be propagated to entire output

22 Design paradigms Two design paradigms
Substitution-permutation networks (SPNs) Feistel networks

23 SPNs Build “random-looking” permutation on large input from random permutations on small inputs E.g., assume 8-byte block length Fk(x) = fk1(x1) fk2(x2) … fk8(x8), where each f is a random permutation How long is k?

24 SPN fk1 fk2 Is this a pseudorandom function?

Download ppt "Cryptography Lecture 16."

Similar presentations

“Advanced Encryption Standard” & “Modes of Operation”

“Advanced Encryption Standard” & “Modes of Operation”
CS470, A.SelcukStream Ciphers1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukStream Ciphers1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.
WEP 1 WEP WEP 2 WEP  WEP == Wired Equivalent Privacy  The stated goal of WEP is to make wireless LAN as secure as a wired LAN  According to Tanenbaum:

WEP 1 WEP WEP 2 WEP  WEP == Wired Equivalent Privacy  The stated goal of WEP is to make wireless LAN as secure as a wired LAN  According to Tanenbaum:
Cryptography1 CPSC 3730 Cryptography Chapter 6 Triple DES, Block Cipher Modes of Operation.

Cryptography1 CPSC 3730 Cryptography Chapter 6 Triple DES, Block Cipher Modes of Operation.
Wired Equivalent Privacy (WEP)

Wired Equivalent Privacy (WEP)
CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.
RC4 1 RC4 RC4 2 RC4  Invented by Ron Rivest o “RC” is “Ron’s Code” or “Rivest Cipher”  A stream cipher  Generate keystream byte at a step o Efficient.

RC4 1 RC4 RC4 2 RC4  Invented by Ron Rivest o “RC” is “Ron’s Code” or “Rivest Cipher”  A stream cipher  Generate keystream byte at a step o Efficient.
Lecture 23 Symmetric Encryption

Lecture 23 Symmetric Encryption
6. Practical Constructions of Symmetric-Key Primitives

6. Practical Constructions of Symmetric-Key Primitives
Computer Security CS 426 Lecture 3

Computer Security CS 426 Lecture 3
Cryptography and Network Security Chapter 6. Multiple Encryption & DES  clear a replacement for DES was needed theoretical attacks that can break it.

Cryptography and Network Security Chapter 6. Multiple Encryption & DES  clear a replacement for DES was needed theoretical attacks that can break it.
Stream Cipher July 2011.

Stream Cipher July 2011.
2001. 9. 20NSRI1 Security of Wireless LAN ’01. 9. 20 Seongtaek Chee (NSRI)

NSRI1 Security of Wireless LAN ’ Seongtaek Chee (NSRI)
CS555Spring 2012/Topic 111 Cryptography CS 555 Topic 11: Encryption Modes and CCA Security.

CS555Spring 2012/Topic 111 Cryptography CS 555 Topic 11: Encryption Modes and CCA Security.
Multiple Encryption & DES  clearly a replacement for DES was needed Vulnerable to brute-force key search attacks Vulnerable to brute-force key search.

Multiple Encryption & DES  clearly a replacement for DES was needed Vulnerable to brute-force key search attacks Vulnerable to brute-force key search.
Stream Ciphers and Block Ciphers A stream cipher is one that encrypts a digital data stream one bit or one byte at a time. Examples of classical stream.

Stream Ciphers and Block Ciphers A stream cipher is one that encrypts a digital data stream one bit or one byte at a time. Examples of classical stream.
Class 3 Cryptography Refresher II CIS 755: Advanced Computer Security Spring 2014 Eugene Vasserman

Class 3 Cryptography Refresher II CIS 755: Advanced Computer Security Spring 2014 Eugene Vasserman
Lecture 23 Symmetric Encryption

Lecture 23 Symmetric Encryption
Privacy and Integrity: “ Two Essences of Network Security” Presenter Prosanta Gope Advisor Tzonelih Hwang Quantum Information and Network Security Lab,

Privacy and Integrity: “ Two Essences of Network Security” Presenter Prosanta Gope Advisor Tzonelih Hwang Quantum Information and Network Security Lab,

Similar presentations

Ads by Google