Presentation is loading. Please wait.

Presentation is loading. Please wait.

PKZIP Stream Cipher 1 PKZIP PKZIP Stream Cipher 2 PKZIP  Phil Katz’s ZIP program  Katz invented zip file format o ca 1989  Before that, Katz created.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "PKZIP Stream Cipher 1 PKZIP PKZIP Stream Cipher 2 PKZIP  Phil Katz’s ZIP program  Katz invented zip file format o ca 1989  Before that, Katz created."— Presentation transcript:

1

2 PKZIP Stream Cipher 1 PKZIP

3 PKZIP Stream Cipher 2 PKZIP  Phil Katz’s ZIP program  Katz invented zip file format o ca 1989  Before that, Katz created PKARC utility o ARC compression was patented by SEA, Inc. o SEA successfully sued Katz  Katz then invented zip o ZIP was much better than SEA’s ARC o He started his own company, PKWare  Katz died of alcohol abuse at age 37 in 2000

4 PKZIP Stream Cipher 3 PKZIP  PKZIP compresses files using zip  Optionally, it encrypts compressed file o Uses a homemade stream cipher o PKZIP cipher due to Roger Schlafly o Schlafly has PhD in math (Berkeley, 1980)  PKZIP cipher is susceptible to attack o Attack is nontrivial, has significant work factor, lots of memory required, etc.

5 PKZIP Stream Cipher 4 PKZIP Cipher  Generates 1 byte of keystream per step  96 bit internal state o State: 32-bit words, which we label X,Y,Z o Initial state derived from a password  Of course, password guessing is possible o We do not consider password guessing here  Cipher design seems somewhat ad hoc o No clear design principles o Uses shifts, arithmetic operations, CRC, etc.

6 PKZIP Stream Cipher 5 PKZIP Encryption  Given o Current state: X, Y, Z (32-bit words) o p = byte of plaintext to encrypt o Note: upper case for 32-bit words, lower case bytes  Then the algorithm is… k = getKeystreamByte(Z) c = p  k update(X, Y, Z, p)  Next, we define getKeystreamByte, update

7 PKZIP Stream Cipher 6 PKZIP getKeystreamByte  Let “  ” be binary OR  Define  X  i…j as bits i thru j (inclusive) of X o As usual, bits numbered left-to-right from 0  Shift X by n bits to right: X  n  Then… getKeystreamByte(Z) t =  Z  3  16…31 k =  (t  (t  1))  8  24…31 return(k) end getKeystreamByte

8 PKZIP Stream Cipher 7 PKZIP update  Given current state X, Y, Z and p update(X, Y, Z, p) X = CRC(X, p) Y = (Y +  X  24…31 )  134775813 + 1 (mod 2 32 ) Z = CRC(Z,  Y  0…7 ) end update  CRC function defined on next slide

9 PKZIP Stream Cipher 8 PKZIP CRC  Let X be 32-bit word, b a byte CRC(X, b) X = X  b for i = 0 to 7 if X is odd X = (X  1)  0xedb88320 else X = (X  1) end if next i return(X) end CRC

10 PKZIP Stream Cipher 9 CRCTable and CRCinverse  For efficiency, define CRCtable so that CRC(X,b) =  X  0…23  CRCtable[  X  24…31  b]  Inverse table, CRCinverse, exists in the following sense:  If B =  A  0…23  CRCtable[  A  24…31  b]  Then A = (B  8)  CRCinverse[  B  0…7 ]  b  Inverse table is useful in attack

11 PKZIP Stream Cipher 10 Lists  Let (X i,Y i,Z i ) be internal state used to generate i th keystream byte  Let k i be the i th keystream byte  Let p i be i th plaintext byte  Define “ X -list” to be X 0,X 1,…X n o Note that n+1 elements in this list  Similar definition for k -list, p -list, etc.

12 PKZIP Stream Cipher 11 Outline of PKZIP Attack  Assume k -list and p -list are known o This is a known plaintext attack  Want to find state (X i,Y i,Z i ) for some i o Then all keystream bytes are known  Executive summary of the attack 1. Use k -list to find a set of Z -lists 2. For each Z -list, find multiple Y -lists 3. For each Y -list, use p -list to obtain one X -list 4. True X -list is among X -lists in 3. Find X -list using p -list. From X -list, obtain state and keystream  Details of steps 1 thru 4 on following slides

13 PKZIP Stream Cipher 12 Step 1: Z-lists  Assume keystream bytes k 0,k 1,…,k n known  Keystream byte k i computed as k i =  (t  (t  1))  8  24…31 Where t =  Z i  3  16…31  Given k n, there are 64 possible t o Due to the “  3 ”  This gives 64 putative  Z n  16…29  Similarly, we find 64 putative  Z n  1  16…29

14 PKZIP Stream Cipher 13 Step 1: Z-lists  Have 64 putative  Z n  16…29 and  Z n  1  16…29  Implies there are 2 22 putative  Z n  0…29  By update we have Z n = CRC(Z n  1,  Y  0…7 )  By CRC inversion formula Z n  1 = (Z n  8)  CRCinverse[  Z n  0…7 ]   Y n  0…7  For each of 2 22 putative  Z n  0…29 o Know bits 0 thru 21 on RHS, bits 16 to 29 on LHS o For correct Z n and Z n  1, bits 16 thru 21 must agree o Since 6 bits, 1/64 chance of a random match o Since 64 Z n  1, for each Z n expect 1 matching Z n  1 o Since there are 2 22 Z n  1 we obtain 2 22 Z n  1

15 PKZIP Stream Cipher 14 Step 1: Z-lists  Repeat for  Z n  2  0…29 then  Z n  3  0…29 etc.  Bottom Line o We obtain about 2 22 Z -lists o Each of the form  Z i  0…29, for i = 1,2,…,n  Possible to extend each of these to “full” Z i o That is, Z i bits 0 thru 31, not just bits 0 thru 29 o We omit details here (see text)  We have 2 22 Z -lists,  Z i  0…29, for i = 1,2,…,n

16 PKZIP Stream Cipher 15 Step 1 Refinement  Possible to reduce number of Z -lists  Requires additional known plaintext  Reduces overall work factor  For example o 28 more bytes, we can reduce number of Z -lists (and overall work) by a factor of 2 4 o 1000 additional bytes can reduce number of lists to a range by 2 11 to 2 14  We ignore refinement, so 2 22 Z -lists

17 PKZIP Stream Cipher 16 Step 2: Y-lists  We have about 2 22 putative Z -lists o Each consisting of putative Z 1,Z 2,…,Z n  We use these to find consistent Y -lists  From update, we can write CRC inverse as  Y i  0…7 = Z i  1  (Z i  8)  CRCinverse[  Z i  0…7 ]  For each Z -list, have  Y 2  0…7,  Y 3  0…7, …,  Y n  0…7  How to find remaining 24 bits of each Y i ? o This is a bit tricky…

18 PKZIP Stream Cipher 17 Step 2: Y-lists  From update we have Y i = (Y i  1 +  X i  24…31 )  134775813 + 1 (mod 2 32 )  Rewrite this as (Y i  1)  C = Y i  1 +  X i  24…31  Where C = 134775813  1 (mod 2 32 )  Then with very high probability  (Y i  1)  C  0…7 =  Y i  1  0…7  Letting i = n, we have  (Y n  1)  C  0…7 =  Y n  1  0…7

19 PKZIP Stream Cipher 18 Step 2: Y-lists  We have  (Y n  1)  C  0…7 =  Y n  1  0…7 o Where both  Y n  0…7 and  Y n  1  0…7 known  Test all 2 24 choices for  Y n  8…31 o For each, compute  (Y n  1)  C  0…7 o And compare to known  Y n  1  0…7 o Probability of a match is 1/2 8  Bottom line: Obtain 2 16 Y n per Z -list  Since 2 22 Z -lists, we have 2 38 Y n

20 PKZIP Stream Cipher 19 Step 2: Y-lists  We have (Y n  1)  C = Y n  1 +  X n  24…31  Rewrite as Y n  1 = (Y n  1)  C   X n  24…31  Let a =  X n  24…31  Then Y n  1 = (Y n  1)  C  a  For some unknown byte a

21 PKZIP Stream Cipher 20 Step 2: Y-lists  We have Y n  1 = (Y n  1)  C  a o For some unknown byte a  For each Y n, compute Y n  1 for all possible a o Test whether  (Y n  1  1)  C  0…7 =  Y n  2  0…7 o Recall that  Y n  2  0…7 is known o Try all 256 a, each has 1/2 8 probability of match o Expect one Y n  1 for each Y n  Can be made efficient using lookup tables o Given  Y n  2  0…7 lookup consistent  Y n  1  0…7

22 PKZIP Stream Cipher 21 Step 2: Y-lists  Repeat for Y n  2,Y n  3,…,Y 3  Bottom line o Expect to obtain 2 38 Y -lists o Each of the form Y 3,Y 4,…,Y n  Remaining steps in the attack o Find X -lists (step 3) o Find correct X -list from set of X -lists (step 4) o Then some (X i,Y i,Z i ) known and msg is broken!

23 PKZIP Stream Cipher 22 Step 3: X-lists  We have about 2 38 putative Y -lists o Each is of the form Y 3,Y 4,…,Y n  How to find corresponding X -lists?  Consider the formula  X i  24…31 = (Y i  1)  C  Y i  1  Use this to obtain  X i  24…31 for i = 4,5,…,n  How to find remaining bits of each X i ?

24 PKZIP Stream Cipher 23 Step 3: X-lists  From update function X i = CRC(X i  1, p i )  Using CRC table, X i =  X i  1  0…23  CRCtable[  X i  1  24…31  p i ]  Implications?  If we know one complete X i and all p j then we can compute all (complete) X j o CRC inverse allows us to find X i-1 from X i  So how to find one complete X i ?

25 PKZIP Stream Cipher 24 Step 3: X-lists  We know  X i  24…31 and p i for each i  From update: X i =  X i  1  0…23  CRCtable[  X i  1  24…31  p i ]  This implies 1.  X i  0…23 = X i+1  CRCtable[  X i  24…31  p i+1 ] 2.  X i+1  0…23 = X i+2  CRCtable[  X i+1  24…31  p i+2 ] 3.  X i+2  0…23 = X i+3  CRCtable[  X i+2  24…31  p i+3 ]  From  X i+3  24…31,  X i+2  24…31 and 3, get  X i+2  16…31  From  X i+2  16…31,  X i+1  24…31 and 2, get  X i+1  8…31  From  X i+1  8…31,  X i  24…31 and 1, get X i =  X i  0…31

26 PKZIP Stream Cipher 25 Step 3: X-lists  Using X i found on previous slide and X i =  X i  1  0…23  CRCtable[  X i  1  24…31  p i ]  We can find the complete X- list  Repeat this for each putative Y -list o Gives us about 2 38 putative X- lists  Correct X -list will (almost certainly) be among these 2 38 X -lists  How to select the “winning” X -list?

27 PKZIP Stream Cipher 26 Step 4: Correct X-lists  How to select correct X -list?  We can compute  X i  24…31 in two ways: X i =  X i  1  0…23  CRCtable[  X i  1  24…31  p i ]  X i  24…31 = (Y i  1)  C  Y i  1  These two results must agree!  Since testing 1 byte o Probability of random match about 1/2 8  We have about 2 38 putative X -lists, so…  About 5 such comparisons and we’re done!

28 PKZIP Stream Cipher 27 Step 4: Recover Keystream  Once we have found correct X -list o We know corresponding Y -list, Z -list  For some i  n, we know state (X i,Y i,Z i )  From (X i,Y i,Z i ) we generate k j for j  i  We have the keystream and msg is broken  Trudy wins again!

29 PKZIP Stream Cipher 28 How Much Plaintext?  Trudy wants to minimize known plaintext  Require plaintext bytes p 0,p 1,…,p n o So, how small can n be?  Need  X i  24…31,  X i+1  24…31,  X i+2  24…31,  X i+3  24…31 to determine X i o We can assume i+3 = n, so n,n  1,n  2,n  3 needed  And we need five more X i to find true X -list o Can assume we use i = n  4,n  5,n  6,n  7,n  8  Cannot use X i, i=0,1,2,3, for any of the above o Since these are not found by the attack

30 PKZIP Stream Cipher 29 How Much Plaintext?  Bottom line o Need 13 consecutive known plaintext bytes o Since 4 + 5 + 4 = 13 (from previous slide)  Can reduce the work (step 1 refinement) o Requires more known plaintext o “Work” determined by number of lists o 28 additional known plaintext bytes reduces number of lists from 2 38 to 2 34 o About 1000 additional plaintext bytes reduces number of lists to a range of 2 27 to 2 24

31 PKZIP Stream Cipher 30 Slightly Simplified Attack  If we do not reduce number of lists (i.e., we do not implement step 1 refinement) o Then work is on order of 2 38  In this case, a simpler attack is possible  “Simpler” means easier to program o We do not have to save large number of lists o Instead, we process each lists as generated

32 PKZIP Stream Cipher 31 Simplified Attack  Suppose we have 13 known plaintexts o That is, p 0,p 1,…,p 12 o Then we know keystream bytes k 0,k 1,…,k 12  From step 1, we first do the following: for i = 0 to 12 Find all  Z i  16…29 consistent with k i next i  Expect 64  Z i  16…29 for each i  Remainder of attack is on the next slide

33 PKZIP Stream Cipher 32 for each  Z 12  16…29 // expect 64 for each  Z 12  0…15 // 2 16 choices for i = 11,10,…,0 Find  Z i  16…29 consistent with  Z i+1  0…29 Extend  Z i  16…29 to  Z i  0…29 next i Complete to Z -list (solve for bits 30 and 31) Solve for  Y i  0…7 Solve for all bits of Y -lists // expect 2 16 lists for each Y -list Solve for  X i  24…31 Solve for X 9 using  X 9  24…31,  X 10  24…31,  X 11  24…31,  X 12  24…31 Solve for X -list if  X i  24…31 verified for i=8,7,6,5,4, return (X,Y,Z) -list next Y -list next  Z 12  0…15 next  Z 12  16…29 Simplified Attack

34 PKZIP Stream Cipher 33 PKZIP Conclusions  PKZIP cipher is somewhat complex and difficult to analyze  PKZIP cipher design o Appears to be ad hoc o Violated Kerckhoffs Principle o Mixed-mode arithmetic is interesting  The bottom line… o PKZIP cipher is insecure o But not trivial to attack o An interesting and unusual cipher!

Download ppt "PKZIP Stream Cipher 1 PKZIP PKZIP Stream Cipher 2 PKZIP  Phil Katz’s ZIP program  Katz invented zip file format o ca 1989  Before that, Katz created."

Similar presentations

Lecture 5: Cryptographic Hashes

Lecture 5: Cryptographic Hashes
Week 3. Assembly Language Programming  Difficult when starting assembly programming  Have to work at low level  Use processor instructions >Requires.

Week 3. Assembly Language Programming  Difficult when starting assembly programming  Have to work at low level  Use processor instructions >Requires.
Xiutao Feng Institute of Software Chinese Academy of Sciences A Byte-Based Guess and Determine Attack on SOSEMANUK.

Xiutao Feng Institute of Software Chinese Academy of Sciences A Byte-Based Guess and Determine Attack on SOSEMANUK.
Michael Alves, Patrick Dugan, Robert Daniels, Carlos Vicuna

Michael Alves, Patrick Dugan, Robert Daniels, Carlos Vicuna
Recursively Defined Functions

Recursively Defined Functions
The Binary Numbering Systems

The Binary Numbering Systems
CMSC 414 Computer (and Network) Security Lecture 4 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 4 Jonathan Katz.
Simplifying CFGs There are several ways in which context-free grammars can be simplified. One natural way is to eliminate useless symbols those that cannot.

Simplifying CFGs There are several ways in which context-free grammars can be simplified. One natural way is to eliminate useless symbols those that cannot.
Block Ciphers and the Data Encryption Standard

Block Ciphers and the Data Encryption Standard
WEP 1 WEP WEP 2 WEP  WEP == Wired Equivalent Privacy  The stated goal of WEP is to make wireless LAN as secure as a wired LAN  According to Tanenbaum:

WEP 1 WEP WEP 2 WEP  WEP == Wired Equivalent Privacy  The stated goal of WEP is to make wireless LAN as secure as a wired LAN  According to Tanenbaum:
Algebra Problems… Solutions Algebra Problems… Solutions © 2007 Herbert I. Gross Set 4 By Herb I. Gross and Richard A. Medeiros next.

Algebra Problems… Solutions Algebra Problems… Solutions © 2007 Herbert I. Gross Set 4 By Herb I. Gross and Richard A. Medeiros next.
Introduction to Cryptography and Security Mechanisms: Unit 5 Theoretical v Practical Security Dr Keith Martin McCrea 34901784 443099

Introduction to Cryptography and Security Mechanisms: Unit 5 Theoretical v Practical Security Dr Keith Martin McCrea
FEAL FEAL 1.

FEAL FEAL 1.
Akelarre 1 Akelarre Akelarre 2 Akelarre  Block cipher  Combines features of 2 strong ciphers o IDEA — “mixed mode” arithmetic o RC5 — keyed rotations.

Akelarre 1 Akelarre Akelarre 2 Akelarre  Block cipher  Combines features of 2 strong ciphers o IDEA — “mixed mode” arithmetic o RC5 — keyed rotations.
Sigaba 1 Sigaba Sigaba 2 Sigaba  Used by Americans during WWII o And afterwards (to about 1948)  Never broken o Germans quit collecting, considered.

Sigaba 1 Sigaba Sigaba 2 Sigaba  Used by Americans during WWII o And afterwards (to about 1948)  Never broken o Germans quit collecting, considered.
CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.
Factoring 1 Factoring Factoring 2 Factoring  Security of RSA algorithm depends on (presumed) difficulty of factoring o Given N = pq, find p or q and.

Factoring 1 Factoring Factoring 2 Factoring  Security of RSA algorithm depends on (presumed) difficulty of factoring o Given N = pq, find p or q and.
RC4 1 RC4 RC4 2 RC4  Invented by Ron Rivest o “RC” is “Ron’s Code” or “Rivest Cipher”  A stream cipher  Generate keystream byte at a step o Efficient.

RC4 1 RC4 RC4 2 RC4  Invented by Ron Rivest o “RC” is “Ron’s Code” or “Rivest Cipher”  A stream cipher  Generate keystream byte at a step o Efficient.
Intro To Encryption Exercise 1. Monoalphabetic Ciphers Examples:  Caesar Cipher  At Bash  PigPen (Will be demonstrated)  …

Intro To Encryption Exercise 1. Monoalphabetic Ciphers Examples:  Caesar Cipher  At Bash  PigPen (Will be demonstrated)  …
Hellman’s TMTO 1 Hellman’s TMTO Attack. Hellman’s TMTO 2 Popcnt  Before we consider Hellman’s attack, consider simpler Time-Memory Trade-Off  “Population.

Hellman’s TMTO 1 Hellman’s TMTO Attack. Hellman’s TMTO 2 Popcnt  Before we consider Hellman’s attack, consider simpler Time-Memory Trade-Off  “Population.

Similar presentations

Ads by Google