Presentation is loading. Please wait.

Presentation is loading. Please wait.

ORYX 1 ORYX ORYX 2 ORYX  ORYX not an acronym, but upper case  Designed for use with cell phones o To protect confidentiality of voice/data o For “data.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "ORYX 1 ORYX ORYX 2 ORYX  ORYX not an acronym, but upper case  Designed for use with cell phones o To protect confidentiality of voice/data o For “data."— Presentation transcript:

1

2 ORYX 1 ORYX

3 ORYX 2 ORYX  ORYX not an acronym, but upper case  Designed for use with cell phones o To protect confidentiality of voice/data o For “data channel”, not “control channel” o Control channel encrypted with CMEA  Standard developed by o Telecommunications Industry Association (TIA) o Flaws in cipher discovered in 1997  Cipher design process not open o In violation of Kerckhoffs Principle

4 ORYX 3 Stream Cipher  ORYX is a stream cipher  Recall that a stream cipher can be viewed as a generalization of one-time pad  A stream cipher initialized with (short) key  Cipher then generates a long keystream  Keystream is used like a one-time pad o XOR with message to encrypt/decrypt

5 ORYX 4 ORYX  Stream cipher  Uses 3 shift registers, denoted X, A, B o Each holds 32 bits  Key is initial fill of registers  Therefore, ORYX has 96 bit key  ORYX also uses a lookup table L o Where L acts as IV (or MI)  Note that L is not secret

6 ORYX 5 ORYX  ORYX generates keystream 1 byte/step  Most stream ciphers generate 1 bit/step o RC4 stream cipher also generates bytes  ORYX is very weak o RC4 is weak due to the way it is used in WEP  What is wrong with ORYX? o Generates 1 byte of keystream o Too much of the internal state is exposed o Might be stronger if only generated 1 bit/step

7 ORYX 6 ORYX Shift Registers  Three shift registers, X, A, B, each 32 bits  Feedback functions (polynomials) o Register X uses feedback polynomial P X = x 0  x 4  x 5  x 8  x 9  x 10  x 13  x 15  x 17  x 18  x 27  x 31 o Register A uses two polynomial P A0 = a 0  a 1  a 3  a 4  a 6  a 7  a 9  a 10  a 11  a 15  a 21  a 22  a 25  a 31 P A1 = a 0  a 1  a 6  a 7  a 8  a 9  a 10  a 12  a 16  a 21  a 22  a 23  a 24  a 25  a 26  a 31 o Register B uses polynomial P B = b 0  b 2  b 5  b 14  b 15  b 19  b 20  b 30  b 31

8 ORYX 7 ORYX Lookup Table  Table L is different for each message o 1 byte in, 1 byte out  Consider L to left o L[5a] = ee  Row 5, column a o L[d2] = f5  Row d, column 2  Example lookup table L  Table is not secret

9 ORYX 8 ORYX Wiring Diagram  S determines whether to use P A0 or P A1  C determines whether B steps 1 or 2 times  L is a fixed (per msg), known lookup table

10 ORYX 9 ORYX Keystream Generator 1.Polynomial X steps once using P X 2.Polynomial A steps once using P A0 or P A1 As determined by bit 29 of X 3.Polynomial B steps 1 or 2 times using P B As determined by bit 26 of X 4.Byte: k i = H(X) + L[H(A)] + L[H(B)] mod 256 Where L is a known lookup table and H is “high” byte, i.e., bits 24 through 31 k i is i th keystream byte Note: Polynomials step before generating byte

11 ORYX 10 ORYX Keystream  Let k 0, k 1, k 2, … be keystream bytes  Then k 0 given by k 0 = H(X) + L[H(A)] + L[H(B)] mod 256 where X, A, B are fills after 1st iteration  Then k 1 given by k 1 = H(X) + L[H(A)] + L[H(B)] mod 256 where X, A, B are fills after 2nd iteration  And so on…

12 ORYX 11 ORYX Attack  Attack is not difficult  Idea of the attack o Suppose we know plaintext bytes p 0,p 1,…,p n o Then we know keystream bytes, k 0,k 1,…,k n o At each iteration, small change in internal state o Byte of output gives lots of info on state o Given enough plaintext, reconstruct initial fills  Only need small amount of known plaintext

13 ORYX 12 ORYX Attack  Table lists possible extensions of A,B  New bit(s) appear on left of H(A),H(B)  Given register fills A,B  Fill A can be extended in 2 ways: 0 or 1  Fill B can be extended 6 ways: 0,1,00,01,10,11

14 ORYX 13 ORYX Attack  Given keystream bytes k i where k i = H(X) + L[H(A)] + L[H(B)] mod 256  And X, A, B are fills after (i+1) st iteration  For each of 2 16 possible (H(A),H(B)) o Let H(X) = k 0  L[H(A)]  L[H(B)] mod 256 o For each of 12 extensions of (A,B) o Let Y = k 1  L[H(A)]  L[H(B)] mod 256 o Is Y a possible extension of H(X) ?  If yes, save result for testing with bytes k 2, k 3, … o If no valid extension, discard (H(A),H(B))

15 ORYX 14 ORYX Attack Example  Spse k 0 = da, k 1 = 31  Consider case where H(A) = b3, H(B) = 84  Then, modulo 256, H(X) = da  L[b3]  L[84] H(X) = da  ca  99 = 77  Can we extend H(X) = 77 to next iteration?  Must use k 1 and consider all 12 cases

16 ORYX 15 ORYX Attack Example  Have: k 1 = 31, H(A) = b3, H(B) = 84, H(X) = 77  Try extension where A  1A, B  0B  Then Y = 31  L[d9]  L[42] Y = 31  13  ce = 50  But H(X) = 77 can only be extended to 3b or bb  So this is not a valid extension  Must consider 11 more cases for (H(A),H(B)) pair

17 ORYX 16 ORYX Attack Example  Have: k 1 = 31, H(A) = b3, H(B) = 84, H(X) = 77  Try extension where A  0A, B  00B  Then Y = 31  L[59]  L[21] Y = 31  1e  58 = bb  Note that H(X) = 77 can be extended to bb  So this is a consistent extension of H(X)  Save it, and consider remaining extensions

18 ORYX 17 ORYX Attack  Attack algorithm o We have described a breadth first search o Depth-first search would work too  But is the attack practical? o Can we really determine correct initial fill? o How efficient is attack? o How much known plaintext is required?  We can easily answer these questions…

19 ORYX 18 ORYX Attack  Guess all pairs of initial (H(A),H(B)) o There are 2 16 = 65536 of these o For each, use k 0 to solve for H(X)  Have 2 16 putative triples (H(A),H(B),H(X))  For each of these 65536 o For each of 12 extensions of (H(A),H(B)), compute Y = k 1  L[H(A)]  L[H(B)] mod 256 o Note that Y is putative extension of X o So, 7 bits of Y must agree with 7 bits from H(X)  Expect (12  65536) / 128 = 6144 survivors

20 ORYX 19 ORYX Attack  Expect 6144 survivors using k 1  For each of these 6144, use k 2 and repeat the process… o Compute 12 extensions of (H(A),H(B)) o New Y must agree with 7 bits of putative X (previous Y ) o Expect (12  6144) / 128 = 576 survivors  Expected number of survivors decreases by factor greater that 10 at each step o Eventually, only 1 survivor is expected

21 ORYX 20 ORYX Attack  After 6 steps, expect only 1 survivor  Keep going…  After about 25 keystream bytes, X, A, B fills will be completely known o Not initial fills, but fills after 1st iteration o Easy to “back up” to initial fills, if desired  Suppose n keystream bytes used  Then work is on the order of 12  (65536 + 6144 + 576 + 54 + n)  2 20

22 ORYX 21 ORYX  ORYX is very insecure o Work of about 2 20 to recover 96-bit key!  What is the problem? o One iteration does not change internal state very much o Byte of keystream gives lots of info on state  Can it be improved? o Many alternatives…

23 ORYX 22 More Secure ORYX ?  ORYX does the following byte = H(X) + L[H(A)] + L[H(B)] mod 256 where H is high-order byte  Could instead do bit = s(X)  s(L[H(A)])  s(L[H(B)]) where s selects the high-order bit of a byte  Then previous attack does not work, since o Expect (12  2 16 ) / 1 = 2 19.6 after k 1 o Expect (12  2 19.6 ) / 1 = 2 23.2 after k 2, etc.  But this “secure” ORYX is very slow!  And may be other attacks to worry about…

Download ppt "ORYX 1 ORYX ORYX 2 ORYX  ORYX not an acronym, but upper case  Designed for use with cell phones o To protect confidentiality of voice/data o For “data."

Similar presentations

DES The Data Encryption Standard (DES) is a classic symmetric block cipher algorithm. DES was developed in the 1970’s as a US government standard The block.

DES The Data Encryption Standard (DES) is a classic symmetric block cipher algorithm. DES was developed in the 1970’s as a US government standard The block.
“Advanced Encryption Standard” & “Modes of Operation”

“Advanced Encryption Standard” & “Modes of Operation”
Stream Ciphers Part 1  Cryptography 3 Stream Ciphers.

Stream Ciphers Part 1  Cryptography 3 Stream Ciphers.
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.
Intro 1 Introduction Intro 2 Good Guys and Bad Guys  Alice and Bob are the good guys  Trudy is the bad guy  Trudy is our generic “intruder”

Intro 1 Introduction Intro 2 Good Guys and Bad Guys  Alice and Bob are the good guys  Trudy is the bad guy  Trudy is our generic “intruder”
WEP 1 WEP WEP 2 WEP  WEP == Wired Equivalent Privacy  The stated goal of WEP is to make wireless LAN as secure as a wired LAN  According to Tanenbaum:

WEP 1 WEP WEP 2 WEP  WEP == Wired Equivalent Privacy  The stated goal of WEP is to make wireless LAN as secure as a wired LAN  According to Tanenbaum:
Chalmers University of Technology Wireless security Breaking WEP and WPA.

Chalmers University of Technology Wireless security Breaking WEP and WPA.
PIITMadhumita Chatterjee Security 1 Hashes and Message Digests.

PIITMadhumita Chatterjee Security 1 Hashes and Message Digests.
PKZIP Stream Cipher 1 PKZIP PKZIP Stream Cipher 2 PKZIP  Phil Katz’s ZIP program  Katz invented zip file format o ca 1989  Before that, Katz created.

PKZIP Stream Cipher 1 PKZIP PKZIP Stream Cipher 2 PKZIP  Phil Katz’s ZIP program  Katz invented zip file format o ca 1989  Before that, Katz created.
FEAL FEAL 1.

FEAL FEAL 1.
Akelarre 1 Akelarre Akelarre 2 Akelarre  Block cipher  Combines features of 2 strong ciphers o IDEA — “mixed mode” arithmetic o RC5 — keyed rotations.

Akelarre 1 Akelarre Akelarre 2 Akelarre  Block cipher  Combines features of 2 strong ciphers o IDEA — “mixed mode” arithmetic o RC5 — keyed rotations.
Sigaba 1 Sigaba Sigaba 2 Sigaba  Used by Americans during WWII o And afterwards (to about 1948)  Never broken o Germans quit collecting, considered.

Sigaba 1 Sigaba Sigaba 2 Sigaba  Used by Americans during WWII o And afterwards (to about 1948)  Never broken o Germans quit collecting, considered.
Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from

Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from
RC4 1 RC4 RC4 2 RC4  Invented by Ron Rivest o “RC” is “Ron’s Code” or “Rivest Cipher”  A stream cipher  Generate keystream byte at a step o Efficient.

RC4 1 RC4 RC4 2 RC4  Invented by Ron Rivest o “RC” is “Ron’s Code” or “Rivest Cipher”  A stream cipher  Generate keystream byte at a step o Efficient.
Foundations of Network and Computer Security J J ohn Black Lecture #34 Dec 5 th 2007 CSCI 6268/TLEN 5831, Fall 2007.

Foundations of Network and Computer Security J J ohn Black Lecture #34 Dec 5 th 2007 CSCI 6268/TLEN 5831, Fall 2007.
Intro To Encryption Exercise 1. Monoalphabetic Ciphers Examples:  Caesar Cipher  At Bash  PigPen (Will be demonstrated)  …

Intro To Encryption Exercise 1. Monoalphabetic Ciphers Examples:  Caesar Cipher  At Bash  PigPen (Will be demonstrated)  …
McGraw-Hill©The McGraw-Hill Companies, Inc., 2004 1 Security PART VII.

McGraw-Hill©The McGraw-Hill Companies, Inc., Security PART VII.
Stream Ciphers 1 Stream Ciphers. Stream Ciphers 2 Stream Ciphers  Generalization of one-time pad  Trade provable security for practicality  Stream.

Stream Ciphers 1 Stream Ciphers. Stream Ciphers 2 Stream Ciphers  Generalization of one-time pad  Trade provable security for practicality  Stream.
Lecture 23 Symmetric Encryption

Lecture 23 Symmetric Encryption
CMEA 1 CMEA. CMEA 2 CMEA  Cellular Message Encryption Algorithm  Designed for use with cell phones o To protect confidentiality of called number o For.

CMEA 1 CMEA. CMEA 2 CMEA  Cellular Message Encryption Algorithm  Designed for use with cell phones o To protect confidentiality of called number o For.

Similar presentations

Ads by Google