Presentation is loading. Please wait.

Presentation is loading. Please wait.

9/01/2010CS 686 Stream Cipher EJ Jung CS 686 Special Topics in CS Privacy and Security.

Published byMerry Ellis Modified over 9 years ago

Similar presentations

Presentation on theme: "9/01/2010CS 686 Stream Cipher EJ Jung CS 686 Special Topics in CS Privacy and Security."— Presentation transcript:

1 9/01/2010CS 686 Stream Cipher EJ Jung ejung@cs.usfca.edu CS 686 Special Topics in CS Privacy and Security

2 9/01/2010CS 686 Announcements  Course Questionnaire and Consent Form No submission, no grades  Service Lab community partners are coming  Reading assignment in schedule read “ahead”

3 9/01/2010CS 686 Course questionnaire results  20 students  Previous courses 13 networks, 10 OS, 3 crypto, 1 security  Familiar technology 13 hash, 10 proxy, 9 SSL/TLS, 9 PKC, 3 TOR, 2 PGP, 1 IPsec,

4 9/01/2010CS 686 Current challenging problems  Conflicting goals: privacy vs. utility, anonymity vs. authenticity safety vs. convenience, usability right to opt-out happy medium  Hackers  User education and admin education  Data sharing among many parties  Data leak from social networks

5 9/01/2010CS 686 Want to solve  Hacking prevention, Server protection, Data protection  Vulnerability (loophole) analysis and mitigation  Intrusion detection packet sniffing and monitoring  User education, usability  Malware, e.g. virus, key-loggers, prevention&detection  Identity theft, Phishing prevention/detection  Right to opt-out, Pay for privacy  Anonymity, Finding happy medium between anonymity and authenticity TOR  Security software development  Secure data sharing among multiple parties, Data tracing

6 9/01/2010CS 686 After this course  Become knowledgeable  Find vulnerabilities  Protect systems and websites without hurting performance and usability too much  Work as security specialist

7 9/01/2010CS 686 slide 7 Basic Problem ? ----- Given: both parties already know the same secret How is this achieved in practice? Goal: send a message confidentially Any communication system that aims to guarantee confidentiality must solve this problem

8 9/01/2010CS 686 slide 8 One-Time Pad = 10111101… ----- = 00110010… 10001111…  00110010… =  10111101… Key is a random bit sequence as long as the plaintext Encrypt by bitwise XOR of plaintext and key: ciphertext = plaintext  key Decrypt by bitwise XOR of ciphertext and key: ciphertext  key = (plaintext  key)  key = plaintext  (key  key) = plaintext Cipher achieves perfect secrecy if and only if there are as many possible keys as possible plaintexts, and every key is equally likely (Claude Shannon)

9 9/01/2010CS 686 slide 9 Advantages of One-Time Pad  Easy to compute Encryption and decryption are the same operation Bitwise XOR is very cheap to compute  As secure as theoretically possible Given a ciphertext, all plaintexts are equally likely, regardless of attacker’s computational resources …as long as the key sequence is truly random –True randomness is expensive to obtain in large quantities …as long as each key is same length as plaintext –But how does the sender communicate the key to receiver?

10 9/01/2010CS 686 slide 10 Problems with One-Time Pad  Key must be as long as plaintext Impractical in most realistic scenarios Still used for diplomatic and intelligence traffic  Does not guarantee integrity One-time pad only guarantees confidentiality Attacker cannot recover plaintext, but can easily change it to something else  Insecure if keys are reused Attacker can obtain XOR of plaintexts

11 9/01/2010CS 686 Stream Ciphers  One-time pad Ciphertext(Key,Message)=Message  Key Key must be a random bit sequence as long as message  Idea: replace “random” with “pseudo-random” Encrypt with pseudo-random number generator (PRNG) PRNG takes a short, truly random secret seed (key) and expands it into a long “random-looking” sequence –E.g., 128-bit key into a 10 6 -bit pseudo-random sequence  Ciphertext(Key,Message)=Message  PRNG(Key) Message processed bit by bit, not in blocks

12 9/01/2010CS 686

13 9/01/2010CS 686

14 9/01/2010CS 686 Properties of Stream Ciphers  Usually very fast Used where speed is important: WiFi, SSL, DVD  Unlike one-time pad, stream ciphers do not provide perfect secrecy Only as secure as the underlying PRNG If used properly, can be as secure as block ciphers  PRNG must be unpredictable Given the stream of PRNG output (but not the seed!), it’s hard to predict what the next bit will be –If PRNG(unknown seed)=b 1 …b i, then b i+1 is “0” with probability ½, “1” with probability ½

15 9/01/2010CS 686 Weaknesses of Stream Ciphers  No integrity Associativity & commutativity: (X  Y)  Z=(X  Z)  Y (M 1  PRNG(key))  M 2 = (M 1  M 2 )  PRNG(key)  Known-plaintext attack is very dangerous if keystream is ever repeated Self-cancellation property of XOR: X  X=0 (M 1  PRNG(key))  (M 2  PRNG(key)) = M 1  M 2 If attacker knows M 1, then easily recovers M 2 –Most plaintexts contain enough redundancy that knowledge of M 1 or M 2 is not even necessary to recover both from M 1  M 2

16 9/01/2010CS 686 Stream Cipher Terminology  Seed of pseudo-random generator often consists of initialization vector (IV) and key IV is usually sent with the ciphertext The key is a secret known only to the sender and the recipient, not sent with the ciphertext  The pseudo-random bit stream produced by PRNG(IV,key) is referred to as keystream  Encrypt message by XORing with keystream ciphertext = message  keystream

17 9/01/2010CS 686 RC4  Designed by Ron Rivest for RSA in 1987  Simple, fast, widely used SSL/TLS for Web security, WEP for wireless Byte array S[256] contains a permutation of numbers from 0 to 255 i = j := 0 loop i := (i+1) mod 256 j := (j+S[i]) mod 256 swap(S[i],S[j]) output (S[i]+S[j]) mod 256 end loop

18 9/01/2010CS 686 Each DVD is encrypted with a disk-specific 40-bit DISK KEY Each player has its own PLAYER KEY (409 player manufacturers, each has its player key) Content Scrambling System (CSS)  DVD encryption scheme from Matsushita and Toshiba KEY DATA BLOCK contains disk key encrypted with 409 different player keys: Encrypt DiskKey (DiskKey) Encrypt PlayerKey1 (DiskKey) … Encrypt PlayerKey409 (DiskKey) This helps attacker verify his guess of disk key What happens if even a single player key is compromised?

19 9/01/2010CS 686 Generic LFSR output Feedback Function feedback path taps The register is seeded with an initial value. At each clock tick, the feedback function is evaluated using the input from the tapped bits. The result is shifted into the leftmost bit of the register. The rightmost bit is shifted into the output.

20 9/01/2010CS 686

21 9/01/2010CS 686 Linear Feedback Shift Register  Pseudo-random bit stream  Linear Feedback Shift Register (LFSR) The LFSR is one popular technique for generating a pseudo-random bit stream. After the LFSR is seeded with a value, it can be clocked to generate a stream of bits. Unfortunately, LFSRs aren’t truly random – they are periodic and will eventually repeat. In general, the larger the LFSR, the greater its period. There period also depends on the particular configuration of the LFSR. If the initial value of an LFSR is 0, it will produce only 0’s, this is sometimes called null cycling

22 9/01/2010CS 686 CSS: LFSR Addition LFSR-17 LFSR-25 1 byte first 2 bytes of key + 4 th bit 1 last 3 bytes of key + 4 th bit 1 Optional bit-wise inverter + 8-bit add carry-out Output byte carry-out from prior addition 8 ticks Optional bit-wise inverter

23 9/01/2010CS 686 Weakness #1: LFSR Cipher  Brainless: disk key is 40 bit long 2 40 isn’t really very big – just brainlessly brute-force the keys  With 6 Output Bytes O(2 16 ) : Guess the initial state of LFSR-17 O(2 16 ). Clock out 4 bytes. Use those 4 bytes to determine the corresponding 4 bytes of output from LFSR-25. Use the LFSR-25 output to determine LFSR-25’s state. Clock out 2 bytes on both LFSRs. Verify these two bytes. Celebrate or guess again.

24 9/01/2010CS 686 CSS: LFSR Addition LFSR-17 LFSR-25 1 byte first 2 bytes of key + 4 th bit 1 last 3 bytes of key + 4 th bit 1 Optional bit-wise inverter + 8-bit add carry-out Output byte carry-out from prior addition 8 ticks Optional bit-wise inverter

25 9/01/2010CS 686

26 9/01/2010CS 686 Weakness #1: LFSR Cipher (Cont.)  With 5 Output Bytes O(2 17 ) : Guess the initial state of LFSR-17 O(2 16 ) Clock out 3 bytes Determine the corresponding output bytes from LFSR-25 This reveals all but the highest-order bit of LFSR-25 Try both possibilities: O(2) –Clock back 3 bytes –Select the setting where bit 4 is 1 (remember this is the initial case). –It is possible that both satisfy this – try both. Clock out 2 bytes on both LFSRs. Verify these two bytes. Celebrate or guess again.

27 9/01/2010CS 686

28 9/01/2010CS 686 Weakness #2: Mangled Output  With Known ciphertext and plainttext Guess L k (1 byte) Work backward and verify input byte This is a O(2 8 ) attack. Repeat for all 5 bytes – this gives you the 5 bytes of known output for prior weakness.

29 9/01/2010CS 686 CSS decryption algorithm 1 3 0 2 4 2 4 1 3 5 Bytes of Ciphertext Bytes of Plaintext Table lookup + ++ + + + ++ + + LkLk LkLk LkLk LkLk LkLk LkLk LkLk LkLk LkLk LkLk

30 9/01/2010CS 686 Attack on CSS Decryption Scheme  Knowing encrypted and decrypted title key, try 256 possibilities to recover 40 output bits of the LFSRs – this takes O(2 8 )  Guess 16 bits of the key contained in LFSR-17 – this takes O(2 16 )  Clock out 24 bits out of LFSR-17, use them to determine the corresponding output bits of LFSR-25 (this reveals all of LFSR-25 except the highest bit)  Clock back 24 bits, try both possibilities – this takes O(2)  Verify the key … … LFSR-17 disk key LFSR-25 24 key bits 16 key bits “1” seeded in 4 th bit invert + mod 256 carry Encrypted title key Table-based “mangling” Decrypted title key      Encrypt DiskKey (DiskKey) stored on disk  This attack takes O(2 25 ) [due to Frank Stevenson]

31 9/01/2010CS 686 Reading assignment  Aircrack-ng http://www.aircrack-ng.org/doku.php

Download ppt "9/01/2010CS 686 Stream Cipher EJ Jung CS 686 Special Topics in CS Privacy and Security."

Similar presentations

Block Cipher Modes of Operation and Stream Ciphers

Block Cipher Modes of Operation and Stream Ciphers
ECE454/CS594 Computer and Network Security

ECE454/CS594 Computer and Network Security
CS470, A.SelcukStream Ciphers1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukStream Ciphers1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Modern Symmetric-Key Ciphers

Modern Symmetric-Key Ciphers
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.
Content Scrambling System (CSS) Gregory Kesden, Carnegie Mellon University, 15-412/Fall 2000 This is a draft document. Please report errors, omissions,

Content Scrambling System (CSS) Gregory Kesden, Carnegie Mellon University, /Fall 2000 This is a draft document. Please report errors, omissions,
Digital Kommunikationselektroink TNE027 Lecture 6 (Cryptography) 1 Cryptography Algorithms Symmetric and Asymmetric Cryptography Algorithms Data Stream.

Digital Kommunikationselektroink TNE027 Lecture 6 (Cryptography) 1 Cryptography Algorithms Symmetric and Asymmetric Cryptography Algorithms Data Stream.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
WEP 1 WEP WEP 2 WEP  WEP == Wired Equivalent Privacy  The stated goal of WEP is to make wireless LAN as secure as a wired LAN  According to Tanenbaum:

WEP 1 WEP WEP 2 WEP  WEP == Wired Equivalent Privacy  The stated goal of WEP is to make wireless LAN as secure as a wired LAN  According to Tanenbaum:
1 MD5 Cracking One way hash. Used in online passwords and file verification.

1 MD5 Cracking One way hash. Used in online passwords and file verification.
1 The AES block cipher Niels Ferguson. 2 What is it? Block cipher: encrypts fixed-size blocks. Design by two Belgians. Chosen from 15 entries in a competition.

1 The AES block cipher Niels Ferguson. 2 What is it? Block cipher: encrypts fixed-size blocks. Design by two Belgians. Chosen from 15 entries in a competition.
First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown and edited by Archana Chidanandan Cryptographic Tools.

First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown and edited by Archana Chidanandan Cryptographic Tools.
How To Not Make a Secure Protocol 802.11 WEP Dan Petro.

How To Not Make a Secure Protocol WEP Dan Petro.
Wireless Security In wireless networks. Security and Assurance - Goals Integrity Modified only in acceptable ways Modified only by authorized people Modified.

Wireless Security In wireless networks. Security and Assurance - Goals Integrity Modified only in acceptable ways Modified only by authorized people Modified.
BY MUKTADIUR RAHMAN MAY 06, 2010 INTERODUCTION TO CRYPTOGRAPHY.

BY MUKTADIUR RAHMAN MAY 06, 2010 INTERODUCTION TO CRYPTOGRAPHY.
20-751 ECOMMERCE TECHNOLOGY FALL 2003 COPYRIGHT © 2003 MICHAEL I. SHAMOS Cryptography.

ECOMMERCE TECHNOLOGY FALL 2003 COPYRIGHT © 2003 MICHAEL I. SHAMOS Cryptography.
Security in Wireless LAN 802.11 Layla Pezeshkmehr CS 265 Fall 2003-SJSU Dr.Mark Stamp.

Security in Wireless LAN Layla Pezeshkmehr CS 265 Fall 2003-SJSU Dr.Mark Stamp.
RC4 1 RC4 RC4 2 RC4  Invented by Ron Rivest o “RC” is “Ron’s Code” or “Rivest Cipher”  A stream cipher  Generate keystream byte at a step o Efficient.

RC4 1 RC4 RC4 2 RC4  Invented by Ron Rivest o “RC” is “Ron’s Code” or “Rivest Cipher”  A stream cipher  Generate keystream byte at a step o Efficient.
Foundations of Network and Computer Security J J ohn Black Lecture #34 Dec 5 th 2007 CSCI 6268/TLEN 5831, Fall 2007.

Foundations of Network and Computer Security J J ohn Black Lecture #34 Dec 5 th 2007 CSCI 6268/TLEN 5831, Fall 2007.
How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.

How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.

Similar presentations

Ads by Google