RC4-Stream CiphersRC4-Stream CiphersBlowfish, RC5 Block Ciphers Blowfish, RC5 Block Ciphers

M. Sakalli, Marmara Univ. M. Sakalli, Marmara Univ. Chapter 6 of Cryptography and Network Security Chapter 6 of Cryptography and Network Security

by William Stallingsby William StallingsModified from the original slides of Lawrie BrownModified from the original slides of Lawrie Brown

Stream CiphersStream Ciphers

process message bit by bit (as a stream) process message bit by bit (as a stream) have a pseudo random have a pseudo random keystreamkeystream Idea of randomness of Idea of randomness of stream keystream key is complete is complete

destroy of the statistically propertiesdestroy of the statistically properties in message in message CCii = M = Mii StreamKey StreamKeyii

but must never reuse stream keybut must never reuse stream key otherwise can recover messages (cf book cipher)otherwise can recover messages (cf book cipher)

PTPT CTCT

PRNG

K

k

ECTCT PTPT

PRNG

K

k

D

Stream Cipher PropertiesStream Cipher Properties some design considerations are:some design considerations are:

long sequence with no periodicities long sequence with no periodicities statistically random statistically random depends on large enough keydepends on large enough key large linear complexitylarge linear complexity correlation immunity correlation immunity confusion, diffusion (cryptographically)confusion, diffusion (cryptographically)

can be as secure as a block cipher with same can be as secure as a block cipher with same size keysize key

but simpler & fasterbut simpler & faster

(Ron Rivest!!! Cipher) RC4(Ron Rivest!!! Cipher) RC4 the period of the cipher is overwhelmingly likely to be the period of the cipher is overwhelmingly likely to be

greater than 10greater than 10100100 Runs faster - five/fifteen times than DES/3DES Runs faster - five/fifteen times than DES/3DES Used in Used in

SSL/TLS (Secure socket, transport layer security) between SSL/TLS (Secure socket, transport layer security) between web browsers and servers, web browsers and servers,

IEEE 802.11 wirelss LAN std: WEP (Wired Equivalent IEEE 802.11 wirelss LAN std: WEP (Wired Equivalent Privacy), WPA (WiFi Protocol Access) protocol Privacy), WPA (WiFi Protocol Access) protocol

a proprietary cipher owned by RSA, kept secret, a proprietary cipher owned by RSA, kept secret, released at the sites of Cyberpunk remailers. released at the sites of Cyberpunk remailers.

simple but effective, variable key length from 1 to 256 simple but effective, variable key length from 1 to 256 bytes; starts with an array S of numbers: 0..255 and bytes; starts with an array S of numbers: 0..255 and after initialization 0after initialization 0 S[.] S[.] 255..255..

(Ron Rivest!!! Cipher) RC4(Ron Rivest!!! Cipher) RC4 key forms random permutation of all 8-bit values, key forms random permutation of all 8-bit values,

scrambles input info a byte at a time scrambles input info a byte at a time S S internal stateinternal state of the cipher of the cipher, a byte k is generated , a byte k is generated

from S by selecting one of the 255 entries from S by selecting one of the 255 entries in a in a systematic fashionsystematic fashion. .

Initialization and permutation of S state vector. Key Initialization and permutation of S state vector. Key length: 1length: 1 | |K|K|256 256

for i = 0 to 255 dofor i = 0 to 255 doS[i] = iS[i] = i ////T[i] = K[i mod(|K|)])T[i] = K[i mod(|K|)])

j = 0j = 0for i = 0 to 255 do for i = 0 to 255 do

j = (j + S[i] + T[i]) (mod 256) j = (j + S[i] + T[i]) (mod 256) swap (S[i], S[j])swap (S[i], S[j])

KSA Key schedulingKSA Key scheduling

encryption continues shuffling array valuesencryption continues shuffling array values sum of shuffled pair selects "stream key" value sum of shuffled pair selects "stream key" value

from permutationfrom permutation XOR S[t] with next byte of message to XOR S[t] with next byte of message to

en/decrypten/decrypti = j = 0 i = j = 0

for each message byte Mfor each message byte Mii

i = (i + 1) (mod 256)i = (i + 1) (mod 256)

j = (j + S[i]) (mod 256)j = (j + S[i]) (mod 256)

swap(S[i], S[j])swap(S[i], S[j])

t = (S[i] + S[j]) (mod 256) t = (S[i] + S[j]) (mod 256)

CCii = M = Mii XOR S[t] XOR S[t]

RC4 EncryptionRC4 Encryption claimed secure against known attacksclaimed secure against known attacks

have some analyses inhave some analyses in a number of papers, a number of papers, but none to but none to be practical be practical with a reasonable key length, such as 128 with a reasonable key length, such as 128 bits. bits.

In one authors demonstrate that in the case of WEP, it In one authors demonstrate that in the case of WEP, it is vulnerable to a particular attack approach due to the is vulnerable to a particular attack approach due to the initialization of the keys but not the RC4 itself but the initialization of the keys but not the RC4 itself but the way in which keys are generated. way in which keys are generated.

Remedied by changing the way in which keys are Remedied by changing the way in which keys are generated. generated.

since RC4 is a stream cipher, must since RC4 is a stream cipher, must never reuse a never reuse a keykey

Security issues of RC4Security issues of RC4 The keystream generated by RC4 is biased. The keystream generated by RC4 is biased.

The second byte is biased toward zero with high probability.The second byte is biased toward zero with high probability. The first few bytes are strongly non-random and leak information about the The first few bytes are strongly non-random and leak information about the

input key. input key.

Defense: discard the initial n bytes of the keystream. Defense: discard the initial n bytes of the keystream. Called “RC4-drop[n-bytes]”.Called “RC4-drop[n-bytes]”. Recommended values for n = 256, 768, or 3072 bytes.Recommended values for n = 256, 768, or 3072 bytes.

----------------------------------------------------------

WEP is a protocol using RC4 to encrypt packets for transmission over WEP is a protocol using RC4 to encrypt packets for transmission over

IEEE 802.11 wireless LAN. IEEE 802.11 wireless LAN.

WEP requires each packet to be encrypted with a separate RC4 key. WEP requires each packet to be encrypted with a separate RC4 key.

The RC4 key for each packet is a concatenation of a 24-bit IV The RC4 key for each packet is a concatenation of a 24-bit IV

(initialization vector) and a 40 or 104-bit long-term key. (initialization vector) and a 40 or 104-bit long-term key.

lHeader IV Packet ICV FCSHeader IV Packet ICV FCS

encryptedencrypted802.11 frames using WEP802.11 frames using WEP

Fluhrer, Mantin, and Shamir showed that: Fluhrer, Mantin, and Shamir showed that: If the same secret key is used with numerous IVs, and the If the same secret key is used with numerous IVs, and the

attacker can obtain the first word of RC4 output attacker can obtain the first word of RC4 output (keystream) corresponding to each IV, then he can (keystream) corresponding to each IV, then he can construct the secret key with little effort.construct the secret key with little effort.

The first word is known for many plaintext packets.The first word is known for many plaintext packets.

Recall: Ciphertext = plaintext Recall: Ciphertext = plaintext keystream keystream

So, the first word of RC output (keystream) can be So, the first word of RC output (keystream) can be obtained.obtained.

Tews, Weinmann, and Pyshkin wrote an article, “Tews, Weinmann, and Pyshkin wrote an article, “Breaking Breaking

104 bit WEP in less than 60 seconds104 bit WEP in less than 60 seconds,” discussing how to ,” discussing how to

discover the RC4 key by analyzing the easily identified discover the RC4 key by analyzing the easily identified

ARP packets.ARP packets.9

Chapter 7: Confidentiality using Symmetric EncryptionChapter 7: Confidentiality using Symmetric EncryptionWhich part to encrypt in a PSN Which part to encrypt in a PSN Packet switching nwPacket switching nw

traditionally symmetric encryption is used to provide message confidentialitytraditionally symmetric encryption is used to provide message confidentiality Vulnerable points: snooping, monitoring or modifying by usingVulnerable points: snooping, monitoring or modifying by using

another workstationanother workstation dial-in to LAN or server or external routerdial-in to LAN or server or external router by physically taping line in wiring closetby physically taping line in wiring closet

end-to-end encryption (end-to-end encryption (shared keysshared keys): ): protects data between source and protects data between source and destination, needs devices at each end. destination, needs devices at each end.

link encryption, (paired keys)link encryption, (paired keys): protects traffic monitoring, is considered over : protects traffic monitoring, is considered over every link, requires many devices, every link, requires many devices,

End [ Link [] Link ] EndEnd [ Link [] Link ] End

PSN

Placement of Encryption in the various Placement of Encryption in the various levels of OSI Encapsulation Modellevels of OSI Encapsulation Model

(b) TCP Layer level(b) TCP Layer level

(c) Link Layer Level(c) Link Layer Level

The purpose of monitoringThe purpose of monitoring military & commercial military & commercial can also be used to create a covert channel if controlledcan also be used to create a covert channel if controlled

Link encryption obscures Link encryption obscures header detailsheader details But overall traffic volumes in networks and But overall traffic volumes in networks and at end-at end-

pointspoints will still be visible will still be visible Traffic paddingTraffic padding can further obscure flows but at cost can further obscure flows but at cost

of continuous traffic.. of continuous traffic..

Traffic monitoringTraffic monitoring

How to distribute keyHow to distribute key symmetric schemes require to share a common secret keysymmetric schemes require to share a common secret key often secure system failure due to a break in the key distribution often secure system failure due to a break in the key distribution

schemescheme given parties A and B have various given parties A and B have various key distributionkey distribution

alternatives:alternatives:1.1. Physically delivery from A to BPhysically delivery from A to B2.2. Third party can issue & deliver key to A & B, if A & B have secure Third party can issue & deliver key to A & B, if A & B have secure

communications with a third party C, C can relay key between A & Bcommunications with a third party C, C can relay key between A & B Distribution of Key is based on a Distribution of Key is based on a Hierarchy, at least two levels Hierarchy, at least two levels

of keys are usedof keys are used temporary key referred as session keytemporary key referred as session key

• used for the duration of a logical connection between usersused for the duration of a logical connection between users• for one logical session then discardedfor one logical session then discarded

master keymaster key• used to encrypt session keysused to encrypt session keys• shared by user & key distribution centershared by user & key distribution center

Key Distribution ScenarioKey Distribution Scenario Assume that user A wishes to establish a logical connection with B and Assume that user A wishes to establish a logical connection with B and

requires a one-time session key to protect the data transmitted over the requires a one-time session key to protect the data transmitted over the logical connection to B. A has a logical connection to B. A has a master key, Kmaster key, Kaa, known only to itself and the , known only to itself and the KDC; similarly, B shares the KDC; similarly, B shares the master key Kmaster key Kbb with the KDC. The following with the KDC. The following steps occur:steps occur:

a.a. A issues a request to the KDC for a session key to B A issues a request to the KDC for a session key to B including the including the identity of Aidentity of A and Band B and a unique and a unique session session identifier, identifier, NN11,, valid for this transaction, valid for this transaction, nonce: nonce: a timestamp, a counter, or a random a timestamp, a counter, or a random number; differs with each request. I.e. to prevent number; differs with each request. I.e. to prevent masquerading, suppose something like, a random masquerading, suppose something like, a random number.number.

b. The KDC’s response to A: KA Thus, only A can decrypt the message. One-time session key, KS, to be used for the session. Items for A: The original message so that, A can verify the original request not altered before reception by the KDC. The nonceThe nonce,, so that this is that this is not not a replay of some previous requesta replay of some previous request. Items for B: The one time session key KS and IDSA (e.g., its network address), both encrypted with KB (the master key that the KDC shares with B).

c. A stores KS for use in the upcoming session and forwards to B the information originated from the KDC for B, namely, E(KB, [KS || IDA]). Because this information is encrypted with KB, it is protected from eavesdropping. B knows the session key (KS), and A, and the information that must have originated at the KDC Kb.--A secure KS delivered to A and B, to proceed with protected exchange---.

Protected exchange with sym key KS used by A and B for encryption.

d. B sends a nonce, N2, E(KS N2). A responds with E(KS f(N2)). (e.g., adding one).. Last steps involve authentication.

Random NumbersRandom Numbers uses of uses of random numbers: random numbers: nonces in authentication protocols nonces in authentication protocols

to prevent replay, to prevent replay, session keys, public key generationsession keys, public key generation statistically statistically random, uniform distributionrandom, uniform distribution,,

If a problem is to hard, time-consuming, then use randomization, i.e. If a problem is to hard, time-consuming, then use randomization, i.e. RSA public key exchange, large prime number N, sqrt(10RSA public key exchange, large prime number N, sqrt(10150150))

independentindependent so that unpredictable so that unpredictable (ie reciprocal authentication and session key generation), where the (ie reciprocal authentication and session key generation), where the

requirement is not so much that the numbers be statistically random but requirement is not so much that the numbers be statistically random but be unpredictable. be unpredictable.

With "true" random sequences, each number is statistically independent, With "true" random sequences, each number is statistically independent, therefore unpredictable. However used seldom.therefore unpredictable. However used seldom.

Often deterministic algorithmic techniques used to create Often deterministic algorithmic techniques used to create “random numbers”. ““random numbers”. “Pseudorandom Number Generators Pseudorandom Number Generators (PRNGs)”. (PRNGs)”. Care to be taken that an opponent not be able to Care to be taken that an opponent not be able to predict future elements.predict future elements.

Linear Congruential GeneratorLinear Congruential Generator

The most common to produce random sequences and an The most common to produce random sequences and an iterative technique:iterative technique:XXnn+1+1 = ( = (aXaXnn + + cc) mod ) mod mm

Only a small number of suitable values available: Only a small number of suitable values available: Consider the values a = 7, c = 0, m = 32, and Consider the values a = 7, c = 0, m = 32, and XX00 = 1. = 1. This generates the sequence {7, 17, 23, 1, 7, etc.}, which This generates the sequence {7, 17, 23, 1, 7, etc.}, which is also clearly unsatisfactory. Of the 32 possible values, is also clearly unsatisfactory. Of the 32 possible values, only 4 are used; thus, the sequence is said to have a only 4 are used; thus, the sequence is said to have a period of 4. If, instead, we change the value of a to 5, period of 4. If, instead, we change the value of a to 5, then the sequence is {5, 25, 29, 17, 21, 9, 13, 1, 5, etc.}, then the sequence is {5, 25, 29, 17, 21, 9, 13, 1, 5, etc.}, which increases the period to 8. which increases the period to 8.

Linear Congruential GeneratorLinear Congruential Generator m to be very large, for producing a long series of distinct m to be very large, for producing a long series of distinct

random numbers, nearly equal to the maximum random numbers, nearly equal to the maximum representable nonnegative integer for a given computer, representable nonnegative integer for a given computer, equal to m=2equal to m=23131-1. Function should generate a long full-period sequence between 0 Function should generate a long full-period sequence between 0

and m, and m, Generated deterministically, should appear random. Generated deterministically, should appear random. Efficient implementation with 32-bit.Efficient implementation with 32-bit.

an attacker can reconstruct sequence given a small an attacker can reconstruct sequence given a small number of values. 3 unknowns, a, c, m, 3 equations.number of values. 3 unknowns, a, c, m, 3 equations.

One solution is using internal system clock to modify the One solution is using internal system clock to modify the random number stream. random number stream. Restart the sequence after every N numbers with the current Restart the sequence after every N numbers with the current

clock value (mod m) as the new seed clock value (mod m) as the new seed Add the current clock value to each random number (mod m). Add the current clock value to each random number (mod m).

Cryptographically Generated Random Numbers Cryptographically Generated Random Numbers Use a block cipher to generate Use a block cipher to generate

random numbersrandom numbers often for creating session keys often for creating session keys

from master key which is from master key which is protected, counter 56 key length, protected, counter 56 key length, 225656 possible c.. possible c.. Counter ModeCounter Mode

XXii = E = EKmKm[i][i] Output Feedback ModeOutput Feedback Mode

XXii = E = EKmKm[[XXi-1i-1]]

One of the strongestOne of the strongest DTDTii, , VVii - -

Date/time, seed Date/time, seed values at the values at the beginning of beginning of iithth generation stage generation stage

RRii - - Pseudorandom Pseudorandom number produced number produced by the by the iithth generation stage generation stage

KK11, K, K22 - DES keys - DES keys used for each used for each stagestage

RRii = EDE([K = EDE([K11, K, K22], [V], [Vii EDE([K EDE([K11, K, K22], DT], DTii)]))]) VVi+1i+1 = EDE([K = EDE([K11, K, K22], [R], [Rii EDE([K EDE([K11, K, K22], DT], DTii)]))]) where EDE([Kwhere EDE([K11,K,K22], X) ], X)

Cryptographically Generated Random Numbers Cryptographically Generated Random Numbers

ANSI X9.17 PRNGANSI X9.17 PRNG

Blum Blum Shub GeneratorBlum Blum Shub Generator

based on public key algorithmsbased on public key algorithms use least significant bit from iterative equation:use least significant bit from iterative equation:

xxii = x = xi-1i-122 mod n mod n

where where n=p.qn=p.q, and primes , and primes p,q should be p,q should be congruent to = 3 mod 4 = p, q and congruent to = 3 mod 4 = p, q and

gcd(φ(gcd(φ(pp-1), φ(-1), φ(qq-1)) should be small-1)) should be small unpredictable, passes unpredictable, passes next-bitnext-bit test test security rests on difficulty of factoring N security rests on difficulty of factoring N is unpredictable given any run of bits is unpredictable given any run of bits slow, since very large numbers must be usedslow, since very large numbers must be used too slow for cipher use, good for key generation too slow for cipher use, good for key generation

Natural Random NoiseNatural Random Noise best source is natural randomness in real world best source is natural randomness in real world find a regular but random event and monitor find a regular but random event and monitor do generally need special h/w to do this do generally need special h/w to do this

eg. radiation counters, radio noise, audio noise, eg. radiation counters, radio noise, audio noise, thermal noise in diodes, leaky capacitors, mercury thermal noise in diodes, leaky capacitors, mercury discharge tubes etc discharge tubes etc

starting to see such h/w in new CPU's starting to see such h/w in new CPU's problems of problems of biasbias or uneven distribution in or uneven distribution in

signal signal have to compensate for this when sample and use have to compensate for this when sample and use best to only use a few noisiest bits from each sample best to only use a few noisiest bits from each sample

Published SourcesPublished Sources

a few published collections of random a few published collections of random numbers numbers

Rand Co, in 1955, published 1 million Rand Co, in 1955, published 1 million numbers numbers generated using an electronic roulette wheel generated using an electronic roulette wheel has been used in some cipher designs cf Khafre has been used in some cipher designs cf Khafre

earlier Tippett in 1927 published a collection earlier Tippett in 1927 published a collection issues are that:issues are that:

these are limitedthese are limited too well-known for most uses too well-known for most uses

A symmetric block cipher BlowfishA symmetric block cipher Blowfish Designed by Bruce Schneier in 1993/94Designed by Bruce Schneier in 1993/94 characteristicscharacteristics

fast implementation on 32-bit CPUsfast implementation on 32-bit CPUs compact in use of memorycompact in use of memory simple structure for analysis/implementationsimple structure for analysis/implementation variable security by varying key sizevariable security by varying key size

has been implemented in various productshas been implemented in various products uses a 32 to 448 bit key uses a 32 to 448 bit key used to generate used to generate

18 32-bit subkeys stored in K-array 18 32-bit subkeys stored in K-array KKjj four 8x32 S-boxes stored in four 8x32 S-boxes stored in SSi,ji,j

key schedule consists of:key schedule consists of: initialize P-array and then 4 S-boxes using piinitialize P-array and then 4 S-boxes using pi XOR P-array with key bits (reuse as needed)XOR P-array with key bits (reuse as needed) loop repeatedly encrypting data using current P & S and replace loop repeatedly encrypting data using current P & S and replace

successive pairs of P then S valuessuccessive pairs of P then S values requires 521 encryptions, hence slow in re-keyingrequires 521 encryptions, hence slow in re-keying

uses two primitives: addition & XORuses two primitives: addition & XOR data is divided into two 32-bit halves data is divided into two 32-bit halves LL00 & & RR00

for for i i = 1 to 16 do= 1 to 16 doRRii = = LLi-1i-1 XOR XOR PPii;;

LLii = F[= F[RRii] XOR ] XOR RRi-1i-1;;

LL1717 = = RR1616 XOR XOR PP1818;;

RR1717 = = LL1616 XOR i XOR i1717;; wherewhere

F[F[aa,,bb,,cc,,dd] = ((S] = ((S1,1,aa + S+ S2,b2,b) XOR S) XOR S3,c3,c) + S) + S4,4,aa

key dependent S-boxes and subkeys, makes key dependent S-boxes and subkeys, makes cryptanalysis very difficultcryptanalysis very difficult

changing both halves in each round increases securitychanging both halves in each round increases security provided key is large enough, brute-force key search is provided key is large enough, brute-force key search is

not practical, especially given the high key schedule costnot practical, especially given the high key schedule cost

a proprietary cipher owned by RSADSI a proprietary cipher owned by RSADSI designed by Ronald Rivest (of RSA fame) designed by Ronald Rivest (of RSA fame) used in various RSADSI products used in various RSADSI products can vary key size / data size / no rounds can vary key size / data size / no rounds very clean and simple designvery clean and simple design easy implementation on various CPUseasy implementation on various CPUs yet still regarded as secure yet still regarded as secure RC5 is a family of ciphers RC5-w/r/bRC5 is a family of ciphers RC5-w/r/b

w = word size in bits (16/32/64) nb data=2ww = word size in bits (16/32/64) nb data=2w r = number of rounds (0..255)r = number of rounds (0..255) b = number of bytes in key (0..255)b = number of bytes in key (0..255)

nominal version is RC5-32/12/16nominal version is RC5-32/12/16 ie 32-bit words so encrypts 64-bit data blocksie 32-bit words so encrypts 64-bit data blocks using 12 roundsusing 12 rounds with 16 bytes (128-bit) secret keywith 16 bytes (128-bit) secret key

RFC2040 defines 4 modes used by RC5RFC2040 defines 4 modes used by RC5 RC5 Block Cipher, is ECB modeRC5 Block Cipher, is ECB mode RC5-CBC, is CBC modeRC5-CBC, is CBC mode RC5-CBC-PAD, is CBC with padding by bytes with value being the number of RC5-CBC-PAD, is CBC with padding by bytes with value being the number of

padding bytespadding bytes RC5-CTS, a variant of CBC which is the same size as the original message, uses RC5-CTS, a variant of CBC which is the same size as the original message, uses

ciphertext stealing to keep size same as originalciphertext stealing to keep size same as original

RC5, RC5, ciphers, ciphers, modesmodes

RC5 Key Expansion and EncryptionRC5 Key Expansion and Encryption RC5 uses 2r+2 subkey words (w-bits)RC5 uses 2r+2 subkey words (w-bits) subkeys are stored in array subkeys are stored in array S[i]S[i], i=0..t-1, i=0..t-1 then the key schedule consists ofthen the key schedule consists of

initializing S to a fixed pseudorandom value, based on constants e and phiinitializing S to a fixed pseudorandom value, based on constants e and phi the byte key is copied (little-endian) into a c-word array Lthe byte key is copied (little-endian) into a c-word array L a mixing operation then combines L and S to form the final S arraya mixing operation then combines L and S to form the final S array

split input into two halves A & Bsplit input into two halves A & BLL00 = = A A + S[0];+ S[0];

RR00 = = B B + S[1];+ S[1];for for i i = 1 to = 1 to r r dodo

LLii = ((= ((LLi-1i-1 XOR XOR RRi-1i-1) <<< ) <<< RRi-1i-1) + S[2 x ) + S[2 x ii];];

RRii = ((= ((RRi-1i-1 XOR XOR LLii) <<< ) <<< LLii) + S[2 x ) + S[2 x i i + 1];+ 1];

each round is like 2 DES roundseach round is like 2 DES rounds note rotation is main source of non-linearity note rotation is main source of non-linearity need reasonable number of rounds (eg 12-16) need reasonable number of rounds (eg 12-16)

In summaryIn summary

have considered:have considered: use and placement of symmetric encryption to use and placement of symmetric encryption to

protect confidentialityprotect confidentiality need for good key distributionneed for good key distribution use of trusted third party KDC’suse of trusted third party KDC’s random number generation issuesrandom number generation issues