RC4-Stream Ciphers Blowfish, RC5 Block Ciphers - PowerPoint PPT Presentation

About This Presentation
Title:

RC4-Stream Ciphers Blowfish, RC5 Block Ciphers

Description:

Blowfish, RC5 Block Ciphers M. Sakalli, Marmara Univ. Chapter 6 of Cryptography and Network Security by William Stallings Modified from the original s of Lawrie ... – PowerPoint PPT presentation

Number of Views:550
Avg rating:3.0/5.0
Slides: 31
Provided by: DrLa66
Category:

less

Transcript and Presenter's Notes

Title: RC4-Stream Ciphers Blowfish, RC5 Block Ciphers


1
RC4-Stream CiphersBlowfish, RC5 Block Ciphers
  • M. Sakalli, Marmara Univ.
  • Chapter 6 of Cryptography and Network Security
  • by William Stallings
  • Modified from the original slides of Lawrie Brown

2
Stream Ciphers
  • process message bit by bit (as a stream)
  • have a pseudo random keystream
  • Idea of randomness of stream key is complete
    destroy of the statistically properties in
    message
  • Ci Mi ? StreamKeyi
  • but must never reuse stream key
  • otherwise can recover messages (cf book cipher)

3
Stream Cipher Properties
  • some design considerations are
  • long sequence with no periodicities
  • statistically random
  • depends on large enough key
  • large linear complexity
  • correlation immunity
  • confusion, diffusion (cryptographically)
  • can be as secure as a block cipher with same size
    key
  • but simpler faster

4
(Ron Rivest!!! Cipher) RC4
  • the period of the cipher is overwhelmingly likely
    to be greater than 10100
  • Runs faster - five/fifteen times than DES/3DES
  • Used in
  • SSL/TLS (Secure socket, transport layer security)
    between web browsers and servers,
  • IEEE 802.11 wirelss LAN std WEP (Wired
    Equivalent Privacy), WPA (WiFi Protocol Access)
    protocol
  • a proprietary cipher owned by RSA, kept secret,
    released at the sites of Cyberpunk remailers.
  • simple but effective, variable key length from 1
    to 256 bytes starts with an array S of numbers
    0..255 and after initialization 0? S. ?255..

5
(Ron Rivest!!! Cipher) RC4
  • key forms random permutation of all 8-bit values,
    scrambles input info a byte at a time
  • S internal state of the cipher, a byte k is
    generated from S by selecting one of the 255
    entries in a systematic fashion.
  • Initialization and permutation of S state vector.
    Key length 1? K?256
  • for i 0 to 255 do
  • Si i //
  • Ti Ki mod(K))
  • j 0
  • for i 0 to 255 do
  • j (j Si Ti) (mod 256)
  • swap (Si, Sj)

6
KSA Key scheduling
  • encryption continues shuffling array values
  • sum of shuffled pair selects "stream key" value
    from permutation
  • XOR St with next byte of message to en/decrypt
  • i j 0
  • for each message byte Mi
  • i (i 1) (mod 256)
  • j (j Si) (mod 256)
  • swap(Si, Sj)
  • t (Si Sj) (mod 256)
  • Ci Mi XOR St

7
RC4 Encryption
  • claimed secure against known attacks
  • have some analyses in a number of papers, but
    none to be practical with a reasonable key
    length, such as 128 bits.
  • In one authors demonstrate that in the case of
    WEP, it is vulnerable to a particular attack
    approach due to the initialization of the keys
    but not the RC4 itself but the way in which keys
    are generated.
  • Remedied by changing the way in which keys are
    generated.
  • since RC4 is a stream cipher, must never reuse a
    key

8
  • Security issues of RC4
  • The keystream generated by RC4 is biased.
  • The second byte is biased toward zero with high
    probability.
  • The first few bytes are strongly non-random and
    leak information about the input key.
  • Defense discard the initial n bytes of the
    keystream.
  • Called RC4-dropn-bytes.
  • Recommended values for n 256, 768, or 3072
    bytes.
  • -----------------------------
  • WEP is a protocol using RC4 to encrypt packets
    for transmission over IEEE 802.11 wireless LAN.
  • WEP requires each packet to be encrypted with a
    separate RC4 key.
  • The RC4 key for each packet is a concatenation of
    a 24-bit IV (initialization vector) and a 40 or
    104-bit long-term key.

encrypted
802.11 frames using WEP
l
Header IV Packet ICV FCS
9
  • Fluhrer, Mantin, and Shamir showed that
  • If the same secret key is used with numerous IVs,
    and the attacker can obtain the first word of RC4
    output (keystream) corresponding to each IV, then
    he can construct the secret key with little
    effort.
  • The first word is known for many plaintext
    packets.
  • Recall Ciphertext plaintext ? keystream
  • So, the first word of RC output (keystream) can
    be obtained.
  • Tews, Weinmann, and Pyshkin wrote an article,
    Breaking 104 bit WEP in less than 60 seconds,
    discussing how to discover the RC4 key by
    analyzing the easily identified ARP packets.

9
10
(No Transcript)
11
Chapter 7 Confidentiality using Symmetric
EncryptionWhich part to encrypt in a PSN Packet
switching nw
  • traditionally symmetric encryption is used to
    provide message confidentiality
  • Vulnerable points snooping, monitoring or
    modifying by using
  • another workstation
  • dial-in to LAN or server or external router
  • by physically taping line in wiring closet
  • end-to-end encryption (shared keys) protects
    data between source and destination, needs
    devices at each end.
  • link encryption, (paired keys) protects traffic
    monitoring, is considered over every link,
    requires many devices,
  • End Link Link End

12
Placement of Encryption in the various levels of
OSI Encapsulation Model
13
Traffic monitoring
  • The purpose of monitoring
  • military commercial
  • can also be used to create a covert channel if
    controlled
  • Link encryption obscures header details
  • But overall traffic volumes in networks and at
    end-points will still be visible
  • Traffic padding can further obscure flows but at
    cost of continuous traffic..

14
How to distribute key
  • symmetric schemes require to share a common
    secret key
  • often secure system failure due to a break in the
    key distribution scheme
  • given parties A and B have various key
    distribution alternatives
  • Physically delivery from A to B
  • Third party can issue deliver key to A B, if
    A B have secure communications with a third
    party C, C can relay key between A B
  • Distribution of Key is based on a Hierarchy, at
    least two levels of keys are used
  • temporary key referred as session key
  • used for the duration of a logical connection
    between users
  • for one logical session then discarded
  • master key
  • used to encrypt session keys
  • shared by user key distribution center

15
Key Distribution Scenario
  • Assume that user A wishes to establish a logical
    connection with B and requires a one-time session
    key to protect the data transmitted over the
    logical connection to B. A has a master key, Ka,
    known only to itself and the KDC similarly, B
    shares the master key Kb with the KDC. The
    following steps occur

16
  1. A issues a request to the KDC for a session key
    to B including the identity of A and B and a
    unique session identifier, N1, valid for this
    transaction, nonce a timestamp, a counter, or a
    random number differs with each request. I.e. to
    prevent masquerading, suppose something like, a
    random number.
  2. The KDCs response to A KA Thus, only A can
    decrypt the message. One-time session key, KS, to
    be used for the session. Items for A The
    original message so that, A can verify the
    original request not altered before reception by
    the KDC. The nonce, so that this is not a replay
    of some previous request. Items for B The one
    time session key KS and IDSA (e.g., its network
    address), both encrypted with KB (the master key
    that the KDC shares with B).

17
  • A stores KS for use in the upcoming session and
    forwards to B the information originated from
    the KDC for B, namely, E(KB, KS IDA).
    Because this information is encrypted with KB, it
    is protected from eavesdropping. B knows the
    session key (KS), and A, and the information that
    must have originated at the KDC Kb.--A secure KS
    delivered to A and B, to proceed with protected
    exchange---.
  • Protected exchange with sym key KS used by A and
    B for encryption.
  • B sends a nonce, N2, E(KS N2). A responds with
    E(KS f(N2)). (e.g., adding one).. Last steps
    involve authentication.

18
Random Numbers
  • uses of random numbers nonces in authentication
    protocols to prevent replay, session keys, public
    key generation
  • statistically random, uniform distribution,
  • If a problem is to hard, time-consuming, then use
    randomization, i.e. RSA public key exchange,
    large prime number N, sqrt(10150)
  • independent so that unpredictable
  • (ie reciprocal authentication and session key
    generation), where the requirement is not so much
    that the numbers be statistically random but be
    unpredictable.
  • With "true" random sequences, each number is
    statistically independent, therefore
    unpredictable. However used seldom.
  • Often deterministic algorithmic techniques used
    to create random numbers. Pseudorandom Number
    Generators (PRNGs). Care to be taken that an
    opponent not be able to predict future elements.

19
Linear Congruential Generator
  • The most common to produce random sequences and
    an iterative technique
  • Xn1 (aXn c) mod m
  • Only a small number of suitable values available
    Consider the values a 7, c 0, m 32, and X0
    1. This generates the sequence 7, 17, 23, 1,
    7, etc., which is also clearly unsatisfactory.
    Of the 32 possible values, only 4 are used thus,
    the sequence is said to have a period of 4. If,
    instead, we change the value of a to 5, then the
    sequence is 5, 25, 29, 17, 21, 9, 13, 1, 5,
    etc., which increases the period to 8.

20
Linear Congruential Generator
  • m to be very large, for producing a long series
    of distinct random numbers, nearly equal to the
    maximum representable nonnegative integer for a
    given computer, equal to m231-1.
  • Function should generate a long full-period
    sequence between 0 and m,
  • Generated deterministically, should appear
    random.
  • Efficient implementation with 32-bit.
  • an attacker can reconstruct sequence given a
    small number of values. 3 unknowns, a, c, m, 3
    equations.
  • One solution is using internal system clock to
    modify the random number stream.
  • Restart the sequence after every N numbers with
    the current clock value (mod m) as the new seed
  • Add the current clock value to each random number
    (mod m).

21
Cryptographically Generated Random Numbers
  • Use a block cipher to generate random numbers
  • often for creating session keys from master key
    which is protected, counter 56 key length, 256
    possible c..
  • Counter Mode
  • Xi EKmi
  • Output Feedback Mode
  • Xi EKmXi-1

22
ANSI X9.17 PRNG
Cryptographically Generated Random Numbers
  • One of the strongest
  • DTi, Vi - Date/time, seed values at the beginning
    of ith generation stage
  • Ri - Pseudorandom number produced by the ith
    generation stage
  • K1, K2 - DES keys used for each stage
  • Ri EDE(K1, K2, Vi EDE(K1, K2, DTi))
  • Vi1 EDE(K1, K2, Ri EDE(K1, K2, DTi))
  • where EDE(K1,K2, X)

23
Blum Blum Shub Generator
  • based on public key algorithms
  • use least significant bit from iterative
    equation
  • xi xi-12 mod n
  • where np.q, and primes p,q should be congruent
    to 3 mod 4 p, q and
  • gcd(f(p-1), f(q-1)) should be small
  • unpredictable, passes next-bit test
  • security rests on difficulty of factoring N
  • is unpredictable given any run of bits
  • slow, since very large numbers must be used
  • too slow for cipher use, good for key generation

24
Natural Random Noise
  • best source is natural randomness in real world
  • find a regular but random event and monitor
  • do generally need special h/w to do this
  • eg. radiation counters, radio noise, audio noise,
    thermal noise in diodes, leaky capacitors,
    mercury discharge tubes etc
  • starting to see such h/w in new CPU's
  • problems of bias or uneven distribution in signal
  • have to compensate for this when sample and use
  • best to only use a few noisiest bits from each
    sample

25
Published Sources
  • a few published collections of random numbers
  • Rand Co, in 1955, published 1 million numbers
  • generated using an electronic roulette wheel
  • has been used in some cipher designs cf Khafre
  • earlier Tippett in 1927 published a collection
  • issues are that
  • these are limited
  • too well-known for most uses

26
A symmetric block cipher Blowfish
  • Designed by Bruce Schneier in 1993/94
  • characteristics
  • fast implementation on 32-bit CPUs
  • compact in use of memory
  • simple structure for analysis/implementation
  • variable security by varying key size
  • has been implemented in various products
  • uses a 32 to 448 bit key
  • used to generate
  • 18 32-bit subkeys stored in K-array Kj
  • four 8x32 S-boxes stored in Si,j
  • key schedule consists of
  • initialize P-array and then 4 S-boxes using pi
  • XOR P-array with key bits (reuse as needed)
  • loop repeatedly encrypting data using current P
    S and replace successive pairs of P then S values
  • requires 521 encryptions, hence slow in re-keying

27
  • uses two primitives addition XOR
  • data is divided into two 32-bit halves L0 R0
  • for i 1 to 16 do
  • Ri Li-1 XOR Pi
  • Li FRi XOR Ri-1
  • L17 R16 XOR P18
  • R17 L16 XOR i17
  • where
  • Fa,b,c,d ((S1,a S2,b) XOR S3,c) S4,a
  • key dependent S-boxes and subkeys, makes
    cryptanalysis very difficult
  • changing both halves in each round increases
    security
  • provided key is large enough, brute-force key
    search is not practical, especially given the
    high key schedule cost

28
RC5, ciphers, modes
  • a proprietary cipher owned by RSADSI
  • designed by Ronald Rivest (of RSA fame)
  • used in various RSADSI products
  • can vary key size / data size / no rounds
  • very clean and simple design
  • easy implementation on various CPUs
  • yet still regarded as secure
  • RC5 is a family of ciphers RC5-w/r/b
  • w word size in bits (16/32/64) nb data2w
  • r number of rounds (0..255)
  • b number of bytes in key (0..255)
  • nominal version is RC5-32/12/16
  • ie 32-bit words so encrypts 64-bit data blocks
  • using 12 rounds
  • with 16 bytes (128-bit) secret key
  • RFC2040 defines 4 modes used by RC5
  • RC5 Block Cipher, is ECB mode
  • RC5-CBC, is CBC mode
  • RC5-CBC-PAD, is CBC with padding by bytes with
    value being the number of padding bytes

29
RC5 Key Expansion and Encryption
  • RC5 uses 2r2 subkey words (w-bits)
  • subkeys are stored in array Si, i0..t-1
  • then the key schedule consists of
  • initializing S to a fixed pseudorandom value,
    based on constants e and phi
  • the byte key is copied (little-endian) into a
    c-word array L
  • a mixing operation then combines L and S to form
    the final S array
  • split input into two halves A B
  • L0 A S0
  • R0 B S1
  • for i 1 to r do
  • Li ((Li-1 XOR Ri-1) ltltlt Ri-1) S2 x i
  • Ri ((Ri-1 XOR Li) ltltlt Li) S2 x i 1
  • each round is like 2 DES rounds
  • note rotation is main source of non-linearity
  • need reasonable number of rounds (eg 12-16)

30
In summary
  • have considered
  • use and placement of symmetric encryption to
    protect confidentiality
  • need for good key distribution
  • use of trusted third party KDCs
  • random number generation issues
Write a Comment
User Comments (0)
About PowerShow.com