RC4-Stream Ciphers Blowfish, RC5 Block Ciphers

About This Presentation

Title:

RC4-Stream Ciphers Blowfish, RC5 Block Ciphers

Description:

Blowfish, RC5 Block Ciphers M. Sakalli, Marmara Univ. Chapter 6 of Cryptography and Network Security by William Stallings Modified from the original s of Lawrie ... – PowerPoint PPT presentation

Number of Views:258

Avg rating:3.0/5.0

Slides: 31

Provided by: DrLaw197

Category:

more less

Transcript and Presenter's Notes

Title: RC4-Stream Ciphers Blowfish, RC5 Block Ciphers

1
RC4-Stream CiphersBlowfish, RC5 Block Ciphers

M. Sakalli, Marmara Univ.
Chapter 6 of Cryptography and Network Security
by William Stallings
Modified from the original slides of Lawrie Brown

2
Stream Ciphers

process message bit by bit (as a stream)
have a pseudo random keystream
Idea of randomness of stream key is complete
destroy of the statistically properties in
message
Ci Mi ? StreamKeyi
but must never reuse stream key
otherwise can recover messages (cf book cipher)

3
Stream Cipher Properties

some design considerations are
long sequence with no periodicities
statistically random
depends on large enough key
large linear complexity
correlation immunity
confusion, diffusion (cryptographically)
can be as secure as a block cipher with same size
key
but simpler faster

4
(Ron Rivest!!! Cipher) RC4

the period of the cipher is overwhelmingly likely
to be greater than 10100
Runs faster - five/fifteen times than DES/3DES
Used in
SSL/TLS (Secure socket, transport layer security)
between web browsers and servers,
IEEE 802.11 wirelss LAN std WEP (Wired
Equivalent Privacy), WPA (WiFi Protocol Access)
protocol
a proprietary cipher owned by RSA, kept secret,
released at the sites of Cyberpunk remailers.
simple but effective, variable key length from 1
to 256 bytes starts with an array S of numbers
0..255 and after initialization 0? S. ?255..

5
(Ron Rivest!!! Cipher) RC4

key forms random permutation of all 8-bit values,
scrambles input info a byte at a time
S internal state of the cipher, a byte k is
generated from S by selecting one of the 255
entries in a systematic fashion.
Initialization and permutation of S state vector.
Key length 1? K?256
for i 0 to 255 do
Si i //
Ti Ki mod(K))
j 0
for i 0 to 255 do
j (j Si Ti) (mod 256)
swap (Si, Sj)

6
KSA Key scheduling

encryption continues shuffling array values
sum of shuffled pair selects "stream key" value
from permutation
XOR St with next byte of message to en/decrypt
i j 0
for each message byte Mi
i (i 1) (mod 256)
j (j Si) (mod 256)
swap(Si, Sj)
t (Si Sj) (mod 256)
Ci Mi XOR St

7
RC4 Encryption

claimed secure against known attacks
have some analyses in a number of papers, but
none to be practical with a reasonable key
length, such as 128 bits.
In one authors demonstrate that in the case of
WEP, it is vulnerable to a particular attack
approach due to the initialization of the keys
but not the RC4 itself but the way in which keys
are generated.
Remedied by changing the way in which keys are
generated.
since RC4 is a stream cipher, must never reuse a
key

Security issues of RC4
The keystream generated by RC4 is biased.
The second byte is biased toward zero with high
probability.
The first few bytes are strongly non-random and
leak information about the input key.
Defense discard the initial n bytes of the
keystream.
Called RC4-dropn-bytes.
Recommended values for n 256, 768, or 3072
bytes.
-----------------------------
WEP is a protocol using RC4 to encrypt packets
for transmission over IEEE 802.11 wireless LAN.
WEP requires each packet to be encrypted with a
separate RC4 key.
The RC4 key for each packet is a concatenation of
a 24-bit IV (initialization vector) and a 40 or
104-bit long-term key.

encrypted
802.11 frames using WEP
l
Header IV Packet ICV FCS
9

Fluhrer, Mantin, and Shamir showed that
If the same secret key is used with numerous IVs,
and the attacker can obtain the first word of RC4
output (keystream) corresponding to each IV, then
he can construct the secret key with little
effort.
The first word is known for many plaintext
packets.
Recall Ciphertext plaintext ? keystream
So, the first word of RC output (keystream) can
be obtained.
Tews, Weinmann, and Pyshkin wrote an article,
Breaking 104 bit WEP in less than 60 seconds,
discussing how to discover the RC4 key by
analyzing the easily identified ARP packets.

9
10
(No Transcript)
11
Chapter 7 Confidentiality using Symmetric
EncryptionWhich part to encrypt in a PSN Packet
switching nw

traditionally symmetric encryption is used to
provide message confidentiality
Vulnerable points snooping, monitoring or
modifying by using
another workstation
dial-in to LAN or server or external router
by physically taping line in wiring closet
end-to-end encryption (shared keys) protects
data between source and destination, needs
devices at each end.
link encryption, (paired keys) protects traffic
monitoring, is considered over every link,
requires many devices,
End Link Link End

12
Placement of Encryption in the various levels of
OSI Encapsulation Model
13
Traffic monitoring

The purpose of monitoring
military commercial
can also be used to create a covert channel if
controlled
Link encryption obscures header details
But overall traffic volumes in networks and at
end-points will still be visible
Traffic padding can further obscure flows but at
cost of continuous traffic..

14
How to distribute key

symmetric schemes require to share a common
secret key
often secure system failure due to a break in the
key distribution scheme
given parties A and B have various key
distribution alternatives
Physically delivery from A to B
Third party can issue deliver key to A B, if
A B have secure communications with a third
party C, C can relay key between A B
Distribution of Key is based on a Hierarchy, at
least two levels of keys are used
temporary key referred as session key
used for the duration of a logical connection
between users
for one logical session then discarded
master key
used to encrypt session keys
shared by user key distribution center

15
Key Distribution Scenario

Assume that user A wishes to establish a logical
connection with B and requires a one-time session
key to protect the data transmitted over the
logical connection to B. A has a master key, Ka,
known only to itself and the KDC similarly, B
shares the master key Kb with the KDC. The
following steps occur

A issues a request to the KDC for a session key
to B including the identity of A and B and a
unique session identifier, N1, valid for this
transaction, nonce a timestamp, a counter, or a
random number differs with each request. I.e. to
prevent masquerading, suppose something like, a
random number.
The KDCs response to A KA Thus, only A can
decrypt the message. One-time session key, KS, to
be used for the session. Items for A The
original message so that, A can verify the
original request not altered before reception by
the KDC. The nonce, so that this is not a replay
of some previous request. Items for B The one
time session key KS and IDSA (e.g., its network
address), both encrypted with KB (the master key
that the KDC shares with B).

A stores KS for use in the upcoming session and
forwards to B the information originated from
the KDC for B, namely, E(KB, KS IDA).
Because this information is encrypted with KB, it
is protected from eavesdropping. B knows the
session key (KS), and A, and the information that
must have originated at the KDC Kb.--A secure KS
delivered to A and B, to proceed with protected
exchange---.
Protected exchange with sym key KS used by A and
B for encryption.
B sends a nonce, N2, E(KS N2). A responds with
E(KS f(N2)). (e.g., adding one).. Last steps
involve authentication.

18
Random Numbers

uses of random numbers nonces in authentication
protocols to prevent replay, session keys, public
key generation
statistically random, uniform distribution,
If a problem is to hard, time-consuming, then use
randomization, i.e. RSA public key exchange,
large prime number N, sqrt(10150)
independent so that unpredictable
(ie reciprocal authentication and session key
generation), where the requirement is not so much
that the numbers be statistically random but be
unpredictable.
With "true" random sequences, each number is
statistically independent, therefore
unpredictable. However used seldom.
Often deterministic algorithmic techniques used
to create random numbers. Pseudorandom Number
Generators (PRNGs). Care to be taken that an
opponent not be able to predict future elements.

19
Linear Congruential Generator

The most common to produce random sequences and
an iterative technique
Xn1 (aXn c) mod m
Only a small number of suitable values available
Consider the values a 7, c 0, m 32, and X0
1. This generates the sequence 7, 17, 23, 1,
7, etc., which is also clearly unsatisfactory.
Of the 32 possible values, only 4 are used thus,
the sequence is said to have a period of 4. If,
instead, we change the value of a to 5, then the
sequence is 5, 25, 29, 17, 21, 9, 13, 1, 5,
etc., which increases the period to 8.

20
Linear Congruential Generator

m to be very large, for producing a long series
of distinct random numbers, nearly equal to the
maximum representable nonnegative integer for a
given computer, equal to m231-1.
Function should generate a long full-period
sequence between 0 and m,
Generated deterministically, should appear
random.
Efficient implementation with 32-bit.
an attacker can reconstruct sequence given a
small number of values. 3 unknowns, a, c, m, 3
equations.
One solution is using internal system clock to
modify the random number stream.
Restart the sequence after every N numbers with
the current clock value (mod m) as the new seed
Add the current clock value to each random number
(mod m).

21
Cryptographically Generated Random Numbers

Use a block cipher to generate random numbers
often for creating session keys from master key
which is protected, counter 56 key length, 256
possible c..
Counter Mode
Xi EKmi
Output Feedback Mode
Xi EKmXi-1

22
ANSI X9.17 PRNG
Cryptographically Generated Random Numbers

One of the strongest
DTi, Vi - Date/time, seed values at the beginning
of ith generation stage
Ri - Pseudorandom number produced by the ith
generation stage
K1, K2 - DES keys used for each stage

Ri EDE(K1, K2, Vi EDE(K1, K2, DTi))
Vi1 EDE(K1, K2, Ri EDE(K1, K2, DTi))
where EDE(K1,K2, X)

23
Blum Blum Shub Generator

based on public key algorithms
use least significant bit from iterative
equation
xi xi-12 mod n
where np.q, and primes p,q should be congruent
to 3 mod 4 p, q and
gcd(f(p-1), f(q-1)) should be small
unpredictable, passes next-bit test
security rests on difficulty of factoring N
is unpredictable given any run of bits
slow, since very large numbers must be used
too slow for cipher use, good for key generation

24
Natural Random Noise

best source is natural randomness in real world
find a regular but random event and monitor
do generally need special h/w to do this
eg. radiation counters, radio noise, audio noise,
thermal noise in diodes, leaky capacitors,
mercury discharge tubes etc
starting to see such h/w in new CPU's
problems of bias or uneven distribution in signal
have to compensate for this when sample and use
best to only use a few noisiest bits from each
sample

25
Published Sources

a few published collections of random numbers
Rand Co, in 1955, published 1 million numbers
generated using an electronic roulette wheel
has been used in some cipher designs cf Khafre
earlier Tippett in 1927 published a collection
issues are that
these are limited
too well-known for most uses

26
A symmetric block cipher Blowfish

Designed by Bruce Schneier in 1993/94
characteristics
fast implementation on 32-bit CPUs
compact in use of memory
simple structure for analysis/implementation
variable security by varying key size
has been implemented in various products
uses a 32 to 448 bit key
used to generate
18 32-bit subkeys stored in K-array Kj
four 8x32 S-boxes stored in Si,j
key schedule consists of
initialize P-array and then 4 S-boxes using pi
XOR P-array with key bits (reuse as needed)
loop repeatedly encrypting data using current P
S and replace successive pairs of P then S values
requires 521 encryptions, hence slow in re-keying

uses two primitives addition XOR
data is divided into two 32-bit halves L0 R0
for i 1 to 16 do
Ri Li-1 XOR Pi
Li FRi XOR Ri-1
L17 R16 XOR P18
R17 L16 XOR i17
where
Fa,b,c,d ((S1,a S2,b) XOR S3,c) S4,a
key dependent S-boxes and subkeys, makes
cryptanalysis very difficult
changing both halves in each round increases
security
provided key is large enough, brute-force key
search is not practical, especially given the
high key schedule cost

28
RC5, ciphers, modes

a proprietary cipher owned by RSADSI
designed by Ronald Rivest (of RSA fame)
used in various RSADSI products
can vary key size / data size / no rounds
very clean and simple design
easy implementation on various CPUs
yet still regarded as secure
RC5 is a family of ciphers RC5-w/r/b
w word size in bits (16/32/64) nb data2w
r number of rounds (0..255)
b number of bytes in key (0..255)
nominal version is RC5-32/12/16
ie 32-bit words so encrypts 64-bit data blocks
using 12 rounds
with 16 bytes (128-bit) secret key
RFC2040 defines 4 modes used by RC5
RC5 Block Cipher, is ECB mode
RC5-CBC, is CBC mode
RC5-CBC-PAD, is CBC with padding by bytes with
value being the number of padding bytes