Lecturers: Mark D. Ryan and David Galindo. Cryptography 2015.

Slide 90: Stream ciphers
Suppose you want to encrypt a stream of data, such as the data from a keyboard or the data from a sensor. Block ciphers might be awkward or inefficient here (consider treating each keystroke as a block?).
Slide 91: A stream cipher is a bit like a one-time pad: we generate a key that is as long as the data, but we generate it from a short seed. The keystream is thus not random but pseudorandom. Use a seed (a short random number) and produce a keystream.
[Figure: Key/Seed -> Pseudo-random generator -> Keystream; Plaintext combined with Keystream gives Ciphertext]
Slide 92: Example 1: a block cipher, used in counter mode.
Slide 93: Example 2: LFSR (Linear Feedback Shift Register)
- Building block for many modern stream ciphers
- Can be implemented very efficiently
- Key idea: have a register of single-bit cells, shifted by one at every clock cycle, together with a feedback function
Source: Wikipedia
Slide 94: Example (figure). Source: Wikipedia
Slide 95: Reasoning about LFSRs
Interesting property: the length of the keystream period. The reasoning works as follows. Have a state vector $s = [s_1, \ldots, s_n]$ for a shift register with $n$ cells. Have a matrix
$$
M = \begin{pmatrix}
c_1 & c_2 & \cdots & c_{n-1} & c_n \\
1 & 0 & \cdots & 0 & 0 \\
0 & 1 & \cdots & 0 & 0 \\
\vdots & \vdots & \ddots & \vdots & \vdots \\
0 & 0 & \cdots & 1 & 0
\end{pmatrix}
$$
where $c_i$ is 1 if the $i$-th cell in $s$ is used for feedback and 0 if not. The next state vector is given by $M s$.
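As an added illustration (not code from the slides), a small Python LFSR that follows the slide's conventions: state s = [s1, ..., sn], taps c = [c1, ..., cn], the feedback matrix M built exactly as above, and the period computation the slide reasons about. The 4-cell taps and start states are constructed inputs chosen to show a maximal and a non-maximal period.

```python
def lfsr_step(state, taps):
    """One clock of the register on slide 95: state s = [s1..sn], taps c = [c1..cn]
    (c_i = 1 if cell i feeds back). New s1 is the XOR of the tapped cells and
    every other cell takes the value of its left neighbour."""
    feedback = 0
    for s_i, c_i in zip(state, taps):
        feedback ^= s_i & c_i
    return [feedback] + state[:-1]

def feedback_matrix(taps):
    """The matrix M from the slide: first row is c, the rest is a shifted identity."""
    n = len(taps)
    return [list(taps)] + [[1 if col == r - 1 else 0 for col in range(n)]
                           for r in range(1, n)]

def matrix_step(M, state):
    """Next state as M * s over GF(2); must agree with lfsr_step."""
    return [sum(m * s for m, s in zip(row, state)) % 2 for row in M]

def keystream(state, taps, nbits):
    """Keystream bit = the bit leaving cell n at each clock."""
    out = []
    for _ in range(nbits):
        out.append(state[-1])
        state = lfsr_step(state, taps)
    return out

def period(state, taps):
    """Clocks until the start state recurs. At most 2^n - 1 (the all-zero state
    is fixed); if c_n = 0 then M is singular and the state may never return."""
    start, s, steps = list(state), lfsr_step(list(state), taps), 1
    while s != start:
        s, steps = lfsr_step(s, taps), steps + 1
        if steps > 2 ** len(taps):
            raise ValueError("start state is not on a cycle (last cell must be tapped)")
    return steps

if __name__ == "__main__":
    taps = [1, 0, 0, 1]                        # constructed: gives the maximal period
    print(period([1, 0, 0, 0], taps))          # 15, the maximum for 4 cells
    print(period([1, 0, 0, 0], [1, 1, 1, 1]))  # 5, a non-maximal choice of taps
```

The period is a property of the taps, not of the seed: with maximal-period taps every non-zero start state lies on the same cycle of length 2^n - 1.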
Slide 96: Combining LFSRs
LFSRs are insecure in practice (given a lot of output, the values $c_i$ can be computed fairly efficiently). Hence multiple LFSRs are combined in a non-linear fashion.
Source: Wikipedia
Slide 97: CSS
CSS is used to encrypt DVDs for copy protection. The following steps are taken:
- Check whether the region code and the code on the DVD match
- Use the player keys to extract the disk key from the DVD
- Use the disk key to extract the title key for the track
- Use the title key to extract, for each sector, a sector key, which is used to decrypt the sector
Slide 98: Sector encryption is a combination of two LFSRs added modulo 256 (observing the carry bit from the previous addition).
[Figure: seed 1, K0, K1 -> 17-bit LFSR; seed 1, K2, K3, K4 -> 25-bit LFSR; the two outputs are added modulo 256 to give an 8-bit keystream]
Slide 99: Security of CSS
Can be broken in time $2^{17}$. Idea:
- Because of the structure of MP4, the first 20 bytes of plaintext are known
- Hence the first 20 bytes of keystream are also known
- Given the output of the 17-bit LFSR, the output of the 25-bit LFSR can be deduced by subtraction
- Hence try all $2^{17}$ possibilities for the 17-bit LFSR; if the resulting 25-bit LFSR produces the observed keystream, the cipher is cracked
Slide 100: A5/1
- Used in GSM mobile phone communication
- Became public knowledge through leaks and reverse engineering
- Built from three LFSRs with irregular clocking
- 54-bit secret key and 22-bit initialisation vector
- A register is shifted only if its clock bit is the same as the majority of the three clock bits
Slide 101: (diagram of A5/1) Source: Wikipedia
Slide 102: Security of A5/1
Better design: the irregular clocking makes cryptanalysis much harder. However, advanced techniques mean that a mainstream PC with terabytes of flash memory (to store pre-processed tables) can break A5/1 with probability 90% in a few seconds.
Slide 103: Example 3: RC4
Invented in 1987 by Ron Rivest. The main data structure is an array S of 256 bytes. It consists of two phases:
- Initialisation of S (the key schedule)
- Keystream generation
Slide 104: Code for RC4

    // key schedule: initialise S to the identity permutation, then mix in the key
    for i := 0 to 255 do
        S[i] := i
    end
    j := 0
    for i := 0 to 255 do
        j := (j + S[i] + K[i mod keylength]) mod 256
        swap(S[i], S[j])
    end

    // keystream generation: one output byte per iteration
    i := 0
    j := 0
    while GeneratingOutput:
        i := (i + 1) mod 256
        j := (j + S[i]) mod 256
        swap(S[i], S[j])
        output S[(S[i] + S[j]) mod 256]
    end
Slide 105: Graphical representation. Source: Wikipedia
Slide 106: Properties of RC4
- Extremely compact, and beautiful
- Exhaustively studied: two books and hundreds of research papers
- Pretty good! But not good enough by modern standards
- Numerous attacks (biases in the stream, especially in the first few bytes)
- Led to real attacks on WEP, and on the modes of TLS that use it
Slide 107: WEP
Old standard for encryption on wireless networks, based on RC4, but seriously broken: don't use it.
Source: Wikipedia
Slide 108: Weaknesses in WEP
- The initialisation vector is only 24 bits, hence keystreams repeat after at most $2^{24}$ frames
- With certain initialisation vectors, knowing $m$ bytes of the key and the keystream means you can deduce byte $m + 1$ of the key
- The first bytes of the keystream are known because standard headers are always sent
- With this method, the key can be cracked in minutes on modern PC hardware
Slide 109: Keys for stream ciphers must not be reused. Formally, RC4 and LFSRs as presented do not satisfy IND-CPA security. Carefully used initialisation vectors or nonces are needed to obtain IND-CPA.
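An added Python example, not the lecturers' code, tying slides 104, 106 and 109 together: the RC4 key schedule and keystream generator exactly as in the pseudocode, checked against the public "Key"/"Plaintext" test vector; a measurement of the second-byte bias that the slides cite as the root of the practical attacks; and the keystream cancellation that makes key reuse fatal. The 16-byte keys are constructed from a seeded PRNG so the measurement is reproducible.

```python
import random

def rc4_ksa(key: bytes) -> list:
    """Key schedule (slide 104): permute S = [0..255] under the key bytes."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S

def rc4_prga(S: list):
    """Keystream generation (slide 104); yields one byte per call to next()."""
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]

def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt: XOR data with the keystream (RC4 is its own inverse)."""
    ks = rc4_prga(rc4_ksa(key))
    return bytes(b ^ next(ks) for b in data)

def second_byte_zero_rate(n_keys: int, seed: int = 1) -> float:
    """Fraction of random 16-byte keys whose second keystream byte is 0.
    An unbiased generator would give about 1/256; RC4 gives about 1/128
    (the Mantin-Shamir bias, one of the 'first few bytes' biases on slide 106).
    Keys are constructed from a seeded PRNG so the result is reproducible."""
    rng = random.Random(seed)
    zeros = 0
    for _ in range(n_keys):
        key = bytes(rng.getrandbits(8) for _ in range(16))
        ks = rc4_prga(rc4_ksa(key))
        next(ks)                      # discard byte 1
        if next(ks) == 0:             # test byte 2
            zeros += 1
    return zeros / n_keys

def keystream_reuse_leak(key: bytes, p1: bytes, p2: bytes) -> bytes:
    """Slide 109: reusing a key (or key||IV) reuses the keystream, so
    c1 XOR c2 = p1 XOR p2 and the keystream cancels out entirely."""
    c1, c2 = rc4_crypt(key, p1), rc4_crypt(key, p2)
    return bytes(a ^ b for a, b in zip(c1, c2))

if __name__ == "__main__":
    print(rc4_crypt(b"Key", b"Plaintext").hex())   # bbf316e8d940af0ad3
    print(second_byte_zero_rate(12000))             # about 1/128, well above 1/256
```

The bias measurement is the kind of check a reviewer can run to confirm why RC4 and WEP-style IV||key constructions are on every deprecation list: the keystream is distinguishable from random after a single byte, without any knowledge of the key.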