Handout 5 Summary of This Handout: Stream Ciphers — RC4 — Linear Feedback Shift Registers — CSS — A5/1
Total Page:16
File Type:pdf, Size:1020Kb
06-20008 Cryptography The University of Birmingham Autumn Semester 2009 School of Computer Science Volker Sorge 30 October, 2009 Handout 5 Summary of this handout: Stream Ciphers — RC4 — Linear Feedback Shift Registers — CSS — A5/1 II.2 Stream Ciphers A stream cipher is a symmetric cipher that encrypts the plaintext units one at a time and that varies the transformation of successive units during the encryption. In practise, the units are typically single bits or bytes. In contrast to a block cipher, which encrypts one block and then starts over again, a stream cipher encrypts plaintext streams continuously and therefore needs to maintain an internal state in order to avoid obvious duplication of encryptions. The main difference between stream ciphers and block ciphers is that stream ciphers have to maintain an internal state, while block ciphers do not. Recall that we have already seen how block ciphers avoid duplication and can also be transformed into stream ciphers via modes of operation. Basic stream ciphers are similar to the OFB and CTR modes for block ciphers in that they produce a continuous keystream, which is used to encipher the plaintext. However, modern stream ciphers are computationally far more efficient and easier to implement in both hard- and software than block ciphers and are therefore preferred in applications where speed really matters, such as in real-time audio and video encryption. Before we look at the technical details how stream ciphers work, we recall the One Time Pad, which we have briefly discussed in Handout 1. The One Time Pad is essentially an unbreakable cipher that depends on the fact that the key 1. is as long as the message, and 2. is a truly random sequence of letters that cannot be guessed. Both points are reasons, why the One Time Pad is unpractical, since one has to constantly exchange new keys and getting true randomness in practise is difficult to achieve. 39. Pseudo-random Generators One idea to overcome this problem is to not use keys that are fully random but keys that only look random. A relatively short string which is truly random is used to compute a larger string which, while of course not being truly random, is as good as being random. This large string is called a pseudo-random string, and it can be used to replace the random key in the One Time Pad. Algorithms that produce pseudo-random strings are called pseudo-random generators (PRG). The short string that initialises a pseudo-random generator is called a seed and takes the place of the secret key for stream ciphers. In overview a stream cipher works like this: Plaintext ⊕ Ciphertext Key/Seed Pseudo-random Generator Keystream 40. Getting True Randomness The seed for a pseudo-random generator, and keys for symmetric encryption schemes in general, should be as random as possible. One uses for example physical random number generators to get good random- ness. There are some physical sources that are supposed to produce good randomness, but the resulting bits may have a certain bias or some correlation. One usually circumvents this by taking the xor of bits obtained from different such sources. Typical physical sources of randomness include: • Thermal noise in various electric circuits, 37 • Radioactive decay, • Atmospheric noise. In practise more easily available are events in computer hardware such as • measurement of times between user key-strokes, and • time needed to access different sectors on the hard-disk drive (the air turbulence caused by the spinning disk is supposed to be random). 41. Properties of Pseudo-random Generators One of the most important improper usages of stream ciphers is to re-use the seed and therefore the keystream twice, i.e., to encrypt several messages with the same key. Assume Eve intercepts two en- cryptions C1 = K⊕M1 and C2 = K⊕M2 for two messages M1, M2 with the same key K then she can simply compute the xor of C1 and C2 yielding: C1⊕C2 = (M1⊕K)⊕(M2⊕K)= M1⊕M2 Thus re-using the key leaks the xor of the actual plaintexts. Assuming that both messages contain ordi- nary text, Eve can use frequency analysis to recover the plaintexts M1 and M2 from M1⊕M2. Thus one has to be careful not to re-use a key when using stream ciphers. There are mainly two methods to realise this: • One might use successive parts of the output stream to encrypt successive messages. This requires synchronisation of the senders and the receivers streams by some means, usually by transmitting its position along with the encrypted message. This has disadvantages if the order of messages is changed in the transmission line or by the protocol. • One might create a new seed for each message that needs to be encrypted. Then one additionally transmits the seed along with the message. Of course, the seed has to be transmitted secretly somehow. This can be done by combining the stream cipher with a block cipher and to transmit the seed enciphered with the block cipher before the actual ciphertext encrypted with the stream cipher. As a consequence it is important that stream ciphers appear random — which can be checked with sta- tistical methods — and have a long period, i.e. can produce a large number of bits before the same keystream is produced again. Generally determining more of the sequence from a part should be compu- tationally infeasible. Ideally, even if one knows the first one billion bits of the keystream sequence, the probability of guessing the next bit correctly should be no better than one half. We now have a look at several pseudo-random generators. II.2.1 RC4 RC4 is a stream-cipher invented by Ron Rivest in 1987 for RSA Security, which also holds the trademark for it. The source code was originally not released to the public because it was a trade secret, but was posted to a newsgroup some time ago; thus people referred to this version as alleged RC4. Today it is known that alleged RC4 indeed equals RC4. While RC4 does not hold up to most randomness tests, it is considered secure from a practical point of view if one takes certain precautions. It works on bytes instead of bits and can therefore be very efficiently implemented. It is used in many protocols such as SSL/TLS and 802.11b WEP. RC4 consists of two phases: an initialisation phase, which can also be understood as a key schedule, and a keystream generation phase. Its main data structure is an array S of 256 bytes. The array is initialised to the identity before any output is generated, i.e., the first cell is initialised with 0, the second with 1 and so on. Then the cells are permuted using a swap operation that depends on the current state and the chosen key K. The key K can be of variable size between 5 and 16 bytes. This keylength is a constant that is exploited during the initialisation algorithm. In pseudo code, the RC4 initialisation phase works as follows: 38 for i := 0 to 255 do S[i] := i end j := 0 for i := 0 to 255 do j := (j + S[i]+K[i mod keylength]) mod 256 swap(S[i],S[j]) end After initialisation has been completed, the following procedure computes the pseudo-random sequence. For each output byte, new values of the variables i, j are calculated, the corresponding cells are swapped, and the content of a third cell is output. The algorithm looks as follows: i := 0 j := 0 while GeneratingOutput: i := (i + 1) mod 256 j := (j + S[i]) mod 256 swap(S[i],S[j]) output S[(S[i]+S[j]) mod 256] end In the while loop the first line makes sure every array element is used once after 256 iterations; the second line makes the output depend non-linearly on the array; the third line makes sure the array is evolved and modified as the iteration continues; and the fourth line makes sure the output sequence reveals little about the internal state of the array. The generated keystream is then xor-ed with the plaintext byte by byte. Here is a graphical depiction of RC4. Observe that the K here stands for the generated keystream byte and not for the initial key. Source: Wikipedia Nevertheless we can see that the first output byte depends on the content of 3 cells, only. This property can be used to launch attacks against the cipher, so one usually discards the first 256 bytes of output generated by this algorithm to prevent these attacks. II.2.2 LFSR Linear Feedback Shift Registers (LFSR) is a pseudo-random generator that is used as a building block for many modern stream ciphers. They can be very efficiently implemented in both hardware and software and constitute a very fast way to produce keystreams. They consist of a shift register, which is a group of single bit cells that shift by one cell at every clock cycle together with a linear function f, called the feedback function, that determines the new incoming bit for the shift register. The function f generally uses some of the bits in the shift register to determine the new input bit. For instance below we have a 4 bit shift register, and the feedback function uses bit 1 and 4 to compute the new input. 39 The process of taking certain bits, but not all bits from a shift register is referred to as tapping. Thus the feedback function f above taps the bits 1 and 4.