cryptography and network security chapter 7 fifth edition by william stallings lecture slides by...
TRANSCRIPT
Cryptography and Cryptography and Network SecurityNetwork Security
Chapter 7Chapter 7
Fifth EditionFifth Edition
by William Stallingsby William Stallings
Lecture slides by Lawrie BrownLecture slides by Lawrie Brown
Chapter 7 – Stream Ciphers and Chapter 7 – Stream Ciphers and Random Number GenerationRandom Number Generation
The comparatively late rise of the theory of The comparatively late rise of the theory of probability shows how hard it is to grasp, probability shows how hard it is to grasp, and the many paradoxes show clearly that and the many paradoxes show clearly that we, as humans, lack a well grounded we, as humans, lack a well grounded intuition in this matter. intuition in this matter.
In probability theory there is a great deal of art In probability theory there is a great deal of art in setting up the model, in solving the in setting up the model, in solving the problem, and in applying the results back to problem, and in applying the results back to the real world actions that will follow. the real world actions that will follow.
— — The Art of Probability, Richard HammingThe Art of Probability, Richard Hamming
Random NumbersRandom Numbers
many uses of many uses of random numbersrandom numbers in cryptography in cryptography nonces in authentication protocols to prevent replaynonces in authentication protocols to prevent replay session keyssession keys public key generationpublic key generation keystream for a one-time padkeystream for a one-time pad
in all cases its critical that these values be in all cases its critical that these values be statistically random, uniform distribution, independentstatistically random, uniform distribution, independent unpredictability of future values from previous valuesunpredictability of future values from previous values
true random numbers provide thistrue random numbers provide this care needed with generated random numberscare needed with generated random numbers
Pseudorandom Number Pseudorandom Number Generators (PRNGs)Generators (PRNGs)
often use deterministic algorithmic often use deterministic algorithmic techniques to create “random numbers”techniques to create “random numbers”although are not truly randomalthough are not truly randomcan pass many tests of “randomness”can pass many tests of “randomness”
known as “pseudorandom numbers”known as “pseudorandom numbers” created by “created by “Pseudorandom Number Pseudorandom Number
Generators (PRNGs)”Generators (PRNGs)”
Random & Pseudorandom Random & Pseudorandom Number GeneratorsNumber Generators
PRNG RequirementsPRNG Requirements
randomnessrandomnessuniformity, scalability, consistencyuniformity, scalability, consistency
unpredictabilityunpredictabilityforward & backward unpredictabilityforward & backward unpredictabilityuse same tests to checkuse same tests to check
characteristics of the seedcharacteristics of the seedsecuresecureif known adversary can determine outputif known adversary can determine outputso must be random or pseudorandom numberso must be random or pseudorandom number
Linear CongruentialLinear CongruentialGeneratorGenerator
common iterative technique using:common iterative technique using:XXnn+1+1 = ( = (aXaXnn + + cc) mod ) mod mm
given suitable values of parameters can produce a given suitable values of parameters can produce a long random-like sequencelong random-like sequence
suitable criteria to have are:suitable criteria to have are: function generates a full-periodfunction generates a full-period generated sequence should appear randomgenerated sequence should appear random efficient implementation with 32-bit arithmeticefficient implementation with 32-bit arithmetic
note that an attacker can reconstruct sequence note that an attacker can reconstruct sequence given a small number of valuesgiven a small number of values
have possibilities for making this harderhave possibilities for making this harder
Blum Blum Shub GeneratorBlum Blum Shub Generator
based on public key algorithmsbased on public key algorithms use least significant bit from iterative equation:use least significant bit from iterative equation:
xxii = x = xi-1i-122 mod n mod n
where where n=p.qn=p.q, and primes , and primes p,q=3 mod 4p,q=3 mod 4 unpredictable, passes unpredictable, passes next-bitnext-bit test test security rests on difficulty of factoring N security rests on difficulty of factoring N is unpredictable given any run of bits is unpredictable given any run of bits slow, since very large numbers must be usedslow, since very large numbers must be used too slow for cipher use, good for key generation too slow for cipher use, good for key generation
Using Block Ciphers as PRNGsUsing Block Ciphers as PRNGs
for cryptographic applications, can use a block for cryptographic applications, can use a block cipher to generate random numberscipher to generate random numbers
often for creating session keys from master keyoften for creating session keys from master key CTRCTR
XXii = E = EKK[V[Vii]]
OFBOFBXXii = E = EKK[[XXi-1i-1]]
ANSI X9.17 PRGANSI X9.17 PRG
Stream CiphersStream Ciphers
process message bit by bit (as a stream) process message bit by bit (as a stream) have a pseudo random have a pseudo random keystreamkeystream combined (XOR) with plaintext bit by bit combined (XOR) with plaintext bit by bit randomness of randomness of stream keystream key completely completely
destroys statistically properties in messagedestroys statistically properties in message CCii = M = Mii XOR StreamKey XOR StreamKeyii
but must never reuse stream keybut must never reuse stream keyotherwise can recover messages (cf book otherwise can recover messages (cf book
cipher)cipher)
Stream Cipher StructureStream Cipher Structure
Stream Cipher PropertiesStream Cipher Properties
some design considerations are:some design considerations are:long period with no repetitions long period with no repetitions statistically random statistically random depends on large enough keydepends on large enough keylarge linear complexitylarge linear complexity
properly designed, can be as secure as a properly designed, can be as secure as a block cipher with same size keyblock cipher with same size key
but usually simpler & fasterbut usually simpler & faster
• With a properly designed pseudorandom number generator, a stream cipher can be as secure as block cipher of comparable key length.
• The primary advantage of a stream cipher is that stream ciphers are almost always faster and use far less code than do block ciphers.
• A stream cipher can be constructed with any cryptographically strong PRNG.
RC4RC4 a proprietary cipher owned by RSA DSI a proprietary cipher owned by RSA DSI another Ron Rivest design, simple but another Ron Rivest design, simple but
effective variable key size, byte-oriented effective variable key size, byte-oriented stream cipher stream cipher
Secure Sockets layer/Transport Layer Secure Sockets layer/Transport Layer securitysecurity
widely used (web SSL/TLS, wireless widely used (web SSL/TLS, wireless WEP/WPA) WEP/WPA)
key forms random permutation of all 8-bit key forms random permutation of all 8-bit values uses that permutation to scramble values uses that permutation to scramble input info processed a byte at a time input info processed a byte at a time
The algorithm is based on the use of a random permutation.
Analysis shows that the period of the cipher is overwhelmingly likely to be greater than 10^100.
Eight to sixteen machine operations are required per output byte, and the cipher can be expected to run very quickly in software.
RC4 is probably the most widely used stream cipher.
RC4 Key Schedule RC4 Key Schedule
starts with an array S of numbers: 0..255 starts with an array S of numbers: 0..255 use key to well and truly shuffle use key to well and truly shuffle S forms S forms internal stateinternal state of the cipher of the cipher /*Initialization *//*Initialization */for i = 0 to 255 dofor i = 0 to 255 doS[i] = iS[i] = iT[i] = K[i mod keylen])T[i] = K[i mod keylen])
/*Initial permutation of s*/
j = 0j = 0
for i = 0 to 255 do for i = 0 to 255 do
j = (j + S[i] + T[i])(mod j = (j + S[i] + T[i])(mod 256) 256)
swap (S[i], S[j])swap (S[i], S[j])
RC4 EncryptionRC4 Encryption
encryption continues shuffling array valuesencryption continues shuffling array values sum of shuffled pair selects "stream key" sum of shuffled pair selects "stream key"
value from permutationvalue from permutation XOR S[t] with next byte of message to XOR S[t] with next byte of message to
en/decrypten/decrypt
Stream Generation
i = j = 0 i = j = 0
for each message byte Mfor each message byte Mii
i = (i + 1) (mod 256)i = (i + 1) (mod 256)j = (j + S[i]) (mod 256)j = (j + S[i]) (mod 256)swap(S[i], S[j])swap(S[i], S[j])t = (S[i] + S[j]) (mod t = (S[i] + S[j]) (mod 256) 256)
CCii = M = Mii XOR S[t] XOR S[t]
RC4 OverviewRC4 Overview
RC4 SecurityRC4 Security claimed secure against known attacksclaimed secure against known attacks
have some analyses, none practical have some analyses, none practical result is very non-linear result is very non-linear since RC4 is a stream cipher, must since RC4 is a stream cipher, must never never
reuse a keyreuse a key have a concern with WEP, but due to key have a concern with WEP, but due to key
handling rather than RC4 itself handling rather than RC4 itself Currently RC4 its regarded as quite
secure, if used correctly, with a sufficiently large key.
Natural Random NoiseNatural Random Noise
best source is natural randomness in real world best source is natural randomness in real world find a regular but random event and monitor find a regular but random event and monitor do generally need special h/w to do this do generally need special h/w to do this
eg. radiation counters, radio noise, audio noise, eg. radiation counters, radio noise, audio noise, thermal noise in diodes, leaky capacitors, mercury thermal noise in diodes, leaky capacitors, mercury discharge tubes etc discharge tubes etc
starting to see such h/w in new CPU's starting to see such h/w in new CPU's problems of problems of biasbias or uneven distribution in signal or uneven distribution in signal
have to compensate for this when sample, often by have to compensate for this when sample, often by passing bits through a hash function passing bits through a hash function
best to only use a few noisiest bits from each samplebest to only use a few noisiest bits from each sample RFC4086 recommends using multiple sources + hash RFC4086 recommends using multiple sources + hash
Published SourcesPublished Sources
a few published collections of random numbers a few published collections of random numbers Rand Co, in 1955, published 1 million numbers Rand Co, in 1955, published 1 million numbers
generated using an electronic roulette wheel generated using an electronic roulette wheel has been used in some cipher designs cf Khafre has been used in some cipher designs cf Khafre
earlier Tippett in 1927 published a collection earlier Tippett in 1927 published a collection issues are that:issues are that:
these are limitedthese are limited too well-known for most uses too well-known for most uses
SummarySummary
pseudorandom number generationpseudorandom number generation stream ciphersstream ciphers RC4RC4 true random numbers true random numbers