Cryptography and Cryptography and Network SecurityNetwork Security

Chapter 7Chapter 7

Fifth EditionFifth Edition

by William Stallingsby William Stallings

Lecture slides by Lawrie BrownLecture slides by Lawrie Brown

Chapter 7 – Stream Ciphers and Chapter 7 – Stream Ciphers and Random Number GenerationRandom Number Generation

The comparatively late rise of the theory of The comparatively late rise of the theory of probability shows how hard it is to grasp, probability shows how hard it is to grasp, and the many paradoxes show clearly that and the many paradoxes show clearly that we, as humans, lack a well grounded we, as humans, lack a well grounded intuition in this matter. intuition in this matter.

In probability theory there is a great deal of art In probability theory there is a great deal of art in setting up the model, in solving the in setting up the model, in solving the problem, and in applying the results back to problem, and in applying the results back to the real world actions that will follow. the real world actions that will follow.

— — The Art of Probability, Richard HammingThe Art of Probability, Richard Hamming

Random NumbersRandom Numbers

many uses of many uses of random numbersrandom numbers in cryptography in cryptography nonces in authentication protocols to prevent replaynonces in authentication protocols to prevent replay session keyssession keys public key generationpublic key generation keystream for a one-time padkeystream for a one-time pad

in all cases its critical that these values be in all cases its critical that these values be statistically random, uniform distribution, independentstatistically random, uniform distribution, independent unpredictability of future values from previous valuesunpredictability of future values from previous values

true random numbers provide thistrue random numbers provide this care needed with generated random numberscare needed with generated random numbers

Pseudorandom Number Pseudorandom Number Generators (PRNGs)Generators (PRNGs)

often use deterministic algorithmic often use deterministic algorithmic techniques to create “random numbers”techniques to create “random numbers”although are not truly randomalthough are not truly randomcan pass many tests of “randomness”can pass many tests of “randomness”

known as “pseudorandom numbers”known as “pseudorandom numbers” created by “created by “Pseudorandom Number Pseudorandom Number

Generators (PRNGs)”Generators (PRNGs)”

Random & Pseudorandom Random & Pseudorandom Number GeneratorsNumber Generators

PRNG RequirementsPRNG Requirements

randomnessrandomnessuniformity, scalability, consistencyuniformity, scalability, consistency

unpredictabilityunpredictabilityforward & backward unpredictabilityforward & backward unpredictabilityuse same tests to checkuse same tests to check

characteristics of the seedcharacteristics of the seedsecuresecureif known adversary can determine outputif known adversary can determine outputso must be random or pseudorandom numberso must be random or pseudorandom number

Linear CongruentialLinear CongruentialGeneratorGenerator

common iterative technique using:common iterative technique using:XXnn+1+1 = ( = (aXaXnn + + cc) mod ) mod mm

given suitable values of parameters can produce a given suitable values of parameters can produce a long random-like sequencelong random-like sequence

suitable criteria to have are:suitable criteria to have are: function generates a full-periodfunction generates a full-period generated sequence should appear randomgenerated sequence should appear random efficient implementation with 32-bit arithmeticefficient implementation with 32-bit arithmetic

note that an attacker can reconstruct sequence note that an attacker can reconstruct sequence given a small number of valuesgiven a small number of values

have possibilities for making this harderhave possibilities for making this harder

Blum Blum Shub GeneratorBlum Blum Shub Generator

based on public key algorithmsbased on public key algorithms use least significant bit from iterative equation:use least significant bit from iterative equation:

xxii = x = xi-1i-122 mod n mod n

where where n=p.qn=p.q, and primes , and primes p,q=3 mod 4p,q=3 mod 4 unpredictable, passes unpredictable, passes next-bitnext-bit test test security rests on difficulty of factoring N security rests on difficulty of factoring N is unpredictable given any run of bits is unpredictable given any run of bits slow, since very large numbers must be usedslow, since very large numbers must be used too slow for cipher use, good for key generation too slow for cipher use, good for key generation

Using Block Ciphers as PRNGsUsing Block Ciphers as PRNGs

for cryptographic applications, can use a block for cryptographic applications, can use a block cipher to generate random numberscipher to generate random numbers

often for creating session keys from master keyoften for creating session keys from master key CTRCTR

XXii = E = EKK[V[Vii]]

OFBOFBXXii = E = EKK[[XXi-1i-1]]

ANSI X9.17 PRGANSI X9.17 PRG

Stream CiphersStream Ciphers

process message bit by bit (as a stream) process message bit by bit (as a stream) have a pseudo random have a pseudo random keystreamkeystream combined (XOR) with plaintext bit by bit combined (XOR) with plaintext bit by bit randomness of randomness of stream keystream key completely completely

destroys statistically properties in messagedestroys statistically properties in message CCii = M = Mii XOR StreamKey XOR StreamKeyii

but must never reuse stream keybut must never reuse stream keyotherwise can recover messages (cf book otherwise can recover messages (cf book

cipher)cipher)

Stream Cipher StructureStream Cipher Structure

Stream Cipher PropertiesStream Cipher Properties

some design considerations are:some design considerations are:long period with no repetitions long period with no repetitions statistically random statistically random depends on large enough keydepends on large enough keylarge linear complexitylarge linear complexity

properly designed, can be as secure as a properly designed, can be as secure as a block cipher with same size keyblock cipher with same size key

but usually simpler & fasterbut usually simpler & faster

• With a properly designed pseudorandom number generator, a stream cipher can be as secure as block cipher of comparable key length.

• The primary advantage of a stream cipher is that stream ciphers are almost always faster and use far less code than do block ciphers.

• A stream cipher can be constructed with any cryptographically strong PRNG.

RC4RC4 a proprietary cipher owned by RSA DSI a proprietary cipher owned by RSA DSI another Ron Rivest design, simple but another Ron Rivest design, simple but

effective variable key size, byte-oriented effective variable key size, byte-oriented stream cipher stream cipher

Secure Sockets layer/Transport Layer Secure Sockets layer/Transport Layer securitysecurity

widely used (web SSL/TLS, wireless widely used (web SSL/TLS, wireless WEP/WPA) WEP/WPA)

key forms random permutation of all 8-bit key forms random permutation of all 8-bit values uses that permutation to scramble values uses that permutation to scramble input info processed a byte at a time input info processed a byte at a time

The algorithm is based on the use of a random permutation.

Analysis shows that the period of the cipher is overwhelmingly likely to be greater than 10^100.

Eight to sixteen machine operations are required per output byte, and the cipher can be expected to run very quickly in software.

RC4 is probably the most widely used stream cipher.

RC4 Key Schedule RC4 Key Schedule

starts with an array S of numbers: 0..255 starts with an array S of numbers: 0..255 use key to well and truly shuffle use key to well and truly shuffle S forms S forms internal stateinternal state of the cipher of the cipher /*Initialization *//*Initialization */for i = 0 to 255 dofor i = 0 to 255 doS[i] = iS[i] = iT[i] = K[i mod keylen])T[i] = K[i mod keylen])

/*Initial permutation of s*/

j = 0j = 0

for i = 0 to 255 do for i = 0 to 255 do

j = (j + S[i] + T[i])(mod j = (j + S[i] + T[i])(mod 256) 256)

swap (S[i], S[j])swap (S[i], S[j])

RC4 EncryptionRC4 Encryption

encryption continues shuffling array valuesencryption continues shuffling array values sum of shuffled pair selects "stream key" sum of shuffled pair selects "stream key"

value from permutationvalue from permutation XOR S[t] with next byte of message to XOR S[t] with next byte of message to

en/decrypten/decrypt

Stream Generation

i = j = 0 i = j = 0

for each message byte Mfor each message byte Mii

i = (i + 1) (mod 256)i = (i + 1) (mod 256)j = (j + S[i]) (mod 256)j = (j + S[i]) (mod 256)swap(S[i], S[j])swap(S[i], S[j])t = (S[i] + S[j]) (mod t = (S[i] + S[j]) (mod 256) 256)

CCii = M = Mii XOR S[t] XOR S[t]

RC4 OverviewRC4 Overview

RC4 SecurityRC4 Security claimed secure against known attacksclaimed secure against known attacks

have some analyses, none practical have some analyses, none practical result is very non-linear result is very non-linear since RC4 is a stream cipher, must since RC4 is a stream cipher, must never never

reuse a keyreuse a key have a concern with WEP, but due to key have a concern with WEP, but due to key

handling rather than RC4 itself handling rather than RC4 itself Currently RC4 its regarded as quite

secure, if used correctly, with a sufficiently large key.

Natural Random NoiseNatural Random Noise

best source is natural randomness in real world best source is natural randomness in real world find a regular but random event and monitor find a regular but random event and monitor do generally need special h/w to do this do generally need special h/w to do this

eg. radiation counters, radio noise, audio noise, eg. radiation counters, radio noise, audio noise, thermal noise in diodes, leaky capacitors, mercury thermal noise in diodes, leaky capacitors, mercury discharge tubes etc discharge tubes etc

starting to see such h/w in new CPU's starting to see such h/w in new CPU's problems of problems of biasbias or uneven distribution in signal or uneven distribution in signal

have to compensate for this when sample, often by have to compensate for this when sample, often by passing bits through a hash function passing bits through a hash function

best to only use a few noisiest bits from each samplebest to only use a few noisiest bits from each sample RFC4086 recommends using multiple sources + hash RFC4086 recommends using multiple sources + hash

Published SourcesPublished Sources

a few published collections of random numbers a few published collections of random numbers Rand Co, in 1955, published 1 million numbers Rand Co, in 1955, published 1 million numbers

generated using an electronic roulette wheel generated using an electronic roulette wheel has been used in some cipher designs cf Khafre has been used in some cipher designs cf Khafre

earlier Tippett in 1927 published a collection earlier Tippett in 1927 published a collection issues are that:issues are that:

these are limitedthese are limited too well-known for most uses too well-known for most uses

SummarySummary

pseudorandom number generationpseudorandom number generation stream ciphersstream ciphers RC4RC4 true random numbers true random numbers