part_02_b&w

Upload: francesco-pistolesi

Post on 03-Jun-2018


  • 8/12/2019 Part_02_B&W

    1/21

    1

    STREAM CIPHERS

    A.A. 2009/2010 1

    Cryptography Part II

    Stream Enciphering

    Michele Elia

    Politecnico di Torino

    Stream enciphering is realized in two ways:

    - as a bit-by-bit operation, which is performed by machines called Stream ciphers

    - as a block-by-block operation, which is performed by machines called Block ciphers

    Stream enciphering is intended to be the encryption of long sequences of bits.

    Stream Ciphers

    Plain text binary sequence:

    m(1), m(2), ..., m(n), ...

    Key binary sequence (produced by an FSM starting from a short sequence K0 called the secret key):

    k(1), k(2), ..., k(n), ...

    Encrypted binary sequence:

    e(1), e(2), ..., e(n), ...

    Encryption rule, referred to as Caesar enciphering:

    e(n) = m(n) + k(n)

    Structure of a stream generator as Autonomous FSM

    [Figure: block diagram with a periodic generator, a nonlinear function, and output k(n)]

    Stream Cipher Cryptanalysis

    The problem: find the secret key K0 (the initial state of the FSM) knowing

    - the state transition function f,

    - the output function g,

    given a piece of the generated enciphering stream

    k1, k2, k3, ..., ks

    Structure of a Block Cipher

    [Figure: block diagram of a nonlinear function with input m1 ... mn, a key, and output e1 ... en]

    Block Ciphers (classical)

    Enigma: single character cipher

    DES: Data Encryption Standard

    AES: Advanced Encryption Standard

    IDEA: International Data Encryption Algorithm


    Common structure

    Input

    Input Transformation

    Round 1

    Round 2

    Round n

    Output Transformation

    Output


    Classic (Standard) Algorithms


    Enigma: Round structure

    26 alphabetic characters represented as elements of Z26

    T(X)= (X+k)-k

    Each round consists of a Caesar transformation followed by a permutation (monoalphabetic substitution) followed by the inverse of the Caesar transformation.

    The machine state changes after the encryption of a

    character with a period that depends on rotor notches

    and is of the order 266

    DATA ENCRYPTION STANDARD: DES

    [Figure: DES block with input Mi (64 bit), key K0 (56 bit), and output Ei = DES(K0, Mi) (64 bit)]

    DES ROUND structure

    [Figure: one DES round with inputs Li, Ri and outputs Li+1, Ri+1, a block Q(S(E(Ri) + Ki)) and a + node]


    DES function description

    M is a vector with 64 entries (bits); consider

    M=(L|R) decomposed into two vectors of dimension 32

    P denotes an operator permuting the entries of a vector

    denotes an involutory operator, that is M=(R|L)

    2= where is the identity operator

     denotes an operator such that M=(L+f(R)|R)

    therefore is an involution, that is 2=

    DES = P 16 15 14 1 P-1

    DES-1 = P 1 2 3 16 P-1

    Description of DES function: function f(.)

    f(R)= S(E(R)+K)

    K is a vector of 48 bits defined from K0, the key of 56 bits

    E(.) is an expansion function from a vector of dimension 32 to a vector of dimension 48: this is obtained by replicating some entries

    S, called S-box, is a compression function from dimension 48 to dimension 32 made of 8 boxes that define 8 s-mappings from 6 bits to 4 bits: the vector of 48 bits is partitioned into 8 vectors of 6 bits, and one s-mapping is applied to each of them

    DES transformation

    In standard applications a binary message is partitioned into groups (vectors) of 64 bits

    M0, M1, ..., Mn, ...

    Function DES is always applied with the same key K0 to each vector

    DES(K0, M0), DES(K0, M1), ..., DES(K0, Mn), ...

    DES strengths and weaknesses

    DES is a good encryption function

    Few (4) known keys are weak

    DES(K0, DES(K0, M)) = M

    Few (6) known pairs of keys are weak

    DES(K1, DES(K2, M)) = M

    It is highly probable that the 2^56 DES transformations do not form a group: otherwise the complexity to break the system, namely to find the secret key from a pair of plain and cipher texts, would be 2^28

    AES

    128 bits of data are stored as bytes in a 4 x 4 state matrix

    Round operations are: Subbyte, Shiftrow, Mixcolumn, and Addroundkey


    Round transformations

    Subbyte

    Shiftrow

    Mixcolumn

    Addroundkey


    AES Round Structure

    Legend

    Polynomial (fixed in the standard)

    Affine transformation on bytes

    Legend (continued)

    Each round requires 4 words (i.e. 128 bits) of key data plus 4 words for the output transformation

    A 128 bit key requires 4 x 11 words of key data w[i] (0i

    IDEA Round structure

    [Figure: IDEA round with inputs X1, X2, X3, X4 and round-key words K1, K2, K3, K4, K5, K6]

    Legend

    XOR on 16 bits: sum in

    sum modulo 2^16: sum in

    product modulo 2^16+1: product in

    ECB: Electronic Code Book

    Ei = DES(K0, Mi)

    [Figure: DES block with input Mi (64 bit), key K0 (56 bit), and output Ei (64 bit)]

    CBC: Cipher-Block Chaining

    Ei = DES(K0, Mi + Ei-1)

    [Figure: DES block with key K0, input Mi and a + node]
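The DES round description (an involution (L+f(R)|R) followed by a swap) and the ECB and CBC rules above, as an added example that is not part of the original slides. It uses a toy 64-bit Feistel cipher in place of DES; the SHA-256 round function, the round keys, the initial value `IV` used as E0, and the sample message are assumptions.

```python
import hashlib

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def f(r: bytes, k: bytes) -> bytes:
    # Stand-in round function (assumption): NOT the DES f(R) = S(E(R)+K).
    return hashlib.sha256(k + r).digest()[:4]

def feistel(block: bytes, round_keys) -> bytes:
    """Toy 64-bit Feistel cipher: each round maps (L|R) to (R | L+f(R))."""
    l, r = block[:4], block[4:]
    for k in round_keys:
        l, r = r, xor(l, f(r, k))      # involution (L+f(R)|R), then swap
    return r + l                       # final swap lets decryption reuse the network

def encrypt(block: bytes, keys) -> bytes:
    return feistel(block, keys)

def decrypt(block: bytes, keys) -> bytes:
    return feistel(block, keys[::-1])  # same network, round keys reversed

def ecb_encrypt(blocks, keys):
    # Ei = E(K0, Mi): equal plaintext blocks give equal ciphertext blocks.
    return [encrypt(m, keys) for m in blocks]

def cbc_encrypt(blocks, keys, iv):
    # Ei = E(K0, Mi + Ei-1), with E0 = iv.
    out, prev = [], iv
    for m in blocks:
        prev = encrypt(xor(m, prev), keys)
        out.append(prev)
    return out

def cbc_decrypt(blocks, keys, iv):
    # Mi = D(K0, Ei) + Ei-1
    out, prev = [], iv
    for e in blocks:
        out.append(xor(decrypt(e, keys), prev))
        prev = e
    return out

# Constructed sample data: 16 round keys and a message with a repeated block.
KEYS = [bytes([i]) * 6 for i in range(1, 17)]
IV = bytes(8)
MESSAGE = [b"PAY 0100", b"PAY 0100", b"PAY 9999"]
```

Under ECB the two identical blocks of `MESSAGE` produce identical ciphertext blocks, while under CBC they differ because each block is chained to the previous ciphertext.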

    CFB: Cipher FeedBack

    ki = DES(K0, ki-1)

    [Figure: DES block with key K0 and input ki-1, and a + node with Mi and Ei]

    OFB: Output FeedBack

    ki = DES(K0, Ei-1)

    Ei = ki + Mi

    [Figure: DES block with key K0 and input Ei-1, and a + node with Mi]

    Applications

    GSM (Mobile telephony)

    - Authentication for correct accounting and access control to the network

    - Confidentiality

    - No tracking

    Internet Secure Connection

    GSM

    Security in GSM is based on three algorithms

    - A3 authentication algorithm (and protocol)

    - A5 confidentiality algorithm: a stream ciphering with stream generator consisting of three clock controlled LFSR

    - A8 algorithm: a one-way function used to define the initial state for A5

    Tracking is avoided using a secret alias for any accepted user.

    GSM - A3 protocol

    Users are identified by

    - a public user number PIN, the phone number, and

    - a secret user number ID.

    ID is stored on the SIM card and in the Control access computer system of the Provider.

    GSM - A3 protocol

    BOB sends an access request to Base Station (BS) (the distributed access points of the cellular network) with clear PIN.

    BS forwards the request to provider P.

    P returns a RANDOM number to BS.

    BS sends RANDOM to BOB

    GSM - A3 protocol

    BOB encrypts RANDOM combined with his secret ID using A3 algorithm

    ANSWER=A3(RANDOM, ID)

    BOB sends ANSWER to BS

    BS forwards ANSWER to P

    P compares ANSWER with the locally computed ANS = A3(RANDOM, ID)

    If ANS = ANSWER then access is permitted, otherwise it is denied.

    GSM - A3 protocol

    If access is permitted then P sends an ack to BS together with a SKEY5, a secret key used by the encryption algorithm A5

    BS sends an ack to BOB.

    BOB computes his SKEY5 as

    SKEY5 = A8(RANDOM, ID)
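The A3/A8 exchange described in the slides above, with both sides' computations, as an added example that is not part of the original slides. Since the slides give no definition of A3 or A8, HMAC-SHA256 stands in for both; the class names, output sizes, the RANDOM length and the sample subscriber are assumptions.

```python
import hashlib
import hmac
import secrets

def a3(random: bytes, secret_id: bytes) -> bytes:
    # Stand-in for A3 (assumption): keyed one-way function, 32-bit answer.
    return hmac.new(secret_id, b"A3" + random, hashlib.sha256).digest()[:4]

def a8(random: bytes, secret_id: bytes) -> bytes:
    # Stand-in for A8 (assumption): keyed one-way function, 64-bit SKEY5.
    return hmac.new(secret_id, b"A8" + random, hashlib.sha256).digest()[:8]

class Provider:
    """P: holds each user's secret ID, indexed by the public PIN."""
    def __init__(self, users):
        self.users = dict(users)
        self.pending = {}                             # PIN -> RANDOM awaiting an ANSWER

    def challenge(self, pin):
        self.pending[pin] = secrets.token_bytes(16)   # fresh RANDOM per request
        return self.pending[pin]

    def verify(self, pin, answer):
        random = self.pending.pop(pin, None)          # each RANDOM is accepted once
        secret_id = self.users.get(pin)
        if random is None or secret_id is None:
            return None
        if not hmac.compare_digest(answer, a3(random, secret_id)):
            return None                               # ANS != ANSWER: access denied
        return a8(random, secret_id)                  # SKEY5 sent to BS with the ack

class Phone:
    """BOB: the SIM stores the secret ID; the PIN is sent in clear."""
    def __init__(self, pin, secret_id):
        self.pin, self.secret_id = pin, secret_id

    def respond(self, random):
        # ANSWER = A3(RANDOM, ID) and SKEY5 = A8(RANDOM, ID)
        return a3(random, self.secret_id), a8(random, self.secret_id)

def access(provider, phone) -> bool:
    """One run of the exchange; BS only forwards, so it is folded into the calls."""
    random = provider.challenge(phone.pin)            # request up, RANDOM down
    answer, skey_bob = phone.respond(random)
    skey_bs = provider.verify(phone.pin, answer)
    return skey_bs is not None and hmac.compare_digest(skey_bs, skey_bob)

# Constructed sample subscriber.
PIN, SECRET_ID = "PIN-0001", b"constructed-secret-id"
```

The secret ID never crosses the channel, and because RANDOM is fresh for every request, an ANSWER recorded from one run is rejected in the next.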

    GSM - A5 algorithm

    It is composed of three LFSRs of length 19, 22, and 23.

    The evolution is clock controlled: three cells, in position 8, 10 and 10 of the three Registers respectively, are checked, and only the Registers with the majority symbol (either 0 or 1) change state

    The output sequence is obtained as a sum modulo 2 of the three binary sequences.

    GSM - A5 algorithm

    [Figure: block scheme and polynomial generators]
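The clock-controlled generator described above, as an added example that is not part of the original slides. Register lengths and checked cells follow the slide (positions counted from 0, an assumption); the feedback taps are the commonly published A5/1 ones, which the extracted slide does not show, and the initial state is constructed rather than derived from A8.

```python
from dataclasses import dataclass

@dataclass
class LFSR:
    length: int
    taps: tuple      # feedback cells (assumption: published A5/1 taps, not on the slide)
    clock_cell: int  # cell checked by the majority rule
    state: int = 0

    def cell(self, i: int) -> int:
        return (self.state >> i) & 1

    def step(self) -> None:
        fb = 0
        for t in self.taps:
            fb ^= self.cell(t)
        self.state = ((self.state << 1) | fb) & ((1 << self.length) - 1)

    def output(self) -> int:
        return self.cell(self.length - 1)

def registers(s1: int, s2: int, s3: int):
    # Lengths 19, 22, 23 and checked cells 8, 10, 10 as on the slide.
    return [LFSR(19, (13, 16, 17, 18), 8, s1),
            LFSR(22, (20, 21), 10, s2),
            LFSR(23, (7, 20, 21, 22), 10, s3)]

def keystream(regs, n: int):
    """Return n key bits and, per step, how many registers changed state."""
    bits, moved = [], []
    for _ in range(n):
        checked = [r.cell(r.clock_cell) for r in regs]
        majority = 1 if sum(checked) >= 2 else 0
        count = 0
        for r, c in zip(regs, checked):
            if c == majority:          # the register in the minority stays still
                r.step()
                count += 1
        moved.append(count)
        bits.append(regs[0].output() ^ regs[1].output() ^ regs[2].output())
    return bits, moved

def encipher(message_bits, state):
    # e(n) = m(n) + k(n) modulo 2; applying it twice restores the message.
    k, _ = keystream(registers(*state), len(message_bits))
    return [m ^ b for m, b in zip(message_bits, k)]

STATE = (0x2A5F1, 0x1B3C7D, 0x4D2E9B)   # constructed initial state, not from A8
```

At every step two or three registers move, never fewer. An all-zero initial state yields an all-zero key stream, so the ciphertext would equal the plaintext.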

    GSM - Comments

    A3 algorithm

    - Is the Provider's responsibility and choice

    - Must be a strong ONE-WAY function to prevent cloning

    - Must be easy to compute because of the limited power of cell phones.

    - Definition is not publicly available.

    - Common to all Providers (possibly), as the one proposed by the GSM group is used

    GSM - Comments

    A5 algorithm

    - Must be common to every Provider as it runs on every Base Station

    - Must be reasonably strong but guarantee QoS, being a real-time bit-by-bit encryption

    - Must need few computations because of the limited power and energy available.

    - Is public. It was originally proposed by the GSM standardization group

    - Initial state of the LFSRs is provided by the A8 algorithm

    GSM - Comments

    A8 is the Provider's responsibility and choice

    - It must be a strong ONE-WAY function to prevent cloning

    - The weakness is manifest only if A5 is broken

    - It must be easy to compute because of the limited power of cell phones.

    - At present the algorithm used is not public.

    - It is common to all Providers as they use the one proposed by the GSM standardization group

    Internet secure connection

    Internet confidentiality is based on Secure Socket Layer (SSL), which establishes an encrypted connection with the secret keys distributed by a Trusted Party using a PKC

    SSL encrypts the bits that go through the Internet channel

    Comparison

    Internet confidentiality and GSM confidentiality are examples of two different security models:

    - SSL encrypts the channel

    - GSM encrypts the message