Chapter 7 – Stream Ciphers and Cryptography and Random ...banach/COMP61411.Info/Course... ·...
Cryptography and Network Security
Chapter 7
Fifth Edition
by William Stallings
Lecture slides by Lawrie Brown
(with edits by RHB)
Chapter 7 – Stream Ciphers and Random Number Generation
The comparatively late rise of the theory of probability shows how hard it is to grasp, and the many paradoxes show clearly that we, as humans, lack a well grounded intuition in this matter.
In probability theory there is a great deal of art in setting up the model, in solving the problem, and in applying the results back to the real world actions that will follow.
— The Art of Probability, Richard Hamming
Outline
• pseudorandom number generation
• stream ciphers
• RC4
• true random numbers
Random Numbers
• many uses of random numbers in cryptography
– nonces in authentication protocols to prevent replay
– session keys
– public key generation
– keystream for a one-time pad
• in all cases it's critical that these values are
– statistically random: uniform distribution, independent
– unpredictable: future values cannot be derived from previous ones
• true random numbers provide this
• care needed with generated random numbers
Pseudorandom Number Generators (PRNGs)
• often use deterministic algorithmic techniques to create “random numbers”
– although they are not truly random
– they can pass many tests of “randomness”
• known as “pseudorandom numbers”
• created by “Pseudorandom Number Generators (PRNGs)”
Random & Pseudorandom Number Generators
PRNG Requirements
• randomness
– uniformity, scalability, consistency
• unpredictability
– forward & backward unpredictability
– same tests used to check both
• characteristics of the seed
– secure
– if known, adversary can determine output
– so must be a random or pseudorandom number
Linear Congruential Generator
• common iterative technique using: X_{n+1} = (a·X_n + c) mod m
• given suitable values of parameters can produce a long random-like sequence
• suitable criteria to have are:
– function generates a full period (a period always exists)
– generated sequence should appear random
– efficient implementation with 32-bit arithmetic
• note that an attacker can reconstruct the sequence given a small number of values (knowing a, c, m)
• have possibilities for making this harder
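As an added example (not from the slides), the recurrence above in Python, together with the "full period" criterion checked via the Hull-Dobell theorem, a brute-force confirmation on a small modulus, and the reason the slide gives for not using an LCG cryptographically: once a, c and m are known, a single observed output fixes every later output. The constants 1664525, 1013904223, 2^32 are the published Numerical Recipes parameters, not values from the slides; the small parameters m=16, a=5, c=3 are constructed here.

```python
"""Linear congruential generator: X_{n+1} = (a*X_n + c) mod m.

Added example, not from the slides.  It implements the recurrence, checks the
"full period" criterion with the Hull-Dobell theorem, confirms that check by
brute force on a small modulus, and shows why an LCG is unusable as a
cryptographic PRNG: with a, c and m known, one observed output determines
every later output.
"""
from math import gcd


def lcg(a, c, m, seed, n):
    """Return the first n outputs X_1..X_n of the LCG started at X_0 = seed."""
    out, x = [], seed
    for _ in range(n):
        x = (a * x + c) % m
        out.append(x)
    return out


def _prime_factors(n):
    """Distinct prime factors of n by trial division (fine for the sizes used here)."""
    factors, p = set(), 2
    while p * p <= n:
        while n % p == 0:
            factors.add(p)
            n //= p
        p += 1
    if n > 1:
        factors.add(n)
    return factors


def has_full_period(a, c, m):
    """Hull-Dobell theorem: the LCG visits every residue mod m (period m) iff
    (1) gcd(c, m) == 1, (2) a-1 is divisible by every prime factor of m, and
    (3) a-1 is divisible by 4 whenever m is divisible by 4."""
    if gcd(c, m) != 1:
        return False
    if any((a - 1) % p != 0 for p in _prime_factors(m)):
        return False
    if m % 4 == 0 and (a - 1) % 4 != 0:
        return False
    return True


def brute_force_period(a, c, m, seed=0):
    """Number of distinct states reached from seed before one repeats.  For a
    full-period LCG the sequence is one pure cycle, so this equals the period.
    Only sensible for small m."""
    seen, x, steps = set(), seed, 0
    while x not in seen:
        seen.add(x)
        x = (a * x + c) % m
        steps += 1
    return steps


def predict_from_one_output(a, c, m, observed, n):
    """Given a, c, m and one observed output, the next n outputs are fixed:
    the recurrence holds no secret beyond the current state."""
    return lcg(a, c, m, observed, n)


if __name__ == "__main__":
    # Published Numerical Recipes constants (full period 2**32); not from the slides.
    A, C, M = 1664525, 1013904223, 2 ** 32
    print("full period:", has_full_period(A, C, M))
    xs = lcg(A, C, M, seed=12345, n=4)
    print("outputs:", xs)
    # An observer who saw only xs[1] can name xs[2], xs[3], ...
    print("predicted rest:", predict_from_one_output(A, C, M, xs[1], 2) == xs[2:])
    # Constructed small modulus so the theorem can be checked exhaustively.
    print("m=16, a=5, c=3 period:", brute_force_period(5, 3, 16))
```

The Hull-Dobell check answers only the first of the slide's criteria (period); a full-period generator can still look very non-random, and nothing in it addresses predictability.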
Blum Blum Shub Generator
• based on public key algorithms
• use least significant bit from iterative equation:
    x_0 = s^2 mod n
    LOOP x_i = (x_{i-1})^2 mod n
         b_i = x_i mod 2
  where n = p·q, and primes p, q ≡ 3 mod 4
• unpredictable, passes next-bit test
• security rests on difficulty of factoring n
• is unpredictable given any run of bits
• slow, since very large numbers must be used
• too slow for cipher use, good for key generation
Example Operation of BBS
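An added Python example (not from the slides) of the BBS recurrence above. It checks the conditions the slide places on p, q and the seed before generating, and can be run either with the tiny constructed parameters p=7, q=11, s=3 (n=77, small enough to follow by hand) or with the p=383, q=503, s=101355 example from Stallings' textbook; those textbook values do not appear on this page.

```python
"""Blum Blum Shub generator, following the slide's recurrence:
    x_0 = s^2 mod n,   x_i = x_{i-1}^2 mod n,   b_i = x_i mod 2,
with n = p*q, p and q prime, and p ≡ q ≡ 3 (mod 4).

Added example, not from the slides.
"""
from math import gcd


def is_probable_prime(n):
    """Miller-Rabin with fixed witnesses; deterministic for n below ~3.3e24,
    probabilistic (but still sound for these witnesses in practice) above."""
    if n < 2:
        return False
    small = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n in small:
        return True
    if any(n % p == 0 for p in small):
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in small:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def bbs_check_params(p, q, s):
    """Validate the conditions from the slide; return n = p*q."""
    if not (is_probable_prime(p) and is_probable_prime(q)):
        raise ValueError("p and q must be prime")
    if p % 4 != 3 or q % 4 != 3:
        raise ValueError("p and q must both be congruent to 3 mod 4")
    n = p * q
    if not (1 < s < n) or gcd(s, n) != 1:
        raise ValueError("seed s must lie in (1, n) and be coprime to n")
    return n


def bbs_states(p, q, s, count):
    """Return [x_0, x_1, ..., x_count]: x_0 = s^2 mod n, x_i = x_{i-1}^2 mod n."""
    n = bbs_check_params(p, q, s)
    xs = [pow(s, 2, n)]
    for _ in range(count):
        xs.append(pow(xs[-1], 2, n))
    return xs


def bbs_bits(p, q, s, count):
    """Output bits b_1..b_count: the least significant bit of each x_i, i >= 1."""
    return [x & 1 for x in bbs_states(p, q, s, count)[1:]]


def bbs_bytes(p, q, s, nbytes):
    """Pack 8 output bits per byte, MSB first.  One modular squaring of a
    large n per bit is what makes BBS too slow for bulk encryption, as the
    slide notes, while still fine for generating a key."""
    bits = bbs_bits(p, q, s, 8 * nbytes)
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits), 8))


if __name__ == "__main__":
    # Constructed toy parameters: p = 7, q = 11, n = 77 (far too small for real use).
    print("toy states:", bbs_states(7, 11, 3, 8))
    print("toy bits:  ", bbs_bits(7, 11, 3, 8))
    # Parameters of Stallings' textbook BBS example (not on this page).
    print("textbook x_0:", bbs_states(383, 503, 101355, 0)[0])
    print("textbook first bits:", bbs_bits(383, 503, 101355, 8))
```

With the toy modulus the state cycles after four squarings (9, 4, 16, 25, 9, ...), which is exactly why n must be a product of two large primes: the period and the unpredictability both rest on n being infeasible to factor.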
Using Block Ciphers as PRNGs
• for cryptographic applications, can use a block cipher to generate random numbers
• often for creating session keys from master key
• CTR: X_i = E_K[V_i]
• OFB: X_i = E_K[X_{i-1}]
ANSI X9.17 PRG
• a relatively complicated construction, including timestamps, and multiple encryptions
• date and time (DT_i)
• uses 2-key (K1, K2) triple DES (3 times per random bit R_i)
• feeds back between rounds (V_i)
ANSI X9.17 PRG
ANSI X9.17 PRNG
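An added Python example (not from the slides or from any standard's reference code) covering both the CTR/OFB generators on the previous slide and the X9.17 construction on this one. Since the standard library has no block cipher, a deliberately toy 64-bit Feistel network stands in for AES or 3DES; the generators take the cipher as a parameter so the same code works with a real one. The X9.17 data flow used here (I_i = EDE[DT_i], R_i = EDE[V_i XOR I_i], V_{i+1} = EDE[R_i XOR I_i], with EDE the two-key encrypt-decrypt-encrypt) is the one described in Stallings' text; the keys, seed and timestamps are constructed.

```python
"""Block-cipher based PRNGs: CTR (X_i = E_K[V_i]), OFB (X_i = E_K[X_{i-1}])
and the ANSI X9.17 construction (3 EDE operations per output R_i, seed V_i
fed back between rounds).

Added example, not from the slides.  The block cipher below is a toy 8-round
Feistel network so the file runs offline; it is not a secure cipher.
"""
MASK32 = 0xFFFFFFFF
MASK64 = 0xFFFFFFFFFFFFFFFF
ROUNDS = 8


def _round_keys(key):
    """Toy key schedule: one 32-bit subkey per round from the 64-bit key."""
    return [(((key + r) * 0x9E3779B97F4A7C15) & MASK64) >> 32 for r in range(ROUNDS)]


def _f(half, rk):
    """Toy round function: key mix, multiply, rotate.  Not a real design."""
    x = (half ^ rk) & MASK32
    x = (x * 0x9E3779B1 + 0x7F4A7C15) & MASK32
    return ((x << 13) | (x >> 19)) & MASK32


def toy_encrypt(key, block):
    """Feistel encryption of a 64-bit block; a bijection whatever _f is."""
    left, right = block >> 32, block & MASK32
    for rk in _round_keys(key):
        left, right = right, left ^ _f(right, rk)
    return (left << 32) | right


def toy_decrypt(key, block):
    """Inverse of toy_encrypt: same rounds with the subkeys in reverse order."""
    left, right = block >> 32, block & MASK32
    for rk in reversed(_round_keys(key)):
        left, right = right ^ _f(left, rk), left
    return (left << 32) | right


def ctr_prng(key, v0, n, encrypt=toy_encrypt):
    """CTR mode: X_i = E_K[V_i] with V_i = V_0 + i.  Because E_K is a
    permutation, distinct counters can never yield the same output block."""
    return [encrypt(key, (v0 + i) & MASK64) for i in range(n)]


def ofb_prng(key, seed, n, encrypt=toy_encrypt):
    """OFB mode: X_i = E_K[X_{i-1}]; every output becomes the next input."""
    out, x = [], seed
    for _ in range(n):
        x = encrypt(key, x)
        out.append(x)
    return out


def x9_17_prng(k1, k2, v1, timestamps, encrypt=toy_encrypt, decrypt=toy_decrypt):
    """X9.17 style generator: one 64-bit output R_i per timestamp DT_i.
    Returns (outputs, next_seed) so the caller can keep the chain going."""
    def ede(block):                      # two-key encrypt-decrypt-encrypt
        return encrypt(k1, decrypt(k2, encrypt(k1, block)))

    out, v = [], v1
    for dt in timestamps:
        i_blk = ede(dt)                  # I_i     = EDE[DT_i]
        r = ede(v ^ i_blk)               # R_i     = EDE[V_i XOR I_i]
        v = ede(r ^ i_blk)               # V_{i+1} = EDE[R_i XOR I_i]
        out.append(r)
    return out, v


if __name__ == "__main__":
    key = 0x0123456789ABCDEF              # constructed demo key
    print("CTR:", [hex(x) for x in ctr_prng(key, 1, 3)])
    print("OFB:", [hex(x) for x in ofb_prng(key, 1, 3)])
    # Constructed timestamps and seed.  In X9.17 the DT_i are real date/time
    # values and the secret seed V_1 must come from a genuine random source.
    outs, next_v = x9_17_prng(key, 0xFEDCBA9876543210, 0xAAAA5555AAAA5555, [1, 2, 3])
    print("X9.17:", [hex(r) for r in outs], "next seed:", hex(next_v))
```

All three generators are deterministic functions of key and seed: rerunning with the same inputs reproduces the same stream, which is the practical meaning of the earlier slide's requirement that the seed be secret and itself random.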
Stream Ciphers
• process message bit by bit (as a stream)
• have a pseudorandom keystream
• which is combined (XOR) with plaintext bit by bit (cf. one-time pad)
• randomness of stream key completely destroys statistical properties in message
– C_i = M_i XOR StreamKey_i
• but must never reuse stream key
– otherwise can recover messages (via XOR of msgs)
Stream Cipher StructureStream Cipher Structure
Stream Cipher Properties
• some design considerations are:
– long period with no repetitions of keystream
– statistically random
– depends on large enough key
– large linear complexity
• properly designed, can be as secure as a block cipher with same size key
• but usually simpler & faster
RC4
• a proprietary cipher owned by RSA DSI
• a Ron Rivest design, simple but effective
• variable key size, byte-oriented stream cipher
• was widely used (web SSL/TLS, wireless WEP/WPA)
• key forms random permutation of all 8-bit values
• uses that permutation to scramble input info processed a byte at a time
• these days, known to have vulnerabilities
RC4 Key Schedule
• starts with an array S of numbers: 0..255
• use key to well and truly shuffle S
• S forms internal state of the cipher
    for i = 0 to 255 do
        S[i] = i
        T[i] = K[i mod keylen]
    j = 0
    for i = 0 to 255 do
        j = (j + S[i] + T[i]) (mod 256)
        swap (S[i], S[j])
RC4 Encryption
• encryption continues shuffling array values
• sum of shuffled pair selects "stream key" value from permutation
• XOR S[t] with next byte of msg. to en/de-crypt
    i = j = 0
    for each message byte M_i
        i = (i + 1) (mod 256)
        j = (j + S[i]) (mod 256)
        swap (S[i], S[j])
        t = (S[i] + S[j]) (mod 256)
        C_i = M_i XOR S[t]
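The key schedule and encryption loop from the two slides above, transcribed into Python as an added example (not the slides' own code). It is checked against published RC4 test vectors, and then demonstrates two points the slides make: reusing a stream key leaks the XOR of the two messages (the "Stream Ciphers" slide), and the keystream is biased (the "RC4 Security" slide). The specific bias measured, the second output byte being 0 about twice as often as chance, is the one published by Mantin and Shamir in 2001 and is not described on this page; the keys used for the measurement are derived from a counter with SHA-256 so the run is reproducible.

```python
"""RC4 key schedule (KSA) and keystream generation (PRGA), transcribed from
the pseudocode on the slides.

Added example, not from the slides.  Checks published test vectors, then shows
the keystream-reuse leak and the second-byte bias (Mantin and Shamir, 2001).
"""
import hashlib


def rc4_ksa(key: bytes) -> list:
    """Key scheduling: start with S = 0..255 and shuffle it under the key."""
    S = list(range(256))
    T = [key[i % len(key)] for i in range(256)]
    j = 0
    for i in range(256):
        j = (j + S[i] + T[i]) % 256
        S[i], S[j] = S[j], S[i]
    return S


def rc4_keystream(S: list, n: int) -> bytes:
    """Generate n keystream bytes; S keeps being shuffled as bytes are drawn."""
    S = S[:]                       # work on a copy of the caller's state
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        t = (S[i] + S[j]) % 256
        out.append(S[t])
    return bytes(out)


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """C_i = M_i XOR S[t]; the same call decrypts since XOR is its own inverse."""
    ks = rc4_keystream(rc4_ksa(key), len(data))
    return bytes(m ^ k for m, k in zip(data, ks))


def xor_of_ciphertexts(key: bytes, m1: bytes, m2: bytes) -> bytes:
    """Encrypt two equal-length messages under one key and XOR the ciphertexts.
    The keystream cancels, so the result equals m1 XOR m2: the reason a stream
    key must never be reused."""
    c1, c2 = rc4_crypt(key, m1), rc4_crypt(key, m2)
    return bytes(a ^ b for a, b in zip(c1, c2))


def second_byte_zero_rate(num_keys: int) -> float:
    """Fraction of keys whose second keystream byte is 0.  Keys are constructed
    deterministically (SHA-256 of a counter) so the figure is reproducible.
    An unbiased generator would give about 1/256 ≈ 0.0039; RC4 gives ≈ 2/256."""
    zeros = 0
    for k in range(num_keys):
        key = hashlib.sha256(k.to_bytes(4, "big")).digest()[:16]
        if rc4_keystream(rc4_ksa(key), 2)[1] == 0:
            zeros += 1
    return zeros / num_keys


if __name__ == "__main__":
    # Published test vector: key "Key", plaintext "Plaintext".
    print(rc4_crypt(b"Key", b"Plaintext").hex())            # bbf316e8d940af0ad3
    m1, m2 = b"attack at dawn", b"attack at dusk"           # constructed messages
    leak = xor_of_ciphertexts(b"Secret", m1, m2)
    print("C1^C2 == M1^M2:", leak == bytes(a ^ b for a, b in zip(m1, m2)))
    print("P[second byte = 0] over 16384 keys:", second_byte_zero_rate(16384))
```

The bias measurement is a defender's check rather than an attack: a generator whose second byte is 0 twice as often as chance fails the "statistically random" design consideration listed two slides earlier, which is one concrete reason RC4 is no longer acceptable in TLS.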
RC4 Overview
RC4 Security
• claimed secure against known attacks when managed properly
– have some analyses, none practical
• result is very non-linear
• since RC4 is a stream cipher, must never reuse a key
• these days, RC4 is known to be biased (unequal numbers of 0s and 1s in the keystream)
• NSA has been breaking RC4 for many years!
Natural Random Noise
• best source is natural randomness in real world
• find a regular but random event and monitor it
• do generally need special h/w to do this
– eg. radiation counters, radio noise, audio noise, thermal noise in diodes, leaky capacitors, mercury discharge tubes etc … photon detectors …
• see such h/w in better contemporary CPUs
• problems of bias or uneven distribution in signal
– have to compensate for this when sampling, often by passing bits through a hash function
– best to only use a few noisiest bits from each sample
– RFC4086 recommends using multiple sources + hash
Photon Detector TRNG
Compensating for physical bias
Exponential decay leads to unequal bins
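An added Python example (not from the slides) of the bias problem and the hash-based compensation the slide describes. The "hardware" is simulated: the time to the next event of a process with exponential decay is compared with the mean inter-arrival time to produce a bit, and because the exponential distribution is skewed the two bins are unequal (P[bit = 1] = 1/e ≈ 0.37). Passing blocks of raw bits through SHA-256, taking out fewer bits than the estimated entropy put in, as RFC 4086 advises, removes the imbalance. The detector model, block sizes and the fixed seed are all constructed for the example.

```python
"""Compensating for bias in a physical noise source: sample a noisy event,
observe the skewed bins, then condition the bits with a hash.

Added example, not from the slides.  The source is simulated with a fixed
seed so the run is reproducible; a real TRNG reads hardware here.
"""
import hashlib
import random


def sample_raw_bits(n, seed=2024):
    """Simulated detector: bit = 1 if the time to the next event exceeds the
    mean inter-arrival time (1.0).  Exponential decay puts only 1/e of the
    samples above the mean, so the bins are unequal."""
    rng = random.Random(seed)
    return [1 if rng.expovariate(1.0) > 1.0 else 0 for _ in range(n)]


def ones_fraction(bits):
    """P[bit = 1] estimated from a list of 0/1 samples."""
    return sum(bits) / len(bits)


def pack_bits(bits):
    """Pack 0/1 values into bytes, MSB first; the last byte is zero-padded."""
    out = bytearray()
    for i in range(0, len(bits), 8):
        chunk = bits[i:i + 8]
        chunk = chunk + [0] * (8 - len(chunk))
        out.append(int("".join(map(str, chunk)), 2))
    return bytes(out)


def condition_with_hash(raw_bits, in_bits=512, out_bits=256):
    """Hash each block of in_bits raw samples and keep out_bits of the digest.
    A source with P[1] = 1/e carries about 0.95 bits of entropy per sample, so
    512 samples hold roughly 485 bits, comfortably above the 256 bits taken
    out: the output rate must stay below the input entropy rate."""
    conditioned = []
    for start in range(0, len(raw_bits) - in_bits + 1, in_bits):
        digest = hashlib.sha256(pack_bits(raw_bits[start:start + in_bits])).digest()
        for byte in digest[:out_bits // 8]:
            conditioned.extend((byte >> k) & 1 for k in range(7, -1, -1))
    return conditioned


if __name__ == "__main__":
    raw = sample_raw_bits(20000)
    print("raw P[1] =", round(ones_fraction(raw), 3))            # about 0.37
    cond = condition_with_hash(raw)
    print("conditioned P[1] =", round(ones_fraction(cond), 3))   # about 0.50
    print("output bits:", len(cond), "from", len(raw), "raw samples")
```

Note the cost of the fix: 20000 raw samples yield under 10000 conditioned bits, which is why the slide recommends combining several noise sources when throughput matters, and why the hash output must not be taken as "free" randomness beyond the entropy actually fed in.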
Using a TRNG to give seed
Published Sources
• a few published collections of random numbers
• Rand Co., in 1955, published 1 million numbers
– generated using an electronic roulette wheel
– has been used in some cipher designs, cf Khafre
• earlier Tippett in 1927 published a collection
• issues are that:
– these are limited
– too well-known for most uses