Professional Documents
Culture Documents
Abstract
We will discuss
How to use block ciphers? RC4: a widely used stream cipher Problems with WEPs use of RC4
Modes of Operations
Message Padding
The plaintext message is broken into blocks, P1, P2, P3, ... The last block may be short of a whole block and needs padding. Possible padding:
Known non-data values (e.g. nulls) Or a number indicating the size of the pad Or a number indicating the size of the plaintext The last two schemes may require an extra block.
6
Remarks on ECB
Strength: its simple. Weakness: Repetitive information contained in the plaintext may show in the ciphertext, if aligned with blocks. If the same message (e.g., an SSN) is encrypted (with the same key) and sent twice, their ciphertexts are the same. Typical application: secure transmission of short pieces of information (e.g. a temporary encryption key)
8
10
Remarks on CBC
The encryption of a block depends on the current and all blocks before it. So, repeated plaintext blocks are encrypted differently. Initialization Vector (IV)
Must be known to both the sender & receiver Typically, IV is either a fixed value or is sent encrypted in ECB mode before the rest of ciphertext.
11
Without knowing the key k , for any data block x, Ek ( x ) is unknown to the adversary. To encrypt P , P2 , P3 ,..., we may use Ek to generate 1 a key stream (a sequence of "masks") K1 , K 2 , K3 ,..., and encrypt Pi as Ci = Pi Ki . Three different ways to generate K1 , K 2 , K3 ,...
12
13
15
16
17
Remark on CFB
The block cipher is used as a stream cipher. Appropriate when data arrives in bits/bytes. s can be any value; a common value is s = 8. A ciphertext segment depends on the current and all preceding plaintext segments. A corrupted ciphertext segment during transmission will affect the current and next several plaintext segments. How many plaintext segments will be affected?
18
19
Cipher Feedback
Output Feedback
21
Remark on OFB
The block cipher is used as a stream cipher. Appropriate when data arrives in bits/bytes. Advantage:
more resistant to transmission errors; a bit error in a ciphertext segment affects only the decryption of that segment.
Disadvantage:
Cannot recover from lost ciphertext segments; if a ciphertext segment is lost, all following segments will be decrypted incorrectly (if the receiver is not aware of the segment loss).
IV should be generated randomly each time and sent with the ciphertext.
22
Remark on CTR
Strengthes:
Needs only the encryption algorithm Fast encryption/decryption; blocks can be processed (encrypted or decrypted) in parallel; good for high speed links Random access to encrypted data blocks
24
Stream Ciphers
Vernams one-time pad cipher Key = k1k2k3k4 K (random, used one-time only) Plaintext = m1m2 m3m4 K Ciphertext = c1c2c3c4 K where ci = mi ki Can be proved to be unconditionally secure.
26
27
Stream Ciphers
Typically, process the plaintext byte by byte. So, the plaintext is a stream of bytes: P , P2 , P3 , 1 Use a key K as the seed to generate a sequence of pseudorandom bytes (keystream): K1 , K 2 , K 3 , The ciphertext is C1 , C2 , C3 , C4 , , where Ci = Pi Ki Various stream ciphers differ in the way they generate keystreams.
28
Stream Ciphers
For a stream cipher to be secure, the keystream g should have a large period, and g should be as random as possible, each of the 256 values appearing about equally often. The same keystream must not be reused. That is, the input key K must be different for each plaintext (if the pseudorandom generator is deterministic).
29
RC4
Two vectors of bytes: S [0], S [1], S [2], K , S [255] T [0], T [1], T [2], K , T [255] Key: variable length, from 1 to 256 bytes Initialization: 1. S [i ] i, for 0 i 255 2. T [i ] K [i mod key-length], for 0 i 255 (i.e., fill up T [0..255] with the key K repeatedly.)
31
Security of RC4
The keystream generated by RC4 is biased.
The second byte is biased toward zero with high probability. The first few bytes are strongly non-random and leak information about the input key.
Efforts are underway (e.g. the eSTREAM project) to develop more secure stream ciphers.
34
or 104 bits)
35
Header IV
l Packet
ICV
FCS
encrypted
ICV: integrity check value (for data integrity) FCS: frame check sequence (for error detection) Both use CRC32
36
WEP has been shown to be insecure. There is an article, Breaking 104 bit WEP in less than 60 seconds, discussing how to discover the RC4 key by analyzing encrypted ARP packets.
37