- CS461 09.Cryptography
- e-voting using pgp
- A Decentralized Self-Adaptation Mechanism For
- File Locking System Using Aes Algorithm
- As NZS ISO IEC 18033.4-2006 Information Technology - Security Techniques - Encryption Algorithms Stream Ciphe
- 510
- Trust Based CP-ABE for DTN
- How PGP Works
- Stochastic Modeling
- Java Web Logic
- Principle of Security QA
- A Review on Key-Aggregate Cryptosystem for Scalable Data Sharing in Cloud Storage
- Pseddo Random Numbers Generator Using Deterministic Chaotic System
- RC4 Encryption Technique by ABHAYA KUMAR
- TQP Development v. TracFone Wireless
- IPU MCA Advance Computer Network Lecture wise Notes(Lec32 (Key Predistribution))
- Encryption
- Nested
- Information Governance Policy and Management Framework
- Adv of Encryption
- Dynamic Cryptographic Authentication Applied
- it6011 sayedhasanmahfoodh 201501553 project2
- A Survey on Security in Wireless Sensor Networks
- IJETR021515
- Main Document
- A CRYPTOGRAPHIC MUTUAL AUTHENTICATION SCHEME FOR WEB APPLICATIONS
- 1-s2.0-S1742287615000481-main
- De Thi Va Dap an Thi Vao 10 Chuyen Anh
- Cyber Crime
- APPLICATION OF CLASSICAL ENCRYPTION TECHNIQUES FOR SECURING DATA- A THREADED APPROACH
- javascript
- advancedjavascript
- 22-javascript-2
- ajaxworld
- JavaScriptBasics
- UsingCascadingStyleSheets CssBasics
- CSS3
- first things first final
- css2
- Advanced CSS
- CCT8-FROMMELT-PR
- CSS

**Introduction to Stream Ciphers Attack on CSS
**

Vitaly Shmatikov

slide 1

Stream Ciphers

x Remember one-time pad? Ciphertext(Key,Message)=Message⊕Key

• Key must be a random bit sequence as long as message

**x Idea: replace “random” with “pseudorandom”
**

• Encrypt with pseudo-random number generator (PRNG) No efficient algorithm can tell • PRNG takes a short, truly random secret truly this sequence from seed random and expands it into a long “random-looking” sequence

– E.g., 128-bit seed into a 106-bit

slide 2

**Properties of Stream Ciphers
**

x Usually very fast (faster than block ciphers)

• Used where speed is important: WiFi, DVD

**x Unlike one-time pad, stream ciphers do not provide perfect secrecy
**

• Only as secure as the underlying PRNG • If used properly, can be as secure as block ciphers

**x PRNG is, by definition, unpredictable
**

• Given the stream of PRNG output (but not the seed!), it’s hard to predict what the next bit will be

– If PRNG(unknown random seed)=b1…bi, then

slide 3

**Weaknesses of Stream Ciphers
**

x No integrity

• Associativity & commutativity: (X⊕Y)⊕Z=(X⊕Z) ⊕Y • (M1⊕PRNG(seed)) ⊕ M2 = (M1⊕M2) ⊕ PRNG(seed)

**x Known-plaintext attack is very dangerous if keystream is ever repeated
**

• Self-cancellation property of XOR: X⊕X=0 • (M1⊕PRNG(seed)) ⊕ (M2⊕PRNG(seed)) = M1⊕M2 • If attacker knows M1, then easily recovers M2

– Most plaintexts contain enough redundancy that knowledge of M1 or M2 is not even necessary to recover both from M1⊕M2

slide 4

**Stream Cipher Terminology
**

x Seed of pseudo-random generator often consists of initialization vector (IV) and key

• IV is usually sent with the ciphertext • The key is a secret known only to the sender and the recipient, not sent with the ciphertext

**x The pseudo-random bit stream produced by PRNG(IV,key) is referred to as keystream
**

• PRNG must be cryptographically secure

**x Encrypt message by XORing with keystream
**

• ciphertext = message ⊕ keystream

slide 5

**Cryptographically Secure PRNG
**

x Next-bit test

• Given N bits of the pseudo-random sequence, predict (N+1)st bit

– Probability of correct prediction should be very close to 1/2 for any efficient adversarial algorithm

**x PRNG state compromise
**

• Even if attacker learns complete or partial state of the PRNG, he should not be able to reproduce the previously generated sequence

– … or future sequence, if there’ll be future random input(s)

x Common PRNGs are not cryptographically secure

slide 6

RC4

x Designed by Ron Rivest for RSA in 1987 x Simple, fast, widely used

• SSL/TLS for Web security, WEP for wireless

Byte array S[256] contains a permutation of numbers from 0 to 255 i = j := 0 loop i := (i+1) mod 256 j := (j+S[i]) mod 256 swap(S[i],S[j]) output (S[i]+S[j]) mod 256 end loop slide 7

RC4 Initialization

Key can be any Divide key K into L bytes length up to 2048 bits for i = 0 to 255 do S[i] := i j := 0 for i = 0 to 255 do j := (j+S[i]+K[i mod L]) mod 256 swap(S[i],S[j])

Generate initial permutation from key K

**x To use RC4, usually prepend initialization vector (IV) to the key
**

• IV can be random or a counter

x RC4 is not random enough! 1st byte of generated sequence depends only on 3 cells of state array S. This can be used to Fluhrer-MantinShamir attack extract the key.

• To use RC4 securely, RSA suggests discarding first 256 bytes

slide 8

**Linear Feedback Shift Register (LFSR)
**

⊕

Example: 4-bit LFSR b0 b1 b2 b3

add to pseudo-random sequence

**x Key is used as the seed
**

• For example, if the seed is 1001, the generated sequence is 1001101011110001001…

**x Repeats after 15 bits (24-1)
**

slide 9

**Content Scrambling System (CSS)
**

x DVD encryption scheme from Matsushita and Toshiba

Each player has its own PLAYER KEY (409 player manufacturers, each has its player key) KEY DATA BLOCK contains disk key encrypted with 409 different player keys:

• EncryptDiskKey(DiskKey) Each DVD is encrypted with • EncryptPlayerKey1(DiskKey) … What Encrypt a disk-specific 40-bit DISK This helps attacker PlayerKey409(DiskKey) happens if even a single KEY verify his guess of disk key player key is

slide 10

**Attack on CSS Decryption Scheme
**

[Frank Stevenson]

“1” seeded in 4th bit

16 key bits

disk key

… …

LFSR-17

+mod 256

th

⊕

Decrypted title key

**24 key bits
**

“1” seeded in 4 bit

LFSR-25

invert carry Table-based “mangling”

EncryptDiskKey(DiskKe y) stored on disk

Encrypted title key

Guess the output of mangling function byte by byte and recover the first 40 bits of the decrypted title key – this takes O(28) Guess 16 bits of the key contained in LFSR-17 – this takes O(216) Clock out 24 bits out of LFSR-17, use them to determine the corresponding output bits of LFSR-25 (this reveals all of LFSR-25 except the highest bit) 25 This attack takes O(2 ) Clock back 24 bits, try both possibilities – this takes O(2) Verify the key

slide 11

DeCSS

x In CSS, disk key is encrypted under hundreds of different player keys

• … including Xing, a software DVD player

**x Reverse engineering object code of Xing revealed its decryption key
**

• Recall that every CSS disk contains the master disk key encrypted under Xing’s key • One bad player ⇒ entire system is broken!

**x Easy-to-use DeCSS software
**

slide 12

DeCSS Aftermath

x DVD CCA sued Jon Lech Johansen, one of DeCSS authors (eventually dropped) x Publishing DeCSS code violates copyright

• Underground distribution as haikus and T-shirts

– “Court to address DeCSS T-Shirt: When can a T-shirt become a trade secret? When it tells you how to copy a DVD.” - From Wired News

slide 13

- CS461 09.CryptographyUploaded byAb Godwin
- e-voting using pgpUploaded byprvigneshkumar
- A Decentralized Self-Adaptation Mechanism ForUploaded byMuthu Samy
- File Locking System Using Aes AlgorithmUploaded bydhana pal
- As NZS ISO IEC 18033.4-2006 Information Technology - Security Techniques - Encryption Algorithms Stream CipheUploaded bySAI Global - APAC
- 510Uploaded byKumpulan Dzb
- Trust Based CP-ABE for DTNUploaded byInternational Journal of Innovative Science and Research Technology
- How PGP WorksUploaded byAlexandru Botez
- Stochastic ModelingUploaded byEileen Flores Romero
- Java Web LogicUploaded bybedorlehacker
- Principle of Security QAUploaded byBen Evado
- A Review on Key-Aggregate Cryptosystem for Scalable Data Sharing in Cloud StorageUploaded byesatjournals
- Pseddo Random Numbers Generator Using Deterministic Chaotic SystemUploaded byIJSTR Research Publication
- RC4 Encryption Technique by ABHAYA KUMARUploaded byAbhaya Pradhan
- TQP Development v. TracFone WirelessUploaded byPriorSmart
- IPU MCA Advance Computer Network Lecture wise Notes(Lec32 (Key Predistribution))Uploaded byVaibhav Jain
- EncryptionUploaded byRicardo Gómez Paredes
- NestedUploaded bycabdilahiingiris
- Information Governance Policy and Management FrameworkUploaded byhangga t s
- Adv of EncryptionUploaded byDevendra Kumar
- Dynamic Cryptographic Authentication AppliedUploaded byInternational Journal of Research in Engineering and Technology
- it6011 sayedhasanmahfoodh 201501553 project2Uploaded byapi-413173067
- A Survey on Security in Wireless Sensor NetworksUploaded byAIRCC - IJNSA
- IJETR021515Uploaded byerpublication
- Main DocumentUploaded byPadmanaban Thirumurthi
- A CRYPTOGRAPHIC MUTUAL AUTHENTICATION SCHEME FOR WEB APPLICATIONSUploaded byAIRCC - IJNSA
- 1-s2.0-S1742287615000481-mainUploaded byAkhmad Zulfikar
- De Thi Va Dap an Thi Vao 10 Chuyen AnhUploaded bymr hanh
- Cyber CrimeUploaded bynemonizer
- APPLICATION OF CLASSICAL ENCRYPTION TECHNIQUES FOR SECURING DATA- A THREADED APPROACHUploaded byJames Moreno

- javascriptUploaded byraj4raj
- advancedjavascriptUploaded byraj4raj
- 22-javascript-2Uploaded byraj4raj
- ajaxworldUploaded byraj4raj
- JavaScriptBasicsUploaded byraj4raj
- UsingCascadingStyleSheets CssBasicsUploaded byraj4raj
- CSS3Uploaded byraj4raj
- first things first finalUploaded byraj4raj
- css2Uploaded byraj4raj
- Advanced CSSUploaded byraj4raj
- CCT8-FROMMELT-PRUploaded byraj4raj
- CSSUploaded byraj4raj