-
In this segment, I want to give a few
examples of stream ciphers that are used in practice.
-
I'm gonna start with two old
examples that actually are not
-
supposed to be used in new systems.
But nevertheless, they're still fairly
-
widely used, and so I just want to mention
the names so that you're familiar with
-
these concepts. The first stream cipher I
want to talk about is called RC4, designed
-
back in 1987. And I'm only gonna give you
the high-level description of it, and then
-
we'll talk about some weaknesses of RC4
and leave it at that. So RC4 takes a
-
variable size seed, here I just gave
as an example where it would take 128
-
bits as the seed size, which would then
be used as the key for the stream cipher.
-
The first thing it does, is it expands the
128-bit secret key into 2,048 bits, which
-
are gonna be used as the internal state
for the generator. And then, once it's done
-
this expansion, it basically executes a
very simple loop, where every iteration of
-
this loop outputs one byte of output. So,
essentially, you can run the generator for
-
as long as you want, and generate one byte
at a time. Now RC4 is actually, as I said,
-
fairly popular. It's used in the HTTPS
protocol quite commonly actually.
-
These days, for example, Google uses RC4 in its
HTTPS. It's also used in WEP as we
-
discussed in the last segment, but of
course in WEP, it's used incorrectly and
-
it's completely insecure the way it's used
inside of WEP. So over the years,
-
some weaknesses have been found in RC4, and as a
result, it's recommended that new projects
-
actually not use RC4 but rather use a more
modern pseudo-random generator as we'll
-
discuss toward the end of the segment. So
let me just mention two of the weaknesses.
-
So the first one is, it's kind of bizarre
basically, if you look at the second byte
-
of the output of RC4. It turns out the
second byte is slightly biased. If RC4 was
-
completely random, the probability that the
second byte happens to be equal to zero
-
would be exactly one over 256. There are
256 possible bytes, the probability that
-
it's zero should be one over 256. It so
happens that for RC4 the probability is
-
actually two over 256, which means that if
you use the RC4 output to encrypt a
-
message the second byte is likely to not
be encrypted at all. In other words it'll
-
be XOR-ed with zero with twice the
probability that it's supposed to.
-
So two over 256, instead of one over 256.
And by the way I should say that there's
-
nothing special about the second byte. It
turns out the first and the third bytes
-
are also biased. And in fact it's now
recommended that if you're gonna use RC4,
-
what you should do is ignore basically the
first 256 bytes of the output and just
-
start using the output of the generator
starting from byte 257. The first couple
-
of bytes turned out to be biased, so you
just ignore them. The second attack that
-
was discovered is that in fact if you look
at a very long output of RC4 it so happens
-
that you're more likely to get the
sequence 00. In other words, you're more
-
likely to get sixteen bits, two bytes of
zero, zero, than you should. Again, if RC4
-
was completely random the probability of
seeing zero, zero would be exactly 1/256
-
squared. It turns out RC4 is a little
biased and the bias is 1/256 cubed. It
-
turns out this bias actually starts after
several gigabytes of data are produced by
-
RC4. But nevertheless, this is something
that can be used to predict the generator
-
and definitely it can be used to
distinguish the output of the generator
-
from a truly random sequence. Basically the
fact that zero, zero appears more often
-
than it should is the distinguisher. And
then in the last segment we talked about
-
related-key attacks that were used to
attack WEP, that basically say that
-
if one uses keys that are closely related
to one another then it's actually possible
-
to recover the root key. So these are the
weaknesses that are known of RC4 and, as a
-
result, it's recommended that new systems
actually not use RC4 and instead use a
-
modern pseudo-random generator. Okay,
second example I want to give you is a
-
badly broken stream cipher that's used for
encrypting DVD movies. When you buy a DVD
-
in the store, the actual movie is
encrypted using a stream cipher called the
-
content scrambling system, CSS. CSS turns
out to be a badly broken stream cipher,
-
and we can very easily break it, and I
want to show you how the attack algorithm
-
works. We're doing it so you can see an
example of an attack algorithm, but in
-
fact, there are many systems out there
that basically use this attack to decrypt
-
encrypted DVDs. So the CSS stream cipher
is based on something that hardware
-
designers like. It's designed to be a
hardware stream cipher that is supposed to
-
be easy to implement in hardware, and is
based on a mechanism called a linear
-
feedback shift register. So a linear
feedback shift register is basically a register
-
that consists of cells where
each cell contains one bit. Then basically
-
what happens is there are these taps into
certain cells, not all the cells, certain
-
positions are called taps. And then these
taps feed into an XOR and then at
-
every clock cycle, the shift register
shifts to the left. The last bit falls off
-
and then the first bit becomes the result
of this XOR. So you can see that
-
this is a very simple mechanism to implement, and in hardware takes very few
-
transistors. Just the shift right, the
last bit falls off and the first bit just
-
becomes the XOR of the previous
bits. So the seed for this LFSR
-
basically, is the initial state of the
LFSR.
-
And it is the basis of a number of stream
ciphers. So here are some examples. So, as
-
I said, DVD encryption uses two LFSRs.
I'll show you how that works in just a
-
second. GSM encryption, these are
algorithms called A51 and A52. And that
-
uses three LFSRs. Bluetooth encryption is
an algorithm called, E zero. These are all
-
stream ciphers, and that uses four LFSRs.
Turns out all of these are badly broken,
-
and actually really should not be trusted
for encrypting traffic, but they're all
-
implemented in hardware, so it's a little
difficult now to change what the hardware
-
does. But the simplest of these, CSS,
actually has a cute attack on it, so let
-
me show you how the attack works. So,
let's describe how CSS actually works. So,
-
the key for CSS is five bytes, namely 40
bits, five times eight is 40 bits. The
-
reason they had to limit themselves to
only 40 bits is that DVD encryption was
-
designed at a time where U.S. Export
regulations only allowed for export of
-
crpyto algorithms where the key was
only 40 bits. So the designers of CSS were
-
already limited to very, very short keys.
Just 40 bit keys. So, their design works
-
as follows. Basically, CSS uses two
LFSR's. One is a 17-bit LFSR. In other words,
-
the register contains
17 bits. And the other one is a 25-bit LFSR,
-
it's a little bit longer, 25-bit
LFSR. And the way these LFSRs are seeded
-
is as follows. So the key for the
encryption, basically looks as follows.
-
You start off with a one, and you concatenate to it the first two bytes of
-
the key. And that's the initial state of the LFSR.
-
And then the second LFSR basically is intitialized the same way.
-
One concatenated the last three bytes of
the key. And that's
-
loaded into the initial state of the LFSR.
You can see that the first two bytes are
-
sixteen bits, plus leading one, that's
seventeen bits overall, whereas the second
-
LFSR is 24 bits plus one which is 25 bits.
And you notice we used all five bits of
-
the key. So then these LFSRs are basically
run for eight cycles, so they generate
-
eight bits of output. And then they go
through this adder that does basically
-
addition modulo 256. Yeah so this is an
addition box, modulo 256. There's one more
-
technical thing that happens. In fact let's
actually—also added is the carry from the
-
previous block. But that is not so
important. That's a detail that's not so
-
relevant. OK, so every block, you notice
we're doing addition modulo 256 and
-
we're ignoring the carry, but the carry is
basically added as a zero or a one to the
-
addition of the next block. Okay? And then
basically this output one byte per round.
-
Okay, and then this byte is then of course
used, XOR-ed with the appropriate
-
byte of the movie that's being encrypted.
Okay, so it's a very simple stream
-
cipher, it takes very little hardware to
implement. It will run fast, even on very
-
cheap hardware and it will encrypt movies.
So it turns out this is easy to break
-
in time roughly two to the seventeen. Now let me show you how.
-
So suppose you
intercept the movies, so here we have an
-
encrypted movie that you want to decrypt.
So let's say that this is all encrypted so
-
you have no idea what's inside of here.
However, it so happens that just because
-
DVD encryption is using MPEG files, it so
happens if you know of a prefix of the
-
plaintext, let's just say maybe this is
twenty bytes. Well, we know if you
-
XOR these two things together, so in other words, you do the XOR here,
-
what you'll get is the initial segment of the PRG. So, you'll get the
-
first twenty bytes of the output of CSS,
the output of this PRG. Okay, so now
-
here's what we're going to do. So we have
the first twenty bytes of the output. Now
-
we do the following. We try all two to the
seventeen possible values of the first
-
LFSR. Okay? So two to the seventeen
possible values. So for each value, so for
-
each of these two to the seventeen initial
values of the LFSR, we're gonna run the
-
LFSR for twenty bytes, okay? So we'll
generate twenty bytes of outputs from this
-
first LFSR, assuming—for each one of the
two to the seventeen possible settings.
-
Now, remember we have the full output of
the CSS system. So what we can do is we
-
can take this output that we have. And
subtract it from the twenty bites that we
-
got from the first LFSR, and if in fact our
guess for the initial state of the first
-
LFSR is correct, what we should get
is the first twenty-byte output of the
-
second LFSR. Right? Because that's by
definition what the output of the CSS
-
system is. Now, it turns out that looking
at a 20-byte sequence, it's very easy
-
to tell whether this 20-byte sequence
came from a 25-bit LFSR or not. If it
-
didn't, then we know that our guess
for the 17-bit LFSR was
-
incorrect and then we move on to the next
guess for the 17-bit LFSR and
-
the next guess and so on and so forth.
Until eventually we hit the right initial
-
state for the 17-bit LFSR, and
then we'll actually get, we'll see that
-
the 20 bytes that we get as the
candidate output for the 25-bit LFSR is
-
in fact a possible output for a 25-bit LFSR. And then, not only will we have
-
learned the correct initial state for the
17-bit LFSR, we will have also
-
learned the correct initial state of the
25-bit LFSR. And then we can predict the
-
remaining outputs of CSS, and of course,
using that, we can then decrypt the rest of
-
the movie. We can actually recover the
remaining plaintext. Okay. This is
-
things that we talked about before. So, I
said this a little quick, but hopefully,
-
it was clear. We're also going to be doing
a homework exercise on this type of stream
-
ciphers and you'll kind of get the point
of how these attack algorithms
-
work. And I should mention that there are
many open-source systems now that actually
-
use this method to decrypt CSS-encrypted
data. Okay, so now that we've seen two
-
weak examples, let's move on to better
examples, and in particular the better
-
pseudo-random generators come from what's
called the eStream Project. This is a
-
project that concluded in 2008, and they
qualify basically five different stream
-
ciphers, but here I want to present just
one. So first of all the parameters for
-
these stream ciphers are a little
different than what we're used to. So these
-
stream ciphers as normal they have a seed.
But in addition they also have, what's
-
called a nonce and we'll see what a
nonce is used for in just a minute. So
-
they take two inputs a seed and a nonce.
We'll see what the nonce is used for in
-
just a second. And the of course they
produce a very large output, so n here is
-
much, much, much bigger than s. Now, when
I say nonce, what I mean is a value that's
-
never going to repeat as long as the key
is fixed. And I'll explain that in more
-
detail in just a second. But for now, just
think of it as a unique value that never
-
repeats as long as the key is the same.
And so of course once you have this PRG,
-
you would encrypt, you get a stream cipher
just as before, except now as you see, the
-
PRG takes as input both the key and the
nonce. And the property of the nonce is
-
that the pair, k comma r, so the key comma
the nonce, is never—never repeats. It's
-
never used more than once. So the bottom
line is that you can reuse the key, reuse
-
the key, because the nonce makes the
pair unique, because k and r are only
-
used once. I'll say they're unique. Okay
so this nonce is kind of a cute trick that
-
saves us the trouble of moving to a new
key every time. Okay, so the particular
-
example from the eStream that I want to
show you is called Salsa twenty. It's a
-
stream cipher that's designed for both
software implementations and hardware
-
implementations. It's kind of interesting.
You realize that some stream ciphers are
-
designed for software, like RC4.
Everything it does is designed to make
-
software implementation run fast, whereas
other stream ciphers are designed for
-
hardware, like CSS, using an LFSR that's
particularly designed to make hardware
-
implementations very cheap. It's also, the
nice thing about that is that it's
-
designed so that it's both easy to
implement it in hardware and its software
-
implementation is also very fast. So let
me explain how Salsa works. Well, Salsa
-
takes either 128 or 256-bit keys. I'll
only explain the 128-bit version of Salsa.
-
So this is the seed. And then it also
takes a nonce, just as before, which
-
happens to be 64 bits. And then it'll
generate a large output. Now, how does it
-
actually work? Well, the function itself
is defined as follows. Basically, given
-
the key and the nonce, it will generate a
very long, well, a long pseudorandom
-
sequence, as long as necessary. And it'll do
it by using this function that I'll denote by
-
H. This function H takes three inputs.
Basically the key. Well, the seed k,
-
the nonce r, and then a counter that
increments from step to step. So it goes
-
from zero to one, two, three, four as long as
we need it to be. Okay? So basically,
-
by evaluating this H on this k r, but using
this incrementing counter, we can get a
-
sequence that's as long as we want. So all
I have to do is describe how this function
-
H works. Now, let me do that here for you.
The way it works is as follows. Well, we
-
start off by expanding the states into
something quite large which is 64 bytes
-
long, and we do that as follows. Basically
we stick a constant at the beginning, so
-
there's tao zero, these are four bytes,
it's a four byte constant, so the spec for
-
Salsa basically gives you the value for
tao zero. Then we put k in which is
-
sixteen bytes. Then we put another
constant. Again, this is four bytes. And
-
as I said, the spec basically specifies
what this fixed constant is. Then we put
-
the nonce, which is eight bytes. Then we
put the index. This is the counter zero,
-
one, two, three, four, which is another
eight bytes. Then we put another constant
-
tau two, which is another four bytes.
Then we put the key again, this is another
-
sixteen bytes. And then finally we put the
third constant, tau three, which is
-
another four bytes. Okay so as I said, if you
sum these up, you see that you get 64
-
bytes. So basically we've expanded the key
and the nonce and the counter into 64
-
bytes. Basically the key is repeated twice
I guess. And then what we do is we apply a
-
function, I'll call this functional little h.
Okay, so we apply this function, little h.
-
And this is a function that's one to one
so it maps 64 bytes to 64 bytes. It's a
-
completely invertible function, okay? So
this function h is, as I say, it's an
-
invertable function. So given the input
you can get the output and given the
-
output you can go back to the input. And
it's designed specifically so it's a- easy
-
to implement in hardware and b- on an x86,
it's extremely easy to implement because
-
x86 has this SSE2 instruction set which
supports all the operations you need to do
-
for this function. It's very, very fast.
As a result, Salsa has a very fast stream
-
cipher. And then it does this basically
again and again. So it applies this
-
function h again and it gets another 64
bytes. And so on and so forth, basically
-
it does this ten times. Okay so the whole
thing here, say repeats ten times, so
-
basically apply h ten times. And then by
itself, this is actually not quite random.
-
It's not gonna look random because like we
said, H is completely invertable. So given
-
this final output, it's very easy to
just invert h and then go back to the original
-
inputs and then test that the input has
the right structure. So you do one more
-
thing, which is to basically XOR the
inputs and the final outputs. Actually,
-
sorry. It's not an XOR. It's actually an
addition. So you do an addition word by
-
word. So if there are 64 bytes, you do a
word-by-word addition four bytes at a
-
time, and finally you get the 64-byte
output, and that's it. That's the whole
-
pseudo-random generator. So that, that's
the whole function, little h. And as I
-
explained, this whole construction here is
the function big H. And then you evaluate
-
big H by incrementing the counter I from
zero, one, two, three onwards. And that
-
will give you a pseudo-random sequence
that's as long as you need it to be. And
-
basically, there are no signifigant
attacks on this. This has security that's
-
very close to two to the 128. We'll see
what that means more precisely later on.
-
It's a very fast stream cipher, both in
hardware and in software. And, as far as
-
we can tell, it seems to be unpredictable
as required for a stream cipher. So I
-
should say that the eStream project
actually has five stream ciphers like
-
this. I only chose Salsa 'cause I think
it's the most elegant. But I can give you
-
some performance numbers here. So you can
see, these are performance numbers on a
-
2.2 gigahertz, you know, x86 type machine.
And you can see that RC4 actually is the
-
slowest. Because essentially, well it
doesn't really take advantage of the
-
hardware. It only does byte operations.
And so there's a lot of wasted cycles that
-
aren't being used. But the E-Stream
candidates, both Salsa and other
-
candidate called Sosemanuk. I should say these
are eStream finalists. These are
-
actually stream ciphers that are approved
by the eStream project. You can see that
-
they have achieved a significant rate.
This is 643 megabytes per second on this
-
architecture, more than enough for a movie
and these are actually quite impressive
-
rates. And so now you've seen examples of
two old stream ciphers that shouldn't be
-
used, including attacks on those stream ciphers.
You've seen what the modern stream ciphers
-
look like with this nonce. And you
see the performance numbers for these
-
modern stream ciphers so if you happen to
need a stream cipher you could use one of
-
the eStream finalists. In particular you
could use something like Salsa.
