Stream Cipher Attacks
   HOME

TheInfoList



OR:

Stream cipher stream cipher is a symmetric key cipher where plaintext digits are combined with a pseudorandom cipher digit stream (keystream). In a stream cipher, each plaintext digit is encrypted one at a time with the corresponding digit of the keystream ...
s, where
plaintext In cryptography, plaintext usually means unencrypted information pending input into cryptographic algorithms, usually encryption algorithms. This usually refers to data that is transmitted or stored unencrypted. Overview With the advent of comp ...
bits are combined with a cipher bit stream by an exclusive-or operation (
xor Exclusive or or exclusive disjunction is a logical operation that is true if and only if its arguments differ (one is true, the other is false). It is symbolized by the prefix operator J and by the infix operators XOR ( or ), EOR, EXOR, , ...
), can be very secure if used properly. However, they are vulnerable to attacks if certain precautions are not followed: *keys must never be used twice *valid decryption should never be relied on to indicate authenticity


Reused key attack

Stream cipher stream cipher is a symmetric key cipher where plaintext digits are combined with a pseudorandom cipher digit stream (keystream). In a stream cipher, each plaintext digit is encrypted one at a time with the corresponding digit of the keystream ...
s are vulnerable to attack if the same key is used twice (depth of two) or more. Say we send messages ''A'' and ''B'' of the same length, both encrypted using same key, ''K''. The stream cipher produces a string of bits ''C(K)'' the same length as the messages. The encrypted versions of the messages then are: :''E(A) = A xor C'' :''E(B) = B xor C'' where ''xor'' is performed bit by bit. Say an adversary has intercepted ''E(A)'' and ''E(B)''. He can easily compute: :''E(A) xor E(B)'' However, ''xor'' is
commutative In mathematics, a binary operation is commutative if changing the order of the operands does not change the result. It is a fundamental property of many binary operations, and many mathematical proofs depend on it. Most familiar as the name o ...
and has the property that ''X xor X = 0'' (self-inverse) so: :''E(A) xor E(B) = (A xor C) xor (B xor C) = A xor B xor C xor C = A xor B'' If one message is longer than the other, our adversary just truncates the longer message to the size of the shorter and his attack will only reveal that portion of the longer message. In other words, if anyone intercepts two messages encrypted with the same key, they can recover ''A xor B'', which is a form of
running key cipher In classical cryptography, the running key cipher is a type of polyalphabetic substitution cipher in which a text, typically from a book, is used to provide a very long keystream. Usually, the book to be used would be agreed ahead of time, while ...
. Even if neither message is known, as long as both messages are in a natural language, such a cipher can often be broken by paper-and-pencil methods. During
World War II World War II or the Second World War, often abbreviated as WWII or WW2, was a world war that lasted from 1939 to 1945. It involved the vast majority of the world's countries—including all of the great powers—forming two opposin ...
, British cryptanalyst
John Tiltman Brigadier John Hessell Tiltman, (25 May 1894 – 10 August 1982) was a British Army officer who worked in intelligence, often at or with the Government Code and Cypher School (GC&CS) starting in the 1920s. His intelligence work was largely conn ...
accomplished this with the
Lorenz cipher The Lorenz SZ40, SZ42a and SZ42b were German rotor stream cipher machines used by the German Army during World War II. They were developed by C. Lorenz AG in Berlin. The model name ''SZ'' was derived from ''Schlüssel-Zusatz'', meaning ''cipher ...
(dubbed "Tunny"). With an average
personal computer A personal computer (PC) is a multi-purpose microcomputer whose size, capabilities, and price make it feasible for individual use. Personal computers are intended to be operated directly by an end user, rather than by a computer expert or tec ...
, such ciphers can usually be broken in a matter of minutes. If one message is known, the solution is trivial. Another situation where recovery is trivial is if
traffic-flow security Traffic analysis is the process of intercepting and examining messages in order to deduce information from patterns in communication, it can be performed even when the messages are encrypted. In general, the greater the number of messages observed ...
measures have each station sending a continuous stream of cipher bits, with null characters (e.g. ''LTRS'' in Baudot) being sent when there is no real traffic. This is common in military communications. In that case, and if the transmission channel is not fully loaded, there is a good likelihood that one of the ciphertext streams will be just nulls. The
NSA The National Security Agency (NSA) is a national-level intelligence agency of the United States Department of Defense, under the authority of the Director of National Intelligence (DNI). The NSA is responsible for global monitoring, collectio ...
goes to great lengths to prevent keys from being used twice. 1960s-era encryption systems often included a
punched card A punched card (also punch card or punched-card) is a piece of stiff paper that holds digital data represented by the presence or absence of holes in predefined positions. Punched cards were once common in data processing applications or to di ...
reader for loading keys. The mechanism would automatically cut the card in half when the card was removed, preventing its reuse. One way to avoid this problem is to use an
initialization vector In cryptography, an initialization vector (IV) or starting variable (SV) is an input to a cryptographic primitive being used to provide the initial state. The IV is typically required to be random or pseudorandom, but sometimes an IV only needs to ...
(IV), sent in the clear, that is combined with a secret master key to create a one-time key for the stream cipher. This is done in several common systems that use the popular stream cipher
RC4 In cryptography, RC4 (Rivest Cipher 4, also known as ARC4 or ARCFOUR, meaning Alleged RC4, see below) is a stream cipher. While it is remarkable for its simplicity and speed in software, multiple vulnerabilities have been discovered in RC4, ren ...
, including
Wired Equivalent Privacy Wired Equivalent Privacy (WEP) was a security algorithm for 802.11 wireless networks. Introduced as part of the original IEEE 802.11 standard ratified in 1997, its intention was to provide data confidentiality comparable to that of a traditional wi ...
(WEP),
Wi-Fi Protected Access Wi-Fi Protected Access (WPA), Wi-Fi Protected Access II (WPA2), and Wi-Fi Protected Access 3 (WPA3) are the three security and security certification programs developed after 2000 by the Wi-Fi Alliance to secure wireless computer networks. The All ...
(WPA) and
Ciphersaber CipherSaber is a simple symmetric encryption protocol based on the RC4 stream cipher. Its goals are both technical and political: it gives reasonably strong protection of message confidentiality, yet it's designed to be simple enough that even no ...
. One of the many problems with WEP was that its IV was too short, 24 bits. This meant that there was a high likelihood that the same IV would be used twice if more than a few thousand packets were sent with the same master key (see
birthday attack A birthday attack is a type of cryptographic attack that exploits the mathematics behind the birthday problem in probability theory. This attack can be used to abuse communication between two or more parties. The attack depends on the higher likeli ...
), subjecting the packets with duplicated IV to the key reuse attack. This problem was fixed in WPA by changing the "master" key frequently.


Bit-flipping attack

Suppose an adversary knows the exact content of all or part of one of our messages. As a part of a
man in the middle attack In cryptography and computer security, a man-in-the-middle, monster-in-the-middle, machine-in-the-middle, monkey-in-the-middle, meddler-in-the-middle, manipulator-in-the-middle (MITM), person-in-the-middle (PITM) or adversary-in-the-middle (AiTM) ...
or
replay attack A replay attack (also known as a repeat attack or playback attack) is a form of network attack in which valid data transmission is maliciously or fraudulently repeated or delayed. This is carried out either by the originator or by an adversary wh ...
, he can alter the content of the message without knowing the key, ''K''. Say, for example, he knows a portion of the message, say an electronics fund transfer, contains the
ASCII ASCII ( ), abbreviated from American Standard Code for Information Interchange, is a character encoding standard for electronic communication. ASCII codes represent text in computers, telecommunications equipment, and other devices. Because of ...
string ''"$1000.00"''. He can change that to ''"$9500.00"'' by XORing that portion of the ciphertext with the string: ''"$1000.00" xor "$9500.00"''. To see how this works, consider that the cipher text we send is just ''C(K) xor "$1000.00"''. The new message the adversary is creating is: :''(C(K) xor "$1000.00") xor ("$1000.00" xor "$9500.00") = C(K) xor "$1000.00" xor "$1000.00" xor "$9500.00" = C(K) xor "$9500.00"'' Recall that a string
XORed Exclusive or or exclusive disjunction is a Logical connective, logical operation that is true if and only if its arguments differ (one is true, the other is false). It is Table of logic symbols, symbolized by the prefix operator J and by the ...
with itself produces all zeros and that a string of zeros XORed with another string leaves that string intact. The result, C(K) xor "$9500.00", is what our ciphertext would have been if $9500 were the correct amount. Bit-flipping attacks can be prevented by including
message authentication code In cryptography, a message authentication code (MAC), sometimes known as a ''tag'', is a short piece of information used for authenticating a message. In other words, to confirm that the message came from the stated sender (its authenticity) and ...
to increase the likelihood that tampering will be detected.


Chosen-IV attack

Stream ciphers combine a secret key with an agreed initialization vector (IV) to produce a pseudo-random sequence which from time-to-time is re-synchronized. A "Chosen IV" attack relies on finding particular IV's which taken together probably will reveal information about the secret key. Typically multiple pairs of IV are chosen and differences in generated key-streams are then analysed statistically for a linear
correlation In statistics, correlation or dependence is any statistical relationship, whether causal or not, between two random variables or bivariate data. Although in the broadest sense, "correlation" may indicate any type of association, in statistics ...
and/or an algebraic boolean relation (see also
Differential cryptanalysis Differential cryptanalysis is a general form of cryptanalysis applicable primarily to block ciphers, but also to stream ciphers and cryptographic hash functions. In the broadest sense, it is the study of how differences in information input can aff ...
). If choosing particular values of the initialization vector does expose a non-random pattern in the generated sequence, then this attack computes some bits and thus shortens the effective key length. A symptom of the attack would be frequent re-synchronisation. Modern stream ciphers include steps to adequately mix the secret key with an initialization vector, usually by performing many initial rounds.


References


External links


Security of the WEP algorithm

"Attacks in Stream Ciphers: A Survey"
– a brief 2014 overview of different stream cipher attacks
"Attacks on Stream Ciphers: A Perspective"
– talk slides from 2011 {{Cryptography navbox, stream Cryptographic attacks