Cryptography and Network Security, Chapter 7, Fifth Edition, by William Stallings. Chapter 7 – Pseudorandom Number Generation and Stream Ciphers (PowerPoint presentation).
Cryptography and Network Security
Chapter 7
Fifth Edition
by William Stallings

Chapter 7 – Pseudorandom Number Generation and Stream Ciphers

John wrote the letters of the alphabet under the letters in its first lines and tried it against the message. Immediately he knew that once more he had broken the code. It was extraordinary the feeling of triumph he had. He felt on top of the world. For not only had he done it, had he broken the July code, but he now had the key to every future coded message, since instructions as to the source of the next one must of necessity appear in the current one at the end of each month.
—Talking to Strange Men, Ruth Rendell
Random Numbers
  many uses of random numbers in cryptography
    nonces in authentication protocols to prevent replay
    session keys
    public key generation
    keystream for a one-time pad
  in all cases it's critical that these values be
    statistically random: uniform distribution, independent
    unpredictable: future values cannot be derived from previous values
  Nonce – Fresh randomness coming from Cryptographically Strong (pseudo)Random Source
  Diffie-Hellman key exchange (production of a session key) needs Fresh randomness coming from Cryptographically Strong (pseudo)Random Source
  Salt – Fresh randomness coming from Cryptographically Strong (pseudo)Random Source (Block cipher in this case)
  RSA – Fresh randomness coming from Cryptographically Strong (pseudo)Random Source
  Skype and other VoIP applications that encrypt the communication: One-time-pad fresh randomness coming from Cryptographically Strong (pseudo)Random Source
  Slot machines for gambling need fresh randomness coming from Cryptographically Strong (pseudo)Random Source: BIG money – STRONG LEGISLATIVE, STRONG CONTROLS
  Online gambling needs fresh randomness coming from Cryptographically Strong (pseudo)Random Source: BIG money – STRONG LEGISLATIVE, STRONG CONTROLS
Sources of Randomness
  True Random Number Generator
    Entropy source (physical source – keystroke timings, disk activity, mouse movements, …)
  Pseudo Random Number Generators
    Seed, and then the output comes from a deterministic algorithm
  Pseudo Random Functions
    Seed + context-specific values, and then the output comes from a deterministic algorithm
Requirements
  Must pass NIST SP 800-22 (A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications)
    15 separate tests
  Unpredictability
    Forward unpredictability
    Backward unpredictability
  Seed should come from a secure source (TRNG or else – like a huge pool of randomness)
Design methodologies for cryptographic sources of randomness
  Designed specifically to be PRNGs (PRFs)
  Using the existing cryptographic algorithms
    Symmetric block ciphers
    Asymmetric ciphers
    Hash functions and message authentication codes
Pseudorandom Number Generators (PRNGs)
  often use deterministic algorithmic techniques to create "random numbers"
    although not truly random
    can pass many tests of "randomness"
  known as "pseudorandom numbers"
  created by "Pseudorandom Number Generators (PRNGs)"
Pseudorandom Number Generators (PRNGs)
  The following two criteria are used to validate that a sequence of numbers is random:
    Uniform distribution: The distribution of numbers in the sequence should be uniform; that is, the frequency of occurrence of each of the numbers should be approximately the same.
    Independence: No one value in the sequence can be inferred from the others.
Linear Congruential Generator
  common iterative technique using:
    X_{n+1} = (a * X_n + c) mod m
  given suitable values of parameters can produce a long random-like sequence
  suitable criteria to have are:
    function generates a full period
    generated sequence should appear random
    efficient implementation with 32-bit arithmetic
  note that an attacker can reconstruct the sequence given a small number of values
  have possibilities for making this harder
Blum Blum Shub Generator
  based on public key algorithms
  use least significant bit from iterative equation:
    x_i = x_{i-1}^2 mod n
    where n = p * q, and primes p, q ≡ 3 (mod 4)
  unpredictable, passes next-bit test
  security rests on difficulty of factoring n
  is unpredictable given any run of bits
  slow, since very large numbers must be used
  too slow for cipher use, good for key generation
  Example: n = 192649 = 383 × 503, s = 101355
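The BBS iteration as an added example (not the slides' code), run with the slide's own parameters n = 192649 = 383 × 503 and seed s = 101355. Those numbers are far too small for real use and only illustrate the mechanics; the function also enforces the two preconditions the slide states (p, q ≡ 3 mod 4) and the usual requirement that the seed be coprime to n.

```python
# Added example: Blum Blum Shub, x_i = x_{i-1}^2 mod n, emitting the LSB of each x_i.
from math import gcd


def bbs_check_parameters(p, q, s):
    """Validate the BBS preconditions: p, q ≡ 3 (mod 4) and gcd(s, p*q) = 1.
    Primality of p and q is taken as given (the slide supplies primes)."""
    if p % 4 != 3 or q % 4 != 3:
        raise ValueError("p and q must both be congruent to 3 mod 4")
    n = p * q
    if gcd(s, n) != 1:
        raise ValueError("seed must be relatively prime to n")
    return n


def bbs_states(p, q, s, count):
    """Return [x_0, x_1, ..., x_count] with x_0 = s^2 mod n and x_i = x_{i-1}^2 mod n."""
    n = bbs_check_parameters(p, q, s)
    states = [pow(s, 2, n)]
    for _ in range(count):
        states.append(pow(states[-1], 2, n))
    return states


def bbs_bits(p, q, s, count):
    """Output bits B_i = x_i mod 2 for i = 1..count (x_0 itself is not emitted)."""
    return [x & 1 for x in bbs_states(p, q, s, count)[1:]]


def bits_to_int(bits):
    """Pack a list of 0/1 values into an integer, most significant bit first."""
    value = 0
    for b in bits:
        value = (value << 1) | b
    return value


if __name__ == "__main__":
    # Slide parameters: n = 192649 = 383 * 503, s = 101355
    for i, x in enumerate(bbs_states(383, 503, 101355, 10)):
        print(i, x, "" if i == 0 else x & 1)
```

With these parameters x_0 = 20749, then x_1 = 143135, x_2 = 177671, x_3 = 97048, x_4 = 89992, giving the first output bits 1, 1, 0, 0. Each step is one modular squaring of a number the size of n, which is why the slide calls the generator too slow for a keystream but acceptable for key generation.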
Using Block Ciphers as PRNGs
  for cryptographic applications, can use a block cipher to generate random numbers
  often for creating session keys from a master key
  Counter Mode
    X_i = E_Km[i]
  Output Feedback Mode
    X_i = E_Km[X_{i-1}]
  ANSI X9.17 PRG
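The three constructions on this slide as an added example (not the slides' or Stallings' code): counter mode X_i = E_Km[i], output feedback mode X_i = E_Km[X_{i-1}], and the ANSI X9.17 generator, whose structure (R_i = E_K[V_i XOR E_K[DT_i]], V_{i+1} = E_K[R_i XOR E_K[DT_i]]) follows Stallings' description. The Python standard library has no block cipher, so the function E below is a stand-in for E_K built from HMAC-SHA256 truncated to 16 bytes; in a real implementation it would be AES (or triple DES for X9.17). The keys, seeds and date/time blocks used in the demo are constructed.

```python
# Added example: block-cipher PRNG modes. E() is a keyed-PRF STAND-IN for
# the block cipher E_K, not a real cipher; swap in AES for real use.
import hashlib
import hmac
import time

BLOCK = 16  # block size of the stand-in cipher, in bytes


def E(key, block):
    """Stand-in for E_K[block]: HMAC-SHA256 truncated to BLOCK bytes."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def counter_mode_prng(master_key, count, start=0):
    """X_i = E_Km[i]: encrypt a running counter; random access to any X_i."""
    return [E(master_key, i.to_bytes(BLOCK, "big")) for i in range(start, start + count)]


def ofb_mode_prng(master_key, iv, count):
    """X_i = E_Km[X_{i-1}]: each output is fed back as the next input."""
    out, x = [], iv
    for _ in range(count):
        x = E(master_key, x)
        out.append(x)
    return out


class X917:
    """ANSI X9.17 PRNG (structure after Stallings; E stands in for the cipher).

    Per step, with date/time block DT_i and secret seed V_i:
        T       = E_K[DT_i]
        R_i     = E_K[T XOR V_i]    -- the output block
        V_{i+1} = E_K[T XOR R_i]    -- the next seed
    """

    def __init__(self, key, seed):
        self.key = key
        self.v = seed  # V_i, must stay secret

    def next_block(self, dt=None):
        if dt is None:  # real use: fresh date/time each call
            dt = time.time_ns().to_bytes(BLOCK, "big")
        t = E(self.key, dt)
        r = E(self.key, xor(t, self.v))
        self.v = E(self.key, xor(t, r))
        return r


if __name__ == "__main__":
    km = b"constructed-master-key"
    print("CTR:", [x.hex() for x in counter_mode_prng(km, 2)])
    print("OFB:", [x.hex() for x in ofb_mode_prng(km, b"\x00" * BLOCK, 2)])
    g = X917(km, b"\x01" * BLOCK)
    print("X9.17:", g.next_block().hex())
```

Counter mode gives random access to any X_i, while OFB must be run sequentially; X9.17 adds a second secret (the seed V) that is refreshed after every output, so a compromise of one output block does not hand over the generator state.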
Published Sources
  a few published collections of random numbers
  Rand Co, in 1955, published 1 million numbers
    generated using an electronic roulette wheel
    has been used in some cipher designs, cf. Khafre
  earlier, Tippett in 1927 published a collection
  issues are that:
    these are limited
    too well-known for most uses
Stream Ciphers
  process message bit by bit (as a stream)
  have a pseudo random keystream
  combined (XOR) with plaintext bit by bit
  randomness of stream key completely destroys statistical properties in message
    C_i = M_i XOR StreamKey_i
  but must never reuse stream key
    otherwise can recover messages (cf. book cipher)
Stream Cipher StructureStream Cipher Structure
Stream Cipher Properties
  some design considerations are:
    long period with no repetitions
    statistically random
    depends on large enough key
    large non-linear complexity
  properly designed, can be as secure as a block cipher with same size key
  but usually simpler & faster
RC4
  a proprietary cipher owned by RSA DSI
  another Ron Rivest design, simple but effective
  variable key size, byte-oriented stream cipher
  widely used (web SSL/TLS, wireless WEP)
  key forms random permutation of all 8-bit values
  uses that permutation to scramble input info processed a byte at a time
RC4 Key Schedule
  starts with an array S of numbers: 0..255
  use key to well and truly shuffle
  S forms internal state of the cipher

    for i = 0 to 255 do
      S[i] = i
      T[i] = K[i mod keylen]
    j = 0
    for i = 0 to 255 do
      j = (j + S[i] + T[i]) (mod 256)
      swap (S[i], S[j])
RC4 Encryption
  encryption continues shuffling array values
  sum of shuffled pair selects "stream key" value from permutation
  XOR S[t] with next byte of message to en/decrypt

    i = j = 0
    for each message byte M_i
      i = (i + 1) (mod 256)
      j = (j + S[i]) (mod 256)
      swap(S[i], S[j])
      t = (S[i] + S[j]) (mod 256)
      C_i = M_i XOR S[t]
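The key schedule and encryption loop from the two RC4 slides, written out in Python as an added example (not the slides' own code), checked against the commonly published RC4 test vector (key "Key", plaintext "Plaintext" encrypts to bbf316e8d940af0ad3). It also illustrates the Stream Ciphers slide's warning about reusing a stream key: two ciphertexts made with the same keystream XOR to the XOR of the two plaintexts, because the keystream cancels out, so the relationship between the messages leaks regardless of the key. The keys and messages in the demo are constructed.

```python
# Added example: RC4 from the slide pseudocode, plus the keystream-reuse property.


def rc4_key_schedule(key):
    """Key-scheduling algorithm: derive the permutation S from the key bytes."""
    keylen = len(key)
    S = list(range(256))
    T = [key[i % keylen] for i in range(256)]
    j = 0
    for i in range(256):
        j = (j + S[i] + T[i]) % 256
        S[i], S[j] = S[j], S[i]
    return S


def rc4_keystream(key, length):
    """Generate `length` keystream bytes (the S[t] values of the slide)."""
    S = rc4_key_schedule(key)
    i = j = 0
    out = bytearray()
    for _ in range(length):
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        t = (S[i] + S[j]) % 256
        out.append(S[t])
    return bytes(out)


def rc4_crypt(key, data):
    """C_i = M_i XOR S[t]; because XOR is its own inverse, this also decrypts."""
    ks = rc4_keystream(key, len(data))
    return bytes(m ^ k for m, k in zip(data, ks))


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def keystream_reuse_leak(key, m1, m2):
    """What one reused keystream leaks: C1 XOR C2 == M1 XOR M2, independent of
    the key. Returns (C1 XOR C2, M1 XOR M2) over the common length so the
    caller can compare them."""
    c1 = rc4_crypt(key, m1)
    c2 = rc4_crypt(key, m2)
    n = min(len(c1), len(c2))
    return xor_bytes(c1[:n], c2[:n]), xor_bytes(m1[:n], m2[:n])


if __name__ == "__main__":
    print(rc4_crypt(b"Key", b"Plaintext").hex())          # bbf316e8d940af0ad3
    leak, truth = keystream_reuse_leak(b"constructed-key",
                                       b"meeting at noon", b"meeting at nine")
    print(leak == truth)                                   # True
```

The keystream depends only on the key, so two messages under one key are in effect a two-time pad; the fix is a per-message nonce mixed into the key, which is exactly the "key handling" point made about WEP on the next slide.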
RC4 OverviewRC4 Overview
RC4 Security
  claimed secure against known attacks
    have some analyses, none practical
  result is very non-linear
  since RC4 is a stream cipher, must never reuse a key
  have a concern with WEP, but due to key handling rather than RC4 itself
  RC4 is theoretically considered as broken but practically it is not
True Random Number Generators
  best source is natural randomness in real world
  find a regular but random event and monitor
  do generally need special h/w to do this
    eg. radiation counters, radio noise, audio noise, thermal noise in diodes, leaky capacitors, mercury discharge tubes etc
  starting to see such h/w in new CPUs
  problems of bias (skew) or uneven distribution in signal
    have to compensate for this when sampling and using
    only use a few noisiest bits from each sample
    hash the output of the biased source with a cryptographic hash function (MD5, SHA-1, SHA-2, ...)
    RFC 4086 – recommends collecting input from multiple sources and then hashing
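An added example (not from the slides) that serves two slides at once: the Requirements slide's "must pass NIST SP 800-22" and this slide's bias compensation. It simulates a skewed physical source (a seeded Python PRNG standing in for hardware noise; constructed, not a real entropy source), runs the SP 800-22 frequency (monobit) test on the raw bits, then conditions pooled samples with SHA-256 as the slide and RFC 4086 recommend and runs the test again. The pool size of 1024 raw bits per 256-bit digest is an assumption chosen so each pool carries more entropy than the digest it produces.

```python
# Added example: conditioning a biased source by hashing, checked with the
# SP 800-22 monobit test. The "source" is a constructed simulation.
import hashlib
import math
import random


def simulated_biased_source(n_bits, p_one=0.8, seed=1):
    """Constructed stand-in for a skewed hardware source: each bit is 1 with
    probability p_one. Seeded so the demo is repeatable."""
    rng = random.Random(seed)
    return [1 if rng.random() < p_one else 0 for _ in range(n_bits)]


def bits_to_bytes(bits):
    out = bytearray()
    for k in range(0, len(bits) - len(bits) % 8, 8):
        byte = 0
        for b in bits[k:k + 8]:
            byte = (byte << 1) | b
        out.append(byte)
    return bytes(out)


def bytes_to_bits(data):
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def monobit_test(bits):
    """NIST SP 800-22 frequency (monobit) test: returns the p-value.
    The suite treats p >= 0.01 as passing."""
    n = len(bits)
    s = sum(2 * b - 1 for b in bits)       # +1 per one, -1 per zero
    s_obs = abs(s) / math.sqrt(n)
    return math.erfc(s_obs / math.sqrt(2))


def condition(raw_bits, pool_bits=1024):
    """Hash each pool of raw samples with SHA-256 and concatenate the digests.
    With 1024-bit pools the output is one quarter the length of the input;
    the pool must hold at least as much entropy as the 256-bit digest, which
    holds here since a bit with P(1) = 0.8 still carries about 0.72 bits."""
    raw = bits_to_bytes(raw_bits)
    pool_bytes = pool_bits // 8
    out = bytearray()
    for k in range(0, len(raw) - len(raw) % pool_bytes, pool_bytes):
        out += hashlib.sha256(raw[k:k + pool_bytes]).digest()
    return bytes_to_bits(bytes(out))


def demo(n_bits=65536):
    """Return (p-value of raw bits, p-value of conditioned bits, conditioned length)."""
    raw = simulated_biased_source(n_bits)
    cond = condition(raw)
    return monobit_test(raw), monobit_test(cond), len(cond)


if __name__ == "__main__":
    p_raw, p_cond, n = demo()
    print(f"raw monobit p = {p_raw:.3g} (fails), conditioned p = {p_cond:.3g}, {n} bits out")
```

Passing the monobit test after hashing does not prove the output is unpredictable: a hash of a low-entropy input is still low-entropy, just well-distributed. The test catches skew; only an honest estimate of the source's entropy per sample, and a pool sized to match, justifies the 256 bits taken from each digest.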
Summary
  have considered:
    Random Number Generation issues
    Stream Ciphers