Cryptography and Cryptography and Network SecurityNetwork Security

Chapter 7Chapter 7

Fifth EditionFifth Edition

by William Stallingsby William Stallings

Chapter 7 – Chapter 7 – Pseudorandom Pseudorandom Number Generation and Stream Number Generation and Stream

CiphersCiphersJohn wrote the letters of the alphabet under the letters in John wrote the letters of the alphabet under the letters in its first lines and tried it against the message. its first lines and tried it against the message. Immediately he knew that once more he had broken the Immediately he knew that once more he had broken the code. It was extraordinary the feeling of triumph he had. code. It was extraordinary the feeling of triumph he had. He felt on top of the world. For not only had he done it, He felt on top of the world. For not only had he done it, had he broken the July code, but he now had the key to had he broken the July code, but he now had the key to every future coded message, since instructions as to the every future coded message, since instructions as to the source of the next one must of necessity appear in the source of the next one must of necessity appear in the current one at the end of each month.current one at the end of each month.——Talking to Strange Men, Talking to Strange Men, Ruth RendellRuth Rendell

Random NumbersRandom Numbers

many uses of many uses of random numbersrandom numbers in cryptography in cryptography nonces in authentication protocols to prevent replaynonces in authentication protocols to prevent replay session keyssession keys public key generationpublic key generation keystream for a one-time padkeystream for a one-time pad

in all cases its critical that these values be in all cases its critical that these values be statistically random, uniform distribution, independentstatistically random, uniform distribution, independent unpredictability of future values from unpredictability of future values from previous valuesprevious values

Nonce – Fresh randomness coming from Cryptographically Strong (pseudo)Random Source

Nonce – Fresh randomness coming from Cryptographically Strong (pseudo)Random Source

Diffie-Hellman key exchange (production of a session key) needFresh randomness coming from Cryptographically Strong (pseudo)Random Source

Salt – Fresh randomness coming from Cryptographically Strong (pseudo)Random Source (Block cipher in this case)

RSA – Fresh randomness coming from Cryptographically Strong (pseudo)Random Source

Skype and other VoIP applications that encrypt the communication One-time-pad fresh randomness coming from Cryptographically Strong (pseudo)Random Source

Skype and other VoIP applications that encrypt the communication One-time-pad fresh randomness coming from Cryptographically Strong (pseudo)Random Source

Skype and other VoIP applications that encrypt the communication One-time-pad fresh randomness coming from Cryptographically Strong (pseudo)Random Source

Slot machines for gambling need fresh randomness coming from Cryptographically Strong (pseudo)Random Source BIG money – STRONG LEGISLATIVE, STRONG CONTROLS

Online gambling needs fresh randomness coming from Cryptographically Strong (pseudo)Random Source BIG money – STRONG LEGISLATIVE, STRONG CONTROLS

Sources of RandomnessSources of Randomness

True Random Number GeneratorTrue Random Number Generator Entropy source (physical source – keystroke Entropy source (physical source – keystroke

timings, disk activity, mouse movements, …)timings, disk activity, mouse movements, …) Pseudo Random Number GeneratorsPseudo Random Number Generators

Seed and then the output is coming from a Seed and then the output is coming from a deterministic algorithmdeterministic algorithm

Pseudo Random FunctionsPseudo Random Functions Seed + Context specific values and then the Seed + Context specific values and then the

output is coming from a deterministic algorithmoutput is coming from a deterministic algorithm

RequirementsRequirements

Must pass the NIST SP 800-22 (A Statistical Must pass the NIST SP 800-22 (A Statistical Test Suite for Random and Pseudorandom Test Suite for Random and Pseudorandom Number Generators for Cryptographic Number Generators for Cryptographic Algorithms)Algorithms) 15 separate tests15 separate tests

UnpredictabilityUnpredictability Forward unpredictabilityForward unpredictability Backward unpredictabilityBackward unpredictability

Seed should come from secure source (TRNG Seed should come from secure source (TRNG or else – like huge pool of randomness)or else – like huge pool of randomness)

Design methodologies for cryptographic Design methodologies for cryptographic sources of randomnesssources of randomness

Designed specifically to be PRNGs Designed specifically to be PRNGs (PRFs)(PRFs)

Using the existing cryptographic Using the existing cryptographic algorithmsalgorithms Symmetric block ciphersSymmetric block ciphers Asymmetric ciphersAsymmetric ciphers Hash functions and message authentication Hash functions and message authentication

codescodes

Pseudorandom Number Pseudorandom Number Generators (PRNGs)Generators (PRNGs)

often use deterministic algorithmic often use deterministic algorithmic techniques to create “random numbers”techniques to create “random numbers” although are not truly randomalthough are not truly random can pass many tests of “randomness”can pass many tests of “randomness”

known as “pseudorandom numbers”known as “pseudorandom numbers” created by “created by “Pseudorandom Number Pseudorandom Number

Generators (PRNGs)”Generators (PRNGs)”

Pseudorandom Number Pseudorandom Number Generators (PRNGs)Generators (PRNGs)

The following two criteria are used to validate The following two criteria are used to validate that a sequence of numbers is random:that a sequence of numbers is random: Uniform distribution: The distribution of numbers in Uniform distribution: The distribution of numbers in

the sequence should be uniform; that is, the the sequence should be uniform; that is, the frequency of occurrence of each of the numbers frequency of occurrence of each of the numbers should be approximately the same.should be approximately the same.

Independence: No one value in the sequence can be Independence: No one value in the sequence can be inferred from the others.inferred from the others.

Linear CongruentialLinear CongruentialGeneratorGenerator

common iterative technique using:common iterative technique using:XXnn+1+1 = ( = (aXaXnn + + cc) mod ) mod mm

given suitable values of parameters can produce a given suitable values of parameters can produce a long random-like sequencelong random-like sequence

suitable criteria to have are:suitable criteria to have are: function generates a full-periodfunction generates a full-period generated sequence should appear randomgenerated sequence should appear random efficient implementation with 32-bit arithmeticefficient implementation with 32-bit arithmetic

note that an attacker can reconstruct sequence note that an attacker can reconstruct sequence given a small number of valuesgiven a small number of values

have possibilities for making this harderhave possibilities for making this harder

Blum Blum Shub GeneratorBlum Blum Shub Generator

based on public key algorithmsbased on public key algorithms use least significant bit from iterative equation:use least significant bit from iterative equation:

xxii = x = xi-1i-122 mod n mod n

where where n=p.qn=p.q, and primes , and primes p,q=3 mod 4p,q=3 mod 4 unpredictable, passes unpredictable, passes next-bitnext-bit test test security rests on difficulty of factoring N security rests on difficulty of factoring N is unpredictable given any run of bits is unpredictable given any run of bits slow, since very large numbers must be usedslow, since very large numbers must be used too slow for cipher use, good for key generationtoo slow for cipher use, good for key generation Example: n=192649=383x503, s=101355 Example: n=192649=383x503, s=101355

Using Block Ciphers as PRNGsUsing Block Ciphers as PRNGs

for cryptographic applications, can use a block for cryptographic applications, can use a block cipher to generate random numberscipher to generate random numbers

often for creating session keys from master keyoften for creating session keys from master key Counter ModeCounter Mode

XXii = E = EKmKm[i][i]

Output Feedback ModeOutput Feedback ModeXXii = E = EKmKm[[XXi-1i-1]]

ANSI X9.17 PRGANSI X9.17 PRG

Published SourcesPublished Sources

a few published collections of random numbers a few published collections of random numbers Rand Co, in 1955, published 1 million numbers Rand Co, in 1955, published 1 million numbers

generated using an electronic roulette wheel generated using an electronic roulette wheel has been used in some cipher designs cf Khafre has been used in some cipher designs cf Khafre

earlier Tippett in 1927 published a collection earlier Tippett in 1927 published a collection issues are that:issues are that:

these are limitedthese are limited too well-known for most uses too well-known for most uses

Stream CiphersStream Ciphers

process message bit by bit (as a stream) process message bit by bit (as a stream) have a pseudo random have a pseudo random keystreamkeystream combined (XOR) with plaintext bit by bit combined (XOR) with plaintext bit by bit randomness of randomness of stream keystream key completely completely

destroys statistically properties in messagedestroys statistically properties in message CCii = M = Mii XOR StreamKey XOR StreamKeyii

but must never reuse stream keybut must never reuse stream key otherwise can recover messages (cf book otherwise can recover messages (cf book

cipher)cipher)

Stream Cipher StructureStream Cipher Structure

Stream Cipher PropertiesStream Cipher Properties

some design considerations are:some design considerations are: long period with no repetitions long period with no repetitions statistically random statistically random depends on large enough keydepends on large enough key large non-linear complexitylarge non-linear complexity

properly designed, can be as secure as a properly designed, can be as secure as a block cipher with same size keyblock cipher with same size key

but usually simpler & fasterbut usually simpler & faster

RC4RC4

a proprietary cipher owned by RSA DSI a proprietary cipher owned by RSA DSI another Ron Rivest design, simple but effectiveanother Ron Rivest design, simple but effective variable key size, byte-oriented stream cipher variable key size, byte-oriented stream cipher widely used (web SSL/TLS, wireless WEP) widely used (web SSL/TLS, wireless WEP) key forms random permutation of all 8-bit values key forms random permutation of all 8-bit values uses that permutation to scramble input info uses that permutation to scramble input info

processed a byte at a time processed a byte at a time

RC4 Key Schedule RC4 Key Schedule

starts with an array S of numbers: 0..255 starts with an array S of numbers: 0..255 use key to well and truly shuffle use key to well and truly shuffle S forms S forms internal stateinternal state of the cipher of the cipher

for i = 0 to 255 dofor i = 0 to 255 doS[i] = iS[i] = iT[i] = K[i mod keylen])T[i] = K[i mod keylen])

j = 0j = 0for i = 0 to 255 do for i = 0 to 255 do

j = (j + S[i] + T[i]) (mod 256) j = (j + S[i] + T[i]) (mod 256) swap (S[i], S[j])swap (S[i], S[j])

RC4 EncryptionRC4 Encryption

encryption continues shuffling array valuesencryption continues shuffling array values sum of shuffled pair selects "stream key" sum of shuffled pair selects "stream key"

value from permutationvalue from permutation XOR S[t] with next byte of message to XOR S[t] with next byte of message to

en/decrypten/decrypti = j = 0 i = j = 0

for each message byte Mfor each message byte Mii

i = (i + 1) (mod 256)i = (i + 1) (mod 256)j = (j + S[i]) (mod 256)j = (j + S[i]) (mod 256)swap(S[i], S[j])swap(S[i], S[j])t = (S[i] + S[j]) (mod 256) t = (S[i] + S[j]) (mod 256)

CCii = M = Mii XOR S[t] XOR S[t]

RC4 OverviewRC4 Overview

RC4 SecurityRC4 Security

claimed secure against known attacksclaimed secure against known attacks have some analyses, none practical have some analyses, none practical

result is very non-linear result is very non-linear since RC4 is a stream cipher, must since RC4 is a stream cipher, must never never

reuse a keyreuse a key have a concern with WEP, but due to key have a concern with WEP, but due to key

handling rather than RC4 itself handling rather than RC4 itself RC4 is theoretically considered as broken but RC4 is theoretically considered as broken but

practically it is notpractically it is not

True Random Number True Random Number GeneratorsGenerators

best source is natural randomness in real world best source is natural randomness in real world find a regular but random event and monitor find a regular but random event and monitor do generally need special h/w to do this do generally need special h/w to do this

eg. radiation counters, radio noise, audio noise, thermal noise in eg. radiation counters, radio noise, audio noise, thermal noise in diodes, leaky capacitors, mercury discharge tubes etc diodes, leaky capacitors, mercury discharge tubes etc

starting to see such h/w in new CPU's starting to see such h/w in new CPU's problems of problems of bias (skew)bias (skew) or uneven distribution in signal or uneven distribution in signal

have to compensate for this when sample and use have to compensate for this when sample and use only use a few noisiest bits from each sample only use a few noisiest bits from each sample Hash the output of the biased source by cryptographic hash Hash the output of the biased source by cryptographic hash

function (MD5, SHA-1, SHA-2, ...)function (MD5, SHA-1, SHA-2, ...) RFC 4086 – recommends collecting input from multiple sources RFC 4086 – recommends collecting input from multiple sources

and then hashingand then hashing

SummarySummary

have considered:have considered: Random Number Generation issuesRandom Number Generation issues Stream CiphersStream Ciphers