  1. 1. RC4
  2. 2. What is RC4 <ul><li>RC4 was designed in 1987 by Ron Rivest of RSA Data Security (the company is named after Rivest, Adi Shamir and Leonard Adleman; the cipher itself is Rivest's design). </li></ul><ul><li>A symmetric-key encryption algorithm. </li></ul><ul><li>A stream cipher. </li></ul>
  3. 3. A symmetric key encryption algorithm <ul><li>Symmetric-key algorithms are a class of cryptographic algorithms that use the same key (or keys that are trivially related) for both encryption and decryption. </li></ul><ul><li>Types of symmetric-key algorithms </li></ul><ul><li>1- stream ciphers </li></ul><ul><li>2- block ciphers </li></ul>
  4. 4. Stream Cipher <ul><li>While block ciphers operate on large blocks of data, stream ciphers typically operate on smaller units of plaintext, usually bits or bytes. </li></ul><ul><li>A stream cipher generates what is called a key stream (a sequence of bits used as the key). </li></ul><ul><li>Encryption is accomplished by combining the key stream with the plaintext, usually with the bitwise XOR operation; decryption XORs the same key stream with the ciphertext. </li></ul><ul><li>Example: plaintext 11001100 ⊕ key stream 01101100 = ciphertext 10100000 </li></ul>
  5. 5. RC4 Block Diagram
  6. 6. How does it work ? <ul><li>Initialize an array S of 256 bytes. </li></ul><ul><li>Run the Key Scheduling Algorithm (KSA) on it, driven by the secret key. </li></ul><ul><li>Run the Pseudo-Random Generation Algorithm (PRGA) on the KSA output to generate the key stream. </li></ul><ul><li>XOR the data with the key stream. </li></ul>
  7. 7. Initialization of array <ul><li>[S] .. To begin, the entries of S are set equal to the values from 0 through 255 in ascending order; that is, S[0] = 0, S[1] = 1, ..., S[255] = 255. </li></ul><ul><li>[T] .. A temporary vector T of 256 bytes is also created, filled by repeating the key. </li></ul><ul><li>[K] .. Array of bytes of the secret key. </li></ul><ul><li>[keylen] .. Length of K in bytes (1 to 256). </li></ul><ul><ul><li>for i = 0 to 255 do </li></ul></ul><ul><ul><li>S[i] = i; </li></ul></ul><ul><ul><li>T[i] = K[i mod keylen]; </li></ul></ul>
  8. 8. Key Scheduling Algorithm <ul><li>Next we use T to produce the initial permutation of (S) </li></ul><ul><li>Because the only operation on S is a swap, the only effect is a permutation. S still contains all the numbers from 0 through 255. </li></ul><ul><ul><li>j = 0; </li></ul></ul><ul><ul><li>for i = 0 to 255 </li></ul></ul><ul><ul><li>do </li></ul></ul><ul><ul><li>j = (j + S[i] + T[i]) mod 256; </li></ul></ul><ul><ul><li>Swap (S[i], S[j]); </li></ul></ul>
  9. 9. Pseudo-Random Generation Algorithm <ul><li>Once the S vector is initialized, the input key is no longer used. Each iteration emits one key-stream byte k, which is XORed with the next byte of data. </li></ul><ul><ul><li>i = j = 0; </li></ul></ul><ul><ul><li>for each of the byteLen data bytes do </li></ul></ul><ul><ul><li>i = (i + 1) mod 256; </li></ul></ul><ul><ul><li>j = (j + S[i]) mod 256; </li></ul></ul><ul><ul><li>Swap (S[i], S[j]); </li></ul></ul><ul><ul><li>t = (S[i] + S[j]) mod 256; </li></ul></ul><ul><ul><li>k = S[t]; </li></ul></ul>
  10. 10. Pseudo-Random Generation Algorithm
  11. 11. RC4
  12. 12. Security of RC4 <ul><li>Bit-flipping attack </li></ul><ul><li>Roos' Biases and Key Reconstruction from Permutation </li></ul><ul><li>Biased Outputs of the RC4 </li></ul><ul><li>Fluhrer, Mantin and Shamir attack </li></ul><ul><li>Klein's Attack </li></ul><ul><li>Combinatorial problem </li></ul>
  13. 13. Bit-flipping attack <ul><li>A bit-flipping attack is an attack on a cryptographic cipher in which the attacker changes the ciphertext in such a way as to cause a predictable change in the plaintext, even though the attacker cannot learn the plaintext itself. With a stream cipher this is trivial: flipping bit n of the ciphertext flips bit n of the decrypted plaintext, because decryption is just XOR with the key stream. Note that this type of attack is not directly against the cipher itself (as cryptanalysis would be) but against a particular message or series of messages. In the extreme, it becomes a denial of service against all messages on a channel using that cipher. </li></ul><ul><li>The attack is especially dangerous when the attacker knows the format of the message. In that case the attacker can turn it into a similar message in which some important information is altered. For example, a change in the destination address might alter the message route in a way that forces re-encryption with a weaker cipher, possibly making it easier for the attacker to decipher the message. </li></ul><ul><li>When the message is encrypted but not authenticated (no MAC or digital signature covers the ciphertext), the attacker might change a promissory note stating &quot;I owe you $10.00&quot; into one stating &quot;I owe you $10000&quot;. </li></ul>
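The malleability described on this slide, as an added example that is not part of the original presentation: a constructed 16-byte key stream stands in for the output of any stream cipher (RC4 included, since only the XOR step matters), the attacker patches the ciphertext without knowing the key, and an HMAC over the ciphertext (encrypt-then-MAC) is the check that catches the tampering. The key stream, MAC key and message are all constructed values chosen for this example.

```python
import hashlib
import hmac
from typing import Optional

# Constructed values: an arbitrary 16-byte key stream standing in for any
# stream cipher's output, and a separate key for the integrity check.
KEYSTREAM = bytes(((i * 73) + 41) & 0xFF for i in range(16))
MAC_KEY = b"constructed-mac-key"
MESSAGE = b"I owe you $10.00"            # 16 bytes, same length as the key stream
TAG_LEN = hashlib.sha256().digest_size   # 32


def xor_stream(data: bytes, keystream: bytes) -> bytes:
    """Stream-cipher encryption and decryption are the same XOR."""
    if len(keystream) < len(data):
        raise ValueError("key stream too short")
    return bytes(d ^ k for d, k in zip(data, keystream))


def flip_plaintext(ciphertext: bytes, offset: int, known: bytes, desired: bytes) -> bytes:
    """Attacker's edit. Knowing that the plaintext at `offset` reads `known`,
    XOR the ciphertext there with (known XOR desired); after decryption the
    victim sees `desired`. No key or key-stream knowledge is needed."""
    if len(known) != len(desired):
        raise ValueError("replacement must keep the length")
    patched = bytearray(ciphertext)
    for i, (k, d) in enumerate(zip(known, desired)):
        patched[offset + i] ^= k ^ d
    return bytes(patched)


def seal(plaintext: bytes, keystream: bytes, mac_key: bytes) -> bytes:
    """Encrypt-then-MAC: ciphertext || HMAC-SHA256(mac_key, ciphertext)."""
    ct = xor_stream(plaintext, keystream)
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()


def open_sealed(blob: bytes, keystream: bytes, mac_key: bytes) -> Optional[bytes]:
    """Verify the tag (constant-time compare) before decrypting; None on failure."""
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return xor_stream(ct, keystream)


def attack_unauthenticated() -> bytes:
    """What the victim decrypts when the ciphertext carries no integrity check."""
    ct = xor_stream(MESSAGE, KEYSTREAM)
    tampered = flip_plaintext(ct, MESSAGE.index(b"$"), b"$10.00", b"$10000")
    return xor_stream(tampered, KEYSTREAM)


def attack_authenticated() -> Optional[bytes]:
    """The same edit against an encrypt-then-MAC blob: the tag no longer verifies."""
    blob = seal(MESSAGE, KEYSTREAM, MAC_KEY)
    tampered = flip_plaintext(blob, MESSAGE.index(b"$"), b"$10.00", b"$10000")
    return open_sealed(tampered, KEYSTREAM, MAC_KEY)


if __name__ == "__main__":
    print(attack_unauthenticated())   # b'I owe you $10000'
    print(attack_authenticated())     # None
```

The `seal`/`open_sealed` pair is the countermeasure the slide implies: once a MAC covers the ciphertext, any flipped bit invalidates the tag and the receiver rejects the message before decrypting it.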
  14. 14. Roos' Biases and Key Reconstruction from Permutation <ul><li>In 1995, Andrew Roos experimentally observed that the first byte of the key stream is correlated to the first three bytes of the key, and that the first few bytes of the permutation after the KSA are correlated to some linear combination of the key bytes. These biases remained unproved until 2007, when Paul, Rathi and Maitra proved the keystream-key correlation and Paul and Maitra proved the permutation-key correlations. The latter work also used Roos' permutation-key correlations to design the first algorithm for complete key reconstruction from the final permutation after the KSA, without any assumption on the key or IV. This algorithm has a constant probability of success in a time which is the square root of the exhaustive key search complexity. Subsequently, many other works have been done on key reconstruction from RC4 internal states. In another work, Maitra and Paul showed that Roos-type biases persist even for nested permutation indices such as S[S[i]] or S[S[S[i]]]. These biases are used in some of the later key reconstruction methods to increase the success probability. </li></ul>
  15. 15. Biased Outputs of the RC4 <ul><li>The key stream generated by RC4 is biased in varying degrees towards certain sequences. The best-known such bias is due to Itsik Mantin and Adi Shamir, who showed that the second output byte of the cipher is biased toward zero with probability about 1/128 (instead of 1/256). This is because if the third byte of the state after the KSA (S[2]) is zero and the second byte (S[1]) is not equal to 2, then the second output byte is always zero. The bias can be detected by observing the second output byte of only about 256 key streams. </li></ul>
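The KSA and PRGA of slides 6 to 9, and the second-byte bias of this slide, as an added Python example that is not part of the original presentation. The cipher follows the slide pseudocode exactly (T is folded into the KSA as K[i mod keylen]), is checked against the widely published test vector key "Key" / plaintext "Plaintext", and is then run under 30,000 random 16-byte keys to count how often each of the first three key-stream bytes is zero. The fixed seed and the trial count are this example's own choices, made so the measurement is repeatable.

```python
import random
from typing import List


def rc4_ksa(key: bytes) -> List[int]:
    """Key Scheduling Algorithm: identity permutation, then 256 key-driven swaps.
    T[i] = key[i mod keylen] is computed inline instead of as a separate vector."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def rc4_prga(S: List[int], n: int) -> bytes:
    """Pseudo-Random Generation Algorithm: emit n key-stream bytes, mutating S."""
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation): data XOR key stream."""
    keystream = rc4_prga(rc4_ksa(key), len(data))
    return bytes(d ^ k for d, k in zip(data, keystream))


def zero_rates(trials: int = 30000, seed: int = 1) -> List[float]:
    """Fraction of random keys for which key-stream byte 0, 1 and 2 is zero.
    An unbiased byte would give about 1/256 = 0.0039; the Mantin-Shamir bias
    pushes byte 1 (the second output byte) to about 2/256 = 0.0078."""
    rng = random.Random(seed)                           # fixed seed: repeatable run
    zeros = [0, 0, 0]
    for _ in range(trials):
        key = rng.getrandbits(128).to_bytes(16, "big")  # random 16-byte key
        first = rc4_prga(rc4_ksa(key), 3)
        for pos in range(3):
            if first[pos] == 0:
                zeros[pos] += 1
    return [z / trials for z in zeros]


if __name__ == "__main__":
    ct = rc4_crypt(b"Key", b"Plaintext")
    print(ct.hex())                    # bbf316e8d940af0ad3 (published test vector)
    print(rc4_crypt(b"Key", ct))       # b'Plaintext'
    r0, r1, r2 = zero_rates()
    print(f"P[Z1=0]={r0:.4f}  P[Z2=0]={r1:.4f}  P[Z3=0]={r2:.4f}  (1/256={1/256:.4f})")
```

The second rate comes out roughly twice the other two, which is the distinguisher the slide describes: a few hundred key streams suffice to tell RC4 output from random, and the bias is why the first bytes of RC4 output are routinely discarded in protocols that still use it.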
  16. 16. Fluhrer, Mantin and Shamir attack <ul><li>In 2001, a new and surprising discovery was made by Fluhrer, Mantin and Shamir: over all possible RC4 keys, the statistics for the first few bytes of the output key stream are strongly non-random, leaking information about the key. If the long-term key and a per-message nonce (IV) are simply concatenated to form the RC4 key, as WEP does, the long-term key can be recovered by analyzing a large number of messages encrypted with it. This and related effects were then used to break the WEP (&quot;wired equivalent privacy&quot;) encryption used with 802.11 wireless networks. This caused a scramble for a standards-based replacement for WEP in the 802.11 market, and led to the IEEE 802.11i effort and WPA. </li></ul>
  17. 17. Klein's Attack <ul><li>In 2005, Andreas Klein presented an analysis of the RC4 stream cipher showing more correlations between the RC4 key stream and the key. Erik Tews, Ralf-Philipp Weinmann and Andrei Pychkine used this analysis to create aircrack-ptw, a tool which cracks the 104-bit RC4 key used in 128-bit WEP in under a minute. Whereas the Fluhrer, Mantin and Shamir attack used around 10 million messages, aircrack-ptw can break 104-bit keys with 40,000 frames with 50% probability, or with 85,000 frames with 95% probability. </li></ul>
  18. 18. Combinatorial problem <ul><li>A combinatorial problem related to the number of inputs and outputs of the RC4 cipher was first posed by Itsik Mantin and Adi Shamir in 2001: of the 256 elements of a typical RC4 state, if only x elements (x ≤ 256) are known (all other elements can be assumed unknown), then the maximum number of output elements that can be produced deterministically in the next 256 rounds is also x. This conjecture was settled in 2004 with a formal proof by Souradyuti Paul and Bart Preneel. </li></ul>
  19. 19. RC4-based cryptosystems <ul><li>WEP </li></ul><ul><li>WPA (TKIP, the default algorithm; WPA can be configured to use AES-CCMP instead of RC4, and WPA2 uses CCMP) </li></ul><ul><li>BitTorrent protocol encryption </li></ul><ul><li>Microsoft Point-to-Point Encryption </li></ul><ul><li>Secure Sockets Layer / TLS (optionally; RC4 cipher suites have since been prohibited by RFC 7465) </li></ul><ul><li>Secure Shell (optionally) </li></ul><ul><li>Remote Desktop Protocol </li></ul><ul><li>Kerberos (optionally) </li></ul><ul><li>SASL mechanism DIGEST-MD5 (optionally) </li></ul>
  20. 20. RC5
  21. 21. Outline <ul><li>Introduction (Feistel Networks) </li></ul><ul><li>What is RC5 </li></ul><ul><li>Parameterization </li></ul><ul><li>Algorithm </li></ul><ul><li>The security of RC5 </li></ul><ul><li>Conclusion </li></ul>
  22. 22. <ul><li>If you don’t know where to go all roads will get you there. </li></ul>Introduction (Feistel Networks)
  23. 23. Feistel Network <ul><li>A block cipher is a symmetric-key cipher operating on fixed-length groups of bits, called blocks. </li></ul><ul><li>One of the most common structures used in constructing block ciphers is the Feistel network. </li></ul>
  24. 24. Feistel Network <ul><li>Feistel networks were first seen commercially in IBM's Lucifer cipher, designed by Horst Feistel and Don Coppersmith. </li></ul><ul><li>Feistel networks gained respectability when the U.S. Federal Government adopted DES (a cipher based on Lucifer, with some changes made by the NSA). </li></ul><ul><li>RC5 has a Feistel-like structure. </li></ul>
  25. 25. Feistel Network - Construction Details
  26. 26. Recap <ul><li>Introduction (Feistel Networks) </li></ul><ul><li>What is RC5 </li></ul><ul><li>Parameterization </li></ul><ul><li>Algorithm </li></ul><ul><li>The security of RC5 </li></ul><ul><li>Conclusion </li></ul>
  27. 27. What is RC5
  28. 28. What is RC5 <ul><li>RC5 is a block cipher notable for its simplicity. Designed by Ronald Rivest in 1994. </li></ul><ul><li>RC stands for &quot;Rivest Cipher&quot;, or alternatively, &quot;Ron's Code&quot;. </li></ul><ul><li>Rivest also designed RC2 and RC4, and later RC6, which was based on RC5 and was a finalist candidate for the Advanced Encryption Standard (AES). </li></ul>
  29. 29. Features <ul><li>Symmetric block cipher (with a Feistel-like structure) </li></ul><ul><ul><li>the same secret cryptographic key is used for encryption and decryption </li></ul></ul><ul><li>Suitable for hardware and software </li></ul><ul><ul><li>It uses only computational primitive operations commonly found on typical microprocessors (addition, XOR and rotation) </li></ul></ul><ul><li>Fast </li></ul><ul><ul><li>Because it uses word-oriented operations </li></ul></ul>
  30. 30. Features cont. <ul><li>Adaptable to processors of different word lengths </li></ul><ul><ul><li>For example, on a 64-bit processor RC5 can exploit the longer word length </li></ul></ul><ul><ul><li>Therefore the number w of bits in a word is a parameter of RC5; different choices of this parameter result in different algorithms. </li></ul></ul><ul><li>Variable number of rounds </li></ul><ul><ul><li>The user can explicitly manipulate the trade-off between higher speed and higher security. </li></ul></ul><ul><ul><li>So the number of rounds r is a second parameter of RC5 </li></ul></ul>
  31. 31. Features cont. <ul><li>Variable-length cryptographic key </li></ul><ul><ul><li>The user can choose the level of security appropriate for the application; the key length b in bytes is thus a third parameter of RC5 </li></ul></ul><ul><li>Simple </li></ul><ul><ul><li>It is simple to implement. This simplicity makes it more interesting to analyze and evaluate, so that the cryptographic strength can be more rapidly determined </li></ul></ul><ul><li>Low memory requirements </li></ul><ul><ul><li>So it is easily implemented on devices with restricted memory </li></ul></ul>
  32. 32. Features cont. <ul><li>Data-dependent rotations </li></ul><ul><ul><li>RC5 highlights the use of data-dependent rotations and encourages the assessment of the cryptographic strength that data-dependent rotations can provide </li></ul></ul>
  33. 33. Features - Highlight <ul><li>Data-dependent rotations </li></ul><ul><li>Variable block size </li></ul><ul><li>Variable number of rounds </li></ul><ul><li>Variable key size </li></ul>
  34. 34. Recap <ul><li>Introduction (Feistel Networks) </li></ul><ul><li>What is RC5 </li></ul><ul><li>Parameterization </li></ul><ul><li>Algorithm </li></ul><ul><li>The security of RC5 </li></ul><ul><li>Conclusion </li></ul>
  35. 35. Parameterization
  36. 36. Parameterization
  37. 37. Parameterization cont. <ul><li>RC5 algorithm example: RC5-32/16/7 </li></ul><ul><ul><li>similar to DES (64-bit block, 16 rounds, 56-bit key) </li></ul></ul><ul><ul><li>Two 32-bit word inputs and outputs </li></ul></ul><ul><ul><li>16 rounds </li></ul></ul><ul><ul><li>7-byte (56-bit) secret key </li></ul></ul><ul><li>Choices for w and r </li></ul><ul><ul><li>speed vs. security </li></ul></ul><ul><li>Choosing a larger number of rounds provides an increased level of security </li></ul>
  38. 38. Dropped parameters <ul><li>RC5 dropped parameters </li></ul><ul><ul><li>The default is 32/12/7 for 32-bit words </li></ul></ul><ul><ul><li>The default is 64/16/7 for 64-bit words </li></ul></ul><ul><ul><li>So if any parameter is dropped, use the corresponding default parameter </li></ul></ul><ul><li>Examples </li></ul><ul><ul><li>RC5-32 means 32/12/7 </li></ul></ul><ul><ul><li>RC5-32, 9 means 32/9/7 </li></ul></ul><ul><ul><li>RC5-64 means 64/16/7 </li></ul></ul>
  39. 39. Notations and Primitive operations
  40. 40. Recap <ul><li>Introduction (Feistel Networks) </li></ul><ul><li>What is RC5 </li></ul><ul><li>Parameterization </li></ul><ul><li>Algorithm </li></ul><ul><li>The security of RC5 </li></ul><ul><li>Conclusion </li></ul>
  41. 41. Algorithm
  42. 42. Algorithm <ul><li>There are three components of RC5 </li></ul><ul><ul><li>Key expansion algorithm </li></ul></ul><ul><ul><li>Encryption algorithm </li></ul></ul><ul><ul><li>Decryption algorithm </li></ul></ul>[Diagram: secret key K → key expansion algorithm → expanded key S; S is used by the encryption algorithm (plaintext → ciphertext) and by the decryption algorithm (ciphertext → plaintext)]
  43. 43. Encryption
  44. 44. Encryption <ul><ul><li>A = A + S[0]; </li></ul></ul><ul><ul><li>B = B + S[1]; </li></ul></ul><ul><ul><li>for i = 1 to r do </li></ul></ul><ul><ul><li>A = ((A ⊕ B) <<< B) + S[2*i]; </li></ul></ul><ul><ul><li>B = ((B ⊕ A) <<< A) + S[2*i + 1]; </li></ul></ul><ul><li>A <<< B : the bits of A are rotated to the left by the amount given by the lower log2(w) bits of B; all additions are modulo 2^w </li></ul>
  45. 45. Decryption
  46. 46. Decryption <ul><ul><li>for i = r downto 1 do </li></ul></ul><ul><ul><li>B = ((B - S[2*i + 1]) >>> A) ⊕ A; </li></ul></ul><ul><ul><li>A = ((A - S[2*i]) >>> B) ⊕ B; </li></ul></ul><ul><ul><li>B = B - S[1]; </li></ul></ul><ul><ul><li>A = A - S[0]; </li></ul></ul><ul><li>A >>> B : the bits of A are rotated to the right by the amount given by the lower log2(w) bits of B; all subtractions are modulo 2^w </li></ul>
  47. 47. Encryption and Decryption
  48. 48. Key Expansion <ul><li>RC5 performs some operations on the secret key to generate a total of t subkeys, which are stored in the array S: S[0], S[1], ..., S[t-1] </li></ul><ul><li>The key expansion algorithm uses two constants (magic numbers) and consists of three simple parts </li></ul><ul><ul><li>Step-1: Convert secret key bytes to words </li></ul></ul><ul><ul><li>Step-2: Initialize subkey array S (S[0], S[1], ..., S[t-1]) </li></ul></ul><ul><ul><li>Step-3: Mix the secret key into subkey array S </li></ul></ul>
  49. 49. Key Expansion
  50. 50. The magic constants <ul><li>In key expansion, two magic constants are used </li></ul><ul><ul><li>P_w = Odd((e - 2) * 2^w); e = 2.718281828... (base of natural logarithms) </li></ul></ul><ul><ul><li>Q_w = Odd((φ - 1) * 2^w); φ = 1.618033988... (golden ratio = (1 + sqrt(5))/2) </li></ul></ul><ul><ul><ul><li>Odd(x): the odd integer nearest to x </li></ul></ul></ul><ul><ul><li>Example (hexadecimal) </li></ul></ul><ul><ul><li>w = 16: P_w = B7E1, Q_w = 9E37 </li></ul></ul><ul><ul><li>w = 32: P_w = B7E15163, Q_w = 9E3779B9 </li></ul></ul><ul><ul><li>w = 64: P_w = B7E151628AED2A6B, Q_w = 9E3779B97F4A7C15 </li></ul></ul>
  51. 51. Step-1: Convert secret key bytes to words <ul><li>Copy the b key bytes into a new array L of c words, where u = w/8 is the word size in bytes and c = ceil(b/u); bytes are loaded little-endian (K[0] becomes the low byte of L[0]) </li></ul><ul><li>Any unfilled byte positions of L are zeroed </li></ul><ul><li>In case b = c = 0 we set c = 1 and L[0] = 0 </li></ul>
  52. 52. Step-2: Initialize sub key array S <ul><li>create an expanded key table, S[0...t-1] </li></ul><ul><ul><li>has t entries, t = 2( r + 1) w -bit words </li></ul></ul><ul><li>Initialize array S </li></ul><ul><ul><li>S [0] = P w ; </li></ul></ul><ul><ul><li>for i = 1 to t - 1 do </li></ul></ul><ul><ul><li>S [ i ] = S [ i - 1] + Q w ; </li></ul></ul>
  53. 53. Step-3: Mix the secret key into sub key array S <ul><li>Mix the secret key into table, S </li></ul><ul><li>i = j = 0; A = B = 0; </li></ul><ul><li>do 3 * max( t , c ) times: </li></ul><ul><li>A = S [ i ] = ( S [ i ] + A + B ) <<< 3; </li></ul><ul><li>B = L [ j ] = ( L [ j ] + A + B ) <<< ( A + B ); </li></ul><ul><li>i = ( i + 1) mod( t ); </li></ul><ul><li>j = ( j + 1) mod( c ); </li></ul>
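The encryption and decryption of slides 44 and 46 and the three key-expansion steps of slides 48 to 53, as an added Python example that is not part of the original presentation. Words are loaded from bytes little-endian, as in Rivest's paper and RFC 2040; the magic constants are the table values of slide 50; rotation amounts use only the low log2(w) bits of the other word, as the slides state. The known-answer check is the first RC5-CBC vector of RFC 2040 (RC5-32/0/1: one-byte key 00, zero plaintext, zero IV, so CBC reduces to a single block encryption); the 16-byte key `bytes(range(16))` used for the round-trip runs is a constructed value.

```python
from typing import List, Tuple

# P_w = Odd((e - 2) * 2^w) and Q_w = Odd((phi - 1) * 2^w), as tabulated on slide 50.
MAGIC = {
    16: (0xB7E1, 0x9E37),
    32: (0xB7E15163, 0x9E3779B9),
    64: (0xB7E151628AED2A6B, 0x9E3779B97F4A7C15),
}


def rotl(x: int, n: int, w: int) -> int:
    """x <<< n on w-bit words; only the low log2(w) bits of n are used.
    Shift-pair form, so the time does not depend on the rotation amount."""
    n %= w
    return ((x << n) | (x >> (w - n))) & ((1 << w) - 1)


def rotr(x: int, n: int, w: int) -> int:
    """x >>> n on w-bit words."""
    n %= w
    return ((x >> n) | (x << (w - n))) & ((1 << w) - 1)


def rc5_expand_key(key: bytes, w: int = 32, r: int = 12) -> List[int]:
    """Key expansion for RC5-w/r/b; returns S[0..t-1] with t = 2(r + 1)."""
    if w not in MAGIC or not 0 <= len(key) <= 255:
        raise ValueError("w must be 16, 32 or 64 and the key 0..255 bytes")
    u, mask = w // 8, (1 << w) - 1
    P, Q = MAGIC[w]
    b = len(key)
    # Step 1: key bytes -> c little-endian words (c = 1 and L[0] = 0 when b = 0).
    c = max(1, (b + u - 1) // u)
    L = [0] * c
    for i in range(b - 1, -1, -1):
        L[i // u] = ((L[i // u] << 8) | key[i]) & mask
    # Step 2: S is the arithmetic progression P, P + Q, P + 2Q, ...
    t = 2 * (r + 1)
    S = [0] * t
    S[0] = P
    for i in range(1, t):
        S[i] = (S[i - 1] + Q) & mask
    # Step 3: mix L into S over 3 * max(t, c) iterations.
    i = j = A = B = 0
    for _ in range(3 * max(t, c)):
        A = S[i] = rotl((S[i] + A + B) & mask, 3, w)
        B = L[j] = rotl((L[j] + A + B) & mask, (A + B) & mask, w)
        i = (i + 1) % t
        j = (j + 1) % c
    return S


def _split(block: bytes, w: int) -> Tuple[int, int]:
    u = w // 8
    if len(block) != 2 * u:
        raise ValueError(f"block must be {2 * u} bytes")
    return int.from_bytes(block[:u], "little"), int.from_bytes(block[u:], "little")


def _join(A: int, B: int, w: int) -> bytes:
    u = w // 8
    return A.to_bytes(u, "little") + B.to_bytes(u, "little")


def rc5_encrypt_block(block: bytes, S: List[int], w: int = 32) -> bytes:
    """Encrypt one 2w-bit block; the round count r is implied by len(S) = 2(r + 1)."""
    mask, r = (1 << w) - 1, len(S) // 2 - 1
    A, B = _split(block, w)
    A = (A + S[0]) & mask
    B = (B + S[1]) & mask
    for i in range(1, r + 1):
        A = (rotl(A ^ B, B, w) + S[2 * i]) & mask
        B = (rotl(B ^ A, A, w) + S[2 * i + 1]) & mask
    return _join(A, B, w)


def rc5_decrypt_block(block: bytes, S: List[int], w: int = 32) -> bytes:
    """Exact inverse: undo the rounds in reverse order, then the two initial additions."""
    mask, r = (1 << w) - 1, len(S) // 2 - 1
    A, B = _split(block, w)
    for i in range(r, 0, -1):
        B = rotr((B - S[2 * i + 1]) & mask, A, w) ^ A
        A = rotr((A - S[2 * i]) & mask, B, w) ^ B
    B = (B - S[1]) & mask
    A = (A - S[0]) & mask
    return _join(A, B, w)


if __name__ == "__main__":
    S0 = rc5_expand_key(b"\x00", w=32, r=0)           # RC5-32/0/1, RFC 2040 vector
    print(rc5_encrypt_block(bytes(8), S0).hex())       # 7a7bba4d79111d1e
    S = rc5_expand_key(bytes(range(16)), w=32, r=12)   # RC5-32/12/16, constructed key
    ct = rc5_encrypt_block(b"RC5 test", S)
    print(ct.hex(), rc5_decrypt_block(ct, S))
```

With r = 0 the cipher is just the two additions of S[0] and S[1], so the RFC 2040 vector checks the key schedule itself (including the c = 1 case) against a published value; the round-trip runs then exercise the data-dependent rotations for 32- and 64-bit words.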
  54. 54. Key Expansion Algorithm
  55. 55. Recap <ul><li>Introduction (Feistel Networks) </li></ul><ul><li>What is RC5 </li></ul><ul><li>Parameterization </li></ul><ul><li>Algorithm </li></ul><ul><li>The security of RC5 </li></ul><ul><li>Conclusion </li></ul>
  56. 56. The security of RC5
  57. 57. The security of RC5 <ul><li>Exhaustive Search </li></ul><ul><li>Differential cryptanalysis </li></ul><ul><li>Linear cryptanalysis </li></ul><ul><li>Timing Attacks </li></ul>
  58. 58. Exhaustive Search <ul><ul><li>RC5-32/r/b allows </li></ul></ul><ul><ul><ul><li>a maximum of 2040 secret key bits (b ≤ 255 bytes) </li></ul></ul></ul><ul><ul><ul><li>a maximum of 32(2r + 2) expanded key table bits (t = 2r + 2 words of 32 bits) </li></ul></ul></ul><ul><ul><li>Choosing large values for r and b makes exhaustive search infeasible </li></ul></ul>
  59. 59. Differential cryptanalysis <ul><li>Pioneered by Biham and Shamir </li></ul><ul><li>It has had a revolutionary effect on the design and analysis of block ciphers </li></ul><ul><li>The basic idea </li></ul><ul><ul><li>Two plaintexts are chosen with a certain difference P' (the difference here is measured by XOR, but for other ciphers an alternative measure may be used) </li></ul></ul><ul><ul><li>The two plaintexts are enciphered to give two ciphertexts whose difference is C' </li></ul></ul><ul><ul><li>Such a pair (P', C') is called a characteristic </li></ul></ul><ul><ul><li>Depending on the cipher and the analysis, the behavior of these characteristics can be useful in deriving certain bits of the key </li></ul></ul>
  60. 60. Linear cryptanalysis <ul><li>Introduced by Matsui. </li></ul><ul><li>The basic idea is </li></ul><ul><ul><li>to find relations among certain bits of plaintext, ciphertext and key </li></ul></ul><ul><ul><li>Such a relation is called a linear approximation, which can be used to obtain information about the key </li></ul></ul><ul><li>Against RC5 it becomes impractical for r > 6 </li></ul>
  61. 61. Differential and Linear attack
  62. 62. Timing Attacks <ul><li>Developed by Kocher </li></ul><ul><li>The opponent can obtain some information about the secret key by recording and analyzing the time taken by cryptographic operations that involve the key. </li></ul><ul><li>Kocher found that RC5 may be subject to a timing attack if it is implemented on a platform where the time to compute a single rotation is proportional to the rotation amount, because the rotation amounts are data-dependent and so leak intermediate values. </li></ul><ul><li>RC5 can easily be implemented so that the total time is data-independent (e.g. by computing a rotation by t bits as a left shift by t bits ORed with a right shift by w - t bits) </li></ul>
  63. 63. Conclusion <ul><li>Provides good security against the four main attacks considered </li></ul><ul><li>Simple encryption/decryption algorithms </li></ul><ul><li>RC5 is relatively new and is still under scrutiny by other cryptanalytic attacks </li></ul>
  64. 64. Thank you for your attention