Is your crypto secure? Let's take a look at what main issues there are in modern cryptography that software developers and architects have to be aware of.

1. Applied Cryptanalysis:
Stream ciphers
Vladimir Garbuz

2. Intro
•Why do I need to learn about Crypto generally?
• It’s often used to create Cookies, hidden parameters
• To do TLS the right way
• For hashes and data integrity checks
• Password and sensitive info storage
• To have more marketable skills during an interview
•To whom is this useful?
• Devs, QA, anyone interested in security and crypto
•What do I need to understand this?
• School math knowledge
• Desire to learn

3. Overview
•Symmetric encryption
• Stream ciphers
• Block ciphers
• Modes of operation
•Cryptographic hash
• Key derivation
• Authenticated Encryption, AEAD
•Asymmetric encryption
•Conclusions and best practices

4. Symmetric Crypto basics
Jean-Phillipe
Aumasson

5. Symmetric Crypto basics
•To Encrypt is to take Plaintext, key and convert
them into Ciphertext: C = E(P, k)
•To Decrypt is to take Ciphertext, key and convert
them back into Plaintext: P = D(C, k)
•An attacker must, ideally, try (bruteforce) all
possible keys – for 256 bit key – 1077 combinations

6. Symmetric Crypto basics
•What’s an attack?

7. Symmetric Crypto basics
•OK, what’s a cryptographic attack?
• Anything better than bruteforce
•What’s a practical attack?
• Any attack an adversary with best technology available
can conduct in “reasonable” amount of time
• “reasonable” is determined based on how long the plaintext keeps it’s
value
• Normally, due to exponential nature of cryptanalytic difficulty, attacks
are either impossible or very much possible

8. Symmetric Crypto basics
Main cryptanalytic methods, at a glance
•Known plaintext
•Chosen plaintext (encryption oracles)
•Chosen ciphertext (decryption oracles, bit
flipping)
•Statistical cryptanalysis
•Differential cryptanalysis
•Side-channel attacks

9. Symmetric Crypto basics
http://www.washingtonpost.com/wp-srv/politics/special/clinton/stories/pizza121998.htm

10. Symmetric Crypto basics
XOR ⊕ Refresher
•Basically a bit flipping machine
•A ⊕ A = 0

11. Symmetric Crypto basics
XOR ⊕ Refresher
1. A ⊕ A = 0
2. A ⊕ 0 = A
3. A ⊕ B = B ⊕ A (commutativity)
4. A ⊕ ( B ⊕ C ) = ( A ⊕ B) ⊕ C (associativity)
5. Let K ⊕ M = C , then:
C ⊕ K = K ⊕ M ⊕ K = K ⊕ K ⊕ M = 0 ⊕ M = M

12. Stream ciphers
•Historic stream cipher example – One-time Pads
• Sender and Receiver must have identical Pads
• Pads fully filled with random data
• Sender computes Message ⊕ Pad and sends result
• Receiver does Ciphertext ⊕ Pad to get Message
•One-time Pads are mathematically proven to be
unbreakable! YAY! VICTORY! Let’s all go home now.

13. THE END
QUESTIONS?

14. Stream ciphers
•Historic stream cipher example – One-time Pads
• Sender and Receiver must have identical Pads
• Pads fully filled with random data
• Sender computes Message ⊕ Pad and sends result
• Receiver does Ciphertext ⊕ Pad to get Message
•One-time Pads are mathematically proven to be
unbreakable! YAY! VICTORY! Let’s all go home now.
•Cons? One-time Pads are horribly impractical 
• And unbreakable, well… Only as long as Pads’ data is
truly random and they are never used twice

15. Stream ciphers
•Modern electronic Stream Ciphers
• Were inspired by One-time pads
• Have almost all of their problems + some more!
• Derive high entropy Key from Passphrase
• Generate Keystream via a PRNG algorithm from Key
• It’s output is effectively used instead of one-time pads
• Employ Initialization Vectors - transmitted in cleartext
• They are mixed with the Key to avoid key reuse (pad reuse)

16. Stream ciphers
Basic vulnerabilities: bit flipping
•With Steam Ciphers, a flipped bit in the Ciphertext
ALWAYS results in a flipped bit in the Plaintext
•Having only a Ciphertext, an attacker can make it
say ANYTHING when decrypted!
• Needs to know the target position in the plaintext
• How? E.g. via reverse engineering the app or Crib-dragging
•Requires no knowledge of the encryption key
•Every stream cipher is vulnerable to it!

17. Stream ciphers
Basic vulnerabilities: bit flipping example
•Given: an encrypted cookie with data like
…&user=john.doe&admin=0&…
•Whose encrypted bytes in binary look like
…10010011 11011001 01101000…
•A flip of only 1 bit of ciphertext is necessary
…10010011 11011000 01101000…
•To make the decrypted plaintext say
…&user=john.doe&admin=1&…

18. Stream ciphers
Basic vulnerabilities: key reuse
What’s so terrible about key (pad) reuse?
•So we have 2 plaintexts P1 and P2, and we encrypt
them separately under the same Key, IV pair:
C1=P1⊕F(Key,IV)
C2=P2⊕F(Key,IV)
When attacker intercepts them, he can then
compute:
C1⊕C2=P1⊕P2
•“Oh, please! How bad could that possibly be?..”

19. Stream ciphers
Basic vulnerabilities: key reuse

20. Stream ciphers
Basic vulnerabilities: key reuse
•Edge case: if one of the plaintexts, e.g. P1, is known,
restoring the other one is trivial
C1⊕C2⊕P1 = (P1⊕K)⊕(P2⊕K)⊕P1 = 0⊕P2 = P2
•Edge case: if a portion of Plaintext is known, the
Keystream in corresponding position is revealed
C = P⊕E(Key,IV)  C⊕P = E(Key,IV)
• Now, having the Keystream at some position, we can
decrypt data at that position from ALL other ciphertexts
• We can also change and re-encrypt any data there

21. Stream ciphers
Basic vulnerabilities: Why does key reuse happen?
•No IV is used
•Static IV
• For example, the encryption key itself
• Or a hash of the password – good entropy, still useless
•Very short IV
• E.g. WEP had a 24 bit IV == 16777216 values
• Birthday paradox - in 4096 packets IV is reused with P=0.5
• Birthday paradox??

22. Stream ciphers
Birthday paradox
• For what number of people, the chances that two of them
share a birthday are 50-50?
• 𝑛 ≈ 2𝑚 × 𝑝 𝑛 → 2 × 224 × 0.5 = 212
= 4096

23. Stream ciphers
Basic vulnerabilities: Why does key reuse happen?
•Bad IV
• Caused by bad random
• Specifically, where a PRNG is used instead of CSPRNG
• “Oh please, what’s the difference?”

24. Stream ciphers: random
•Popular PRNG named RANDU
•Dots as (x,y) and (x,y,z) – all fall in 15 3D planes!

25. Stream ciphers: random
•CSPRNG sequence attractor analysis

26. Stream ciphers: random
•Windows 98 PRNG attractor analysis

27. Stream ciphers: random
Hacking Java’s Random(): predicting the future
•Linear Congruential PRNG:
seed = (seed * multiplier + addend) mod (2 ^ precision)
• Has 48 bits of state, but discloses only 32 at a time e.g. nextInt()
• The remaining 16 bits are easily bruteforcible on modern PCs:

28. Stream ciphers: random
Hacking Java’s Random(): peeking into the past
• Long story short, one bit at a time we unwind the changes a
previous seed would’ve had on the current number
• And can do so recursively as far back as we wish

29. Stream ciphers
Case-study
•Used a circular XOR cipher
• Meaning, “keystream”, the passphrase, was reused
• Well, not exactly XOR operation but close enough
•With a hardcoded key 
• That had barely any entropy
•Without an IV
•All this made it vulnerable to every kind of attack

30. Stream ciphers
Case-study
Differential Cryptanalysis via chosen plaintext attack
1. ‘aaaaa’ user session cookie, first 10 “bytes” :
131!167!208!205!204!194!184!192!164!124!...
2. ‘bbbbb’ user session cookie:
131!167!209!206!205!195!185!192!164!124!...
3. This is basically an “encryption” oracle
4. From this, we can already deduce the
“keystream”
5. But it’s revealed clearly if we use ‘0’ for
username
6. But what if we couldn’t control the plaintext?..

31. Stream ciphers
Case-study
Statistical analysis
• Only the end part of cookies changed between sessions
• We can already see what’s encrypted here
• Now just bruteforce 1 byte for each column
• Voila! We have our keystream symbol!

32. Stream ciphers
So, how to do it right?
•NEVER be clever and invent your own crypto!
•Use well-known Crypto suits, e.g. Bouncy Castle
•Never use a vulnerable cipher! E.g., RC4
• Instead, go for ChaCha20 – no known attacks
•When you’re asked for an IV, get it from CSPRNG!
• And make it LOOOOONG
•Never use the Passphrase as the Key!
• Instead, google how to use PBKDF2 from RFC 2898

33. goo.gl/tuKku7