Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Basics of Cryptography - Stream ciphers and PRNG

532 views

Published on

Basics of Cryptography - Stream ciphers and PRNG

Published in: Technology
  • Be the first to comment

Basics of Cryptography - Stream ciphers and PRNG

  1. 1. Basics of cryptography Shift registers and stream ciphers
  2. 2. Menu  Can't explain the whole cryptography here  Let's try to explain how it works  Simply  Let's see then some concrete examples  Among so many other fields of application...
  3. 3. Menu  Cryptography main rule  Vernam One Time Pad (OTP)  Computer applications  Problems  Solutions  Symetric computer-based cryptography  PRNG & LFSR  Designing a stream cipher using PHP and C  Applications :  DVD-Blu-Ray encryption (CSS / AACS)  Wifi (WEP : RC4)  GSM (A5/1)
  4. 4. About me  Julien PAULI - @julienpauli - github.com/jpauli  Working for Sensiolabs in Paris  Release manager of PHP 5.5 / 5.6  PHP internals contributor from time to time (bug fixes, internal API, performances)  Knowledges about CPU architectures, C lang, Linux and networking
  5. 5. Vernam OTP (One Time Password)  The only method of encryption that is mathematically absolutely 100% sure and uncrackable
  6. 6. Vernam OTP  The only method of encryption that is mathematically absolutely 100% sure and uncrackable Hello foo secretkey ????????? clear key encrypted +
  7. 7. Vernam OTP  You modulo-add clear text + a key, randomly chosen and of the same size (or more) than the clear text  The operation is fully bijective and can be undone , just like a classical math addition 3 + 8 = 11 11 - 8 = 3
  8. 8. Vernam OTP 3 + 8 = 11 11 ??? = ??? clear + key = encrypted  This cryptography method is the only one being 100% safe and not violable.  If you get the crypted content only, you'll never be able to get back the clear text, without having the key
  9. 9. Vernam OTP  Used in the image field this time : + =
  10. 10. Vernam conditions  Vernam OTP is 100% sure if and only if :  The key is random and cant be guessed  The key is kept secret  The key size is >= to the clear content size  The key is never reused (One Time Password : OTP)  The same key is used to encrypt and decrypt  This is called symetric encryption
  11. 11. Vernam conditions  If the key is reused : + = + = + = 1 1 2 2 keykey keykey
  12. 12. Vernam  Used during WW II  Enigma  Used in red phone  To link Moscow to Washington  Keys (physical) were carried using extra safe planes
  13. 13. In computer science  Machines make use of basis 2 (binary)  "modulo 2 addition" is called XOR (exclusive OR)  Noted or ^ A B A ^ B 0 0 0 0 1 1 1 0 1 1 1 0
  14. 14. XOR for cryptography  XOR satisfies Vernam OTP conditions  Having A a clear text  Having B a secret key  Crypted C = A ^ B  Clear A = C ^ B Symetric cryptography using key C
  15. 15. Vernam in computer sciences  Vernam based cryptography is inviolable if :  The key is kept secret  The key size is >= the clear size  The key is random  The key is never reused  Those 4 rules seem hard to achieve in modern computers world
  16. 16. 1 - The key is kept secret
  17. 17. The key is secret  It is possible, while not best, to exchange the key securely  Hand to hand  "What's the wifi password please ?"  Usually, asymetric cryptography is used to create a secure channel to exchange the symetric crypto key
  18. 18. And then ?  Vernam based cryptography is inviolable if :  The key is kept secret  The key size is >= the clear size  The key is random  The key is not used more than once
  19. 19. 2 - The key size is >= the clear size
  20. 20. Key size  To crypt 25Mb of data , one will need a 25Mb key  that's 26214400 characters  How to do to use a "reasonnably finite-size" key ?  Think about Wifi keys, often long sized, but not that long of thousands of thousands of chars
  21. 21. LFSR
  22. 22. LFSR  Linear Feedback Shift Register  Solution chosen to solve the problem "The key size must be >= the clear size to crypt"  How does that work ?
  23. 23. LFSR  Linear Feedback Shift Register  Computer and electronic structure  Easy to code in computer language  Easy to make into electronic chips  Very powerful, very fast
  24. 24. One byte : 8 digits (bits)  2^7 + 2^5 + 2^2 + 2^1 + 2^0 = 167 (decimal)  In computer science, 1 byte = 1 character (like 'f')  or one integer between 0 and 255 if you prefer  Let's take one byte from the secret key 1 01 10 1101 7 6 5 4 3 2 1 0
  25. 25. LFSR 1 01 10 1101  Shift register. At each clock tick ...  Shift digits one slot to the right  Reinject the right-out digit to the left  We got an infinite source of digits  This is a circular shift Extracted digit used to crypt one digit of the payload (using XOR)
  26. 26. LFSR 1 01 10 1101  Shift register  Shift to the right  Reinject on the left  We got an infinite number of digits but ...  We got a finite digit sequence (repeating itself) 1 10 11 1001 1 01 11 0011 1 11 01 0101 1- 2- 3- 4-
  27. 27. LFSR 1 01 10 1101  Shift register  We got an infinite digit sequence  But not random  The feedback function is 1 1 10 11 1001 1 01 11 0011 1 11 01 0101 . .. 1- 2- 3- 4- . . .
  28. 28. Where are we ?  Vernam based cryptography is inviolable if :  The key is secret  The key size is >= the clear size  The key is random  The key is never reused
  29. 29. LFSR 1 01 10 1101  The sequence is going to repeat itself  How to add it some randomness ? 1 10 11 1001 1 01 11 0011 1 11 01 0101 . .. 1- 2- 3- 4-
  30. 30. LFSR 1 01 10 1101  It's all about the feedback function  Let's complexify the feedback function
  31. 31. LFSR 1 01 10 1101 1 01 10 1101 1 10 11 1000 1 10 10 0001 1 11 01 0001 1- 2- 3- 4-
  32. 32. LFSR  That starts looking random right ? 1 01 10 1101 1 10 11 1000 1 10 10 0001 1 11 01 0001 167 83 145 240 bits Integer
  33. 33. LFSR vs Maths 1 01 10 1101  This can be mathematically modelized :  S = X^8 + X^7 + X^6 + X^5 + 1  This is a classic polynom , that can be solved
  34. 34. m-sequence LFSR 1 01 10 1101  As the output is injected back into the input, this LFSR will generate a finite number of states  The maximum sequence is 2^n - 1  "n" is the LFSR degree (number of digits)  This maximum sequence is called the "m-sequence"  In the above example, n is 8, the LFSR will have a maximum period of 255 states
  35. 35. m-sequence LFSR 1 01 10 1101  To get an m-sequence  The number of feedback digits must be odd  Their factors must be prime between them  S = X^8 + X^7 + X^6 + X^5 + 1  Works, this LFSR will have a m-sequence (255 states)  S = X^8 + 1  Doesn't work, this LFSR will repeat before 255 states
  36. 36. m-sequence LFSR 1 01 10 1101  If we extend LFSR to 32 digits, max period becomes 2^32 - 1  That's 4294967295 different states  Randomness slowly becomes more and more appearingly clear  With 32 digits (4 bytes or 4 secret key chars) we can encrypt 4294967295 digits, thus 512Mb.  Above that : the key repeats itself (and invalidates Vernam conditions)
  37. 37. LFSR example coded in PHP  https://github.com/jpauli/PHP-Crypto **Simple Galois LFSR, degree 7 (127 states m-sequence)** Used register bits for feedback : 7 6 Deducted Feedback function : 1100000 (0X60) Your initial state is : 00000000000000000000001110001100 (908) Let's now start the Linear Feedback Shift Register [Iteration] [-------Internal Register -------] [PRandom bit] | | | v v v 0 - 00000000000000000000001110001100 [ 0 ] 1 - 00000000000000000000000111000110 [ 0 ] 2 - 00000000000000000000000011100011 [ 1 ] 3 - 00000000000000000000000000010001 [ 1 ] 4 - 00000000000000000000000001101000 [ 0 ]
  38. 38. LFSR example coded in PHP for ($i = 0; $i < count(self::POLYNOMIAL_PRIME_COEFF[$this->degree]); $i++) $this->taps[ ] = self::POLYNOMIAL_PRIME_COEFF[$this->degree][$i]; $this->ff |= (1 << self::POLYNOMIAL_PRIME_COEFF[$this->degree][$i]); } /* LFSR always has first and last bit set */ $this->ff |= 1 << ($this->degree); $this->ff |=1; do { $this->iterations++; $this->currentState >>= 1; /* Shift register */ yield $this->iterations => $this->currentState; if ($this->currentState & 1) { $this->currentState ^= $this->ff; /* re-enter */ } } while ($this->currentState != $this->start);
  39. 39. Encryption with a LFSR ?  Pretty easy  Initialize LFSR with the secret key  Encrypt each clear digit with one digit generated from the LFSR using XOR operation  This is called a stream cipher  (bloc ciphers also exist)
  40. 40. Stream Cipher demo  https://github.com/jpauli/PHP-Crypto
  41. 41. Generating a random byte using an LFSR function getRandomByte(LFSR $lfsr) : int { $random = 0; $run = $lfsr->run(); for ($j=0; $j<8; $j++) { $random |= $lfsr->getCurrentBit() << $j; $run->next(); } return $random; }
  42. 42. Ciphering clear data with the random byte function cipher(string $input) : string { $dataSize = strlen($input); $i = 0; $output = ''; $lfsr = new LFSR($this->degree, $this->seed); do { $random = $this->getRandomByte($lfsr); $data = unpack('C', $input[$i]); $output .= pack('C', $outputByte = $data[1] ^ $random); } while (++$i < $dataSize); return $output; } Yeah !
  43. 43. Where are we ?  Vernam based cryptography is inviolable if :  The key is secret  The key size is >= the clear size  The key is random  The key is not reused
  44. 44. Stream ciphers can be secure if  The key is secret  The feedback digits are kept secret  The period is big enough (m-sequence) to never loop  The attacker cannot access the input stream  If the attacker can inject some data into the clear input, a linear equation system can be used to crack the LFSR and deduce the key  This, with only 2n states  "Berlekamp-Massey attack"
  45. 45. Having a good initialisation  Randomness will depend on how the key is used to initialize the LFSR in the stream cipher  The key is used to define the starting state of the LFSR  It can also be used to choose the feedback digits  The key is usually mixed with an initialization vector (IV), which is some piece of random bytes.  Thus, with the same key , the same LFSR will produce different output
  46. 46. Hacking the encryption process  If the LFSR starts looping, its going to produce the same output (repeat itself) and thus doesn't satisfy Vernam conditions anymore  If the attacker can inject some input, he can use Berlekamp- Massey attack to crack the LFSR key and states
  47. 47. How to strengthen the LFSR ?
  48. 48. Strengthen the encryption  Branch several LFSR together : 1 01 10 1101 1 11 00 output
  49. 49. Strengthen the encryption  Having several LFSR working together :  The loop is still linear  Thus can be cracked in polynomial time by injecting some traffic into the input  N-degree linear equation system  We push the time limit, only
  50. 50. Application examples  Well-known LFSR XOR based encryption systems  (And how they've been hacked)
  51. 51. Examples  Content Scrambling System (CSS)  DVD protection mechanism (from 1995)  Cracked in 1999 by hacking the LFSRs  Keys are cracked by injecting some input, watching the output and cracking the polynoms  DECSS is born, and movie piracy with it  Back then, less than 18 seconds were needed to a Pentium 3 @ 450Mhz to hack the LFSRs
  52. 52. CSS
  53. 53. DECSS  CSS keys are secret and distributed by DVDCCA to DVD- reader manufacturers  Keys are stored into the hardware (or soft for PC softwares)  Each device needs a key, this is costly  http://www.dvdcca.org/css.aspx  Hence, free world and Linux were forgotten from DVDCCA  The open/free world answered by cracking CSS  Lawsuits happened  Technical analysis of CSS :  http://www.lemuria.org/DeCSS/crypto.gq.nu/
  54. 54. CSS and VLC  Since, DECSS code is embeded into VLC  In libdvdcss  http://git.videolan.org/?p=libdvdcss.git;a=blob;f=src/css.c;  This code is the algorithm to hack CSS protected DVDs, to read them under Linux  Hacking the LFSRs and the keys  Otherwise the stream is crypted and unreadable
  55. 55.  LFSR cant be cryptographically secure, but we can still push the limits of the time needed to crack it  Time should be > brute force attack  If output is a linear function of the input, then it can be cracked  https://en.wikipedia.org/wiki/Correlation_attack  We need to have the output not being a linear function of the input.  Use a non-linear reentrancy function  NLFSR  Use a non-linear shift Strengthen the encryption
  56. 56. Trivium
  57. 57. Notes about Trivium  3 LFSR  A : 93 digits  B : 84 digits  C : 111 digits  On LFSR input depends on an other's output and one of its own digit  Period 2^64  Some of the output makes use of an AND  AND is a modulo-2 multiplication  Thus cryptanalysis of the output cant crack the LFSR in linear time anymore
  58. 58. Using Trivium  80 digits IV  loaded in the A LFSR left digits  secret key of 80 digits as well  loaded in the B LFSR left digits  All other digits are zeroed.  We shuffle 1152 round times.  Starting from 1153th time : we got our stream
  59. 59. Cracking Trivium  Today, no efficient attack has been discovered  We found algos in 2^68  Thus above brute force (2^64) , thus useless  As of today 2018, Trivium is recommanded by security experts
  60. 60. A5/1
  61. 61. A5/1  A5/1 makes use of 3 LFSR  19 / 22 / 23 digits  Introduces a non-linear shift :  LFSR are shifted only if it is in the MAJ(1,2,3) set
  62. 62. A5/1  A5/1 is used to crypt GSM communications  It took about 10 years, but today A5/1 is broken  In an acceptable time  Under acceptable computing hardware (CPU/Mem)  Often still needs some specific hardware  Some flaws were found in the GSM protocols that weaken A5/1 and allow an attack
  63. 63. RC4  Rivest Cipher 4 don't use LFSR, but still can be used as a pseudo random generator  The big picture of RC4 :  Byte based (unit is byte, not digit)  Works on a 256 bytes payload  Uses many permutations and one XOR only  Huge period, about 10^100  Depending on the key used  Max theoric period is : 2^170000
  64. 64. RC4  We put 256 bytes into an array  We shuffle the array by adding bytes and swapping them  We get one byte from the array at indexes i and j  We shuffle 2 array slots, then i and j
  65. 65. RC4
  66. 66. RC4 , demo in PHP and C  https://github.com/jpauli/PHP-Crypto
  67. 67. RC4 is cracked  As its been massively used since its creation (1987), RC4 has been cracked  Today, it is cracked. Flaws have been discovered  The first bytes leak some informations about the key  KSA (Key Scheduling Algo) is too weak  RC4 doesnt define how to use the IV  So weak usage started to appear (concatenation of IV with the key)  algo has some weaknesses  You can recognize RC4 from a P-random output stream
  68. 68. RC4 in practice  RC4 was used in 802.11 WEP (Wired Equivalent Privacy).  WEP is very weak :  Ability to inject some trafic in input, and watch the output, thus hijacking the internal state of RC4  Control checksum are weak (CRC32 : which is linear)  Reusage of the key (overflow of the stream cipher period)
  69. 69. Conclusions
  70. 70. Memorize  We talked about stream ciphers  There exists block ciphers  DES/AES/BlowFish/RC5  Every cipher uses the only 100% cryptographically secure Vernam one-time pad  A secret key  A key length >= the clear length  A modulo-2 addition (XOR in radix 2)
  71. 71. Memorize  100% cryptographically secure Vernam one-time pad  A secret key  A key length >= the clear length  A modulo-2 addition (XOR in radix 2)  ... is difficult to gather in computer world  We then use compromises : LFSR f.e  From XOR operations, we try to push the limits so far that it goes over brute force time  But cryptanalysers often use high level math tools to try to hack such systems  Daniel J Bernstein should be the most known engineer about cryptanalysis
  72. 72. Crypto using PHP ?  Don't use ext/mcrypt  Old, unmaintained, bugged and unsecure  Don't use mt_*() or rand() for crypto purposes  Use ext/hash if you need to hash  Use ext/sodium if you need to crypt  2018 crypto. secured stream ciphers :  trivium / salsa20 ...  Have a look at the "estream" project  http://www.ecrypt.eu.org/stream/
  73. 73. Thank you for listening !

×