SlideShare a Scribd company logo

«Applied cryptanalysis stream ciphers» by Vladimir Garbuz

Download as PPTX, PDF
0
0xdec0de

This document provides an overview of stream ciphers and their vulnerabilities. It discusses how stream ciphers work by generating a keystream from a key and initialization vector (IV) that is XOR'd with the plaintext. Key reuse is a major vulnerability as it allows an attacker to recover plaintext if they have multiple ciphertexts encrypted with the same key. The document also discusses weaknesses of deterministic pseudorandom number generators and the importance of using cryptographically secure PRNGs and long random IVs to prevent key reuse attacks against stream ciphers. It provides an example of how statistical analysis and differential cryptanalysis can exploit these weaknesses.

Engineering
1 of 34
Applied Cryptanalysis: Stream ciphers Vladimir Garbuz
Intro •Why do I need to learn about Crypto generally? • It’s often used to create Cookies, hidden parameters • To do TLS the right way • For hashes and data integrity checks • Password and sensitive info storage • To have more marketable skills during an interview •To whom is this useful? • Devs, QA, anyone interested in security and crypto •What do I need to understand this? • School math knowledge • Desire to learn
Overview •Symmetric encryption • Stream ciphers • Block ciphers • Modes of operation •Cryptographic hash • Key derivation • Authenticated Encryption, AEAD •Asymmetric encryption •Conclusions and best practices
Symmetric Crypto basics Jean-Phillipe Aumasson
Symmetric Crypto basics •To Encrypt is to take Plaintext, key and convert them into Ciphertext: C = E(P, k) •To Decrypt is to take Ciphertext, key and convert them back into Plaintext: P = D(C, k) •An attacker must, ideally, try (bruteforce) all possible keys – for 256 bit key – 1077 combinations
Symmetric Crypto basics •What’s an attack?
Symmetric Crypto basics •OK, what’s a cryptographic attack? • Anything better than bruteforce •What’s a practical attack? • Any attack an adversary with best technology available can conduct in “reasonable” amount of time • “reasonable” is determined based on how long the plaintext keeps it’s value • Normally, due to exponential nature of cryptanalytic difficulty, attacks are either impossible or very much possible
Symmetric Crypto basics Main cryptanalytic methods, at a glance •Known plaintext •Chosen plaintext (encryption oracles) •Chosen ciphertext (decryption oracles, bit flipping) •Statistical cryptanalysis •Differential cryptanalysis •Side-channel attacks
Symmetric Crypto basics http://www.washingtonpost.com/wp-srv/politics/special/clinton/stories/pizza121998.htm
Symmetric Crypto basics XOR ⊕ Refresher •Basically a bit flipping machine •A ⊕ A = 0
Symmetric Crypto basics XOR ⊕ Refresher 1. A ⊕ A = 0 2. A ⊕ 0 = A 3. A ⊕ B = B ⊕ A (commutativity) 4. A ⊕ ( B ⊕ C ) = ( A ⊕ B) ⊕ C (associativity) 5. Let K ⊕ M = C , then: C ⊕ K = K ⊕ M ⊕ K = K ⊕ K ⊕ M = 0 ⊕ M = M
Stream ciphers •Historic stream cipher example – One-time Pads • Sender and Receiver must have identical Pads • Pads fully filled with random data • Sender computes Message ⊕ Pad and sends result • Receiver does Ciphertext ⊕ Pad to get Message •One-time Pads are mathematically proven to be unbreakable! YAY! VICTORY! Let’s all go home now.
THE END QUESTIONS?
Stream ciphers •Historic stream cipher example – One-time Pads • Sender and Receiver must have identical Pads • Pads fully filled with random data • Sender computes Message ⊕ Pad and sends result • Receiver does Ciphertext ⊕ Pad to get Message •One-time Pads are mathematically proven to be unbreakable! YAY! VICTORY! Let’s all go home now. •Cons? One-time Pads are horribly impractical  • And unbreakable, well… Only as long as Pads’ data is truly random and they are never used twice
Stream ciphers •Modern electronic Stream Ciphers • Were inspired by One-time pads • Have almost all of their problems + some more! • Derive high entropy Key from Passphrase • Generate Keystream via a PRNG algorithm from Key • It’s output is effectively used instead of one-time pads • Employ Initialization Vectors - transmitted in cleartext • They are mixed with the Key to avoid key reuse (pad reuse)
Stream ciphers Basic vulnerabilities: bit flipping •With Steam Ciphers, a flipped bit in the Ciphertext ALWAYS results in a flipped bit in the Plaintext •Having only a Ciphertext, an attacker can make it say ANYTHING when decrypted! • Needs to know the target position in the plaintext • How? E.g. via reverse engineering the app or Crib-dragging •Requires no knowledge of the encryption key •Every stream cipher is vulnerable to it!
Stream ciphers Basic vulnerabilities: bit flipping example •Given: an encrypted cookie with data like …&user=john.doe&admin=0&… •Whose encrypted bytes in binary look like …10010011 11011001 01101000… •A flip of only 1 bit of ciphertext is necessary …10010011 11011000 01101000… •To make the decrypted plaintext say …&user=john.doe&admin=1&…
Stream ciphers Basic vulnerabilities: key reuse What’s so terrible about key (pad) reuse? •So we have 2 plaintexts P1 and P2, and we encrypt them separately under the same Key, IV pair: C1=P1⊕F(Key,IV) C2=P2⊕F(Key,IV) When attacker intercepts them, he can then compute: C1⊕C2=P1⊕P2 •“Oh, please! How bad could that possibly be?..”
Stream ciphers Basic vulnerabilities: key reuse
Stream ciphers Basic vulnerabilities: key reuse •Edge case: if one of the plaintexts, e.g. P1, is known, restoring the other one is trivial C1⊕C2⊕P1 = (P1⊕K)⊕(P2⊕K)⊕P1 = 0⊕P2 = P2 •Edge case: if a portion of Plaintext is known, the Keystream in corresponding position is revealed C = P⊕E(Key,IV)  C⊕P = E(Key,IV) • Now, having the Keystream at some position, we can decrypt data at that position from ALL other ciphertexts • We can also change and re-encrypt any data there
Stream ciphers Basic vulnerabilities: Why does key reuse happen? •No IV is used •Static IV • For example, the encryption key itself • Or a hash of the password – good entropy, still useless •Very short IV • E.g. WEP had a 24 bit IV == 16777216 values • Birthday paradox - in 4096 packets IV is reused with P=0.5 • Birthday paradox??
Stream ciphers Birthday paradox • For what number of people, the chances that two of them share a birthday are 50-50? • 𝑛 ≈ 2𝑚 × 𝑝 𝑛 → 2 × 224 × 0.5 = 212 = 4096
Stream ciphers Basic vulnerabilities: Why does key reuse happen? •Bad IV • Caused by bad random • Specifically, where a PRNG is used instead of CSPRNG • “Oh please, what’s the difference?”
Stream ciphers: random •Popular PRNG named RANDU •Dots as (x,y) and (x,y,z) – all fall in 15 3D planes!
Stream ciphers: random •CSPRNG sequence attractor analysis
Stream ciphers: random •Windows 98 PRNG attractor analysis
Stream ciphers: random Hacking Java’s Random(): predicting the future •Linear Congruential PRNG: seed = (seed * multiplier + addend) mod (2 ^ precision) • Has 48 bits of state, but discloses only 32 at a time e.g. nextInt() • The remaining 16 bits are easily bruteforcible on modern PCs:
Stream ciphers: random Hacking Java’s Random(): peeking into the past • Long story short, one bit at a time we unwind the changes a previous seed would’ve had on the current number • And can do so recursively as far back as we wish
Stream ciphers Case-study •Used a circular XOR cipher • Meaning, “keystream”, the passphrase, was reused • Well, not exactly XOR operation but close enough •With a hardcoded key  • That had barely any entropy •Without an IV •All this made it vulnerable to every kind of attack
Stream ciphers Case-study Differential Cryptanalysis via chosen plaintext attack 1. ‘aaaaa’ user session cookie, first 10 “bytes” : 131!167!208!205!204!194!184!192!164!124!... 2. ‘bbbbb’ user session cookie: 131!167!209!206!205!195!185!192!164!124!... 3. This is basically an “encryption” oracle 4. From this, we can already deduce the “keystream” 5. But it’s revealed clearly if we use ‘0’ for username 6. But what if we couldn’t control the plaintext?..
Stream ciphers Case-study Statistical analysis • Only the end part of cookies changed between sessions • We can already see what’s encrypted here • Now just bruteforce 1 byte for each column • Voila! We have our keystream symbol!
Stream ciphers So, how to do it right? •NEVER be clever and invent your own crypto! •Use well-known Crypto suits, e.g. Bouncy Castle •Never use a vulnerable cipher! E.g., RC4 • Instead, go for ChaCha20 – no known attacks •When you’re asked for an IV, get it from CSPRNG! • And make it LOOOOONG •Never use the Passphrase as the Key! • Instead, google how to use PBKDF2 from RFC 2898
goo.gl/tuKku7
«Applied cryptanalysis stream ciphers» by Vladimir Garbuz

Recommended

Applied cryptanalysis - stream ciphers
Applied cryptanalysis - stream ciphersApplied cryptanalysis - stream ciphers
Applied cryptanalysis - stream ciphers
Vlad Garbuz
 
Applied cryptanalysis - everything else
Applied cryptanalysis - everything elseApplied cryptanalysis - everything else
Applied cryptanalysis - everything else
Vlad Garbuz
 
CNIT 141: 1. Encryption
CNIT 141: 1. EncryptionCNIT 141: 1. Encryption
CNIT 141: 1. Encryption
Sam Bowne
 
CNIT 141: 4. Block Ciphers
CNIT 141: 4. Block CiphersCNIT 141: 4. Block Ciphers
CNIT 141: 4. Block Ciphers
Sam Bowne
 
CNIT 141: 3. Cryptographic Security
CNIT 141: 3. Cryptographic SecurityCNIT 141: 3. Cryptographic Security
CNIT 141: 3. Cryptographic Security
Sam Bowne
 
Pushing a camel through the eye of a needle
Pushing a camel through the eye of a needlePushing a camel through the eye of a needle
Pushing a camel through the eye of a needle
SensePost
 
CNIT 141: 1. Encryption
CNIT 141: 1. EncryptionCNIT 141: 1. Encryption
CNIT 141: 1. Encryption
Sam Bowne
 
CNIT 141: 1. Encryption
CNIT 141: 1. EncryptionCNIT 141: 1. Encryption
CNIT 141: 1. Encryption
Sam Bowne
 

Recommended

Applied cryptanalysis - stream ciphers
Applied cryptanalysis - stream ciphersApplied cryptanalysis - stream ciphers
Applied cryptanalysis - stream ciphers
Vlad Garbuz
 
Applied cryptanalysis - everything else
Applied cryptanalysis - everything elseApplied cryptanalysis - everything else
Applied cryptanalysis - everything else
Vlad Garbuz
 
CNIT 141: 1. Encryption
CNIT 141: 1. EncryptionCNIT 141: 1. Encryption
CNIT 141: 1. Encryption
Sam Bowne
 
CNIT 141: 4. Block Ciphers
CNIT 141: 4. Block CiphersCNIT 141: 4. Block Ciphers
CNIT 141: 4. Block Ciphers
Sam Bowne
 
CNIT 141: 3. Cryptographic Security
CNIT 141: 3. Cryptographic SecurityCNIT 141: 3. Cryptographic Security
CNIT 141: 3. Cryptographic Security
Sam Bowne
 
Pushing a camel through the eye of a needle
Pushing a camel through the eye of a needlePushing a camel through the eye of a needle
Pushing a camel through the eye of a needle
SensePost
 
CNIT 141: 1. Encryption
CNIT 141: 1. EncryptionCNIT 141: 1. Encryption
CNIT 141: 1. Encryption
Sam Bowne
 
CNIT 141: 1. Encryption
CNIT 141: 1. EncryptionCNIT 141: 1. Encryption
CNIT 141: 1. Encryption
Sam Bowne
 
CNIT 141: 10. RSA
CNIT 141: 10. RSACNIT 141: 10. RSA
CNIT 141: 10. RSA
Sam Bowne
 
Jvm memory model
Jvm memory modelJvm memory model
Jvm memory model
Yoav Avrahami
 
CNIT 126: 13: Data Encoding
CNIT 126: 13: Data EncodingCNIT 126: 13: Data Encoding
CNIT 126: 13: Data Encoding
Sam Bowne
 
2. Stream Ciphers
2. Stream Ciphers2. Stream Ciphers
2. Stream Ciphers
Sam Bowne
 
5 stream ciphers
5 stream ciphers5 stream ciphers
5 stream ciphersHarish Sahu
 
CNIT 141 10. RSA
CNIT 141 10. RSACNIT 141 10. RSA
CNIT 141 10. RSA
Sam Bowne
 
Stream ciphers presentation
Stream ciphers presentationStream ciphers presentation
Stream ciphers presentationdegarden
 
Bitcoin Keys, Addresses & Wallets
Bitcoin Keys, Addresses & WalletsBitcoin Keys, Addresses & Wallets
Bitcoin Keys, Addresses & Wallets
Christopher Allen
 
Reinventing anon email
Reinventing anon emailReinventing anon email
Reinventing anon email
antitree
 
Flaying the Blockchain Ledger for Fun, Profit, and Hip Hop
Flaying the Blockchain Ledger for Fun, Profit, and Hip HopFlaying the Blockchain Ledger for Fun, Profit, and Hip Hop
Flaying the Blockchain Ledger for Fun, Profit, and Hip Hop
Andrew Morris
 
Laverna vs etherpad
Laverna vs etherpadLaverna vs etherpad
Laverna vs etherpad
antitree
 
Symmetric encryption
Symmetric encryptionSymmetric encryption
Symmetric encryption
DR RICHMOND ADEBIAYE
 
Introduction to ethereum_public
Introduction to ethereum_publicIntroduction to ethereum_public
Introduction to ethereum_public
antitree
 
Hacking Blind
Hacking BlindHacking Blind
Hacking Blind
NikitaAndhale
 
Shmoocon Epilogue 2013 - Ruining security models with SSH
Shmoocon Epilogue 2013 - Ruining security models with SSHShmoocon Epilogue 2013 - Ruining security models with SSH
Shmoocon Epilogue 2013 - Ruining security models with SSH
Andrew Morris
 
Proof of x
Proof of xProof of x
Proof of x
Mikal Villa
 
NBTC#2 - Why instrumentation is cooler then ice
NBTC#2 - Why instrumentation is cooler then iceNBTC#2 - Why instrumentation is cooler then ice
NBTC#2 - Why instrumentation is cooler then ice
Alexandre Moneger
 
Practical rsa padding oracle attacks
Practical rsa padding oracle attacksPractical rsa padding oracle attacks
Practical rsa padding oracle attacks
Alexandre Moneger
 
DEFCON 23 - Eijah - crypto for hackers
DEFCON 23 - Eijah - crypto for hackersDEFCON 23 - Eijah - crypto for hackers
DEFCON 23 - Eijah - crypto for hackers
Felipe Prado
 
RC4&RC5
RC4&RC5RC4&RC5
RC4&RC5guestff64339
 
IJCER (www.ijceronline.com) International Journal of computational Engineerin...
IJCER (www.ijceronline.com) International Journal of computational Engineerin...IJCER (www.ijceronline.com) International Journal of computational Engineerin...
IJCER (www.ijceronline.com) International Journal of computational Engineerin...ijceronline
 
Secure Hashing Techniques - Introduction
Secure Hashing Techniques - IntroductionSecure Hashing Techniques - Introduction
Secure Hashing Techniques - Introduction
Udhayyagethan Mano
 

More Related Content

What's hot

CNIT 141: 10. RSA
CNIT 141: 10. RSACNIT 141: 10. RSA
CNIT 141: 10. RSA
Sam Bowne
 
Jvm memory model
Jvm memory modelJvm memory model
Jvm memory model
Yoav Avrahami
 
CNIT 126: 13: Data Encoding
CNIT 126: 13: Data EncodingCNIT 126: 13: Data Encoding
CNIT 126: 13: Data Encoding
Sam Bowne
 
2. Stream Ciphers
2. Stream Ciphers2. Stream Ciphers
2. Stream Ciphers
Sam Bowne
 
5 stream ciphers
5 stream ciphers5 stream ciphers
5 stream ciphersHarish Sahu
 
CNIT 141 10. RSA
CNIT 141 10. RSACNIT 141 10. RSA
CNIT 141 10. RSA
Sam Bowne
 
Stream ciphers presentation
Stream ciphers presentationStream ciphers presentation
Stream ciphers presentationdegarden
 
Bitcoin Keys, Addresses & Wallets
Bitcoin Keys, Addresses & WalletsBitcoin Keys, Addresses & Wallets
Bitcoin Keys, Addresses & Wallets
Christopher Allen
 
Reinventing anon email
Reinventing anon emailReinventing anon email
Reinventing anon email
antitree
 
Flaying the Blockchain Ledger for Fun, Profit, and Hip Hop
Flaying the Blockchain Ledger for Fun, Profit, and Hip HopFlaying the Blockchain Ledger for Fun, Profit, and Hip Hop
Flaying the Blockchain Ledger for Fun, Profit, and Hip Hop
Andrew Morris
 
Laverna vs etherpad
Laverna vs etherpadLaverna vs etherpad
Laverna vs etherpad
antitree
 
Symmetric encryption
Symmetric encryptionSymmetric encryption
Symmetric encryption
DR RICHMOND ADEBIAYE
 
Introduction to ethereum_public
Introduction to ethereum_publicIntroduction to ethereum_public
Introduction to ethereum_public
antitree
 
Hacking Blind
Hacking BlindHacking Blind
Hacking Blind
NikitaAndhale
 
Shmoocon Epilogue 2013 - Ruining security models with SSH
Shmoocon Epilogue 2013 - Ruining security models with SSHShmoocon Epilogue 2013 - Ruining security models with SSH
Shmoocon Epilogue 2013 - Ruining security models with SSH
Andrew Morris
 
Proof of x
Proof of xProof of x
Proof of x
Mikal Villa
 
NBTC#2 - Why instrumentation is cooler then ice
NBTC#2 - Why instrumentation is cooler then iceNBTC#2 - Why instrumentation is cooler then ice
NBTC#2 - Why instrumentation is cooler then ice
Alexandre Moneger
 
Practical rsa padding oracle attacks
Practical rsa padding oracle attacksPractical rsa padding oracle attacks
Practical rsa padding oracle attacks
Alexandre Moneger
 
DEFCON 23 - Eijah - crypto for hackers
DEFCON 23 - Eijah - crypto for hackersDEFCON 23 - Eijah - crypto for hackers
DEFCON 23 - Eijah - crypto for hackers
Felipe Prado
 

What's hot (20)

CNIT 141: 10. RSA
CNIT 141: 10. RSACNIT 141: 10. RSA
CNIT 141: 10. RSA
 
Jvm memory model
Jvm memory modelJvm memory model
Jvm memory model
 
CNIT 126: 13: Data Encoding
CNIT 126: 13: Data EncodingCNIT 126: 13: Data Encoding
CNIT 126: 13: Data Encoding
 
2. Stream Ciphers
2. Stream Ciphers2. Stream Ciphers
2. Stream Ciphers
 
5 stream ciphers
5 stream ciphers5 stream ciphers
5 stream ciphers
 
CNIT 141 10. RSA
CNIT 141 10. RSACNIT 141 10. RSA
CNIT 141 10. RSA
 
Stream ciphers presentation
Stream ciphers presentationStream ciphers presentation
Stream ciphers presentation
 
Bitcoin Keys, Addresses & Wallets
Bitcoin Keys, Addresses & WalletsBitcoin Keys, Addresses & Wallets
Bitcoin Keys, Addresses & Wallets
 
Reinventing anon email
Reinventing anon emailReinventing anon email
Reinventing anon email
 
Flaying the Blockchain Ledger for Fun, Profit, and Hip Hop
Flaying the Blockchain Ledger for Fun, Profit, and Hip HopFlaying the Blockchain Ledger for Fun, Profit, and Hip Hop
Flaying the Blockchain Ledger for Fun, Profit, and Hip Hop
 
Laverna vs etherpad
Laverna vs etherpadLaverna vs etherpad
Laverna vs etherpad
 
Symmetric encryption
Symmetric encryptionSymmetric encryption
Symmetric encryption
 
Introduction to ethereum_public
Introduction to ethereum_publicIntroduction to ethereum_public
Introduction to ethereum_public
 
Hacking Blind
Hacking BlindHacking Blind
Hacking Blind
 
Shmoocon Epilogue 2013 - Ruining security models with SSH
Shmoocon Epilogue 2013 - Ruining security models with SSHShmoocon Epilogue 2013 - Ruining security models with SSH
Shmoocon Epilogue 2013 - Ruining security models with SSH
 
Proof of x
Proof of xProof of x
Proof of x
 
NBTC#2 - Why instrumentation is cooler then ice
NBTC#2 - Why instrumentation is cooler then iceNBTC#2 - Why instrumentation is cooler then ice
NBTC#2 - Why instrumentation is cooler then ice
 
Practical rsa padding oracle attacks
Practical rsa padding oracle attacksPractical rsa padding oracle attacks
Practical rsa padding oracle attacks
 
DEFCON 23 - Eijah - crypto for hackers
DEFCON 23 - Eijah - crypto for hackersDEFCON 23 - Eijah - crypto for hackers
DEFCON 23 - Eijah - crypto for hackers
 
RC4&RC5
RC4&RC5RC4&RC5
RC4&RC5
 

Viewers also liked

IJCER (www.ijceronline.com) International Journal of computational Engineerin...
IJCER (www.ijceronline.com) International Journal of computational Engineerin...IJCER (www.ijceronline.com) International Journal of computational Engineerin...
IJCER (www.ijceronline.com) International Journal of computational Engineerin...ijceronline
 
Secure Hashing Techniques - Introduction
Secure Hashing Techniques - IntroductionSecure Hashing Techniques - Introduction
Secure Hashing Techniques - Introduction
Udhayyagethan Mano
 
Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...
Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...
Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...OpenDNS
 
Hash Functions, the MD5 Algorithm and the Future (SHA-3)
Hash Functions, the MD5 Algorithm and the Future (SHA-3)Hash Functions, the MD5 Algorithm and the Future (SHA-3)
Hash Functions, the MD5 Algorithm and the Future (SHA-3)
Dylan Field
 
Hashing Technique In Data Structures
Hashing Technique In Data StructuresHashing Technique In Data Structures
Hashing Technique In Data Structures
SHAKOOR AB
 
32 Ways a Digital Marketing Consultant Can Help Grow Your Business
32 Ways a Digital Marketing Consultant Can Help Grow Your Business32 Ways a Digital Marketing Consultant Can Help Grow Your Business
32 Ways a Digital Marketing Consultant Can Help Grow Your Business
Barry Feldman
 

Viewers also liked (6)

IJCER (www.ijceronline.com) International Journal of computational Engineerin...
IJCER (www.ijceronline.com) International Journal of computational Engineerin...IJCER (www.ijceronline.com) International Journal of computational Engineerin...
IJCER (www.ijceronline.com) International Journal of computational Engineerin...
 
Secure Hashing Techniques - Introduction
Secure Hashing Techniques - IntroductionSecure Hashing Techniques - Introduction
Secure Hashing Techniques - Introduction
 
Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...
Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...
Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...
 
Hash Functions, the MD5 Algorithm and the Future (SHA-3)
Hash Functions, the MD5 Algorithm and the Future (SHA-3)Hash Functions, the MD5 Algorithm and the Future (SHA-3)
Hash Functions, the MD5 Algorithm and the Future (SHA-3)
 
Hashing Technique In Data Structures
Hashing Technique In Data StructuresHashing Technique In Data Structures
Hashing Technique In Data Structures
 
32 Ways a Digital Marketing Consultant Can Help Grow Your Business
32 Ways a Digital Marketing Consultant Can Help Grow Your Business32 Ways a Digital Marketing Consultant Can Help Grow Your Business
32 Ways a Digital Marketing Consultant Can Help Grow Your Business
 

Similar to «Applied cryptanalysis stream ciphers» by Vladimir Garbuz

CNIT 141: 1. Encryption
CNIT 141: 1. EncryptionCNIT 141: 1. Encryption
CNIT 141: 1. Encryption
Sam Bowne
 
Block Ciphers Modes of Operation
Block Ciphers Modes of OperationBlock Ciphers Modes of Operation
Block Ciphers Modes of Operation
Shafaan Khaliq Bhatti
 
Cns 13f-lec03- Classical Encryption Techniques
Cns 13f-lec03- Classical Encryption TechniquesCns 13f-lec03- Classical Encryption Techniques
Cns 13f-lec03- Classical Encryption Techniques
babak danyal
 
Classical Encryption Techniques in Network Security
Classical Encryption Techniques in Network SecurityClassical Encryption Techniques in Network Security
Classical Encryption Techniques in Network Security
babak danyal
 
Cryptography
CryptographyCryptography
Cryptography
Jens Patel
 
Cryptography.ppt
Cryptography.pptCryptography.ppt
Cryptography.ppt
PriyanshuGupta896141
 
Chapter# 3 modified.pptx
Chapter# 3 modified.pptxChapter# 3 modified.pptx
Chapter# 3 modified.pptx
Maryam522887
 
CNIT 125 Ch 4. Security Engineering (Part 2)
CNIT 125 Ch 4. Security Engineering (Part 2)CNIT 125 Ch 4. Security Engineering (Part 2)
CNIT 125 Ch 4. Security Engineering (Part 2)
Sam Bowne
 
overview of cryptographic techniques
overview of cryptographic techniquesoverview of cryptographic techniques
overview of cryptographic techniques
Shubham Jain
 
CISSP Prep: Ch 4. Security Engineering (Part 2)
CISSP Prep: Ch 4. Security Engineering (Part 2)CISSP Prep: Ch 4. Security Engineering (Part 2)
CISSP Prep: Ch 4. Security Engineering (Part 2)
Sam Bowne
 
Blockchain Technology Introduction and Basics
Blockchain Technology Introduction and BasicsBlockchain Technology Introduction and Basics
Blockchain Technology Introduction and Basics
jayasris2023
 
Sullivan randomness-infiltrate 2014
Sullivan randomness-infiltrate 2014Sullivan randomness-infiltrate 2014
Sullivan randomness-infiltrate 2014
Cloudflare
 
4. Block Ciphers
4. Block Ciphers 4. Block Ciphers
4. Block Ciphers
Sam Bowne
 
Modern Cryptography
Modern CryptographyModern Cryptography
Modern Cryptography
James McGivern
 
CRYPTOGRAPHY AND NETWORK SECURITY
CRYPTOGRAPHY AND NETWORK SECURITYCRYPTOGRAPHY AND NETWORK SECURITY
CRYPTOGRAPHY AND NETWORK SECURITY
Kathirvel Ayyaswamy
 
CNIT 126 13: Data Encoding
CNIT 126 13: Data EncodingCNIT 126 13: Data Encoding
CNIT 126 13: Data Encoding
Sam Bowne
 
CNIT 141: 4. Block Ciphers
CNIT 141: 4. Block CiphersCNIT 141: 4. Block Ciphers
CNIT 141: 4. Block Ciphers
Sam Bowne
 
Cryptography & Steganography
Cryptography & SteganographyCryptography & Steganography
Cryptography & Steganography
Animesh Shaw
 
CNIT 141: 4. Block Ciphers
CNIT 141: 4. Block CiphersCNIT 141: 4. Block Ciphers
CNIT 141: 4. Block Ciphers
Sam Bowne
 
cryptography.ppt
cryptography.pptcryptography.ppt
cryptography.ppt
AkshayaPriyaJanartha
 

Similar to «Applied cryptanalysis stream ciphers» by Vladimir Garbuz (20)

CNIT 141: 1. Encryption
CNIT 141: 1. EncryptionCNIT 141: 1. Encryption
CNIT 141: 1. Encryption
 
Block Ciphers Modes of Operation
Block Ciphers Modes of OperationBlock Ciphers Modes of Operation
Block Ciphers Modes of Operation
 
Cns 13f-lec03- Classical Encryption Techniques
Cns 13f-lec03- Classical Encryption TechniquesCns 13f-lec03- Classical Encryption Techniques
Cns 13f-lec03- Classical Encryption Techniques
 
Classical Encryption Techniques in Network Security
Classical Encryption Techniques in Network SecurityClassical Encryption Techniques in Network Security
Classical Encryption Techniques in Network Security
 
Cryptography
CryptographyCryptography
Cryptography
 
Cryptography.ppt
Cryptography.pptCryptography.ppt
Cryptography.ppt
 
Chapter# 3 modified.pptx
Chapter# 3 modified.pptxChapter# 3 modified.pptx
Chapter# 3 modified.pptx
 
CNIT 125 Ch 4. Security Engineering (Part 2)
CNIT 125 Ch 4. Security Engineering (Part 2)CNIT 125 Ch 4. Security Engineering (Part 2)
CNIT 125 Ch 4. Security Engineering (Part 2)
 
overview of cryptographic techniques
overview of cryptographic techniquesoverview of cryptographic techniques
overview of cryptographic techniques
 
CISSP Prep: Ch 4. Security Engineering (Part 2)
CISSP Prep: Ch 4. Security Engineering (Part 2)CISSP Prep: Ch 4. Security Engineering (Part 2)
CISSP Prep: Ch 4. Security Engineering (Part 2)
 
Blockchain Technology Introduction and Basics
Blockchain Technology Introduction and BasicsBlockchain Technology Introduction and Basics
Blockchain Technology Introduction and Basics
 
Sullivan randomness-infiltrate 2014
Sullivan randomness-infiltrate 2014Sullivan randomness-infiltrate 2014
Sullivan randomness-infiltrate 2014
 
4. Block Ciphers
4. Block Ciphers 4. Block Ciphers
4. Block Ciphers
 
Modern Cryptography
Modern CryptographyModern Cryptography
Modern Cryptography
 
CRYPTOGRAPHY AND NETWORK SECURITY
CRYPTOGRAPHY AND NETWORK SECURITYCRYPTOGRAPHY AND NETWORK SECURITY
CRYPTOGRAPHY AND NETWORK SECURITY
 
CNIT 126 13: Data Encoding
CNIT 126 13: Data EncodingCNIT 126 13: Data Encoding
CNIT 126 13: Data Encoding
 
CNIT 141: 4. Block Ciphers
CNIT 141: 4. Block CiphersCNIT 141: 4. Block Ciphers
CNIT 141: 4. Block Ciphers
 
Cryptography & Steganography
Cryptography & SteganographyCryptography & Steganography
Cryptography & Steganography
 
CNIT 141: 4. Block Ciphers
CNIT 141: 4. Block CiphersCNIT 141: 4. Block Ciphers
CNIT 141: 4. Block Ciphers
 
cryptography.ppt
cryptography.pptcryptography.ppt
cryptography.ppt
 

Recently uploaded

block diagram and signal flow graph representation
block diagram and signal flow graph representationblock diagram and signal flow graph representation
block diagram and signal flow graph representation
Divya Somashekar
 
road safety engineering r s e unit 3.pdf
road safety engineering r s e unit 3.pdfroad safety engineering r s e unit 3.pdf
road safety engineering r s e unit 3.pdf
VENKATESHvenky89705
 
MCQ Soil mechanics questions (Soil shear strength).pdf
MCQ Soil mechanics questions (Soil shear strength).pdfMCQ Soil mechanics questions (Soil shear strength).pdf
MCQ Soil mechanics questions (Soil shear strength).pdf
Osamah Alsalih
 
Planning Of Procurement o different goods and services
Planning Of Procurement o different goods and servicesPlanning Of Procurement o different goods and services
Planning Of Procurement o different goods and services
JoytuBarua2
 
ethical hacking in wireless-hacking1.ppt
ethical hacking in wireless-hacking1.pptethical hacking in wireless-hacking1.ppt
ethical hacking in wireless-hacking1.ppt
Jayaprasanna4
 
AKS UNIVERSITY Satna Final Year Project By OM Hardaha.pdf
AKS UNIVERSITY Satna Final Year Project By OM Hardaha.pdfAKS UNIVERSITY Satna Final Year Project By OM Hardaha.pdf
AKS UNIVERSITY Satna Final Year Project By OM Hardaha.pdf
SamSarthak3
 
WATER CRISIS and its solutions-pptx 1234
WATER CRISIS and its solutions-pptx 1234WATER CRISIS and its solutions-pptx 1234
WATER CRISIS and its solutions-pptx 1234
AafreenAbuthahir2
 
Event Management System Vb Net Project Report.pdf
Event Management System Vb Net Project Report.pdfEvent Management System Vb Net Project Report.pdf
Event Management System Vb Net Project Report.pdf
Kamal Acharya
 
Forklift Classes Overview by Intella Parts
Forklift Classes Overview by Intella PartsForklift Classes Overview by Intella Parts
Forklift Classes Overview by Intella Parts
Intella Parts
 
Pile Foundation by Venkatesh Taduvai (Sub Geotechnical Engineering II)-conver...
Pile Foundation by Venkatesh Taduvai (Sub Geotechnical Engineering II)-conver...Pile Foundation by Venkatesh Taduvai (Sub Geotechnical Engineering II)-conver...
Pile Foundation by Venkatesh Taduvai (Sub Geotechnical Engineering II)-conver...
AJAYKUMARPUND1
 
Gen AI Study Jams _ For the GDSC Leads in India.pdf
Gen AI Study Jams _ For the GDSC Leads in India.pdfGen AI Study Jams _ For the GDSC Leads in India.pdf
Gen AI Study Jams _ For the GDSC Leads in India.pdf
gdsczhcet
 
Industrial Training at Shahjalal Fertilizer Company Limited (SFCL)
Industrial Training at Shahjalal Fertilizer Company Limited (SFCL)Industrial Training at Shahjalal Fertilizer Company Limited (SFCL)
Industrial Training at Shahjalal Fertilizer Company Limited (SFCL)
MdTanvirMahtab2
 
LIGA(E)11111111111111111111111111111111111111111.ppt
LIGA(E)11111111111111111111111111111111111111111.pptLIGA(E)11111111111111111111111111111111111111111.ppt
LIGA(E)11111111111111111111111111111111111111111.ppt
ssuser9bd3ba
 
COLLEGE BUS MANAGEMENT SYSTEM PROJECT REPORT.pdf
COLLEGE BUS MANAGEMENT SYSTEM PROJECT REPORT.pdfCOLLEGE BUS MANAGEMENT SYSTEM PROJECT REPORT.pdf
COLLEGE BUS MANAGEMENT SYSTEM PROJECT REPORT.pdf
Kamal Acharya
 
Nuclear Power Economics and Structuring 2024
Nuclear Power Economics and Structuring 2024Nuclear Power Economics and Structuring 2024
Nuclear Power Economics and Structuring 2024
Massimo Talia
 
Student information management system project report ii.pdf
Student information management system project report ii.pdfStudent information management system project report ii.pdf
Student information management system project report ii.pdf
Kamal Acharya
 
Standard Reomte Control Interface - Neometrix
Standard Reomte Control Interface - NeometrixStandard Reomte Control Interface - Neometrix
Standard Reomte Control Interface - Neometrix
Neometrix_Engineering_Pvt_Ltd
 
weather web application report.pdf
weather web application report.pdfweather web application report.pdf
weather web application report.pdf
Pratik Pawar
 
The Benefits and Techniques of Trenchless Pipe Repair.pdf
The Benefits and Techniques of Trenchless Pipe Repair.pdfThe Benefits and Techniques of Trenchless Pipe Repair.pdf
The Benefits and Techniques of Trenchless Pipe Repair.pdf
Pipe Restoration Solutions
 
TECHNICAL TRAINING MANUAL GENERAL FAMILIARIZATION COURSE
TECHNICAL TRAINING MANUAL GENERAL FAMILIARIZATION COURSETECHNICAL TRAINING MANUAL GENERAL FAMILIARIZATION COURSE
TECHNICAL TRAINING MANUAL GENERAL FAMILIARIZATION COURSE
DuvanRamosGarzon1
 

Recently uploaded (20)

block diagram and signal flow graph representation
block diagram and signal flow graph representationblock diagram and signal flow graph representation
block diagram and signal flow graph representation
 
road safety engineering r s e unit 3.pdf
road safety engineering r s e unit 3.pdfroad safety engineering r s e unit 3.pdf
road safety engineering r s e unit 3.pdf
 
MCQ Soil mechanics questions (Soil shear strength).pdf
MCQ Soil mechanics questions (Soil shear strength).pdfMCQ Soil mechanics questions (Soil shear strength).pdf
MCQ Soil mechanics questions (Soil shear strength).pdf
 
Planning Of Procurement o different goods and services
Planning Of Procurement o different goods and servicesPlanning Of Procurement o different goods and services
Planning Of Procurement o different goods and services
 
ethical hacking in wireless-hacking1.ppt
ethical hacking in wireless-hacking1.pptethical hacking in wireless-hacking1.ppt
ethical hacking in wireless-hacking1.ppt
 
AKS UNIVERSITY Satna Final Year Project By OM Hardaha.pdf
AKS UNIVERSITY Satna Final Year Project By OM Hardaha.pdfAKS UNIVERSITY Satna Final Year Project By OM Hardaha.pdf
AKS UNIVERSITY Satna Final Year Project By OM Hardaha.pdf
 
WATER CRISIS and its solutions-pptx 1234
WATER CRISIS and its solutions-pptx 1234WATER CRISIS and its solutions-pptx 1234
WATER CRISIS and its solutions-pptx 1234
 
Event Management System Vb Net Project Report.pdf
Event Management System Vb Net Project Report.pdfEvent Management System Vb Net Project Report.pdf
Event Management System Vb Net Project Report.pdf
 
Forklift Classes Overview by Intella Parts
Forklift Classes Overview by Intella PartsForklift Classes Overview by Intella Parts
Forklift Classes Overview by Intella Parts
 
Pile Foundation by Venkatesh Taduvai (Sub Geotechnical Engineering II)-conver...
Pile Foundation by Venkatesh Taduvai (Sub Geotechnical Engineering II)-conver...Pile Foundation by Venkatesh Taduvai (Sub Geotechnical Engineering II)-conver...
Pile Foundation by Venkatesh Taduvai (Sub Geotechnical Engineering II)-conver...
 
Gen AI Study Jams _ For the GDSC Leads in India.pdf
Gen AI Study Jams _ For the GDSC Leads in India.pdfGen AI Study Jams _ For the GDSC Leads in India.pdf
Gen AI Study Jams _ For the GDSC Leads in India.pdf
 
Industrial Training at Shahjalal Fertilizer Company Limited (SFCL)
Industrial Training at Shahjalal Fertilizer Company Limited (SFCL)Industrial Training at Shahjalal Fertilizer Company Limited (SFCL)
Industrial Training at Shahjalal Fertilizer Company Limited (SFCL)
 
LIGA(E)11111111111111111111111111111111111111111.ppt
LIGA(E)11111111111111111111111111111111111111111.pptLIGA(E)11111111111111111111111111111111111111111.ppt
LIGA(E)11111111111111111111111111111111111111111.ppt
 
COLLEGE BUS MANAGEMENT SYSTEM PROJECT REPORT.pdf
COLLEGE BUS MANAGEMENT SYSTEM PROJECT REPORT.pdfCOLLEGE BUS MANAGEMENT SYSTEM PROJECT REPORT.pdf
COLLEGE BUS MANAGEMENT SYSTEM PROJECT REPORT.pdf
 
Nuclear Power Economics and Structuring 2024
Nuclear Power Economics and Structuring 2024Nuclear Power Economics and Structuring 2024
Nuclear Power Economics and Structuring 2024
 
Student information management system project report ii.pdf
Student information management system project report ii.pdfStudent information management system project report ii.pdf
Student information management system project report ii.pdf
 
Standard Reomte Control Interface - Neometrix
Standard Reomte Control Interface - NeometrixStandard Reomte Control Interface - Neometrix
Standard Reomte Control Interface - Neometrix
 
weather web application report.pdf
weather web application report.pdfweather web application report.pdf
weather web application report.pdf
 
The Benefits and Techniques of Trenchless Pipe Repair.pdf
The Benefits and Techniques of Trenchless Pipe Repair.pdfThe Benefits and Techniques of Trenchless Pipe Repair.pdf
The Benefits and Techniques of Trenchless Pipe Repair.pdf
 
TECHNICAL TRAINING MANUAL GENERAL FAMILIARIZATION COURSE
TECHNICAL TRAINING MANUAL GENERAL FAMILIARIZATION COURSETECHNICAL TRAINING MANUAL GENERAL FAMILIARIZATION COURSE
TECHNICAL TRAINING MANUAL GENERAL FAMILIARIZATION COURSE
 

«Applied cryptanalysis stream ciphers» by Vladimir Garbuz

  • 2. Intro •Why do I need to learn about Crypto generally? • It’s often used to create Cookies, hidden parameters • To do TLS the right way • For hashes and data integrity checks • Password and sensitive info storage • To have more marketable skills during an interview •To whom is this useful? • Devs, QA, anyone interested in security and crypto •What do I need to understand this? • School math knowledge • Desire to learn
  • 3. Overview •Symmetric encryption • Stream ciphers • Block ciphers • Modes of operation •Cryptographic hash • Key derivation • Authenticated Encryption, AEAD •Asymmetric encryption •Conclusions and best practices
  • 5. Symmetric Crypto basics •To Encrypt is to take Plaintext, key and convert them into Ciphertext: C = E(P, k) •To Decrypt is to take Ciphertext, key and convert them back into Plaintext: P = D(C, k) •An attacker must, ideally, try (bruteforce) all possible keys – for 256 bit key – 1077 combinations
  • 7. Symmetric Crypto basics •OK, what’s a cryptographic attack? • Anything better than bruteforce •What’s a practical attack? • Any attack an adversary with best technology available can conduct in “reasonable” amount of time • “reasonable” is determined based on how long the plaintext keeps it’s value • Normally, due to exponential nature of cryptanalytic difficulty, attacks are either impossible or very much possible
  • 8. Symmetric Crypto basics Main cryptanalytic methods, at a glance •Known plaintext •Chosen plaintext (encryption oracles) •Chosen ciphertext (decryption oracles, bit flipping) •Statistical cryptanalysis •Differential cryptanalysis •Side-channel attacks
  • 10. Symmetric Crypto basics XOR ⊕ Refresher •Basically a bit flipping machine •A ⊕ A = 0
  • 11. Symmetric Crypto basics XOR ⊕ Refresher 1. A ⊕ A = 0 2. A ⊕ 0 = A 3. A ⊕ B = B ⊕ A (commutativity) 4. A ⊕ ( B ⊕ C ) = ( A ⊕ B) ⊕ C (associativity) 5. Let K ⊕ M = C , then: C ⊕ K = K ⊕ M ⊕ K = K ⊕ K ⊕ M = 0 ⊕ M = M
  • 12. Stream ciphers •Historic stream cipher example – One-time Pads • Sender and Receiver must have identical Pads • Pads fully filled with random data • Sender computes Message ⊕ Pad and sends result • Receiver does Ciphertext ⊕ Pad to get Message •One-time Pads are mathematically proven to be unbreakable! YAY! VICTORY! Let’s all go home now.
  • 14. Stream ciphers •Historic stream cipher example – One-time Pads • Sender and Receiver must have identical Pads • Pads fully filled with random data • Sender computes Message ⊕ Pad and sends result • Receiver does Ciphertext ⊕ Pad to get Message •One-time Pads are mathematically proven to be unbreakable! YAY! VICTORY! Let’s all go home now. •Cons? One-time Pads are horribly impractical  • And unbreakable, well… Only as long as Pads’ data is truly random and they are never used twice
  • 15. Stream ciphers •Modern electronic Stream Ciphers • Were inspired by One-time pads • Have almost all of their problems + some more! • Derive high entropy Key from Passphrase • Generate Keystream via a PRNG algorithm from Key • It’s output is effectively used instead of one-time pads • Employ Initialization Vectors - transmitted in cleartext • They are mixed with the Key to avoid key reuse (pad reuse)
  • 16. Stream ciphers Basic vulnerabilities: bit flipping •With Steam Ciphers, a flipped bit in the Ciphertext ALWAYS results in a flipped bit in the Plaintext •Having only a Ciphertext, an attacker can make it say ANYTHING when decrypted! • Needs to know the target position in the plaintext • How? E.g. via reverse engineering the app or Crib-dragging •Requires no knowledge of the encryption key •Every stream cipher is vulnerable to it!
  • 17. Stream ciphers Basic vulnerabilities: bit flipping example •Given: an encrypted cookie with data like …&user=john.doe&admin=0&… •Whose encrypted bytes in binary look like …10010011 11011001 01101000… •A flip of only 1 bit of ciphertext is necessary …10010011 11011000 01101000… •To make the decrypted plaintext say …&user=john.doe&admin=1&…
  • 18. Stream ciphers Basic vulnerabilities: key reuse What’s so terrible about key (pad) reuse? •So we have 2 plaintexts P1 and P2, and we encrypt them separately under the same Key, IV pair: C1=P1⊕F(Key,IV) C2=P2⊕F(Key,IV) When attacker intercepts them, he can then compute: C1⊕C2=P1⊕P2 •“Oh, please! How bad could that possibly be?..”
  • 20. Stream ciphers Basic vulnerabilities: key reuse •Edge case: if one of the plaintexts, e.g. P1, is known, restoring the other one is trivial C1⊕C2⊕P1 = (P1⊕K)⊕(P2⊕K)⊕P1 = 0⊕P2 = P2 •Edge case: if a portion of Plaintext is known, the Keystream in corresponding position is revealed C = P⊕E(Key,IV)  C⊕P = E(Key,IV) • Now, having the Keystream at some position, we can decrypt data at that position from ALL other ciphertexts • We can also change and re-encrypt any data there
  • 21. Stream ciphers Basic vulnerabilities: Why does key reuse happen? •No IV is used •Static IV • For example, the encryption key itself • Or a hash of the password – good entropy, still useless •Very short IV • E.g. WEP had a 24 bit IV == 16777216 values • Birthday paradox - in 4096 packets IV is reused with P=0.5 • Birthday paradox??
  • 22. Stream ciphers Birthday paradox • For what number of people, the chances that two of them share a birthday are 50-50? • 𝑛 ≈ 2𝑚 × 𝑝 𝑛 → 2 × 224 × 0.5 = 212 = 4096
  • 23. Stream ciphers Basic vulnerabilities: Why does key reuse happen? •Bad IV • Caused by bad random • Specifically, where a PRNG is used instead of CSPRNG • “Oh please, what’s the difference?”
  • 24. Stream ciphers: random •Popular PRNG named RANDU •Dots as (x,y) and (x,y,z) – all fall in 15 3D planes!
  • 25. Stream ciphers: random •CSPRNG sequence attractor analysis
  • 26. Stream ciphers: random •Windows 98 PRNG attractor analysis
  • 27. Stream ciphers: random Hacking Java’s Random(): predicting the future •Linear Congruential PRNG: seed = (seed * multiplier + addend) mod (2 ^ precision) • Has 48 bits of state, but discloses only 32 at a time e.g. nextInt() • The remaining 16 bits are easily bruteforcible on modern PCs:
  • 28. Stream ciphers: random Hacking Java’s Random(): peeking into the past • Long story short, one bit at a time we unwind the changes a previous seed would’ve had on the current number • And can do so recursively as far back as we wish
  • 29. Stream ciphers Case-study •Used a circular XOR cipher • Meaning, “keystream”, the passphrase, was reused • Well, not exactly XOR operation but close enough •With a hardcoded key  • That had barely any entropy •Without an IV •All this made it vulnerable to every kind of attack
  • 30. Stream ciphers Case-study Differential Cryptanalysis via chosen plaintext attack 1. ‘aaaaa’ user session cookie, first 10 “bytes” : 131!167!208!205!204!194!184!192!164!124!... 2. ‘bbbbb’ user session cookie: 131!167!209!206!205!195!185!192!164!124!... 3. This is basically an “encryption” oracle 4. From this, we can already deduce the “keystream” 5. But it’s revealed clearly if we use ‘0’ for username 6. But what if we couldn’t control the plaintext?..
  • 31. Stream ciphers Case-study Statistical analysis • Only the end part of cookies changed between sessions • We can already see what’s encrypted here • Now just bruteforce 1 byte for each column • Voila! We have our keystream symbol!
  • 32. Stream ciphers So, how to do it right? •NEVER be clever and invent your own crypto! •Use well-known Crypto suits, e.g. Bouncy Castle •Never use a vulnerable cipher! E.g., RC4 • Instead, go for ChaCha20 – no known attacks •When you’re asked for an IV, get it from CSPRNG! • And make it LOOOOONG •Never use the Passphrase as the Key! • Instead, google how to use PBKDF2 from RFC 2898