RC4
RC4
What is RC4
RC4 designed in 1987 by RSA (Ron Rivest, Adi Shamir, and Leonard Adleman) .
A symmetric key encryption algorithm . Stream Cipher .
A symmetric key encryption algorithm Symmetric-key algorithms are a class
of algorithms for cryptography that use trivially related, often identical, cryptographic keys for both decryption and encryption.
Types of symmetric-key algorithms1- stream ciphers
2- block ciphers
Stream Cipher
While block ciphers operate on large blocks of data, stream ciphers typically operate on smaller units of plaintext, usually bits or bytes .
A stream cipher generates what is called a key stream (a sequence of bits used as a key).
Encryption is accomplished by combining the key stream with the plaintext, usually with the bitwise XOR operation .
11001100 plaintext 01101100 key
stream 10100000 Cipher
text
RC4 Block Diagram
How does it work ?
1. Initialize an array of 256 bytes.2. Run the Key Scheduling Algorithm
(KSA) on them.3. Run the Pseudo-Random Generation
Algorithm (PRGA) on the (KSA) output to generate Key stream.
4. XOR the data with a key stream.
Initialization of array
[S] .. To begin, the entries of S are set equal to the values from 0 through 255 in ascending order; that is; S[0] = 0, S[1] = 1,..., S[255] = 255.
[T] .. A temporary vector, T, is also created.
[K] .. Array of bytes of Secret Key. [key len] .. Length of (K)
for i = 0 to 255 do S[i] = i; T[i] = K[i mod keylen];
for i = 0 to 255 do S[i] = i; T[i] = K[i mod keylen];
Key Scheduling Algorithm
Next we use T to produce the initial permutation of (S)
Because the only operation on S is a swap, the only effect is a permutation. S still contains all the numbers from 0 through 255.
j = 0; for i = 0 to 255
do j = (j + S[i] + T[i]) mod
256;Swap (S[i], S[j]);
j = 0; for i = 0 to 255
do j = (j + S[i] + T[i]) mod
256;Swap (S[i], S[j]);
Pseudo-Random Generation Algorithm Once the S vector is initialized, the input
key is no longer used.
i, j = 0; for (int x = 0; x < byteLen; x++)
doi = (i + 1) mod 256; j = (j + S[i]) mod 256; Swap (S[i], S[j]); t = (S[i] + S[j]) mod 256; k = S[t];
i, j = 0; for (int x = 0; x < byteLen; x++)
doi = (i + 1) mod 256; j = (j + S[i]) mod 256; Swap (S[i], S[j]); t = (S[i] + S[j]) mod 256; k = S[t];
Pseudo-Random Generation Algorithm
RC4
Security of RC4
Bit-flipping attack Roos' Biases and Key
Reconstruction from Permutation Biased Outputs of the RC4 Fluhrer, Mantin and Shamir attack Klein's Attack Combinatorial problem
Bit-flipping attack
A bit-flipping attack is an attack on a cryptographic cipher in which the attacker can change the ciphertext in such a way as to result in a predictable change of the plaintext, although the attacker is not able to learn the plaintext itself. Note that this type of attack is not—directly—against the cipher itself (as cryptanalysis of it would be), but against a particular message or series of messages. In the extreme, this could become a Denial of service attack against all messages on a particular channel using that cipher.
The attack is especially dangerous when the attacker knows the format of the message. In such a situation, the attacker can turn it into a similar message but one in which some important information is altered. For example, a change in the destination address might alter the message route in a way that will force re-encryption with a weaker cipher, thus possibly making it easier for an attacker to decipher the message.
When applied to digital signatures, the attacker might be able to change a promissory note stating "I owe you $10.00" into one stating "I owe you $10000".
Roos' Biases and Key Reconstruction from Permutation In 1995, Andrew Roos experimentally observed that the first
byte of the keystream is correlated to the first three bytes of the key and the first few bytes of the permutation after the KSA are correlated to some linear combination of the key bytes. These biases remained unproved until 2007, when Paul, Rathi and Maitra proved the keystream-key correlation and Paul and Maitra proved the permutation-key correlations. The latter work also used Roos' permutation-key correlations to design the first algorithm for complete key reconstruction from the final permutation after the KSA, without any assumption on the key or IV. This algorithm has a constant probability of success in a time which is the square root of the exhaustive key search complexity. Subsequently, many other works have been done on key reconstruction from RC4 internal states. In another work, Maitra and Paulshowed that the Roos type biases still persist even when one considers nested permutation indices, like S[S[i]] or S[S[S[i]]]. These types of biases are used in some of the later key reconstruction methods for increasing the success probability.
Biased Outputs of the RC4 The keystream generated by the RC4 is
biased in varying degrees towards certain sequences. The best such attack is due to Itsik Mantin and Adi Shamir who showed that the second output byte of the cipher was biased toward zero with probability 1/128 (instead of 1/256). This is due to the fact that if the third byte of the original state is zero, and the second byte is not equal to 2, then the second output byte is always zero. Such bias can be detected by observing only 256 bytes
Fluhrer, Mantin and Shamir attack In 2001, a new and surprising discovery was
made by Fluhrer, Mantin and Shamir: over all possible RC4 keys, the statistics for the first few bytes of output key stream are strongly non-random, leaking information about the key. If the long-term key and nonce are simply concatenated to generate the RC4 key, this long-term key can be discovered by analyzing a large number of messages encrypted with this key. This and related effects were then used to break the WEP ("wired equivalent privacy") encryption used with 802.11 wireless networks. This caused a scramble for a standards-based replacement for WEP in the 802.11 market, and led to the IEEE 802.11i effort and WPA.
Klein's Attack
In 2005, Andreas Klein presented an analysis of the RC4 stream cipher showing more correlations between the RC4 keystream and the key.Erik Tews, Ralf-Philipp Weinmann, and Andrei Pychkine used this analysis to create aircrack-ptw, a tool which cracks 104-bit RC4 used in 128-bit WEP in under a minute Whereas the Fluhrer, Mantin, and Shamir attack used around 10 million messages, aircrack-ptw can break 104-bit keys in 40,000 frames with 50% probability, or in 85,000 frames with 95% probability
Combinatorial problem
A combinatorial problem related to the number of inputs and outputs of the RC4 cipher was first posed by Itsik Mantin and Adi Shamir in 2001, whereby, of the total 256 elements in the typical state of RC4, if x number of elements (x ≤ 256) are only known (all other elements can be assumed empty), then the maximum number of elements that can be produced deterministically is also x in the next 256 rounds. This conjecture was put to rest in 2004 with a formal proof given by Souradyuti Paul and Bart Preneel.
RC4-based cryptosystems
WEP WPA (default algorithm, but can be
configured to use AES-CCMP instead of RC4) Bit Torrent protocol encryption Microsoft Point-to-Point Encryption Secure Sockets Layer (optionally) Secure shell (optionally) Remote Desktop Protocol Kerberos (optionally) SASL Mechanism Digest-MD5 (optionally)
RC5
Outline
Introduction (Feistel Networks) What is RC5 Parameterization Algorithm The security of RC5 Conclusion
If you don’t know where to go all roads will get you there.
Introduction (Feistel Networks)
Feistel Network
block cipher is a symmetric key cipher operating on fixed-length groups of bits, called blocks.
One of the most structures used in construction block ciphers is Feistel Network Structure
Feistel Network
Feistel networks were first seen commercially in IBM's Lucifer cipher, designed by Horst Feistel and Don Coppersmith.
Feistel networks gained respectability when the U.S. Federal Government adopted the DES (a cipher based on Lucifer, with some changes NSA).
RC5 is like a Feistel Network structure.
Feistel Network - Construction Details
Recap
Introduction (Feistel Networks) What is RC5 Parameterization Algorithm The security of RC5 Conclustion
What is RC5
What is RC5
RC5 is a block cipher notable for its simplicity. Designed by Ronald Rivest in 1994.
RC stands for "Rivest Cipher", or alternatively, "Ron's Code.
Rivest announced also RC2 and RC4 and now there is RC6 which is The Advanced Encryption Standard (AES) candidate (RC6 was based on RC5).
Features
Symmetric block cipher (Like Feistel Network Structure) the same secret cryptographic key is used
for encryption and decryption Suitable for hardware and software
It uses only computational primitive operations commonly found on typical microprocessors
Fast Cause it uses Word-Oriented operations
Features count.
Adaptable to processors of different word lengths For example with 64 bit processor RC5 can exploit
their longer work length Therefore the number w of bits in a word is a
parameter of RC5, different choices of this parameter results different algorithms.
Variable number of rounds The user can explicitly manipulate the trade-off
between higher speed and higher security. So the number of rounds i is a second parameter of
RC5
Features count.
Variable length cryptographic key The user can choose the level of security
appropriate for his application the key length b in bytes is thus a third parameter of RC5
Simple It is simple to implement, This simplicity makes it
more interesting to analyze and evaluate, so that the cryptographic strength can be more rapidly determined
Low memory requirements So it is easily implemented on devices with
restricted memory
Features count.
Data-dependent rotations RC5 highlight the use of data-dependent
rotations and encourage the assessment of the cryptographic strength data-dependent can provide
Features - Highlight
Data-dependent rotations Variable block size Variable number of rounds Variable key size
Recap
Introduction (Feistel Networks) What is RC5 Parameterization Algorithm The security of RC5 Conclusion
Parameterization
Parameterization
Parameterization count.
RC5 algorithm example: RC5-32/16/7 similar to DES Two 32-bit word inputs and outputs 16 rounds 7-byte(56-bit) secret key
Choices for w and r speed vs. security
Choosing larger number of rounds provides an increased level of security
Dropped parameters
RC5 Dropped parameters The default is 32/12/ 7 for 32 bit words The default is 64/16/7 for 64 bit words So if any parameter is dropped use the
corresponding default parameter Examples
RC5-32 Means32/12/7
RC5-32, 9 Means 32/9/ 7 RC5-64 Means
64/16/7
Notations and Primitive operations
Recap
Introduction (Feistel Networks) What is RC5 Parameterization Algorithm The security of RC5 Conclusion
Algorithm
Algorithm
The are three components of RC5 Key expansion algorithm Encryption algorithm Decryption algorithm
Key ExpansionAlgorithm
DecryptionAlgorithm
EncryptionAlgorithm
Plaintext
Ciphertext
Plaintext
Ciphertext
Expanded Key SSecret Key K
Encryption
Encryption
A = A + S[0];B = B + S[1];
for i = 1 to r do A = ((A ⊕ B) <<< B) + S[2*i]; B = ((B ⊕ A) <<< A) + S[2*i + 1];
A <<< B Bits in A are rotated to left by the amount specified by lower log2(w) bits in B
Decryption
Decryption
for i = r downto 1 do
B = ((B - S[2*i +1]) >>> A) ⊕ A; A = ((A - S[2*i]) >>> B) ⊕ B;
B = B - S[1];
A = A - S[0];
A >>> B Bits in A are rotated to right by the amount specified by lower log2(w) bits in B
Encryption and Decryption
Key Expansion
RC5 performs some operations on the secret key to generate a total of t sub keys, which are stored in S array, S[0],S[1], …, S[t-1]
The key expansion algorithm consists of two constants (Magic numbers) and three simple algorithm parts Step-1: Convert secret key bytes to words Step-2: Initialize sub key array S (S[0], S[1], …,
S[t-1]) Step-3: Mix the secret key into sub key array S
RC5
Key Expansion
The magic constants
In key expansion, magic constants are used Pw = Odd((e - 2)2w); e=2.718281828….
(base of natural logarithms) Qw = Odd(( - 1)2w); =1.618033988….
(golden ratio = (1+sqr(5))/2) Odd(x): odd integer nearest to x
Examplew 16 32 64Pw B7E1 B7E15163 B7E151628AED2A6BQw 9E37 9E3779B9 9E3779B97F4A7C15
Step-1: Convert secret key bytes to words
Copy the Key into new array L of Words with size equal c Any unfilled byte positions of L are zeroedIn case b = c = 0 we reset c =1 and set L[0] = 0
Step-2: Initialize sub key array S create an expanded key table, S[0...t-1]
has t entries, t = 2(r + 1) w-bit words Initialize array S
S[0] = Pw;
for i = 1 to t - 1 doS[i] = S[i - 1] + Qw;
Step-3: Mix the secret key into sub key array S
Mix the secret key into table, Si = j = 0; A = B = 0;
do 3 * max(t, c) times:
A = S[i] = (S[i] + A + B) <<< 3;
B = L[j] = (L[j] + A + B) <<< (A + B);
i = (i + 1) mod(t);
j = (j + 1) mod(c);
Key Expansion Algorithm
Recap
Introduction (Feistel Networks) What is RC5 Parameterization Algorithm The security of RC5 Conclusion
The security of RC5
The security of RC5
Exhaustive Search Differential cryptanalysis Linear cryptanalysis Timing Attacks
Exhaustive Search
RC5-32/r/b allows a maximum of 2040 secret key bits a maximum of 25(2r + 2) expanded key table
bits Choosing large values for r and b can
prevent exhaustive attacks
Differential cryptanalysis
Pioneered by Biham and Shamir It has a quite evolutionary effect on the design
and analysis of block ciphers The basic Idea
Two plaint text are chose with a certain difference P` (The difference here is measured by xor but for other cipher alternative measure may be applied)
The two plaintexts are enciphered to give two cipher texts such that their difference C`
Such a pair (P` , C`) is called a characteristic Depending on the cipher and the analysis the
behavior of this characteristics can be useful in deriving certain bit of the key
Linear cryptanalysis
Introduced By Matsui. The basic idea is
to find relations among certain bits of plaintext, cipher text and key
Such as relation is called linear approximation which can be used to obtain information about the key
Becomes impractical for r > 6
Differential and Linear attack
Timing Attacks
Developed by Kocher The opponent can obtain some information
about the secret key by recording and analyzing the time used for cryptographic operations that involve the key.
Kocher found that RC5 may be subject to Timing attack if RC5 is implemented on platforms for which the time for computing a single rotation is proportional to the rotation amount
RC5 can easily implemented to make the total time is data-independent (ex by computing the rotation of t bits using left-shift of t bits and right shift of w-t bits)
Conclusion
Provides good security against the four main attacks
Simple encryption/decryption algorithms RC5 is relatively is still under scrutiny by
other cryptanalysis attack
Thank you for your
attention