Applied cryptanalysis - stream ciphers


Page 1: Applied cryptanalysis - stream ciphers

Applied Cryptanalysis:Stream ciphers

Vladimir Garbuz

Page 2: Applied cryptanalysis - stream ciphers

Intro

•Why do I need to learn about crypto generally?
 • It’s often used to create cookies and hidden parameters
 • To do TLS the right way
 • For hashes and data-integrity checks
 • For password and sensitive-info storage
 • To have more marketable skills during an interview

•To whom is this useful?
 • Devs, QA, anyone interested in security and crypto

•What do I need to understand this?
 • School math knowledge
 • Desire to learn

Page 3: Applied cryptanalysis - stream ciphers

Overview

•Symmetric encryption
 • Stream ciphers
 • Block ciphers
 • Modes of operation

•Cryptographic hashes
 • Key derivation
 • Authenticated encryption, AEAD

•Asymmetric encryption

•Conclusions and best practices

Page 4: Applied cryptanalysis - stream ciphers

Symmetric Crypto basics

Jean-Philippe Aumasson

Page 5: Applied cryptanalysis - stream ciphers

Symmetric Crypto basics

•To Encrypt is to take Plaintext, key and convert them into Ciphertext: C = E(P, k)

•To Decrypt is to take Ciphertext, key and convert them back into Plaintext: P = D(C, k)

•An attacker must, ideally, try (brute-force) all possible keys: for a 256-bit key that is 2^256 ≈ 10^77 combinations

Page 6: Applied cryptanalysis - stream ciphers

Symmetric Crypto basics

•What’s an attack?

Page 7: Applied cryptanalysis - stream ciphers

Symmetric Crypto basics

•OK, what’s a cryptographic attack?
 • Anything better than brute force

•What’s a practical attack?
 • Any attack an adversary with the best available technology can conduct in a “reasonable” amount of time
 • “Reasonable” is determined by how long the plaintext keeps its value

•Normally, due to the exponential nature of cryptanalytic difficulty, attacks are either computationally out of reach or very much practical; there is little middle ground

Page 8: Applied cryptanalysis - stream ciphers

Symmetric Crypto basics

Main cryptanalytic methods, at a glance

•Known plaintext

•Chosen plaintext (encryption oracles)

•Chosen ciphertext (decryption oracles, bit flipping)

•Statistical cryptanalysis

•Differential cryptanalysis

•Side-channel attacks

Page 9: Applied cryptanalysis - stream ciphers

Symmetric Crypto basics

http://www.washingtonpost.com/wp-srv/politics/special/clinton/stories/pizza121998.htm

Page 10: Applied cryptanalysis - stream ciphers

Symmetric Crypto basics

XOR ⊕ Refresher

•Basically a bit flipping machine

•A ⊕ A = 0

Page 11: Applied cryptanalysis - stream ciphers

Symmetric Crypto basics

XOR ⊕ Refresher

1. A ⊕ A = 0

2. A ⊕ 0 = A

3. A ⊕ B = B ⊕ A (commutativity)

4. A ⊕ ( B ⊕ C ) = ( A ⊕ B) ⊕ C (associativity)

5. Let K ⊕ M = C , then:

C ⊕ K = K ⊕ M ⊕ K = K ⊕ K ⊕ M = 0 ⊕ M = M

Page 12: Applied cryptanalysis - stream ciphers

Stream ciphers

•Historic stream cipher example: one-time pads
 • Sender and receiver must have identical pads
 • Pads are fully filled with random data
 • Sender computes Message ⊕ Pad and sends the result
 • Receiver computes Ciphertext ⊕ Pad to get the Message

•One-time pads are mathematically proven to be unbreakable! YAY! VICTORY! Let’s all go home now.

Page 13: Applied cryptanalysis - stream ciphers

THE END

QUESTIONS?

Page 14: Applied cryptanalysis - stream ciphers

Stream ciphers


•Cons? One-time pads are horribly impractical
 • And unbreakable, well… only as long as the pad data is truly random and no pad is ever used twice

Page 15: Applied cryptanalysis - stream ciphers

Stream ciphers

•Modern electronic stream ciphers
 • Were inspired by one-time pads
 • Have almost all of their problems, plus some more!
 • Derive a high-entropy key from a passphrase
 • Generate the keystream from the key with a PRNG-like algorithm
 • Its output is used in place of the one-time pad
 • Employ initialization vectors (IVs), transmitted in cleartext
 • The IV is mixed with the key so that the same keystream (pad) is never produced twice

Page 16: Applied cryptanalysis - stream ciphers

Stream ciphers

Basic vulnerabilities: bit flipping

•With stream ciphers, a flipped bit in the ciphertext ALWAYS results in the same bit flipped in the plaintext

•Having only a ciphertext, an attacker can make it say ANYTHING when decrypted!
 • Needs to know the target position in the plaintext, and what is currently there
 • How? E.g. via reverse engineering the app or crib-dragging

•Requires no knowledge of the encryption key

•Every stream cipher is vulnerable to it, unless the ciphertext is authenticated (a MAC, or an AEAD mode)

Page 17: Applied cryptanalysis - stream ciphers

Stream ciphers

Basic vulnerabilities: bit flipping example

•Given: an encrypted cookie with data like

…&user=john.doe&admin=0&…

•Whose encrypted bytes in binary look like

…10010011 11011001 01101000…

•A flip of only 1 bit of ciphertext is necessary (‘0’ is 0x30 and ‘1’ is 0x31: they differ only in the lowest bit)

…10010011 11011000 01101000…

•To make the decrypted plaintext say

…&user=john.doe&admin=1&…
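The cookie attack above, as an added example that is not part of the deck. The keystream generator here is a toy stand-in (SHA-256 in counter mode over key||IV), not a real stream cipher; the key, IV and cookie contents are constructed for the demo. The second half shows the fix the deck’s AEAD slides point at: once the ciphertext carries an HMAC tag, the same one-bit flip is rejected before decryption.

```python
import hashlib
import hmac

# Constructed secrets for the demo; a real server keeps these out of the code.
ENC_KEY = b"server-encryption-key"
MAC_KEY = b"server-mac-key"          # a separate key for the MAC
IV_LEN, TAG_LEN = 8, 32


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Toy keystream generator (SHA-256 in counter mode over key||iv||counter).
    It stands in for a real stream cipher; the attack below works the same
    against any cipher that XORs plaintext with a keystream."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + iv + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def stream_xor(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Encrypt and decrypt are the same operation: data ⊕ keystream."""
    return bytes(d ^ k for d, k in zip(data, keystream(key, iv, len(data))))


def flip(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Attacker's edit. XORing a ciphertext byte with (old ⊕ new) makes the
    decrypted byte come out as `new`; for '0' -> '1' that is a single bit.
    No key needed, only the offset and the current plaintext there."""
    ct = bytearray(ciphertext)
    for i, (o, n) in enumerate(zip(old, new)):
        ct[offset + i] ^= o ^ n
    return bytes(ct)


def bits_changed(a: bytes, b: bytes) -> int:
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


COOKIE = b"sid=7f3a&user=john.doe&admin=0&lang=en"
ADMIN_OFFSET = COOKIE.index(b"admin=") + len(b"admin=")   # known from the app's cookie layout


def attack_unauthenticated() -> bytes:
    """Server encrypts the cookie; attacker flips one bit; server decrypts."""
    iv = b"\x01" * IV_LEN                # fixed here only to keep the demo deterministic
    ct = stream_xor(ENC_KEY, iv, COOKIE)
    tampered = flip(ct, ADMIN_OFFSET, b"0", b"1")
    return stream_xor(ENC_KEY, iv, tampered)


def seal(plaintext: bytes, iv: bytes) -> bytes:
    """Encrypt-then-MAC: the tag covers the IV and the whole ciphertext."""
    ct = stream_xor(ENC_KEY, iv, plaintext)
    tag = hmac.new(MAC_KEY, iv + ct, hashlib.sha256).digest()
    return iv + ct + tag


def unseal(token: bytes):
    """Verify the tag before touching the ciphertext; None on tampering."""
    iv, ct, tag = token[:IV_LEN], token[IV_LEN:-TAG_LEN], token[-TAG_LEN:]
    expected = hmac.new(MAC_KEY, iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return stream_xor(ENC_KEY, iv, ct)


def attack_authenticated():
    """The same bit flip against the MAC-protected cookie: verification fails."""
    iv = b"\x01" * IV_LEN
    token = seal(COOKIE, iv)
    body = flip(token[IV_LEN:-TAG_LEN], ADMIN_OFFSET, b"0", b"1")
    return unseal(token[:IV_LEN] + body + token[-TAG_LEN:])


if __name__ == "__main__":
    print(attack_unauthenticated())   # admin=1 without knowing the key
    print(attack_authenticated())     # None: the tag no longer matches
```

The attack never touches the keystream: it only needs the offset of `admin=0`, which an attacker gets from the application’s own cookie format. The MAC variant is what the deck’s “Authenticated Encryption, AEAD” item buys you: tampering is detected before any decryption happens.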

Page 18: Applied cryptanalysis - stream ciphers

Stream ciphers

Basic vulnerabilities: key reuse

What’s so terrible about key (pad) reuse?

•So we have 2 plaintexts, P1 and P2, and we encrypt them separately under the same (Key, IV) pair:

C1 = P1 ⊕ F(Key, IV)

C2 = P2 ⊕ F(Key, IV)

When an attacker intercepts them, they can compute:

C1 ⊕ C2 = P1 ⊕ P2

•“Oh, please! How bad could that possibly be?..”

Page 19: Applied cryptanalysis - stream ciphers

Stream ciphers

Basic vulnerabilities: key reuse

Page 20: Applied cryptanalysis - stream ciphers

Stream ciphers

Basic vulnerabilities: key reuse

•Edge case: if one of the plaintexts, e.g. P1, is known, recovering the other one is trivial

C1 ⊕ C2 ⊕ P1 = (P1 ⊕ K) ⊕ (P2 ⊕ K) ⊕ P1 = 0 ⊕ P2 = P2

•Edge case: if a portion of the plaintext is known, the keystream at the corresponding position is revealed

C = P ⊕ F(Key, IV), so C ⊕ P = F(Key, IV)

•Now, having the keystream at some position, we can decrypt the data at that position in ALL other ciphertexts
•We can also change and re-encrypt any data there
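The key-reuse attacks from the last three slides, as an added example that is not from the deck. Three constructed cookies are encrypted under one reused keystream (any fixed bytes will do, the attacker never needs the key): known plaintext recovers a second message outright, crib-dragging a guessed fragment across C1 ⊕ C2 locates it without any known plaintext, and the keystream exposed that way decrypts and rewrites the same window in every other ciphertext.

```python
import hashlib
import string

# Constructed data: the keystream F(Key, IV) that the server reused for every
# cookie. The attack below works against any reused pad.
PAD = hashlib.sha256(b"constructed keystream for demo").digest() * 2

P1 = b"user=alice&role=staff&ts=1700000000"
P2 = b"user=bob&role=admin&ts=1700000042"
P3 = b"user=carol&role=guest&ts=1700000099"


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))   # truncates to the shorter input


C1, C2, C3 = (xor(p, PAD) for p in (P1, P2, P3))   # C_i = P_i ⊕ F(Key, IV)


def recover_with_known(c1: bytes, c2: bytes, p1: bytes) -> bytes:
    """C1 ⊕ C2 ⊕ P1 = (P1 ⊕ K) ⊕ (P2 ⊕ K) ⊕ P1 = P2."""
    return xor(xor(c1, c2), p1)


# Characters one expects inside a cookie value; used to judge crib positions.
ALLOWED = set((string.ascii_letters + string.digits + "&=._-:/ ").encode())


def crib_drag(c1: bytes, c2: bytes, crib: bytes):
    """Slide a guessed fragment across C1 ⊕ C2 = P1 ⊕ P2. Where crib ⊕ window
    is all plausible text, the crib probably sits in P1 or P2 at that offset,
    and the result is the other plaintext's bytes there."""
    x = xor(c1, c2)
    hits = []
    for i in range(len(x) - len(crib) + 1):
        window = xor(x[i:i + len(crib)], crib)
        if all(b in ALLOWED for b in window):
            hits.append((i, window))
    return hits


def keystream_at(c: bytes, offset: int, known: bytes) -> bytes:
    """C ⊕ P = F(Key, IV): a known plaintext fragment exposes the keystream there."""
    return xor(c[offset:offset + len(known)], known)


def decrypt_window(c: bytes, offset: int, ks: bytes) -> bytes:
    return xor(c[offset:offset + len(ks)], ks)


def reencrypt_window(c: bytes, offset: int, ks: bytes, new_plain: bytes) -> bytes:
    """With the keystream known, the attacker can rewrite that window too."""
    ct = bytearray(c)
    ct[offset:offset + len(ks)] = xor(new_plain, ks)
    return bytes(ct)


if __name__ == "__main__":
    print(recover_with_known(C1, C2, P1))          # b'user=bob&role=admin&ts=...'
    for offset, text in crib_drag(C1, C2, b"&role="):
        print(offset, text)                        # offset 10 -> b'ole=ad', offset 8 -> b'ce&rol'
    ks = keystream_at(C1, 10, b"&role=")
    print(decrypt_window(C3, 10, ks))              # b'&role='
```

Crib-dragging produces some false positives on short cribs; the true hits are the ones whose neighbours also decrypt to sensible text, which is why it is usually done interactively, extending the crib from each hit.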

Page 21: Applied cryptanalysis - stream ciphers

Stream ciphers

Basic vulnerabilities: Why does key reuse happen?

•No IV is used

•Static IV
 • For example, the encryption key itself
 • Or a hash of the password: good entropy, still useless, because it never changes

•Very short IV
 • E.g. WEP had a 24-bit IV == 16,777,216 values
 • Birthday paradox: within roughly 4096 packets an IV is reused with P ≈ 0.5

• Birthday paradox??

Page 22: Applied cryptanalysis - stream ciphers

Stream ciphers

Birthday paradox
 • For what number of people are the chances that two of them share a birthday 50-50?

 • n ≈ √(2 × m × p) → √(2 × 2^24 × 0.5) = 2^12 = 4096

 • That approximation is good for small p; for p = 0.5 the better estimate is n ≈ √(2 × m × ln 2) ≈ 4800 packets, and 4096 packets actually give P ≈ 0.39. Either way, a 24-bit IV is exhausted in seconds on a busy network
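The birthday bound computed exactly, as an added example that is not part of the deck: the exact collision probability for n draws from m values, the smallest n reaching a target probability, and both closed-form estimates side by side for WEP’s 24-bit IV.

```python
import math


def collision_probability(m: int, n: int) -> float:
    """Exact P(at least one repeat) when n values are drawn uniformly from m."""
    p_distinct = 1.0
    for i in range(n):
        p_distinct *= (m - i) / m
    return 1.0 - p_distinct


def draws_for_probability(m: int, p: float) -> int:
    """Smallest n with collision_probability(m, n) >= p (linear scan; fine for 2^24)."""
    if not 0.0 <= p < 1.0:
        raise ValueError("p must be in [0, 1)")
    p_distinct, n = 1.0, 0
    while 1.0 - p_distinct < p:
        p_distinct *= (m - n) / m
        n += 1
    return n


def slide_estimate(m: int, p: float) -> float:
    """n ≈ sqrt(2·m·p): the approximation on the slide, accurate for small p."""
    return math.sqrt(2 * m * p)


def log_estimate(m: int, p: float) -> float:
    """n ≈ sqrt(2·m·ln(1/(1-p))), from P ≈ 1 - exp(-n²/2m); better near p = 0.5."""
    return math.sqrt(2 * m * math.log(1 / (1 - p)))


WEP_IV_SPACE = 1 << 24   # 24-bit IV

if __name__ == "__main__":
    m = WEP_IV_SPACE
    print("slide estimate:", slide_estimate(m, 0.5))               # 4096.0
    print("P(repeat) after 4096 frames:", collision_probability(m, 4096))
    print("frames for P >= 0.5:", draws_for_probability(m, 0.5))   # about 4800
    print("log estimate:", log_estimate(m, 0.5))
```

`draws_for_probability` is the number that matters operationally: how much traffic an attacker has to capture before two frames share a keystream.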

Page 23: Applied cryptanalysis - stream ciphers

Stream ciphers

Basic vulnerabilities: Why does key reuse happen?

•Bad IV, caused by bad randomness
 • Specifically, where a PRNG is used instead of a CSPRNG
 • “Oh please, what’s the difference?”

Page 24: Applied cryptanalysis - stream ciphers

Stream ciphers: random

•Popular PRNG named RANDU

•Consecutive outputs plotted as (x,y) pairs look fine, but plotted as (x,y,z) triples they all fall on just 15 planes in 3D!

Page 25: Applied cryptanalysis - stream ciphers

Stream ciphers: random

•CSPRNG sequence attractor analysis

Page 26: Applied cryptanalysis - stream ciphers

Stream ciphers: random

•Windows 98 PRNG attractor analysis

Page 27: Applied cryptanalysis - stream ciphers

Stream ciphers: random

Hacking Java’s Random(): predicting the future

•Linear congruential PRNG: seed = (seed × multiplier + addend) mod 2^precision

 • Has 48 bits of state, but discloses only 32 at a time, e.g. in nextInt()

 • The remaining 16 bits are easily brute-forced on modern PCs:

Page 28: Applied cryptanalysis - stream ciphers

Stream ciphers: random

Hacking Java’s Random(): peeking into the past

•Long story short, one bit at a time we unwind the changes a previous seed would have had on the current number

•And we can do so recursively as far back as we wish
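Both Java Random slides in one added example (not code from the deck). The constants are the published ones from java.util.Random (multiplier 0x5DEECE66D, addend 0xB, 48-bit state, nextInt() returning the top 32 bits of the new state); the class below reproduces them in Python so the attack runs stand-alone. Predicting the future brute-forces the 16 hidden bits exactly as the slide says; for peeking into the past the example uses the modular inverse of the multiplier rather than the slide’s bit-by-bit unwinding, which recovers the previous state in one multiplication.

```python
# java.util.Random is a 48-bit LCG:
#   state = (state * 0x5DEECE66D + 0xB) mod 2^48
# nextInt() returns the top 32 bits of the new state as a signed int.
MULT = 0x5DEECE66D
ADD = 0xB
MASK = (1 << 48) - 1
MULT_INV = pow(MULT, -1, 1 << 48)   # MULT is odd, hence invertible mod 2^48


def step(state: int) -> int:
    return (state * MULT + ADD) & MASK


def unstep(state: int) -> int:
    """Exact inverse of step(): the previous 48-bit state."""
    return ((state - ADD) * MULT_INV) & MASK


def to_signed32(x: int) -> int:
    x &= 0xFFFFFFFF
    return x - (1 << 32) if x & 0x80000000 else x


class JavaRandom:
    """Enough of java.util.Random to reproduce nextInt()."""

    def __init__(self, seed: int):
        self.state = (seed ^ MULT) & MASK   # Java's initial seed scrambling

    def next_int(self) -> int:
        self.state = step(self.state)
        return to_signed32(self.state >> 16)


def recover_state(out1: int, out2: int):
    """Two consecutive nextInt() outputs each expose 32 of the 48 state bits.
    Brute-force the 16 hidden low bits of the state behind out1 until one
    LCG step reproduces out2. Returns the state after out2, or None."""
    hi = (out1 & 0xFFFFFFFF) << 16
    want = out2 & 0xFFFFFFFF
    for lo in range(1 << 16):
        nxt = step(hi | lo)
        if nxt >> 16 == want:
            return nxt
    return None


def predict_next(out1: int, out2: int):
    """Predicting the future: the third output, without ever seeing the seed."""
    state = recover_state(out1, out2)
    return None if state is None else to_signed32(step(state) >> 16)


def previous_output(out1: int, out2: int):
    """Peeking into the past: the output that preceded out1."""
    state = recover_state(out1, out2)
    if state is None:
        return None
    state = unstep(unstep(state))      # back past out2, then back past out1
    return to_signed32(state >> 16)


if __name__ == "__main__":
    rng = JavaRandom(2024)                     # constructed seed for the demo
    o0, o1, o2, o3 = (rng.next_int() for _ in range(4))
    print("predicted:", predict_next(o1, o2), "actual:", o3)
    print("recovered previous:", previous_output(o1, o2), "actual:", o0)
```

Two leaked values, for instance two “random” session tokens or IVs built from nextInt(), are enough to replay the whole past and future of the generator; that is the difference between a PRNG and a CSPRNG the slide asks about.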

Page 29: Applied cryptanalysis - stream ciphers

Stream ciphers

Case-study

•Used a circular XOR cipher
 • Meaning the “keystream”, the passphrase itself, was repeated over the data and therefore reused
 • Well, not exactly an XOR operation, but close enough

•With a hardcoded key
 • That had barely any entropy

•Without an IV

•All this made it vulnerable to every kind of attack

Page 30: Applied cryptanalysis - stream ciphers

Stream ciphers

Case study: differential cryptanalysis via a chosen-plaintext attack

1. ‘aaaaa’ user session cookie, first 10 “bytes”: 131!167!208!205!204!194!184!192!164!124!...

2. ‘bbbbb’ user session cookie: 131!167!209!206!205!195!185!192!164!124!...

3. This is basically an “encryption” oracle (only bytes 3 to 7 change, each by exactly +1, matching ‘a’ → ‘b’)

4. From this, we can already deduce the “keystream”

5. But it’s revealed clearly if we use ‘\0’ for the username

6. But what if we couldn’t control the plaintext?..
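The chosen-plaintext step above, worked through as an added example (not the deck’s code) on the two ciphertexts the slide shows. The deck does not say which byte operation the cipher used beyond “not exactly XOR”; the example tests XOR and byte-wise addition mod 256 against both samples and keeps the one that yields the same key bytes from each. Addition fits, so the five key bytes it recovers are an inference of this example, not a value stated by the deck.

```python
# Ciphertext bytes from the slide: first ten bytes of the session cookie for
# username 'aaaaa' and for username 'bbbbb'.
C_A = [131, 167, 208, 205, 204, 194, 184, 192, 164, 124]
C_B = [131, 167, 209, 206, 205, 195, 185, 192, 164, 124]

# Candidate byte operations and how to solve each for the key byte.
OPS = {
    "xor": lambda c, p: c ^ p,             # C = P ⊕ K  ->  K = C ⊕ P
    "add": lambda c, p: (c - p) % 256,     # C = (P + K) mod 256  ->  K = (C - P) mod 256
}


def diff_positions(ca, cb):
    """Positions where the two ciphertexts differ: that is where the chosen
    username landed, since nothing else in the cookie changed."""
    return [i for i, (x, y) in enumerate(zip(ca, cb)) if x != y]


def infer_operation(ca, cb, pa: bytes, pb: bytes, positions):
    """The right operation is the one that gives the SAME key byte from both
    samples at every position (the key did not change between requests)."""
    for name, solve in OPS.items():
        ka = [solve(ca[i], pa[j]) for j, i in enumerate(positions)]
        kb = [solve(cb[i], pb[j]) for j, i in enumerate(positions)]
        if ka == kb:
            return name
    return None


def recover_keystream(c, p: bytes, positions, op: str):
    """Key bytes under the chosen operation. With a '\\0' username this step
    is unnecessary: solve(c, 0) is just c, the key bytes in the clear."""
    solve = OPS[op]
    return [solve(c[i], p[j]) for j, i in enumerate(positions)]


if __name__ == "__main__":
    pos = diff_positions(C_A, C_B)
    op = infer_operation(C_A, C_B, b"aaaaa", b"bbbbb", pos)
    print(pos, op, recover_keystream(C_A, b"aaaaa", pos, op))
```

The same differencing generalises: any field an attacker controls, submitted twice with a one-byte difference, maps its own position in the ciphertext and, once the operation is known, leaks the key bytes there.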

Page 31: Applied cryptanalysis - stream ciphers

Stream ciphers

Case-study

Statistical analysis

•Only the end part of the cookies changed between sessions

•We can already see what’s encrypted here

•Now just brute-force 1 byte for each column

 • Voilà! We have our keystream symbol!
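The column brute-force above as an added example, not code from the deck. It uses the additive circular-key cipher the case study describes, a constructed short hardcoded key, and six constructed session cookies that share a format and differ only in name and timestamp. The key length is taken as known (from the differential step or reverse engineering); guessing it is the usual Kasiski/index-of-coincidence exercise and is left out. Each column (every key-length-th byte, across all cookies) is decrypted under all 256 key bytes and only the byte that keeps every byte in that column inside the cookie alphabet survives.

```python
import string

KEY = b"k3y!"                    # constructed: the app's short hardcoded circular key
PERIOD = len(KEY)

# Constructed session cookies: same layout, only the user and timestamp vary.
COOKIES = [
    b"user=" + name + b";ts=" + ts + b";role=user"
    for name, ts in zip(
        [b"zoe", b"liz", b"buzz", b"ozzy", b"zara", b"ezra"],
        [b"1700000003", b"1700000171", b"1700000406",
         b"1700000590", b"1700000777", b"1700000918"],
    )
]


def circ_add_encrypt(p: bytes, key: bytes) -> bytes:
    """C[i] = (P[i] + K[i mod len(K)]) mod 256: the case study's 'not exactly XOR'."""
    return bytes((b + key[i % len(key)]) % 256 for i, b in enumerate(p))


def circ_add_decrypt(c: bytes, key: bytes) -> bytes:
    return bytes((b - key[i % len(key)]) % 256 for i, b in enumerate(c))


CTS = [circ_add_encrypt(p, KEY) for p in COOKIES]   # what the attacker collects

# Characters a cookie value may contain; anything else marks a wrong key byte.
ALLOWED = set((string.ascii_letters + string.digits + "=;:_").encode())


def column_candidates(cts, period: int, column: int):
    """Try all 256 key bytes for one column and keep those that turn every
    ciphertext byte in that column into a plausible cookie character."""
    col_bytes = [c[i] for c in cts for i in range(column, len(c), period)]
    return [k for k in range(256)
            if all((b - k) % 256 in ALLOWED for b in col_bytes)]


def recover_key(cts, period: int) -> bytes:
    """One surviving candidate per column gives the whole circular key."""
    key = bytearray()
    for j in range(period):
        cands = column_candidates(cts, period, j)
        if len(cands) != 1:
            raise ValueError(f"column {j}: {len(cands)} candidates, collect more cookies")
        key.append(cands[0])
    return bytes(key)


if __name__ == "__main__":
    found = recover_key(CTS, PERIOD)
    print(found)                                   # b'k3y!'
    print(circ_add_decrypt(CTS[0], found))         # b'user=zoe;ts=1700000003;role=user'
```

More samples shrink each column’s candidate set monotonically, which is why collecting a handful of sessions is enough: with a single cookie several shifts keep a column printable, but a column that has seen both a `0` and a `z` under the same key byte leaves exactly one.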

Page 32: Applied cryptanalysis - stream ciphers

Stream ciphers

So, how to do it right?

•NEVER be clever and invent your own crypto!

•Use well-known crypto suites, e.g. Bouncy Castle

•Never use a broken cipher! E.g., RC4
 • Instead, go for ChaCha20, with no practical attacks known, and authenticate the ciphertext (e.g. ChaCha20-Poly1305)

•When you’re asked for an IV, get it from a CSPRNG! And make it LOOOOONG
 • Never reuse an IV under the same key

•Never use the passphrase as the key!
 • Instead, google how to use PBKDF2 from RFC 2898
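The last two bullets in code, as an added example that is not from the deck: PBKDF2-HMAC-SHA256 (the RFC 2898 function, via the standard library) turning a passphrase into a key with a random salt, and a per-message nonce from the OS CSPRNG. The iteration count and output sizes are assumptions for the demo (600,000 is OWASP’s current PBKDF2-HMAC-SHA256 recommendation at the time of writing; 32-byte key and 12-byte nonce match ChaCha20 as specified in RFC 7539).

```python
import hashlib
import secrets

PBKDF2_ITERATIONS = 600_000     # assumption: OWASP-recommended cost for PBKDF2-HMAC-SHA256
KEY_LEN = 32                    # 256-bit key, e.g. for ChaCha20
SALT_LEN = 16
NONCE_LEN = 12                  # ChaCha20 (RFC 7539) nonce size


def derive_key(passphrase: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256: slow, salted derivation so that the passphrase is
    never used as the key. The salt is not secret; store it beside the data."""
    if len(salt) < SALT_LEN:
        raise ValueError(f"salt must be at least {SALT_LEN} random bytes")
    if iterations < 1:
        raise ValueError("iterations must be positive")
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                               salt, iterations, dklen=KEY_LEN)


def new_salt() -> bytes:
    """Fresh per-passphrase salt from the OS CSPRNG (secrets, not random)."""
    return secrets.token_bytes(SALT_LEN)


def new_nonce() -> bytes:
    """Fresh per-message IV/nonce from the OS CSPRNG; never reuse one under a key."""
    return secrets.token_bytes(NONCE_LEN)


if __name__ == "__main__":
    salt = new_salt()
    key = derive_key("correct horse battery staple", salt)
    print(salt.hex(), key.hex(), new_nonce().hex())
```

A random 96-bit nonce per message keeps the birthday bound from the WEP slide far out of reach; the salt does the same job for the key, so two users with the same passphrase still get different keys.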

Page 33: Applied cryptanalysis - stream ciphers

goo.gl/tuKku7
