Stream cipher attacks

Last updated September 10, 2021

Stream ciphers, where plaintext bits are combined with a cipher bit stream by an exclusive-or operation (xor), can be very secure if used properly^{[ citation needed ]}. However, they are vulnerable to attacks if certain precautions are not followed:

Reused key attack

Stream ciphers are vulnerable to attack if the same key is used twice (depth of two) or more.

Say we send messages A and B of the same length, both encrypted using same key, K. The stream cipher produces a string of bits C(K) the same length as the messages. The encrypted versions of the messages then are:

E(A) = A xor C

E(B) = B xor C

where xor is performed bit by bit.

Say an adversary has intercepted E(A) and E(B). He can easily compute:

E(A) xor E(B)

However, xor is commutative and has the property that X xor X = 0 (self-inverse) so:

E(A) xor E(B) = (A xor C) xor (B xor C) = A xor B xor C xor C = A xor B

If one message is longer than the other, our adversary just truncates the longer message to the size of the shorter and his attack will only reveal that portion of the longer message. In other words, if anyone intercepts two messages encrypted with the same key, they can recover A xor B, which is a form of running key cipher. Even if neither message is known, as long as both messages are in a natural language, such a cipher can often be broken by paper-and-pencil methods. During World War II, British cryptanalyst John Tiltman accomplished this with the Lorenz cipher (dubbed "Tunny"). With an average personal computer, such ciphers can usually be broken in a matter of minutes. If one message is known, the solution is trivial.

Another situation where recovery is trivial is if traffic-flow security measures have each station sending a continuous stream of cipher bits, with null characters (e.g. LTRS in Baudot) being sent when there is no real traffic. This is common in military communications. In that case, and if the transmission channel is not fully loaded, there is a good likelihood that one of the ciphertext streams will be just nulls. The NSA goes to great lengths to prevent keys from being used twice. 1960s-era encryption systems often included a punched card reader for loading keys. The mechanism would automatically cut the card in half when the card was removed, preventing its reuse.^[1]^{:p. 6}

One way to avoid this problem is to use an initialization vector (IV), sent in the clear, that is combined with a secret master key to create a one-time key for the stream cipher. This is done in several common systems that use the popular stream cipher RC4, including Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA) and Ciphersaber. One of the many problems with WEP was that its IV was too short, 24 bits. This meant that there was a high likelihood that the same IV would be used twice if more than a few thousand packets were sent with the same master key (see birthday attack), subjecting the packets with duplicated IV to the key reuse attack. This problem was fixed in WPA by changing the "master" key frequently.

Bit-flipping attack

Suppose an adversary knows the exact content of all or part of one of our messages. As a part of a man in the middle attack or replay attack, he can alter the content of the message without knowing the key, K. Say, for example, he knows a portion of the message, say an electronics fund transfer, contains the ASCII string "$1000.00". He can change that to "$9500.00" by XORing that portion of the ciphertext with the string: "$1000.00" xor "$9500.00". To see how this works, consider that the cipher text we send is just C(K) xor "$1000.00". The new message the adversary is creating is:

(C(K) xor "$1000.00") xor ("$1000.00" xor "$9500.00") = C(K) xor "$1000.00" xor "$1000.00" xor "$9500.00" = C(K) xor "$9500.00"

Recall that a string XORed with itself produces all zeros and that a string of zeros XORed with another string leaves that string intact. The result, C(K) xor "$9500.00", is what our ciphertext would have been if $9500 were the correct amount.

Bit-flipping attacks can be prevented by including message authentication code to increase the likelihood that tampering will be detected.

Chosen-IV attack

Stream ciphers combine a secret key with an agreed initialization vector (IV) to produce a pseudo-random sequence which from time-to-time is re-synchronized.^[2] A "Chosen IV" attack relies on finding particular IV's which taken together probably will reveal information about the secret key. Typically multiple pairs of IV are chosen and differences in generated key-streams are then analysed statistically for a linear correlation and/or an algebraic boolean relation (see also Differential cryptanalysis). If choosing particular values of the initialization vector does expose a non-random pattern in the generated sequence, then this attack computes some bits and thus shortens the effective key length. A symptom of the attack would be frequent re-synchronisation. Modern stream ciphers include steps to adequately mix the secret key with an initialization vector, usually by performing many initial rounds.

Related Research Articles

Blowfish is a symmetric-key block cipher, designed in 1993 by Bruce Schneier and included in many cipher suites and encryption products. Blowfish provides a good encryption rate in software, and no effective cryptanalysis of it has been found to date. However, the Advanced Encryption Standard (AES) now receives more attention, and Schneier recommends Twofish for modern applications.

In cryptography, a block cipher is a deterministic algorithm operating on fixed-length groups of bits, called blocks. They are specified elementary components in the design of many cryptographic protocols and are widely used to implement the encryption of large amounts of data, including data exchange protocols. It uses blocks as an unvarying transformation.

In cryptography, RC4 is a stream cipher. While it is remarkable for its simplicity and speed in software, multiple vulnerabilities have been discovered in RC4, rendering it insecure. It is especially vulnerable when the beginning of the output keystream is not discarded, or when nonrandom or related keys are used. Particularly problematic uses of RC4 have led to very insecure protocols such as WEP.

A stream cipher is a symmetric key cipher where plaintext digits are combined with a pseudorandom cipher digit stream (keystream). In a stream cipher, each plaintext digit is encrypted one at a time with the corresponding digit of the keystream, to give a digit of the ciphertext stream. Since encryption of each digit is dependent on the current state of the cipher, it is also known as state cipher. In practice, a digit is typically a bit and the combining operation is an exclusive-or (XOR).

Symmetric-key algorithms are algorithms for cryptography that use the same cryptographic keys for both the encryption of plaintext and the decryption of ciphertext. The keys may be identical, or there may be a simple transformation to go between the two keys. The keys, in practice, represent a shared secret between two or more parties that can be used to maintain a private information link. The requirement that both parties have access to the secret key is one of the main drawbacks of symmetric-key encryption, in comparison to public-key encryption.

In cryptography, unicity distance is the length of an original ciphertext needed to break the cipher by reducing the number of possible spurious keys to zero in a brute force attack. That is, after trying every possible key, there should be just one decipherment that makes sense, i.e. expected amount of ciphertext needed to determine the key completely, assuming the underlying message has redundancy.

Malleability is a property of some cryptographic algorithms. An encryption algorithm is "malleable" if it is possible to transform a ciphertext into another ciphertext which decrypts to a related plaintext. That is, given an encryption of a plaintext $, it is possible to generate another ciphertext which decrypts to, for a known function, without necessarily knowing or learning .$

In cryptography, an initialization vector (IV) or starting variable (SV) is an input to a cryptographic primitive being used to provide the initial state. The IV is typically required to be random or pseudorandom, but sometimes an IV only needs to be unpredictable or unique. Randomization is crucial for some encryption schemes to achieve semantic security, a property whereby repeated usage of the scheme under the same key does not allow an attacker to infer relationships between segments of the encrypted message. For block ciphers, the use of an IV is described by the modes of operation.

In cryptography, a block cipher mode of operation is an algorithm that uses a block cipher to provide information security such as confidentiality or authenticity. A block cipher by itself is only suitable for the secure cryptographic transformation of one fixed-length group of bits called a block. A mode of operation describes how to repeatedly apply a cipher's single-block operation to securely transform amounts of data larger than a block.

In cryptography, DES-X is a variant on the DES symmetric-key block cipher intended to increase the complexity of a brute-force attack using a technique called key whitening.

In cryptography, the simple XOR cipher is a type of additive cipher, an encryption algorithm that operates according to the principles:

In cryptography, ciphertext stealing (CTS) is a general method of using a block cipher mode of operation that allows for processing of messages that are not evenly divisible into blocks without resulting in any expansion of the ciphertext, at the cost of slightly increased complexity.

In cryptography, a cipher block chaining message authentication code (CBC-MAC) is a technique for constructing a message authentication code from a block cipher. The message is encrypted with some block cipher algorithm in CBC mode to create a chain of blocks such that each block depends on the proper encryption of the previous block. This interdependence ensures that a change to any of the plaintext bits will cause the final encrypted block to change in a way that cannot be predicted or counteracted without knowing the key to the block cipher.

Disk encryption is a special case of data at rest protection when the storage medium is a sector-addressable device. This article presents cryptographic aspects of the problem. For an overview, see disk encryption. For discussion of different software packages and hardware devices devoted to this problem, see disk encryption software and disk encryption hardware.

In cryptography, a one-way compression function is a function that transforms two fixed-length inputs into a fixed-length output. The transformation is "one-way", meaning that it is difficult given a particular output to compute inputs which compress to that output. One-way compression functions are not related to conventional data compression algorithms, which instead can be inverted exactly or approximately to the original data.

In cryptography, Galois/Counter Mode (GCM) is a mode of operation for symmetric-key cryptographic block ciphers which is widely adopted for its performance. GCM throughput rates for state-of-the-art, high-speed communication channels can be achieved with inexpensive hardware resources. The operation is an authenticated encryption algorithm designed to provide both data authenticity (integrity) and confidentiality. GCM is defined for block ciphers with a block size of 128 bits. Galois Message Authentication Code (GMAC) is an authentication-only variant of the GCM which can form an incremental message authentication code. Both GCM and GMAC can accept initialization vectors of arbitrary length.

In cryptography, M8 is a block cipher designed by Hitachi in 1999. The algorithm negotiates introduced in 1997 M6, with the modified key length, which is enlarged to 64 bits or more. This cipher operates with Feistel network and designed to reach high performance on small implementation or 32 bits devices. For instance, by using round numbers = 10 it present encryption speed at 32 Mbit/s for dedicated hardware of 6K gates and 25 MHz clock or 208 Mbit/s for program, that uses C-language and Pentium-I 266 MHz. Due to the openness of description, it should not be used in open or multivendor software.

In cryptography, a distinguishing attack is any form of cryptanalysis on data encrypted by a cipher that allows an attacker to distinguish the encrypted data from random data. Modern symmetric-key ciphers are specifically designed to be immune to such an attack. In other words, modern encryption schemes are pseudorandom permutations and are designed to have ciphertext indistinguishability. If an algorithm is found that can distinguish the output from random faster than a brute force search, then that is considered a break of the cipher.

In cryptography, Mutual Irregular Clocking KEYstream generator (MICKEY) is a stream cipher algorithm developed by Steve Babbage and Matthew Dodd. The cipher is designed to be used in hardware platforms with limited resources, and was one of the three ciphers accepted into Profile 2 of the eSTREAM portfolio. The algorithm is not patented and is free for any use.

Speck is a family of lightweight block ciphers publicly released by the National Security Agency (NSA) in June 2013. Speck has been optimized for performance in software implementations, while its sister algorithm, Simon, has been optimized for hardware implementations. Speck is an add–rotate–xor (ARX) cipher.

References

↑ Securing Record Communications: The TSEC/KW-26, Melville Klein, NSA history series
↑ Englund, Hakan; Johansson, Thomas; Sonmez Turan, Meltem (2007). "A Framework for Chosen IV Statistical Analysis of Stream Ciphers". Progress in Cryptology – INDOCRYPT 2007 (PDF). Lecture Notes in Computer Science. 4859 (INDOCRYPT / volume 4859 of LNCS ed.). Springer. pp. 268–281. doi:10.1007/978-3-540-77026-8_20. ISBN 978-3-540-77025-1. S2CID 18097959. Archived from the original (PDF) on 2018-10-01. Retrieved 1 October 2018.

External links

Security of the WEP algorithm
"Attacks in Stream Ciphers: A Survey" – a brief 2014 overview of different stream cipher attacks
"Attacks on Stream Ciphers: A Perspective" – talk slides from 2011

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] Securing Record Communications: The TSEC/KW-26, Melville Klein, NSA history series

[2] Englund, Hakan; Johansson, Thomas; Sonmez Turan, Meltem (2007). "A Framework for Chosen IV Statistical Analysis of Stream Ciphers". Progress in Cryptology – INDOCRYPT 2007 (PDF). Lecture Notes in Computer Science. 4859 (INDOCRYPT / volume 4859 of LNCS ed.). Springer. pp. 268–281. doi:10.1007/978-3-540-77026-8_20. ISBN 978-3-540-77025-1. S2CID 18097959. Archived from the original (PDF) on 2018-10-01. Retrieved 1 October 2018.

[1]

[2]