Ce diaporama a bien été signalé.
Nous utilisons votre profil LinkedIn et vos données d’activité pour vous proposer des publicités personnalisées et pertinentes. Vous pouvez changer vos préférences de publicités à tout moment.

Basics of Cryptography - Stream ciphers and PRNG

553 vues

Publié le

Basics of Cryptography - Stream ciphers and PRNG

Publié dans : Technologie
  • Soyez le premier à commenter

Basics of Cryptography - Stream ciphers and PRNG

  1. 1. Basics of cryptography Shift registers and stream ciphers
  2. 2. Menu  Can't explain the whole cryptography here  Let's try to explain how it works  Simply  Let's see then some concrete examples  Among so many other fields of application...
  3. 3. Menu  Cryptography main rule  Vernam One Time Pad (OTP)  Computer applications  Problems  Solutions  Symetric computer-based cryptography  PRNG & LFSR  Designing a stream cipher using PHP and C  Applications :  DVD-Blu-Ray encryption (CSS / AACS)  Wifi (WEP : RC4)  GSM (A5/1)
  4. 4. About me  Julien PAULI - @julienpauli - github.com/jpauli  Working for Sensiolabs in Paris  Release manager of PHP 5.5 / 5.6  PHP internals contributor from time to time (bug fixes, internal API, performances)  Knowledges about CPU architectures, C lang, Linux and networking
  5. 5. Vernam OTP (One Time Password)  The only method of encryption that is mathematically absolutely 100% sure and uncrackable
  6. 6. Vernam OTP  The only method of encryption that is mathematically absolutely 100% sure and uncrackable Hello foo secretkey ????????? clear key encrypted +
  7. 7. Vernam OTP  You modulo-add clear text + a key, randomly chosen and of the same size (or more) than the clear text  The operation is fully bijective and can be undone , just like a classical math addition 3 + 8 = 11 11 - 8 = 3
  8. 8. Vernam OTP 3 + 8 = 11 11 ??? = ??? clear + key = encrypted  This cryptography method is the only one being 100% safe and not violable.  If you get the crypted content only, you'll never be able to get back the clear text, without having the key
  9. 9. Vernam OTP  Used in the image field this time : + =
  10. 10. Vernam conditions  Vernam OTP is 100% sure if and only if :  The key is random and cant be guessed  The key is kept secret  The key size is >= to the clear content size  The key is never reused (One Time Password : OTP)  The same key is used to encrypt and decrypt  This is called symetric encryption
  11. 11. Vernam conditions  If the key is reused : + = + = + = 1 1 2 2 keykey keykey
  12. 12. Vernam  Used during WW II  Enigma  Used in red phone  To link Moscow to Washington  Keys (physical) were carried using extra safe planes
  13. 13. In computer science  Machines make use of basis 2 (binary)  "modulo 2 addition" is called XOR (exclusive OR)  Noted or ^ A B A ^ B 0 0 0 0 1 1 1 0 1 1 1 0
  14. 14. XOR for cryptography  XOR satisfies Vernam OTP conditions  Having A a clear text  Having B a secret key  Crypted C = A ^ B  Clear A = C ^ B Symetric cryptography using key C
  15. 15. Vernam in computer sciences  Vernam based cryptography is inviolable if :  The key is kept secret  The key size is >= the clear size  The key is random  The key is never reused  Those 4 rules seem hard to achieve in modern computers world
  16. 16. 1 - The key is kept secret
  17. 17. The key is secret  It is possible, while not best, to exchange the key securely  Hand to hand  "What's the wifi password please ?"  Usually, asymetric cryptography is used to create a secure channel to exchange the symetric crypto key
  18. 18. And then ?  Vernam based cryptography is inviolable if :  The key is kept secret  The key size is >= the clear size  The key is random  The key is not used more than once
  19. 19. 2 - The key size is >= the clear size
  20. 20. Key size  To crypt 25Mb of data , one will need a 25Mb key  that's 26214400 characters  How to do to use a "reasonnably finite-size" key ?  Think about Wifi keys, often long sized, but not that long of thousands of thousands of chars
  21. 21. LFSR
  22. 22. LFSR  Linear Feedback Shift Register  Solution chosen to solve the problem "The key size must be >= the clear size to crypt"  How does that work ?
  23. 23. LFSR  Linear Feedback Shift Register  Computer and electronic structure  Easy to code in computer language  Easy to make into electronic chips  Very powerful, very fast
  24. 24. One byte : 8 digits (bits)  2^7 + 2^5 + 2^2 + 2^1 + 2^0 = 167 (decimal)  In computer science, 1 byte = 1 character (like 'f')  or one integer between 0 and 255 if you prefer  Let's take one byte from the secret key 1 01 10 1101 7 6 5 4 3 2 1 0
  25. 25. LFSR 1 01 10 1101  Shift register. At each clock tick ...  Shift digits one slot to the right  Reinject the right-out digit to the left  We got an infinite source of digits  This is a circular shift Extracted digit used to crypt one digit of the payload (using XOR)
  26. 26. LFSR 1 01 10 1101  Shift register  Shift to the right  Reinject on the left  We got an infinite number of digits but ...  We got a finite digit sequence (repeating itself) 1 10 11 1001 1 01 11 0011 1 11 01 0101 1- 2- 3- 4-
  27. 27. LFSR 1 01 10 1101  Shift register  We got an infinite digit sequence  But not random  The feedback function is 1 1 10 11 1001 1 01 11 0011 1 11 01 0101 . .. 1- 2- 3- 4- . . .
  28. 28. Where are we ?  Vernam based cryptography is inviolable if :  The key is secret  The key size is >= the clear size  The key is random  The key is never reused
  29. 29. LFSR 1 01 10 1101  The sequence is going to repeat itself  How to add it some randomness ? 1 10 11 1001 1 01 11 0011 1 11 01 0101 . .. 1- 2- 3- 4-
  30. 30. LFSR 1 01 10 1101  It's all about the feedback function  Let's complexify the feedback function
  31. 31. LFSR 1 01 10 1101 1 01 10 1101 1 10 11 1000 1 10 10 0001 1 11 01 0001 1- 2- 3- 4-
  32. 32. LFSR  That starts looking random right ? 1 01 10 1101 1 10 11 1000 1 10 10 0001 1 11 01 0001 167 83 145 240 bits Integer
  33. 33. LFSR vs Maths 1 01 10 1101  This can be mathematically modelized :  S = X^8 + X^7 + X^6 + X^5 + 1  This is a classic polynom , that can be solved
  34. 34. m-sequence LFSR 1 01 10 1101  As the output is injected back into the input, this LFSR will generate a finite number of states  The maximum sequence is 2^n - 1  "n" is the LFSR degree (number of digits)  This maximum sequence is called the "m-sequence"  In the above example, n is 8, the LFSR will have a maximum period of 255 states
  35. 35. m-sequence LFSR 1 01 10 1101  To get an m-sequence  The number of feedback digits must be odd  Their factors must be prime between them  S = X^8 + X^7 + X^6 + X^5 + 1  Works, this LFSR will have a m-sequence (255 states)  S = X^8 + 1  Doesn't work, this LFSR will repeat before 255 states
  36. 36. m-sequence LFSR 1 01 10 1101  If we extend LFSR to 32 digits, max period becomes 2^32 - 1  That's 4294967295 different states  Randomness slowly becomes more and more appearingly clear  With 32 digits (4 bytes or 4 secret key chars) we can encrypt 4294967295 digits, thus 512Mb.  Above that : the key repeats itself (and invalidates Vernam conditions)
  37. 37. LFSR example coded in PHP  https://github.com/jpauli/PHP-Crypto **Simple Galois LFSR, degree 7 (127 states m-sequence)** Used register bits for feedback : 7 6 Deducted Feedback function : 1100000 (0X60) Your initial state is : 00000000000000000000001110001100 (908) Let's now start the Linear Feedback Shift Register [Iteration] [-------Internal Register -------] [PRandom bit] | | | v v v 0 - 00000000000000000000001110001100 [ 0 ] 1 - 00000000000000000000000111000110 [ 0 ] 2 - 00000000000000000000000011100011 [ 1 ] 3 - 00000000000000000000000000010001 [ 1 ] 4 - 00000000000000000000000001101000 [ 0 ]
  38. 38. LFSR example coded in PHP for ($i = 0; $i < count(self::POLYNOMIAL_PRIME_COEFF[$this->degree]); $i++) $this->taps[ ] = self::POLYNOMIAL_PRIME_COEFF[$this->degree][$i]; $this->ff |= (1 << self::POLYNOMIAL_PRIME_COEFF[$this->degree][$i]); } /* LFSR always has first and last bit set */ $this->ff |= 1 << ($this->degree); $this->ff |=1; do { $this->iterations++; $this->currentState >>= 1; /* Shift register */ yield $this->iterations => $this->currentState; if ($this->currentState & 1) { $this->currentState ^= $this->ff; /* re-enter */ } } while ($this->currentState != $this->start);
  39. 39. Encryption with a LFSR ?  Pretty easy  Initialize LFSR with the secret key  Encrypt each clear digit with one digit generated from the LFSR using XOR operation  This is called a stream cipher  (bloc ciphers also exist)
  40. 40. Stream Cipher demo  https://github.com/jpauli/PHP-Crypto
  41. 41. Generating a random byte using an LFSR function getRandomByte(LFSR $lfsr) : int { $random = 0; $run = $lfsr->run(); for ($j=0; $j<8; $j++) { $random |= $lfsr->getCurrentBit() << $j; $run->next(); } return $random; }
  42. 42. Ciphering clear data with the random byte function cipher(string $input) : string { $dataSize = strlen($input); $i = 0; $output = ''; $lfsr = new LFSR($this->degree, $this->seed); do { $random = $this->getRandomByte($lfsr); $data = unpack('C', $input[$i]); $output .= pack('C', $outputByte = $data[1] ^ $random); } while (++$i < $dataSize); return $output; } Yeah !
  43. 43. Where are we ?  Vernam based cryptography is inviolable if :  The key is secret  The key size is >= the clear size  The key is random  The key is not reused
  44. 44. Stream ciphers can be secure if  The key is secret  The feedback digits are kept secret  The period is big enough (m-sequence) to never loop  The attacker cannot access the input stream  If the attacker can inject some data into the clear input, a linear equation system can be used to crack the LFSR and deduce the key  This, with only 2n states  "Berlekamp-Massey attack"
  45. 45. Having a good initialisation  Randomness will depend on how the key is used to initialize the LFSR in the stream cipher  The key is used to define the starting state of the LFSR  It can also be used to choose the feedback digits  The key is usually mixed with an initialization vector (IV), which is some piece of random bytes.  Thus, with the same key , the same LFSR will produce different output
  46. 46. Hacking the encryption process  If the LFSR starts looping, its going to produce the same output (repeat itself) and thus doesn't satisfy Vernam conditions anymore  If the attacker can inject some input, he can use Berlekamp- Massey attack to crack the LFSR key and states
  47. 47. How to strengthen the LFSR ?
  48. 48. Strengthen the encryption  Branch several LFSR together : 1 01 10 1101 1 11 00 output
  49. 49. Strengthen the encryption  Having several LFSR working together :  The loop is still linear  Thus can be cracked in polynomial time by injecting some traffic into the input  N-degree linear equation system  We push the time limit, only
  50. 50. Application examples  Well-known LFSR XOR based encryption systems  (And how they've been hacked)
  51. 51. Examples  Content Scrambling System (CSS)  DVD protection mechanism (from 1995)  Cracked in 1999 by hacking the LFSRs  Keys are cracked by injecting some input, watching the output and cracking the polynoms  DECSS is born, and movie piracy with it  Back then, less than 18 seconds were needed to a Pentium 3 @ 450Mhz to hack the LFSRs
  52. 52. CSS
  53. 53. DECSS  CSS keys are secret and distributed by DVDCCA to DVD- reader manufacturers  Keys are stored into the hardware (or soft for PC softwares)  Each device needs a key, this is costly  http://www.dvdcca.org/css.aspx  Hence, free world and Linux were forgotten from DVDCCA  The open/free world answered by cracking CSS  Lawsuits happened  Technical analysis of CSS :  http://www.lemuria.org/DeCSS/crypto.gq.nu/
  54. 54. CSS and VLC  Since, DECSS code is embeded into VLC  In libdvdcss  http://git.videolan.org/?p=libdvdcss.git;a=blob;f=src/css.c;  This code is the algorithm to hack CSS protected DVDs, to read them under Linux  Hacking the LFSRs and the keys  Otherwise the stream is crypted and unreadable
  55. 55.  LFSR cant be cryptographically secure, but we can still push the limits of the time needed to crack it  Time should be > brute force attack  If output is a linear function of the input, then it can be cracked  https://en.wikipedia.org/wiki/Correlation_attack  We need to have the output not being a linear function of the input.  Use a non-linear reentrancy function  NLFSR  Use a non-linear shift Strengthen the encryption
  56. 56. Trivium
  57. 57. Notes about Trivium  3 LFSR  A : 93 digits  B : 84 digits  C : 111 digits  On LFSR input depends on an other's output and one of its own digit  Period 2^64  Some of the output makes use of an AND  AND is a modulo-2 multiplication  Thus cryptanalysis of the output cant crack the LFSR in linear time anymore
  58. 58. Using Trivium  80 digits IV  loaded in the A LFSR left digits  secret key of 80 digits as well  loaded in the B LFSR left digits  All other digits are zeroed.  We shuffle 1152 round times.  Starting from 1153th time : we got our stream
  59. 59. Cracking Trivium  Today, no efficient attack has been discovered  We found algos in 2^68  Thus above brute force (2^64) , thus useless  As of today 2018, Trivium is recommanded by security experts
  60. 60. A5/1
  61. 61. A5/1  A5/1 makes use of 3 LFSR  19 / 22 / 23 digits  Introduces a non-linear shift :  LFSR are shifted only if it is in the MAJ(1,2,3) set
  62. 62. A5/1  A5/1 is used to crypt GSM communications  It took about 10 years, but today A5/1 is broken  In an acceptable time  Under acceptable computing hardware (CPU/Mem)  Often still needs some specific hardware  Some flaws were found in the GSM protocols that weaken A5/1 and allow an attack
  63. 63. RC4  Rivest Cipher 4 don't use LFSR, but still can be used as a pseudo random generator  The big picture of RC4 :  Byte based (unit is byte, not digit)  Works on a 256 bytes payload  Uses many permutations and one XOR only  Huge period, about 10^100  Depending on the key used  Max theoric period is : 2^170000
  64. 64. RC4  We put 256 bytes into an array  We shuffle the array by adding bytes and swapping them  We get one byte from the array at indexes i and j  We shuffle 2 array slots, then i and j
  65. 65. RC4
  66. 66. RC4 , demo in PHP and C  https://github.com/jpauli/PHP-Crypto
  67. 67. RC4 is cracked  As its been massively used since its creation (1987), RC4 has been cracked  Today, it is cracked. Flaws have been discovered  The first bytes leak some informations about the key  KSA (Key Scheduling Algo) is too weak  RC4 doesnt define how to use the IV  So weak usage started to appear (concatenation of IV with the key)  algo has some weaknesses  You can recognize RC4 from a P-random output stream
  68. 68. RC4 in practice  RC4 was used in 802.11 WEP (Wired Equivalent Privacy).  WEP is very weak :  Ability to inject some trafic in input, and watch the output, thus hijacking the internal state of RC4  Control checksum are weak (CRC32 : which is linear)  Reusage of the key (overflow of the stream cipher period)
  69. 69. Conclusions
  70. 70. Memorize  We talked about stream ciphers  There exists block ciphers  DES/AES/BlowFish/RC5  Every cipher uses the only 100% cryptographically secure Vernam one-time pad  A secret key  A key length >= the clear length  A modulo-2 addition (XOR in radix 2)
  71. 71. Memorize  100% cryptographically secure Vernam one-time pad  A secret key  A key length >= the clear length  A modulo-2 addition (XOR in radix 2)  ... is difficult to gather in computer world  We then use compromises : LFSR f.e  From XOR operations, we try to push the limits so far that it goes over brute force time  But cryptanalysers often use high level math tools to try to hack such systems  Daniel J Bernstein should be the most known engineer about cryptanalysis
  72. 72. Crypto using PHP ?  Don't use ext/mcrypt  Old, unmaintained, bugged and unsecure  Don't use mt_*() or rand() for crypto purposes  Use ext/hash if you need to hash  Use ext/sodium if you need to crypt  2018 crypto. secured stream ciphers :  trivium / salsa20 ...  Have a look at the "estream" project  http://www.ecrypt.eu.org/stream/
  73. 73. Thank you for listening !

×