Chap7 Network Security 2023

Uploaded by

Mark Mamdouh
Cryptography and Network Security


PRNG & Stream cipher RC4
Dr. Abdellatif Elkouny
Cryptographic Algorithms


Random Numbers

• many uses of random numbers in cryptography
  • nonces in authentication protocols to prevent replay
  • session keys
  • public key generation
  • keystream for a one-time pad
• in all cases it's critical that these values be
  • statistically random, uniform distribution, independent
  • unpredictability of future values from previous values
• true random numbers provide this
• care needed with generated random numbers

Pseudorandom Number Generators (PRNGs)

• often use deterministic algorithmic techniques to create "random numbers"
  • although are not truly random
  • can pass many tests of "randomness"
• known as "pseudorandom numbers"
• created by "Pseudorandom Number Generators (PRNGs)"


Random & Pseudorandom Number Generators

[Figure: random and pseudorandom number generators; surviving label: "user ID or application ID."]


PRNG Requirements

• randomness
  • uniformity, scalability, consistency
• unpredictability
  • forward & backward unpredictability
  • use same tests to check
• characteristics of the seed
  • secure
  • if known adversary can determine output
  • so must be random or pseudorandom number


Using Block Ciphers as PRNGs

• for cryptographic applications, can use a block cipher to generate random numbers
• often for creating session keys from master key
• CTR
    X_i = E_K[V_i]
• OFB
    X_i = E_K[X_{i-1}]

ANSI X9.17 PRG

One of the strongest (cryptographically speaking) PRNGs is specified in ANSI X9.17. It uses date/time & seed inputs and 3 triple-DES encryptions to generate a new seed & random value.

DT_i - Date/time value at the beginning of the ith generation stage
V_i - Seed value at the beginning of the ith generation stage
R_i - Pseudorandom number produced by the ith generation stage
K1, K2 - DES keys used for each stage

Then compute successive values as:

    R_i = EDE([K1, K2], [V_i XOR EDE([K1, K2], DT_i)])
    V_{i+1} = EDE([K1, K2], [R_i XOR EDE([K1, K2], DT_i)])

The technique involves a 112-bit key and three EDE encryptions for a total of nine DES encryptions. The scheme is driven by two pseudorandom inputs, the date and time value, and a seed produced by the generator that is distinct from the pseudo-random number produced by the generator. Thus the amount of material that must be compromised by an opponent is overwhelming.

Stream Ciphers

• process message bit by bit (as a stream)
• have a pseudo random keystream
• combined (XOR) with plaintext bit by bit
• randomness of stream key completely destroys statistical properties in message
  • C_i = M_i XOR StreamKey_i
• but must never reuse stream key
  • otherwise can recover messages (cf book cipher)


Stream Cipher Structure

[Figure: stream cipher structure]


Stream Cipher Properties

• some design considerations are:
  • long period with no repetitions
  • statistically random
  • depends on large enough key
  • large linear complexity
• properly designed, can be as secure as a block cipher with same size key
  • but usually simpler & faster


RC4

• a proprietary cipher owned by RSA DSI
• another Ron Rivest design, simple but effective
• variable key size, byte-oriented stream cipher
• widely used (web SSL/TLS, wireless WEP/WPA)
• key forms random permutation of all 8-bit values
• uses that permutation to scramble input info processed a byte at a time

RC4 Key Schedule

• starts with an array S of numbers: 0..255
• use key to well and truly shuffle
• S forms internal state of the cipher

    // fill S with 0..255 and T with the key, repeated as needed
    for i = 0 to 255 do
        S[i] = i
        T[i] = K[i mod keylen]
    // shuffle S under control of the key
    j = 0
    for i = 0 to 255 do
        j = (j + S[i] + T[i]) (mod 256)
        swap (S[i], S[j])


RC4 Encryption

• encryption continues shuffling array values
• sum of shuffled pair selects "stream key" value from permutation
• XOR S[t] with next byte of message to en/decrypt

    i = j = 0
    for each message byte M_i
        i = (i + 1) (mod 256)
        j = (j + S[i]) (mod 256)
        swap(S[i], S[j])
        t = (S[i] + S[j]) (mod 256)
        C_i = M_i XOR S[t]

RC4 Steps

1- Get the data to be encrypted and the selected key.
2- Create two string arrays.
3- Initiate one array with numbers from 0 to 255.
4- Fill the other array with the selected key.
5- Randomize the first array depending on the array of the key.
6- Randomize the first array within itself to generate the final key stream.
7- XOR the final key stream with the data to be encrypted to give cipher text.

RC4 example

• Let's consider the stream cipher RC4, but instead of the full 256 bytes, we will use 8 x 3-bits. That is, the state vector S is 8 x 3-bits. We will operate on 3-bits of plaintext at a time since S can take the values 0 to 7, which can be represented as 3 bits.
• Assume we use a 4 x 3-bit key of K = [1 2 3 6]. And a plaintext P = [1 2 2]
• The first step is to generate the stream.
• Initialize the state vector S and temporary vector T. S is initialized so the S[i] = i, and T is initialized so it is the key K (repeated as necessary).
• S = [0 1 2 3 4 5 6 7] T = [1 2 3 6 1 2 3 6]
• Now perform the initial permutation on S.

    j = 0;
    for i = 0 to 7 do
        j = (j + S[i] + T[i]) mod 8
        Swap(S[i],S[j]);
    end

    For i = 0: j = (0 + 0 + 1) mod 8 = 1   Swap(S[0],S[1]);   S = [1 0 2 3 4 5 6 7]
    For i = 1: j = 3                       Swap(S[1],S[3])    S = [1 3 2 0 4 5 6 7];
    For i = 2: j = 0                       Swap(S[2],S[0]);   S = [2 3 1 0 4 5 6 7];
    For i = 3: j = 6;                      Swap(S[3],S[6])    S = [2 3 1 6 4 5 0 7];
    For i = 4: j = 3                       Swap(S[4],S[3])    S = [2 3 1 4 6 5 0 7];
    For i = 5: j = 2                       Swap(S[5],S[2]);   S = [2 3 5 4 6 1 0 7];
    For i = 6: j = 5;                      Swap(S[6],S[4])    S = [2 3 5 4 0 1 6 7];
    For i = 7: j = 2;                      Swap(S[7],S[2])    S = [2 3 7 4 0 1 6 5];

• Now we generate 3-bits at a time, k, that we XOR with each 3-bits of plaintext to produce the ciphertext. The 3-bits k is generated by:

    i, j = 0;
    while (true) {
        i = (i + 1) mod 8;
        j = (j + S[i]) mod 8;
        Swap (S[i], S[j]);
        t = (S[i] + S[j]) mod 8;
        k = S[t]; }

  The first iteration:
    S = [2 3 7 4 0 1 6 5]
    i = (0 + 1) mod 8 = 1
    j = (0 + S[1]) mod 8 = 3
    Swap(S[1],S[3])
    S = [2 4 7 3 0 1 6 5]
    t = (S[1] + S[3]) mod 8 = 7
    k = S[7] = 5
    Remember, P = [1 2 2 2]
    So our first 3-bits of ciphertext is obtained by: k XOR P
    5 XOR 1 = 101 XOR 001 = 100 = 4

  The second iteration:
    S = [2 4 7 3 0 1 6 5]
    i = (1 + 1 ) mod 8 = 2
    j = (2 + S[2]) mod 8 = 1
    Swap(S[2],S[1])
    S = [2 7 4 3 0 1 6 5]
    t = (S[2] + S[1]) mod 8 = 3
    k = S[3] = 3
    Second 3-bits of ciphertext are:
    3 XOR 2 = 011 XOR 010 = 001 = 1

  The third iteration:
    S = [2 7 4 3 0 1 6 5]
    i = (2 + 1 ) mod 8 = 3
    j = (1 + S[3]) mod 8 = 4
    Swap(S[3],S[4])
    S = [2 7 4 0 3 1 6 5]
    t = (S[3] + S[4]) mod 8 = 3
    k = S[3] = 0
    Third 3-bits of ciphertext are:
    0 XOR 2 = 000 XOR 010 = 010 = 2

So to encrypt the plaintext stream P = [1 2 2] with key K = [1 2 3 6] using our simplified RC4 stream cipher we get C = [4 1 2].
(or in binary: P = 001 010 010, K = 001 010 011 110 and C = 100 001 010 )

RC4 Security

• claimed secure against known attacks
  • have some analyses, none practical
• result is very non-linear
• since RC4 is a stream cipher, must never reuse a key
• have a concern with WEP, but due to key handling rather than RC4 itself
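
The key schedule and encryption pseudocode above as runnable Python (an added example, not part of the original slides; function names and sample messages are this example's own), with the state size n as a parameter so that n = 8 is the 3-bit toy cipher and n = 256 is standard RC4. Run literally on the toy inputs it yields keystream [5 1 0] and C = [4 3 2], departing from the hand trace where the trace swaps S[4] at i = 6 although j = 5 and restarts j from 2 in the second iteration; the last check shows why a key must never be reused.

```python
def rc4_ksa(key, n=256):
    """Key schedule: shuffle S = [0..n-1] under control of the key."""
    S = list(range(n))
    j = 0
    for i in range(n):
        j = (j + S[i] + key[i % len(key)]) % n  # T[i] = K[i mod keylen]
        S[i], S[j] = S[j], S[i]
    return S


def rc4_keystream(S, count, n=256):
    """Return `count` keystream symbols; S keeps being shuffled as they are drawn."""
    S = list(S)  # copy, so the caller's state is left untouched
    i = j = 0
    out = []
    for _ in range(count):
        i = (i + 1) % n
        j = (j + S[i]) % n
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % n])
    return out


def rc4_crypt(key, data, n=256):
    """Encrypt or decrypt: XOR each symbol with the keystream."""
    ks = rc4_keystream(rc4_ksa(key, n), len(data), n)
    return [d ^ k for d, k in zip(data, ks)]


def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]


if __name__ == "__main__":
    K, P = [1, 2, 3, 6], [1, 2, 2]  # toy inputs from the slides
    S = rc4_ksa(K, n=8)
    print("S =", S)
    print("k =", rc4_keystream(S, 3, n=8))
    print("C =", rc4_crypt(K, P, n=8))
    # Standard RC4 (n = 256) on the widely published "Key"/"Plaintext" vector.
    print(bytes(rc4_crypt(b"Key", b"Plaintext")).hex())
    # Key reuse: the keystream cancels out of C1 XOR C2 (messages constructed).
    p1, p2 = b"meeting at 09:00", b"invoice no. 4471"
    c1, c2 = rc4_crypt(b"Key", p1), rc4_crypt(b"Key", p2)
    print(xor(c1, c2) == xor(p1, p2))
```

RC4 appears here for study of the slides only: RFC 7465 prohibits RC4 cipher suites in TLS.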


Natural Random Noise

• best source is natural randomness in real world
• find a regular but random event and monitor
• do generally need special h/w to do this
  • eg. radiation counters, radio noise, audio noise, thermal noise in diodes, leaky capacitors, mercury discharge tubes etc
• starting to see such h/w in new CPU's
• problems of bias or uneven distribution in signal
  • have to compensate for this when sample, often by passing bits through a hash function
  • best to only use a few noisiest bits from each sample
  • RFC4086 recommends using multiple sources + hash
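
The compensation steps above as an added example (not from the original slides): keep only the lowest bit of each reading, estimate how much min-entropy the biased streams carry, and hash two sources together as the RFC4086 bullet describes. The sensor readings are constructed with a seeded simulator, the function names are this example's own, and the most-common-value estimate assumes independent samples.

```python
import hashlib
import math
import random
from collections import Counter


def noisiest_bits(sample, k=1):
    """Keep only the k least-significant (noisiest) bits of a raw reading."""
    return sample & ((1 << k) - 1)


def min_entropy(symbols):
    """Estimated bits of min-entropy per symbol: -log2(share of the commonest)."""
    top = Counter(symbols).most_common(1)[0][1]
    return -math.log2(top / len(symbols))


def entropy_budget(*streams):
    """Total estimated min-entropy (bits) across all streams."""
    return sum(min_entropy(s) * len(s) for s in streams)


def condition(*streams):
    """Hash several streams into one 256-bit value (multiple sources + hash)."""
    h = hashlib.sha256()
    for idx, s in enumerate(streams):
        # Source index and length prefix keep the streams unambiguous.
        h.update(bytes([idx]) + len(s).to_bytes(4, "big") + bytes(s))
    return h.digest()


def constructed_readings(seed, count, p_one):
    """CONSTRUCTED stand-in for a sensor: constant high bits, biased low bit."""
    rng = random.Random(seed)  # simulation only, never a source of key material
    return [0b10110100 | (rng.random() < p_one) for _ in range(count)]


if __name__ == "__main__":
    raw_a = constructed_readings(1, 4096, 0.8)  # heavily biased source
    raw_b = constructed_readings(2, 4096, 0.6)  # mildly biased source
    a = [noisiest_bits(r) for r in raw_a]
    b = [noisiest_bits(r) for r in raw_b]
    print("bits/sample:", round(min_entropy(a), 2), round(min_entropy(b), 2))
    budget = entropy_budget(a, b)
    print("estimated entropy in:", int(budget), "bits; out: 256 bits")
    if budget >= 256:  # only emit when the input covers the output size
        print("seed:", condition(a, b).hex())
```

The hash output looks uniform whatever goes in, so the entropy estimate on the input, not a statistical test on the output, is what justifies using the result as a seed.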


Published Sources

• a few published collections of random numbers
• Rand Co, in 1955, published 1 million numbers
  • generated using an electronic roulette wheel
  • has been used in some cipher designs cf Khafre
• earlier Tippett in 1927 published a collection
• issues are that:
  • these are limited
  • too well-known for most uses

Summary

• pseudorandom number generation
• stream ciphers
• RC4
• true random numbers
