Stream cipher attack
Encyclopedia : S : ST : STR : Stream cipher attack
Stream ciphers where plaintext bits are combined with a cipher bit stream by an exclusive-or operation (xor) can be very secure if used properly. However they are vulnerable to attack if certain precautions are not followed:
- keys must never be used twice
- valid encryption should never be relied on to indicate authenticity
Reused key attack
Stream ciphers are vulnerable to attack if the same key is used twice (depth of two) or more.
Say we send messages A and B of the same length, both encrypted using same key, K. The stream cipher produces a string of bits C(K) the same length as the messages. The encrypted versions of the messages then are:
- E(A) = A xor C
- E(B) = B xor C
Say an adversary has intercepted E(A) and E(B). He can easily compute:
- E(A) xor E(B)
- E(A) xor E(B) = (A xor C) xor (B xor C) = A xor B xor C xor C = A xor B
Another situation where recovery is trivial is if traffic-flow security measures have each stations sending a continuous stream of cipher bits, with null characters (e.g. LTRS in Baudot) being sent when there is no real traffic. This is common in military communications. In that case, and if the transmission channel is not fully loaded, there is a good likelihood that one of the ciphertext streams will be just nulls. The NSA goes to great lengths to prevent keys being used twice. 1960s-era encryption systems often included a punch card reader for loading keys. The mechanism would automatically cut the card in half when the card was removed, preventing its reuse.
One way to avoid this problem is to use an initialization vector (IV), sent in the clear, that is combined with a secret master key to create a one-time key for the stream cipher. This is done in several common systems that use the popular stream cipher RC4, including Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA) and Ciphersaber. One of the many problems with WEP was that its IV was too short, 24 bits. This meant that there was a high likelihood that the same IV would be used twice if more than a few thousand packets were sent with the same master key (see birthday attack), subjecting the packets with duplicated IV to the key reuse attack. This problem was fixed in WPA by changing the "master" key frequently.
Substitution attack
Suppose an adversary knows the exact content of all or part of one of our messages. As a part of a man in the middle attack, she can alter the content of the message without knowing the key, K. Say, for example, she knows a portion of the message contains the ASCII string "$1000.00". She can change that to "$9500.00" by xor'ing that portion of the ciphertext with the string: "$1000.00" xor "$9500.00". To see how this works, consider that the cipher text we send is just C(K) xor "$1000.00". What she is creating is:
- C(K) xor "$1000.00" xor "$1000.00" xor "$9500.00" = C(K) xor "$9500.00"
Substitution attacks are prevented by including message authentication code to increase the likelihood that tampering will be detected.
From Wikipedia, the Free Encyclopedia. Original article here. Support Wikipedia by contributing or donating.
All text is available under the terms of the GNU Free Documentation License See Wikipedia Copyrights for details.