attack on broadcast rc4
play

Attack on Broadcast RC4 Revisited S. Maitra 1 G. Paul 2 S. Sen Gupta - PowerPoint PPT Presentation

Mar 30, 2024 •342 likes •739 views

Attack on Broadcast RC4 Revisited S. Maitra 1 G. Paul 2 S. Sen Gupta 1 1 Indian Statistical Institute, Kolkata 2 Jadavpur University, Kolkata FSE 2011, Lyngby, Denmark 15 February 2011 Outline of the Talk Introduction Basics of RC4 Stream

  1. Attack on Broadcast RC4 Revisited S. Maitra 1 G. Paul 2 S. Sen Gupta 1 1 Indian Statistical Institute, Kolkata 2 Jadavpur University, Kolkata FSE 2011, Lyngby, Denmark 15 February 2011

  2. Outline of the Talk Introduction Basics of RC4 Stream Cipher Motivation and Contribution Our Result: Bias of Output Bytes Computing the Bias Exploiting the Bias Attack on RC4 Broadcast Scheme Study: Non-Randomness of j Non-randomness in Different Rounds Conclusion Summary of the Paper 2 of 26

  3. Introduction RC4 Stream Cipher � Designed by Ron Rivest in 1987 Data Structure � S -array of size N = 256 bytes � Key k of size 5 to 16 bytes � Final key K of N = 256 bytes � Two indices i and j � Output: Stream of bytes Photo: http://people.csail.mit.edu/rivest/ 3 of 26

  4. Introduction RC4 Stream Cipher Key Scheduling Algo (KSA) j = j + S [ i ] + K [ i ] 0 1 2 i j 254 255 · · · · · · 4 of 26

  5. Introduction RC4 Stream Cipher Key Scheduling Algo (KSA) j = j + S [ i ] + K [ i ] 0 1 2 i j 254 255 · · · · · · Pseudo-Random Gen. Algo (PRGA) j = j + S [ i ] 0 1 2 S [ i ] + S [ j ] i j 254 255 · · · Z · · · · · · ⊞ 4 of 26

  6. Introduction Cryptanalysis of RC4 More than 20 years of cryptanalytic results � Finney Cycle [1994] � Key-Output Correlation [Roos, 1995] [Paul & Maitra, 2007, 2008] � Key-Permutation Correlation [Roos, 1995] [Paul & Maitra, 2007] � Non-Randomness of Permutation [Mantin, 2001] � Fault Attacks [Hoch & Shamir, 2004] [Mantin, 2005] [Biham et al, 2005] � State Recovery [Knudsen et al, 1998] [Tomasevic et al, 2004] [Maximov, 2008] � Non-random event: Glimpse Bias [Jenkins, 1996] 5 of 26

  7. Introduction Cryptanalysis of RC4 More than 20 years of cryptanalytic results � Finney Cycle [1994] � Key-Output Correlation [Roos, 1995] [Paul & Maitra, 2007, 2008] � Key-Permutation Correlation [Roos, 1995] [Paul & Maitra, 2007] � Non-Randomness of Permutation [Mantin, 2001] � Fault Attacks [Hoch & Shamir, 2004] [Mantin, 2005] [Biham et al, 2005] � State Recovery [Knudsen et al, 1998] [Tomasevic et al, 2004] [Maximov, 2008] � Non-random event: Glimpse Bias [Jenkins, 1996] � Distinguishing Attacks 5 of 26

  8. Introduction Distinguishing Attacks Goal: Find an event which occurs with different probability in RC4 than in case of a perfectly random source. Existing Distinguishers � Digraph Repetition Bias (Occurrence of ABTAB ) [Mantin, 2001] � Biased Second Output Byte ( z 2 = 0) [Mantin & Shamir, 2001] � A set of new linear biases of RC4 [Sepehrdad et al, 2010] � . . . a few more in this work 6 of 26

  9. Introduction Motivation for this Work FSE 2001. A Practical Attack on Broadcast RC4 . I. Mantin and A. Shamir. LNCS 2355, pp. 152–164, 2001. Main Claim: Pr( z 2 = 0) ≈ 2 N (bias of second byte) 7 of 26

  10. Introduction Motivation for this Work FSE 2001. A Practical Attack on Broadcast RC4 . I. Mantin and A. Shamir. LNCS 2355, pp. 152–164, 2001. Main Claim: Pr( z 2 = 0) ≈ 2 N (bias of second byte) Two related claims 1. Pr( z r = 0) ≈ 1 N at PRGA rounds 3 ≤ r ≤ 255. 2. Pr( z r = 0 | j r = 0) > 1 N and Pr( z r = 0 | j r � = 0) < 1 N for 3 ≤ r ≤ 255. These two biases, when combined, cancel each other to give no bias at z r = 0 for rounds 3 to 255. 7 of 26

  11. Introduction Contribution of this Work FSE 2011. Attack on Broadcast RC4 Revisited . 1. Pr( z r = 0) ≈ 1 N at PRGA rounds 3 ≤ r ≤ 255. Pr( z r = 0) �≈ 1 N for 3 ≤ r ≤ 255 Additional results exploiting the above bias 8 of 26

  12. Introduction Contribution of this Work FSE 2011. Attack on Broadcast RC4 Revisited . 1. Pr( z r = 0) ≈ 1 N at PRGA rounds 3 ≤ r ≤ 255. Pr( z r = 0) �≈ 1 N for 3 ≤ r ≤ 255 Additional results exploiting the above bias 2. Pr( z r = 0 | j r = 0) > 1 N and Pr( z r = 0 | j r � = 0) < 1 N for 3 ≤ r ≤ 255. These two biases, when combined, cancel each other to give no bias at z r = 0 for rounds 3 to 255. Further investigation of the events Careful analysis of non-randomness of j 8 of 26

  13. Our Result: Bias of Output Bytes Our Result Bias of Output Bytes 9 of 26

  14. Our Result: Bias of Output Bytes Our Result Output bytes 3 to 255 are also biased to Zero Theorem For 3 ≤ r ≤ 255 , the probability that the r-th RC4 keystream byte is equal to 0 is Pr( z r = 0) ≈ 1 N + c r N 2 . where c r is given by �� N − 1 � r + � N − 1 � N − r − 1 − � N − 1 �� N − 1 � r − 2 − � N − 1 � � 1 · . N − 1 N N N N 10 of 26

  15. Our Result: Bias of Output Bytes Motivation for Proof (our result) Proposition (Jenkins’ Correlation) After the r-th (r ≥ 1 ) round of the PRGA, Pr( S r [ j r ] = i r − z r ) = Pr( S r [ i r ] = j r − z r ) ≈ 2 N . Corollary After the r-th (r ≥ 1 ) round of the PRGA, Pr( z r = r − S r − 1 [ r ]) ≈ 2 N . 11 of 26

  16. Our Result: Bias of Output Bytes Motivation for Proof (our result) Proposition (Jenkins’ Correlation) After the r-th (r ≥ 1 ) round of the PRGA, Pr( S r [ j r ] = i r − z r ) = Pr( S r [ i r ] = j r − z r ) ≈ 2 N . Corollary After the r-th (r ≥ 1 ) round of the PRGA, Pr( z r = r − S r − 1 [ r ]) ≈ 2 N . How about Pr( S r − 1 [ r ] = r )? 11 of 26

  17. Our Result: Bias of Output Bytes Mantin’s Observation At the end of KSA, for 0 ≤ u ≤ N − 1, 0 ≤ v ≤ N − 1, �� N − 1 � v + � N − 1 � v � � N − 1 � � N − u − 1 � Pr( S 0 [ u ] = v ) = 1 1 − v ≤ u N N N N � N − u − 1 + �� N − 1 � N − 1 � v � Pr( S 0 [ u ] = v ) = 1 v > u N N N 12 of 26

  18. Our Result: Bias of Output Bytes Mantin’s Observation At the end of KSA, for 0 ≤ u ≤ N − 1, 0 ≤ v ≤ N − 1, �� N − 1 � v + � N − 1 � v � � N − 1 � � N − u − 1 � Pr( S 0 [ u ] = v ) = 1 1 − v ≤ u N N N N � N − u − 1 + �� N − 1 � N − 1 � v � Pr( S 0 [ u ] = v ) = 1 v > u N N N Does this propagate to PRGA? 12 of 26

  19. Our Result: Bias of Output Bytes Sketch of Proof (our result) � Mantin’s Observation: Bias for S 0 [ r ] = r � S r − 1 [ r ] = r may happen in two ways: 1. S 0 [ r ] = r and i , j never touches this cell 2. S 0 [ r ] � = r but S r − 1 [ r ] = r occurs at random 13 of 26

  20. Our Result: Bias of Output Bytes Sketch of Proof (our result) � Mantin’s Observation: Bias for S 0 [ r ] = r � S r − 1 [ r ] = r may happen in two ways: 1. S 0 [ r ] = r and i , j never touches this cell 2. S 0 [ r ] � = r but S r − 1 [ r ] = r occurs at random Lemma For r ≥ 3 , the probability that S r − 1 [ r ] = r is �� N − 1 � r − 1 � − 1 + 1 Pr( S r − 1 [ r ] = r ) ≈ Pr( S 0 [ r ] = r ) · N . N N 13 of 26

  21. Our Result: Bias of Output Bytes Sketch of the Proof (our result) z r = 0 can be branched as follows: � S r − 1 [ r ] = r ( lemma ) and z r = r − S r − 1 [ r ] ( Jenkin ) � S r − 1 [ r ] � = r ( lemma ) and z r = 0 ( random ) 14 of 26

  22. Our Result: Bias of Output Bytes Sketch of the Proof (our result) z r = 0 can be branched as follows: � S r − 1 [ r ] = r ( lemma ) and z r = r − S r − 1 [ r ] ( Jenkin ) � S r − 1 [ r ] � = r ( lemma ) and z r = 0 ( random ) Hence the result: Pr( z r = 0) ≈ 1 N + c r N 2 �� N − 1 � r + � N − 1 � N − r − 1 − � N − 1 � N − 1 � �� N − 1 � r − 2 − � 1 with c r = . N − 1 N N N N 14 of 26

  23. Our Result: Bias of Output Bytes Numerical Bound on c r 3 ≤ r ≤ 255 c r = c 3 = 0 . 98490994 and max 3 ≤ r ≤ 255 c r = c 255 = 0 . 36757467 min N + 0 . 98490994 1 N + 0 . 36757467 1 ≥ Pr( z r = 0) ≥ N 2 N 2 15 of 26

  24. Our Result: Bias of Output Bytes Experimental Verification � Number of trials = 1 Billion � Key size = 16 Bytes [Note: Sepehrdad et al (2010) do not cover these biases] 16 of 26

  25. Our Result: Bias of Output Bytes Applications Of the Biases Discovered 17 of 26

  26. Our Result: Bias of Output Bytes Appl. 1: A Class of New Distinguishers E occurs in X with probability p and in Y with probability p (1 + ǫ ) implies a possible distinguisher with O ( p − 1 ǫ − 2 ) required samples. In case of our E : z r = 0 for 3 ≤ r ≤ 255, � Random source: p = 1 N � RC4 Keystream: p (1 + ǫ ) = 1 � 1 + c r � N N 18 of 26

  27. Our Result: Bias of Output Bytes Appl. 1: A Class of New Distinguishers E occurs in X with probability p and in Y with probability p (1 + ǫ ) implies a possible distinguisher with O ( p − 1 ǫ − 2 ) required samples. In case of our E : z r = 0 for 3 ≤ r ≤ 255, � Random source: p = 1 N � RC4 Keystream: p (1 + ǫ ) = 1 � 1 + c r � N N We get 253 new distinguishers, each requiring O ( N 3 ) samples! [Note: Mantin & Shamir (2001) distinguisher is much stronger] 18 of 26

  28. Our Result: Bias of Output Bytes Appl. 2: Guessing State Information Idea: Guess S r − 1 [ r ] = r using output information z r = 0 Pr( S r − 1 [ r ] = r | z r = 0) = Pr( S r − 1 [ r ]= r ) · Pr( z r = 0 | S r − 1 [ r ] = r ) Pr( z r =0) � 1 � − 1 ≥ N + c r N − c r 1 + c r 2 � � ≈ 2 · · N 2 N N 19 of 26

  29. Our Result: Bias of Output Bytes Appl. 3: Attack on RC4 Broadcast Scheme Situation: Message M is broadcast to k parties (random keys) Attack: Reliably extract byte(s) of M from the k ciphertexts 20 of 26

Recommend

Broadcast Receiver Why do we need Broadcast Receiver? Broadcast Receivers Broadcast receiver

Broadcast Receiver Why do we need Broadcast Receiver? Broadcast Receivers Broadcast receiver

Broadcast Receiver Why do we need Broadcast Receiver? Broadcast Receivers Broadcast receiver (a BroadcastReceiver subclass) is one of the application's components. Broadcast receivers enable applications to receive intents that are

597 views • 17 slides
Broadcast Receiver Why do we need Broadcast Receiver? Broadcast Receivers Broadcast receiver

Broadcast Receiver Why do we need Broadcast Receiver? Broadcast Receivers Broadcast receiver

Broadcast Receiver Why do we need Broadcast Receiver? Broadcast Receivers Broadcast receiver (a BroadcastReceiver subclass) is one of the application's components. Broadcast receivers enable applications to receive intents that are

560 views • 18 slides
BROADCAST RECEIVER SERVICES Broadcast receiver A broadcast receiver is a dormant component of

BROADCAST RECEIVER SERVICES Broadcast receiver A broadcast receiver is a dormant component of

BROADCAST RECEIVER SERVICES Broadcast receiver A broadcast receiver is a dormant component of the Android system. Only an Intent (for which it is registered) can bring it into action. Using a Broadcast Receiver, applications can

789 views • 50 slides
BROADCAST RECEIVER SERVICE Broadcast receiver A broadcast receiver is a dormant component of

BROADCAST RECEIVER SERVICE Broadcast receiver A broadcast receiver is a dormant component of

BROADCAST RECEIVER SERVICE Broadcast receiver A broadcast receiver is a dormant component of the Android system. Only an Intent (for which it is registered) can bring it into action. Using a Broadcast Receiver, applications can

951 views • 51 slides
Attack on Traffic Systems These attack examples have happened in the past. We will take an

Attack on Traffic Systems These attack examples have happened in the past. We will take an

From start to finish how a cyber attack would be performed on traffic system, we will go over first day &gt;&gt; exploitation of the device &gt;&gt; the real-world aftermath. Mission Secure, Inc. Attack on Traffic Systems These attack examples

556 views • 18 slides
Broadcast Algorithms BJRN A. JOHNSSON Overview Best-Effort Broadcast (Regular) Reliable

Broadcast Algorithms BJRN A. JOHNSSON Overview Best-Effort Broadcast (Regular) Reliable

Broadcast Algorithms BJRN A. JOHNSSON Overview Best-Effort Broadcast (Regular) Reliable Broadcast (2) Uniform Reliable Broadcast (2) Stubborn Broadcast Logged Best-Effort Broadcast Logged Uniform Reliable Broadcast

438 views • 39 slides
Input from Finance Telenor Broadcast Q4 2009 10.2.2010 1 Q4 2 0 0 9 Telenor Broadcast

Input from Finance Telenor Broadcast Q4 2009 10.2.2010 1 Q4 2 0 0 9 Telenor Broadcast

Input from Finance Telenor Broadcast Q4 2009 10.2.2010 1 Q4 2 0 0 9 Telenor Broadcast Revenues ( NOKm ) and EBI TDA% 2 212 2167 2160 2102 2084 2022 + 16k cable Internet net adds in Norway reaching 13% market share. + 5%

392 views • 6 slides
Broadcast infrastructure Monitoring &amp; automation LoriotPro Broadcast Edition A Microsoft

Broadcast infrastructure Monitoring &amp; automation LoriotPro Broadcast Edition A Microsoft

Broadcast infrastructure Monitoring &amp; automation LoriotPro Broadcast Edition A Microsoft Windows compatible software with multi-user WEB access Real time monitoring Backbone, Datacenter, HFC Networks, Earth Station, Headends, DVB

544 views • 9 slides
Broadcast Encryption and Some Other Primitives Lecture 24 Broadcast Encryption Broadcast

Broadcast Encryption and Some Other Primitives Lecture 24 Broadcast Encryption Broadcast

Broadcast Encryption and Some Other Primitives Lecture 24 Broadcast Encryption Broadcast Encryption Encrypt to a subset of users in the system Broadcast Encryption Encrypt to a subset of users in the system e.g., subscribers who haven t

1.62k views • 113 slides
-Reliable Broadcast: A Probabilistic Measure of Broadcast Reliability Patrick Th. Eugster

-Reliable Broadcast: A Probabilistic Measure of Broadcast Reliability Patrick Th. Eugster

-Reliable Broadcast: A Probabilistic Measure of Broadcast Reliability Patrick Th. Eugster Rachid Guerraoui Petr Kouznetsov Sun Microsystems Distributed Programming Lab, EPFL Switzerland Switzerland ICDCS 2004 2/15 Outline 1. The

663 views • 17 slides
Telenor Broadcast Q2 - 2 0 0 8 July 23rd Broadcast Content investment to boost HDTV Revenues

Telenor Broadcast Q2 - 2 0 0 8 July 23rd Broadcast Content investment to boost HDTV Revenues

Telenor Broadcast Q2 - 2 0 0 8 July 23rd Broadcast Content investment to boost HDTV Revenues (NOKm)/ EBITDA% 2 066 1922 1898 1776 1763 1700 16% revenue growth More than doubled HD penetration in DTH subscriber base in 1H

219 views • 8 slides
Broadcasting your attack: Security testing DAB radio in cars Andy Davis, Research Director

Broadcasting your attack: Security testing DAB radio in cars Andy Davis, Research Director

Broadcasting your attack: Security testing DAB radio in cars Andy Davis, Research Director Image: computerworld.com.au Agenda Who am I and why am I interested in security testing DAB? Overview of DAB How do we broadcast DAB?

790 views • 33 slides
Thank you for joining us for this AmerisourceBergen webinar. The broadcast has not started yet.

Thank you for joining us for this AmerisourceBergen webinar. The broadcast has not started yet.

Thank you for joining us for this AmerisourceBergen webinar. The broadcast has not started yet. Both audio and visuals are available through the Skype Meeting Broadcast link and are accessible via any mobile browser. Second Manufacturer

175 views • 14 slides
Thank you for joining us for this AmerisourceBergen webinar. The broadcast has not started yet.

Thank you for joining us for this AmerisourceBergen webinar. The broadcast has not started yet.

Thank you for joining us for this AmerisourceBergen webinar. The broadcast has not started yet. Both audio and visuals are available through the Skype Meeting Broadcast link and are accessible via any mobile browser. Third Manufacturer

346 views • 22 slides
Thank you for joining us for this AmerisourceBergen webinar. The broadcast has not started yet.

Thank you for joining us for this AmerisourceBergen webinar. The broadcast has not started yet.

Thank you for joining us for this AmerisourceBergen webinar. The broadcast has not started yet. Both audio and visuals are available through the Skype Meeting Broadcast link and are accessible via any mobile browser. Fifth Manufacturer

372 views • 16 slides
www.sbe.org Society of Broadcast Engineers Ralph Beaver Society of Broadcast Engineers

www.sbe.org Society of Broadcast Engineers Ralph Beaver Society of Broadcast Engineers

www.sbe.org Society of Broadcast Engineers Ralph Beaver Society of Broadcast Engineers Society of Broadcast Engineers Ex-Frequency Coordination Chair Present sub-committee chair wireless mics NFL Gameday Frequency Coordinator NFL Gameday

507 views • 24 slides
CS 525M Mobile and Ubiquitous Computing Seminar Ioanna Symeou Broadcast Disks Broadcast

CS 525M Mobile and Ubiquitous Computing Seminar Ioanna Symeou Broadcast Disks Broadcast

CS 525M Mobile and Ubiquitous Computing Seminar Ioanna Symeou Broadcast Disks Broadcast Disks: Data Management for Asymmetric Communication Environments Swarup Acharya, Brown University Rafael Alonso MITL Michael Franklin, University of

625 views • 14 slides
Isnt this fancy?! Growing Chefs! Video Broadcast system Built for live broadcast

Isnt this fancy?! Growing Chefs! Video Broadcast system Built for live broadcast

Isnt this fancy?! Growing Chefs! Video Broadcast system Built for live broadcast Virtual Can add graphics and Programming slides into live video feed What weve learned to date Adds to final production value Is

307 views • 9 slides
Broadcast goes Mobile. Broadcast goes Mobile. From DVB- -T to DVB T to DVB- -H. H. From DVB

Broadcast goes Mobile. Broadcast goes Mobile. From DVB- -T to DVB T to DVB- -H. H. From DVB

Broadcast goes Mobile. Broadcast goes Mobile. From DVB- -T to DVB T to DVB- -H. H. From DVB Gerard POUSSET Gerard POUSSET V.P. marketing V.P. marketing MMC05 January 05 Berlin 1 What is MOBILE TV ? In the car ' In the street ' DVB-T :

451 views • 20 slides
The Direct Broadcast User Perspective Graeme Martin University of Wisconsin-Madison Space

The Direct Broadcast User Perspective Graeme Martin University of Wisconsin-Madison Space

The Direct Broadcast User Perspective Graeme Martin University of Wisconsin-Madison Space Science and Engineering Center NOAA Satellite Conference, 20 July 2017 Direct Broadcast Direct Broadcast allows users to generate products locally

241 views • 8 slides
ATTACK: Learning the Distributions of Adversarial Examples for an Improved Black-Box Attack on

ATTACK: Learning the Distributions of Adversarial Examples for an Improved Black-Box Attack on

ATTACK: Learning the Distributions of Adversarial Examples for an Improved Black-Box Attack on Deep Neural Networks Yandong Li* 1 Lijun Li* 1 Liqiang Wang 1 Tong Zhang 2 Boqing Gong 3 *Equal Contribution 1 University of Central Florida 2 Hong

440 views • 11 slides
Detecting a Biological Attack The attack will not be obvious; it may take hours or days to know.

Detecting a Biological Attack The attack will not be obvious; it may take hours or days to know.

Detecting a Biological Attack The attack will not be obvious; it may take hours or days to know. Current biological diagnostics are very effective at identifying agents, but theyre slow. We already have an infrastruc- ture in place to

233 views • 8 slides
Broadcast Incentive Auction 101 June 25, 26 &amp; 27, 2014 Basics of the Broadcast Television

Broadcast Incentive Auction 101 June 25, 26 &amp; 27, 2014 Basics of the Broadcast Television

Broadcast Incentive Auction 101 June 25, 26 &amp; 27, 2014 Basics of the Broadcast Television Incentive Auction Background How Will the Auction Work? Why Should a Broadcaster Participate? What About Broadcasters that Choose Not to

746 views • 32 slides
ss 8 Class Cl CSC 495/583 Topics of Software Security PLT, GOT &amp; Return-to-plt Attack

ss 8 Class Cl CSC 495/583 Topics of Software Security PLT, GOT &amp; Return-to-plt Attack

ss 8 Class Cl CSC 495/583 Topics of Software Security PLT, GOT &amp; Return-to-plt Attack &amp; GOT Overwrite Attack Dr. Si Chen (schen@wcupa.edu) Review Page 2 ret2libc Attack Page 3 libc C standard library Provides

662 views • 36 slides

More recommend