How to Recover Any Byte of Plaintext on RC4 Toshihiro Ohigashi - PowerPoint PPT Presentation

15 August, 2013 SAC 2013 @ Simon Fraser University How to Recover Any Byte of Plaintext on RC4 Toshihiro Ohigashi (Hiroshima University) Takanori Isobe (Kobe University) Yuhei Watanabe (Kobe University) Masakatu Morii (Kobe University) 1

Target  Broadcast setting  Same plaintext is encrypted with different (user) keys (e.g. Group mail)  can be easily converted into the multi-session setting of SSL/TLS – Target plaintext blocks are repeatedly sent in the same position of plaintext Plaintext C (1) P Ciphertexts C (2) C (x)  Plaintext Recovery Attack in the broadcast/multi-session setting  Recover a plaintext from ONLY ciphertexts encrypted by different keys  Passive attack – What attacker should do is to collect ciphertexts – NOT use additional information such as side channel information P Plaintext Recovery C (x) C (1) C (2) Plaintext Recovery 2

Related Works  Plaintext Recovery Attack on (pure) RC4 in these settings  Mantin-Shamir Attack (FSE 2001) – recover 2 nd byte of a plaintext from Ω ( N ) ciphertexts with probability more than a random search, where N = 256  Maitra-Paul-SenGupta Attack (FSE 2011) – recover 3 rd to 255 th bytes of a plaintext from Ω ( N 3 ) ciphertexts with probability more than a random search, where N = 256  Isobe-Ohigashi-Watanabe-Morii Attack (FSE 2013) – recover 1 st to 257 th bytes of a plaintext from 2 32 ciphertexts with probability of > 0.5 – recovery first 1 petabytes of a plaintext from 2 34 ciphertexts with probability closed to one  AlFardan-Bernstein-Paterson-Poettering-Schuldt Attack (USENIX Security 2013, Aug. 15, 2013, Today ! ) – recover 1 st to 256 th bytes of a plaintext from 2 32 ciphertexts with probability of > 0.96 3

Related Works  Plaintext Recovery Attack on (pure) RC4 in these settings  Mantin-Shamir Attack (FSE 2001) – recover 2 nd byte of a plaintext from Ω ( N ) ciphertexts with probability more than a random search, where N = 256  Maitra-Paul-SenGupta Attack (FSE 2011) – recover 3 rd to 255 th bytes of a plaintext from Ω ( N 3 ) ciphertexts with probability more than a random search, where N = 256  Isobe-Ohigashi-Watanabe-Morii Attack (FSE 2013) – recover 1 st to 257 th bytes of a plaintext from 2 32 ciphertexts with probability of > 0.5 – recovery first 1 petabytes of a plaintext from 2 34 ciphertexts But, these attacks do not work on a relatively secure implementation with probability of > 0.97 of RC4 (RC4-drop)  AlFardan-Bernstein-Paterson-Poettering-Schuldt Attack - disregards the first n bytes of a keystream of RC4 (USENIX Security 2013, Aug. 15, 2013) * recommendation: n =512 or 768, (conservative) n = 3072 – recover 1 st to 256 th bytes of a plaintext from 2 32 ciphertexts by Mironov in CRYPTO 2002 with probability of > 0.96 4

Summary of Our Results Security Evaluation of RC4-drop in the Broadcast/Multi-session Setting  Results  Plaintext recovery attack using Known Partial Plaintext Bytes – Based on Mantin’s long-term bias in EUROCRYPT 2005 – Given consecutive 6 bytes of a target plaintext and 2 34 ciphertexts with different keys, consecutive 1 petabytes of the plaintext are recovered with probability more than 0.6 2 34 ciphertexts Consecutive 1 petabytes C (x) C (1) C (2) P Plaintext Recovery  Guess-and-Determine Plaintext Recovery Attack – Combine use of Mantin’s long-term bias and Fluhrer-McGrew long-term bias in FSE 2000 – Not Require any previous knowledge of a plaintext – Given 2 35 ciphertexts with different keys, any position of the plaintext byte is recovered with 2 35 ciphertexts probability close to one ANY byte Plaintext Recovery C (1) C (2) C (x) P 5

Agenda  RC4 Stream Cipher  Previous Plaintext Recovery Attacks  Plaintext Recovery Attack using Known Partial Plaintext Bytes  Guess-and-Determine Plaintext Recovery Attack  Conclusion 6

RC4  Stream Cipher designed by Ron Rivest in 1987  is widely used, e.g. SSL/TLS, WEP/WPA and more.  Parameter We focus on - 16 byte (128 bit) key  1-256 byte key (typically 16 byte (=128 bit) key) - 256 byte state  State size N bytes (typically N = 256) Pseudo Random Key Scheduling Generator Algorithm Key State Z 1 , Z 2 , … Algorithm (KSA) (PRGA) Keystream Plaintext P 1 , P 2 , … Ciphertext C 1 , C 2 , … 7

Mantin-Shamir Attack [MS01]  Proposed in FSE 2001  Second byte of the keystream is strongly biased to “0” Z 1 , Z 2 , Z 3 , Z 4 ,….. RC4 Key Z 2 = 0 occurs with twice Probability the probability of a random one. 2/N Ex.) N = 256, 1/N Pr(Z 2 = 0) = 2/256 0 N-1 Value of Z 2 8

Plaintext Recovery Attack [MS01]  Broadcast setting : same plaintext is encrypted with different keys Plaintext C (1) P Ciphertexts C (x) Frequency Table of C 2  Relation : “C 2 = P 2 XOR Z 2 ”  If Z 2 = 0 (strong bias), then C 2 = P 2  Most frequent value of C 2 can be regarded as P 2 255 0  Evaluation Value of C 2  Given Ω (N) ciphertexts encrypted by different keys, P 2 can be extracted with higher probability than a random search 9

Plaintext Recovery Attack in FSE 2013  Proposed by Isobe, Ohigashi, Watanabe and Morii  is constructed by two phases  Initial byte recovery phase: recover initial 257 bytes of a plaintext  Sequential recovery phase: recover the later bytes of a plaintext using a knowledge of the first 257 bytes of a plaintext Step 2: recovered by the sequential recovery phase (using Mantin’s long-term bias) P 1 P 2 … P 192 … P 256 P 257 P 258 P 259 P 260 … Z 1 Z 2 … Z 192 … Z 256 Z 257 Z 258 Z 259 Z 260 … C 1 C 2 … C 192 … C 256 C 257 C 258 C 259 C 260 … Other previous attacks are also included Step 1: Recovered by the initial bytes recovery phase Conditional bias Z 1 =0|Z 2 =0 Single byte biases: Z 2 = 0, Z 3 = 131, Z 4 = 0, Z r = r for r = 5…31, Z 0 = 0 for r = 32…256 Z r = - r for r =16,32,48,64,80,96,112, Z 257 != 0 (negative bias) 10

Countermeasure: RC4-drop  is relatively secure RC4 implementation  disregards the first n bytes of a keystream of RC4 - recommendation(conservative) : n=3072 Plaintext P 1 , P 2 , … keystram Z 1 , Z 2 , … Z n , Z n +1 , … Ciphertext C 1 , C 2 , … RC4 disregard Initial byte biases are removed in RC4-drop (Initial bytes recovery phase does not work) Previous Attacks does not work on RC4-drop 11

Agenda  RC4 Stream Cipher  Previous Plaintext Recovery Attacks  Plaintext Recovery Attack using Known Partial Plaintext Bytes  Guess-and-Determine Plaintext Recovery Attack  Conclusion 12

Plaintext Recovery Attack using Known Partial Plaintext Bytes  is simply extension of FSE 2013 attack  use partial knowledge of a target plaintext  Based on sequential recovery phase ( Mantin’s long-term bias) Forward attack function P r-X … P r-2 P r-1 P r Recover Partial knowledge of a target (consecutive - The success probability increases X bytes) Ciphertexts with the increasing the value of X C (1) (when X < 67) - If X=66, then the function is equivalent to that of sequential recovery phase Backward attack function of FSE 2013 attack P r P r+1 P r+2 … P r+X Recover 13

Attack Procedure  Example: consecutive 6 bytes of a target plaintext are known Pre-known P r-6 P r-5 … P r-2 P r-1 P r recover P r with X = 6 P r-6 P r-5 … P r-2 P r-1 P r P r+1 recover P r+1 with X = 7 P r-6 P r-5 … P r-2 P r-1 P r P r+1 … P r+59 P r+60 recover P r+60 with X = 66 recover P r+61 P r-6 P r-5 … P r-2 P r-1 P r P r+1 … P r+59 P r+60 P r+61 with X = 66 (later processes are similar to FSE2013 attack) 14

Experimental Result  Probability for recovering (X+1)th byte of a plaintext using the knowledge of X bytes of the plaintext on RC4-drop(3072)  Obtained from 128 test 1 2^31  # of ciphertexts: 2^32 0.8 2 31 , 2 32 …, 2 36 2^33 Probability 0.6 2^34  X = 3, 4, …, 66 2^35 0.4 2^36 0.2 0 Evaluation 0 20 40 60 80 # of known partial plaintext bytes (X) ex.) consecutive 6 bytes of a target plaintext and 2 34 ciphertexts are given Consecutive 1petabyte of plaintext are recovered with probability of 15

Experimental Result  Probability for recovering (X+1)th byte of a plaintext using the knowledge of X bytes of the plaintext on RC4-drop(3072)  Obtained from 128 test 1 2^31  # of ciphertexts: 2^32 0.8 2 31 , 2 32 …, 2 36 2^33 Probability 0.6 2^34  X = 3, 4, …, 66 2^35 0.4 2^36 0.2 0 Evaluation 0 20 40 60 80 # of known partial plaintext bytes (X) ex.) consecutive 6 bytes of a target plaintext and 2 34 ciphertexts are given Consecutive 1petabyte of plaintext are recovered with probability of 𝟏. 𝟗𝟐𝟑𝟔 × 𝟏. 𝟗𝟖𝟔𝟏 × 𝟏. 𝟘𝟒𝟖𝟔 × 𝟏. 𝟘𝟕𝟗𝟗 × 𝟏. 𝟘𝟘𝟑𝟑 × 𝟏. 𝟘𝟘𝟑𝟑 ~ 𝟏. 𝟕𝟒𝟕 16

Agenda  RC4 Stream Cipher  Previous Plaintext Recovery Attacks  Plaintext Recovery Attack using Known Partial Plaintext Bytes  Guess-and-Determine Plaintext Recovery Attack  Conclusion 17