State-Recovery Analysis of Spritz (slide deck)


  1. State-Recovery Analysis of Spritz
     Ralph Ankele (RHUL, Royal Holloway University of London, United Kingdom), Stefan Kölbl (DTU Compute, Technical University of Denmark, Denmark), Christian Rechberger (DTU Compute, Technical University of Denmark, Denmark)
     August 25, 2015

  2. RC4 and TLS

  3. RC4
     ∙ Stream cipher
     ∙ Designed in 1987 by Ron Rivest
     ∙ Fast in software
     ∙ Used in TLS (Transport Layer Security)
     Produces a key stream z = z_0 || z_1 || ... || z_k   (1)

  4. Attack on TLS using RC4 (slides 4 to 6 are animation steps of this one slide)
     Output bytes z_i of RC4 are biased:
     ∙ Pr[z_2 = 0] ≈ 1/128 [FMS01]
     ∙ Distribution of z_1 [Mir02]
     ∙ Pr[z_l = 256 − l] ≥ 1/256 + 1/256^2 [GMPS11]
     ∙ Plaintext recovery for TLS using RC4 [ABP+13]
       ∙ Needs around 2^30 sessions.
     ∙ Break WPA-TKIP and decrypt cookies in 75 hours [MF15] (footnote 1: https://www.rc4nomore.com)
     ∙ Password recovery for TLS [CPdMT15], USENIX'15
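As an added illustration (not part of the slides), the following Python implements the RC4 key schedule and the update step from slide 10, then measures the second-byte bias Pr[z_2 = 0] that the cited TLS attacks build on, over a constructed, seeded sample of random keys. The function names, the 16-byte key length and the sample size are choices made here, not from the slides.

```python
import random

N = 256  # RC4 state size

def rc4_ksa(key):
    """Key-scheduling algorithm: build the initial permutation S from key bytes."""
    S = list(range(N))
    j = 0
    for i in range(N):
        j = (j + S[i] + key[i % len(key)]) % N
        S[i], S[j] = S[j], S[i]
    return S

def rc4_keystream(key, nbytes):
    """PRGA: return the first nbytes keystream bytes z_1, z_2, ... for key
    (the RC4 update i = i + 1; j = j + S[i]; swap; z = S[S[i] + S[j]])."""
    S = rc4_ksa(key)
    i = j = 0
    out = []
    for _ in range(nbytes):
        i = (i + 1) % N
        j = (j + S[i]) % N
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % N])
    return out

def second_byte_zero_rate(trials, seed=1):
    """Fraction of random 16-byte keys for which the second keystream byte z_2 is 0.
    An unbiased byte would give about 1/256; RC4 gives about 1/128.
    The seed fixes the constructed random keys so runs are repeatable."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        key = [rng.randrange(N) for _ in range(16)]
        if rc4_keystream(key, 2)[1] == 0:
            hits += 1
    return hits / trials

if __name__ == "__main__":
    rate = second_byte_zero_rate(10000)
    print(f"observed Pr[z_2 = 0] = {rate:.5f}; "
          f"ideal 1/256 = {1/256:.5f}, RC4 bias 1/128 = {1/128:.5f}")
```

With ten thousand keys the observed rate lands near 1/128, roughly double what an unbiased keystream byte would give, which is why a fixed plaintext byte repeated across many sessions leaks.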

  7. RC4 should NOT be used anymore!
     ∙ In July 2014, 10% of servers did not support RC4.
     ∙ In July 2015, 40% of servers did not support RC4 (footnote 2: SSL Pulse, July 07, 2015).
     ∙ IETF draft to remove RC4 from TLS: RFC 7465.

  8. RC4 [figure slide; no recoverable text]

  9. Spritz

  10. Spritz
      ∙ A redesign of RC4 by Ron Rivest and Jacob C. N. Schuldt
      ∙ Uses a sponge-like construction.
      ∙ Update function chosen using extensive computations.
      ∙ Avoids the statistical weaknesses of RC4.
      RC4 update:
        i = i + 1
        j = j + S[i]
        SWAP(S[i], S[j])
        z = S[S[i] + S[j]]
        return z
      Spritz update:
        i = i + w
        j = k + S[j + S[i]]
        k = i + k + S[j]
        SWAP(S[i], S[j])
        z = S[j + S[i + S[z + k]]]
        return z

  11. Table 1: Performance of stream ciphers in software.
      Cipher   | Short msg. (footnote 3) | Long msg.
      RC4      | 142 MB/s                | 293 MB/s
      Salsa20  | 146 MB/s                | 152 MB/s
      AES-CTR  | 268 MB/s                | 296 MB/s
      Spritz   |  32 MB/s                |  95 MB/s
      Footnote 3: 16-byte key, 512 bytes. The Spritz implementation is not optimized in this comparison.

  12. Spritz: internal structure
      ∙ Permutation S (N = 16 in the example): S[0..15] = 0 1 2 ... 15, with the pointers i, j, k drawn into it.
      ∙ Six registers: i, j, k, w, z and a.

  13. Spritz: the sponge-like construction supports many applications
      ∙ Encryption
      ∙ Hashing
      ∙ MAC
      Example, encryption:
        Encrypt(M, K):
          InitializeState()
          Absorb(K)
          C = M + Squeeze(M.length)

  14. Spritz: InitializeState()
      ∙ First all registers are initialized: i = j = k = z = a = 0, w = 1
      ∙ Initialize the permutation to the identity: S[0..15] = 0 1 2 ... 15 (i, j, k point to position 0)

  15. Spritz: Absorb(x) using x = 2 || 0 || 1 || 2 (slides 15 to 20 are animation steps of this one slide)
      ∙ Swap(S[a], S[N/2 + x])
      ∙ a = a + 1
      [Animation: the 16-element permutation goes from S_0 (identity) to S_4, one step per absorbed nibble (Absorb 2, Absorb 0, Absorb 1, Absorb 2), with the markers a and N/2 + x shown on each step.]

  21. Spritz: keystream output (slides 21 to 23 are animation steps of this one slide)
      Update:
        i = i + w
        j = k + S[j + S[i]]
        k = i + k + S[j]
        SWAP(S[i], S[j])
        z = S[j + S[i + S[z + k]]]
        return z
      [Animation: the 16-element permutation S_0 with the pointers i, j, k, one Update step per frame, and the keystream output z after each step.]
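Added example, not code from the slides or from the Spritz authors: a Python model of the toy 16-element Spritz used on slides 12 to 23, combining InitializeState (slide 14), the nibble Absorb rule (slide 15), the Update step (slide 21) and the Encrypt(M, K) recipe of slide 13. The class and function names are this example's own; Shuffle, Whip and Crush, which full Spritz applies when a reaches N/2 and before Squeeze, are deliberately omitted, so the values follow the slide rules rather than real Spritz and the code is for study only.

```python
N = 16  # toy permutation size used on the slides (real Spritz uses N = 256)

class SpritzToy:
    """Slide-level model of Spritz: InitializeState, nibble Absorb, Update and
    Squeeze only. The Shuffle/Whip/Crush of full Spritz are left out."""

    def __init__(self):
        # InitializeState(): i = j = k = z = a = 0, w = 1, S = identity (slide 14)
        self.i = self.j = self.k = self.z = self.a = 0
        self.w = 1
        self.S = list(range(N))

    def absorb(self, nibbles):
        # Absorb(x) per nibble x: Swap(S[a], S[N/2 + x]); a = a + 1 (slide 15)
        for x in nibbles:
            if not 0 <= x < N // 2:
                raise ValueError("toy nibble must be below N/2")
            if self.a == N // 2:
                raise NotImplementedError("full Spritz would Shuffle() here")
            self._swap(self.a, N // 2 + x)
            self.a += 1
        return list(self.S)

    def update(self):
        # Update step from slide 21; all index arithmetic is mod N
        S = self.S
        self.i = (self.i + self.w) % N
        self.j = (self.k + S[(self.j + S[self.i]) % N]) % N
        self.k = (self.i + self.k + S[self.j]) % N
        self._swap(self.i, self.j)
        self.z = S[(self.j + S[(self.i + S[(self.z + self.k) % N]) % N]) % N]
        return self.z

    def squeeze(self, n):
        return [self.update() for _ in range(n)]

    def _swap(self, p, q):
        self.S[p], self.S[q] = self.S[q], self.S[p]

def encrypt(key_nibbles, msg):
    """Encrypt(M, K) from slide 13: InitializeState(); Absorb(K); C = M + Squeeze(len(M))."""
    st = SpritzToy()
    st.absorb(key_nibbles)
    return [(m + z) % N for m, z in zip(msg, st.squeeze(len(msg)))]

def decrypt(key_nibbles, ct):  # same keystream, subtracted instead of added
    st = SpritzToy()
    st.absorb(key_nibbles)
    return [(c - z) % N for c, z in zip(ct, st.squeeze(len(ct)))]
```

Absorbing x = 2 || 0 || 1 || 2 into the identity permutation gives S_4 = 10 8 9 0 4 5 6 7 1 2 3 11 12 13 14 15 with a = 4, and the first four Update outputs under these slide rules are 8, 4, 4, 0.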
