2. Menu
Can't explain the whole cryptography here
Let's try to explain how it works
Simply
Let's see then some concrete examples
Among so many other fields of application...
3. Menu
Cryptography main rule
Vernam One Time Pad (OTP)
Computer applications
Problems
Solutions
Symetric computer-based cryptography
PRNG & LFSR
Designing a stream cipher using PHP and C
Applications :
DVD-Blu-Ray encryption (CSS / AACS)
Wifi (WEP : RC4)
GSM (A5/1)
4. About me
Julien PAULI - @julienpauli - github.com/jpauli
Working for Sensiolabs in Paris
Release manager of PHP 5.5 / 5.6
PHP internals contributor from time to time (bug fixes,
internal API, performances)
Knowledges about CPU architectures, C lang, Linux and
networking
5. Vernam OTP (One Time Password)
The only method of encryption that is mathematically
absolutely 100% sure and uncrackable
6. Vernam OTP
The only method of encryption that is mathematically
absolutely 100% sure and uncrackable
Hello foo
secretkey
?????????
clear
key
encrypted
+
7. Vernam OTP
You modulo-add clear text + a key, randomly chosen and of
the same size (or more) than the clear text
The operation is fully bijective and can be undone , just like
a classical math addition
3 + 8 = 11
11 - 8 = 3
8. Vernam OTP
3 + 8 = 11
11 ??? = ???
clear + key = encrypted
This cryptography method is the only one being 100% safe
and not violable.
If you get the crypted content only, you'll never be able to
get back the clear text, without having the key
10. Vernam conditions
Vernam OTP is 100% sure if and only if :
The key is random and cant be guessed
The key is kept secret
The key size is >= to the clear content size
The key is never reused (One Time Password : OTP)
The same key is used to encrypt and decrypt
This is called symetric encryption
12. Vernam
Used during WW II
Enigma
Used in red phone
To link Moscow to Washington
Keys (physical) were carried using extra safe planes
13. In computer science
Machines make use of basis 2 (binary)
"modulo 2 addition" is called XOR (exclusive OR)
Noted or ^
A B A ^ B
0 0 0
0 1 1
1 0 1
1 1 0
14. XOR for cryptography
XOR satisfies Vernam OTP conditions
Having A a clear text
Having B a secret key
Crypted C = A ^ B
Clear A = C ^ B
Symetric cryptography using
key C
15. Vernam in computer sciences
Vernam based cryptography is inviolable if :
The key is kept secret
The key size is >= the clear size
The key is random
The key is never reused
Those 4 rules seem hard to achieve in modern computers world
17. The key is secret
It is possible, while not best, to exchange the key securely
Hand to hand
"What's the wifi password please ?"
Usually, asymetric cryptography is used to create a secure
channel to exchange the symetric crypto key
18. And then ?
Vernam based cryptography is inviolable if :
The key is kept secret
The key size is >= the clear size
The key is random
The key is not used more than once
20. Key size
To crypt 25Mb of data , one will need a 25Mb key
that's 26214400 characters
How to do to use a "reasonnably finite-size" key ?
Think about Wifi keys, often long sized, but not that long of
thousands of thousands of chars
22. LFSR
Linear Feedback Shift Register
Solution chosen to solve the problem "The key size must be
>= the clear size to crypt"
How does that work ?
23. LFSR
Linear Feedback Shift Register
Computer and electronic structure
Easy to code in computer language
Easy to make into electronic chips
Very powerful, very fast
24. One byte : 8 digits (bits)
2^7 + 2^5 + 2^2 + 2^1 + 2^0 = 167 (decimal)
In computer science, 1 byte = 1 character (like 'f')
or one integer between 0 and 255 if you prefer
Let's take one byte from the secret key
1 01 10 1101
7 6 5 4 3 2 1 0
25. LFSR
1 01 10 1101
Shift register. At each clock tick ...
Shift digits one slot to the right
Reinject the right-out digit to the left
We got an infinite source of digits
This is a circular shift
Extracted digit used to crypt
one digit of the payload (using
XOR)
26. LFSR
1 01 10 1101
Shift register
Shift to the right
Reinject on the left
We got an infinite number of digits but ...
We got a finite digit sequence (repeating itself)
1 10 11 1001
1 01 11 0011
1 11 01 0101
1-
2-
3-
4-
27. LFSR
1 01 10 1101
Shift register
We got an infinite digit sequence
But not random
The feedback function is 1
1 10 11 1001
1 01 11 0011
1 11 01 0101
. ..
1-
2-
3-
4-
. . .
28. Where are we ?
Vernam based cryptography is inviolable if :
The key is secret
The key size is >= the clear size
The key is random
The key is never reused
29. LFSR
1 01 10 1101
The sequence is going to repeat itself
How to add it some randomness ?
1 10 11 1001
1 01 11 0011
1 11 01 0101
. ..
1-
2-
3-
4-
30. LFSR
1 01 10 1101
It's all about the feedback function
Let's complexify the feedback function
33. LFSR vs Maths
1 01 10 1101
This can be mathematically modelized :
S = X^8 + X^7 + X^6 + X^5 + 1
This is a classic polynom , that can be solved
34. m-sequence LFSR
1 01 10 1101
As the output is injected back into the input, this LFSR will
generate a finite number of states
The maximum sequence is 2^n - 1
"n" is the LFSR degree (number of digits)
This maximum sequence is called the "m-sequence"
In the above example, n is 8, the LFSR will have a maximum
period of 255 states
35. m-sequence LFSR
1 01 10 1101
To get an m-sequence
The number of feedback digits must be odd
Their factors must be prime between them
S = X^8 + X^7 + X^6 + X^5 + 1
Works, this LFSR will have a m-sequence (255 states)
S = X^8 + 1
Doesn't work, this LFSR will repeat before 255 states
36. m-sequence LFSR
1 01 10 1101
If we extend LFSR to 32 digits, max period becomes 2^32 - 1
That's 4294967295 different states
Randomness slowly becomes more and more appearingly clear
With 32 digits (4 bytes or 4 secret key chars) we can
encrypt 4294967295 digits, thus 512Mb.
Above that : the key repeats itself (and invalidates Vernam
conditions)
37. LFSR example coded in PHP
https://github.com/jpauli/PHP-Crypto
**Simple Galois LFSR, degree 7 (127 states m-sequence)**
Used register bits for feedback : 7 6
Deducted Feedback function : 1100000 (0X60)
Your initial state is : 00000000000000000000001110001100 (908)
Let's now start the Linear Feedback Shift Register
[Iteration] [-------Internal Register -------] [PRandom bit]
| | |
v v v
0 - 00000000000000000000001110001100 [ 0 ]
1 - 00000000000000000000000111000110 [ 0 ]
2 - 00000000000000000000000011100011 [ 1 ]
3 - 00000000000000000000000000010001 [ 1 ]
4 - 00000000000000000000000001101000 [ 0 ]
38. LFSR example coded in PHP
for ($i = 0; $i < count(self::POLYNOMIAL_PRIME_COEFF[$this->degree]); $i++)
$this->taps[ ] = self::POLYNOMIAL_PRIME_COEFF[$this->degree][$i];
$this->ff |= (1 << self::POLYNOMIAL_PRIME_COEFF[$this->degree][$i]);
}
/* LFSR always has first and last bit set */
$this->ff |= 1 << ($this->degree);
$this->ff |=1;
do {
$this->iterations++;
$this->currentState >>= 1; /* Shift register */
yield $this->iterations => $this->currentState;
if ($this->currentState & 1) {
$this->currentState ^= $this->ff; /* re-enter */
}
} while ($this->currentState != $this->start);
39. Encryption with a LFSR ?
Pretty easy
Initialize LFSR with the secret key
Encrypt each clear digit with one digit generated from the LFSR
using XOR operation
This is called a stream cipher
(bloc ciphers also exist)
41. Generating a random byte using an LFSR
function getRandomByte(LFSR $lfsr) : int
{
$random = 0;
$run = $lfsr->run();
for ($j=0; $j<8; $j++) {
$random |= $lfsr->getCurrentBit() << $j;
$run->next();
}
return $random;
}
42. Ciphering clear data with the random byte
function cipher(string $input) : string
{
$dataSize = strlen($input);
$i = 0;
$output = '';
$lfsr = new LFSR($this->degree, $this->seed);
do {
$random = $this->getRandomByte($lfsr);
$data = unpack('C', $input[$i]);
$output .= pack('C', $outputByte = $data[1] ^ $random);
} while (++$i < $dataSize);
return $output;
}
Yeah !
43. Where are we ?
Vernam based cryptography is inviolable if :
The key is secret
The key size is >= the clear size
The key is random
The key is not reused
44. Stream ciphers can be secure if
The key is secret
The feedback digits are kept secret
The period is big enough (m-sequence) to never loop
The attacker cannot access the input stream
If the attacker can inject some data into the clear input, a linear
equation system can be used to crack the LFSR and deduce the
key
This, with only 2n states
"Berlekamp-Massey attack"
45. Having a good initialisation
Randomness will depend on how the key is used to initialize
the LFSR in the stream cipher
The key is used to define the starting state of the LFSR
It can also be used to choose the feedback digits
The key is usually mixed with an initialization vector (IV),
which is some piece of random bytes.
Thus, with the same key , the same LFSR will produce
different output
46. Hacking the encryption process
If the LFSR starts looping, its going to produce the same
output (repeat itself) and thus doesn't satisfy Vernam
conditions anymore
If the attacker can inject some input, he can use Berlekamp-
Massey attack to crack the LFSR key and states
49. Strengthen the encryption
Having several LFSR working together :
The loop is still linear
Thus can be cracked in polynomial time by injecting some traffic into the
input
N-degree linear equation system
We push the time limit, only
51. Examples
Content Scrambling System (CSS)
DVD protection mechanism (from 1995)
Cracked in 1999 by hacking the LFSRs
Keys are cracked by injecting some input, watching the output and
cracking the polynoms
DECSS is born, and movie piracy with it
Back then, less than 18 seconds were needed to a Pentium 3
@ 450Mhz to hack the LFSRs
53. DECSS
CSS keys are secret and distributed by DVDCCA to DVD-
reader manufacturers
Keys are stored into the hardware (or soft for PC softwares)
Each device needs a key, this is costly
http://www.dvdcca.org/css.aspx
Hence, free world and Linux were forgotten from DVDCCA
The open/free world answered by cracking CSS
Lawsuits happened
Technical analysis of CSS :
http://www.lemuria.org/DeCSS/crypto.gq.nu/
54. CSS and VLC
Since, DECSS code is embeded into VLC
In libdvdcss
http://git.videolan.org/?p=libdvdcss.git;a=blob;f=src/css.c;
This code is the algorithm to hack CSS protected DVDs, to
read them under Linux
Hacking the LFSRs and the keys
Otherwise the stream is crypted and unreadable
55. LFSR cant be cryptographically secure, but we can still push
the limits of the time needed to crack it
Time should be > brute force attack
If output is a linear function of the input, then it can be
cracked
https://en.wikipedia.org/wiki/Correlation_attack
We need to have the output not being a linear function of
the input.
Use a non-linear reentrancy function
NLFSR
Use a non-linear shift
Strengthen the encryption
57. Notes about Trivium
3 LFSR
A : 93 digits
B : 84 digits
C : 111 digits
On LFSR input depends on an other's output and one of its
own digit
Period 2^64
Some of the output makes use of an AND
AND is a modulo-2 multiplication
Thus cryptanalysis of the output cant crack the LFSR in linear time
anymore
58. Using Trivium
80 digits IV
loaded in the A LFSR left digits
secret key of 80 digits as well
loaded in the B LFSR left digits
All other digits are zeroed.
We shuffle 1152 round times.
Starting from 1153th time : we got our stream
59. Cracking Trivium
Today, no efficient attack has been discovered
We found algos in 2^68
Thus above brute force (2^64) , thus useless
As of today 2018, Trivium is recommanded by security
experts
61. A5/1
A5/1 makes use of 3 LFSR
19 / 22 / 23 digits
Introduces a non-linear shift :
LFSR are shifted only if it is in the MAJ(1,2,3) set
62. A5/1
A5/1 is used to crypt GSM communications
It took about 10 years, but today A5/1 is broken
In an acceptable time
Under acceptable computing hardware (CPU/Mem)
Often still needs some specific hardware
Some flaws were found in the GSM protocols that weaken A5/1
and allow an attack
63. RC4
Rivest Cipher 4 don't use LFSR, but still can be used as a
pseudo random generator
The big picture of RC4 :
Byte based (unit is byte, not digit)
Works on a 256 bytes payload
Uses many permutations and one XOR only
Huge period, about 10^100
Depending on the key used
Max theoric period is : 2^170000
64. RC4
We put 256 bytes into an array
We shuffle the array by adding bytes and swapping them
We get one byte from the array at indexes i and j
We shuffle 2 array slots, then i and j
66. RC4 , demo in PHP and C
https://github.com/jpauli/PHP-Crypto
67. RC4 is cracked
As its been massively used since its creation (1987), RC4
has been cracked
Today, it is cracked. Flaws have been discovered
The first bytes leak some informations about the key
KSA (Key Scheduling Algo) is too weak
RC4 doesnt define how to use the IV
So weak usage started to appear (concatenation of IV with the key)
algo has some weaknesses
You can recognize RC4 from a P-random output stream
68. RC4 in practice
RC4 was used in 802.11 WEP (Wired Equivalent Privacy).
WEP is very weak :
Ability to inject some trafic in input, and watch the output, thus
hijacking the internal state of RC4
Control checksum are weak (CRC32 : which is linear)
Reusage of the key (overflow of the stream cipher period)
70. Memorize
We talked about stream ciphers
There exists block ciphers
DES/AES/BlowFish/RC5
Every cipher uses the only 100% cryptographically secure
Vernam one-time pad
A secret key
A key length >= the clear length
A modulo-2 addition (XOR in radix 2)
71. Memorize
100% cryptographically secure Vernam one-time pad
A secret key
A key length >= the clear length
A modulo-2 addition (XOR in radix 2)
... is difficult to gather in computer world
We then use compromises : LFSR f.e
From XOR operations, we try to push the limits so far that it goes
over brute force time
But cryptanalysers often use high level math tools to try to hack such
systems
Daniel J Bernstein should be the most known engineer about cryptanalysis
72. Crypto using PHP ?
Don't use ext/mcrypt
Old, unmaintained, bugged and unsecure
Don't use mt_*() or rand() for crypto purposes
Use ext/hash if you need to hash
Use ext/sodium if you need to crypt
2018 crypto. secured stream ciphers :
trivium / salsa20 ...
Have a look at the "estream" project
http://www.ecrypt.eu.org/stream/