Deep Learning based Cryptanalysis of Stream Ciphers

Conventional cryptanalysis techniques necessitate an extensive analysis of non-linear functions defining the relationship of plain data, key, and corresponding cipher data. These functions have very high degree terms and make cryptanalysis work extremely difficult. The advent of deep learning algorithms along with the better and efficient computing resources has brought new opportunities to analyze cipher data in its raw form. The basic principle of designing a cipher is to introduce randomness into it, which means the absence of any patterns in cipher data. Due to this fact, the analysis of cipher data in its raw form becomes essential. Deep learning algorithms are different from conventional machine learning algorithms as the former directly work on raw data without any formal requirement of feature selection or feature extraction steps. With these facts and the assumption of the suitability of employing deep learning algorithms for cipher data, authors introduced a deep learning based method for finding biases in stream ciphers in the black-box analysis model. The proposed method has the objective to predict the occurrence of an output bit/byte at a specific location in the stream cipher generated keystream. The authors validate their method on stream cipher RC4 and its improved variant RC4A and discuss the results in detail. Further, the authors apply the method on two more stream ciphers namely Trivium and TRIAD. The proposed method can find bias in RC4 and shows the absence of this bias in its improved variant and other two ciphers. Focusing on RC4, the authors present a comparative analysis with some existing methods in terms of approach and observations and showed that their process is more straightforward and less complicated than the existing ones

RC4 Encryption-A Literature Survey

AbstractA chronological survey demonstrating the cryptanalysis of RC4 stream cipher is presented in this paper. We have summarized the various weaknesses of RC4 algorithm followed by the recently proposed enhancements available in the literature. It is established that innovative research efforts are required to develop secure RC4 algorithm, which can remove the weaknesses of RC4, such as biased bytes, key collisions, and key recovery attacks on WPA. These flaws in RC4 are still offering an open challenge for developers. Hence our chronological survey corroborates the fact that even though researchers are working on RC4 stream cipher since last two decades, it still offers a plethora of research issues. The attraction of community towards RC4 is still alive

Attacks Only Get Better:Password Recovery Attacks Against RC4 in TLS

Despite recent high-profile attacks on the RC4 algorithm in TLS, its usage is still running at about 30 % of all TLS traffic. This is attributable to the lack of practicality of the existing attacks, the desire to support legacy implementations, and resistance to change. We provide new attacks against RC4 in TLS that are focussed on recovering user passwords, still the pre-eminent means of user authentication on the Web today. Our attacks enhance the statistical techniques used in the existing attacks and exploit specific features of the password setting to produce attacks that are much closer to being practical. We report on extensive simulations that illustrate this. We also report on two “proof of concept ” implementations of the attacks for specific application layer protocols, namely BasicAuth and IMAP. Our work validates the truism that attacks only get better with time: we obtain good success rates in recovering user passwords with around 226 encryptions, whereas the previous generation of attacks required 234 encryptions to recover a

Spritz---a spongy RC4-like stream cipher and hash function.

This paper reconsiders the design of the stream cipher RC4, and proposes an improved variant, which we call ``Spritz\u27\u27 (since the output comes in fine drops rather than big blocks.) Our work leverages the considerable cryptanalytic work done on the original RC4 and its proposed variants. It also uses simulations extensively to search for biases and to guide the selection of intermediate expressions. We estimate that Spritz can produce output with about 24 cycles/byte of computation. Furthermore, our statistical tests suggest that about $2^{81}$ bytes of output are needed before one can reasonably distinguish Spritz output from random output; this is a marked improvement over RC4. [Footnote: However, see Appendix F for references to more recent work that suggest that our estimates of the work required to break Spritz may be optimistic.] In addition, we formulate Spritz as a ``sponge (or sponge-like) function,\u27\u27 (see Bertoni et al.), which can ``Absorb\u27\u27 new data at any time, and from which one can ``Squeeze\u27\u27 pseudorandom output sequences of arbitrary length. Spritz can thus be easily adapted for use as a cryptographic hash function, an encryption algorithm, or a message-authentication code generator. (However, in hash-function mode, Spritz is rather slow.

Statistical Attacks on Cookie Masking for RC4

Levillain et al. (AsiaCCS 2015) proposed two cookie masking methods, TLS Scramble and MCookies, to counter a class of attacks on SSL/TLS in which the attacker is able to exploit its ability to obtain many encryptions of a target HTTP cookie. In particular, the masking methods potentially make it viable to continue to use the RC4 algorithm in SSL/TLS. In this paper, we provide a detailed analysis of TLS Scramble and MCookies when used in conjunction with RC4 in SSL/TLS. We show that, in fact, both are vulnerable to variants of the known attacks against RC4 in SSL/TLS exploiting the Mantin biases (Mantin, EUROCRYPT 2005): * For the TLS Scramble mechanism, we provide a detailed statistical analysis coupled with extensive simulations that show that about $2^{37}$ encryptions of the cookie are sufficient to enable its recovery. * For the MCookies mechanism, our analysis is made more complex by the presence of a Base64 encoding step in the mechanism, which (unintentionally) acts like a classical block cipher S-box in the masking process. Despite this, we are able to develop a maximum likelihood analysis which provides a rigorous statistical procedure for estimating the unknown cookie. Based on simulations, we estimate that $2^{45}$ encryptions of the cookie are sufficient to enable its recovery. Taken together, our analyses show that the cookie masking mechanisms as proposed by Levillain et al. only moderately increase the security of RC4 in SSL/TLS

Securing Deployed Cryptographic Systems

In 2015 more than 150 million records and $400 billion were lost due to publicly-reported criminal and nation-state cyberattacks in the United States alone. The failure of our existing security infrastructure motivates the need for improved technologies, and cryptography provides a powerful tool for doing this. There is a misperception that the cryptography we use today is a "solved problem" and the real security weaknesses are in software or other areas of the system. This is, in fact, not true at all, and over the past several years we have seen a number of serious vulnerabilities in the cryptographic pieces of systems, some with large consequences. This thesis will discuss three aspects of securing deployed cryptographic systems. We will first explore the evaluation of systems in the wild, using the example of how to efficiently and effectively recover user passwords submitted over TLS encrypted with RC4, with applications to many methods of web authentication as well as the popular IMAP protocol for email. We will then address my work on developing tools to design and create cryptographic systems and bridge the often large gap between theory and practice by introducing AutoGroup+, a tool that automatically translates cryptographic schemes from the mathematical setting used in the literature to that typically used in practice, giving both a secure and optimal output. We will conclude with an exploration of how to actually build real world deployable systems by discussing my work on developing decentralized anonymous credentials in order to increase the security and deployability of existing anonymous credentials systems

Rethinking the Weakness of Stream Ciphers and Its Application to Encrypted Malware Detection

Encryption key use is a critical component to the security of a stream cipher: because many implementations simply consist of a key scheduling algorithm and logical exclusive or (XOR), an attacker can completely break the cipher by XORing two ciphertexts encrypted under the same key, revealing the original plaintexts and the key itself. The research presented in this paper reinterprets this phenomenon, using repeated-key cryptanalysis for stream cipher identification. It has been found that a stream cipher executed under a fixed key generates patterns in each character of the ciphertexts it produces and that these patterns can be used to create a fingerprint which is distinct to a certain stream cipher and encryption key pair. A discrimination function, trained on this fingerprint, optimally separates ciphertexts generated through an enciphering pair from those which are generated by any other means. The patterns were observed in the Rivest Cipher 4 (RC4), ChaCha20-Poly1305, and Salsa20 stream ciphers as well as block cipher modes of operation that perform similarly to stream ciphers, such as: Counter (CTR), Galois/Counter (GCM), and Output feedback (OFB) modes. The discriminatory scheme proposed in this study perfectly detects ciphertexts of a fixed-key stream cipher with or without explicit knowledge of the key which may be utilized to detect a specific type of malware that exploits a stream cipher with a stored key to encrypt or obfuscate its activity. Finally, using real-world example of this type of malware, it is shown that the scheme is capable of detecting packets sent by the DarkComet remote access trojan, which utilizes RC4, with 100% accuracy in about 36 μs, providing a fast and highly accurate tool to aid in detecting malware using encryption

Rethinking the Weakness of Stream Ciphers and Its Application to Encrypted Malware Detection

One critical vulnerability of stream ciphers is the reuse of an encryption key. Since most stream ciphers consist of only a key scheduling algorithm and an Exclusive OR (XOR) operation, an adversary may break the cipher by XORing two captured ciphertexts generated under the same key. Various cryptanalysis techniques based on this property have been introduced in order to recover plaintexts or encryption keys; in contrast, this research reinterprets the vulnerability as a method of detecting stream ciphers from the ciphertexts it generates. Patterns found in the values (characters) expressed across the bytes of a ciphertext make the ciphertext distinguishable from random and are unique to each combination of ciphers and encryption keys. We propose a scheme that uses these patterns as a fingerprint, which is capable of detecting all ciphertexts of a given length generated by an encryption pair. The scheme can be utilized to detect a specific type of malware that exploits a stream cipher with a stored key such as the DarkComet Remote Access Trojan (RAT). We show that our scheme achieves 100%; accuracy for messages longer than 13 bytes in about 17 mu sec, providing a fast and highly accurate tool to aid in encrypted malware detection

Cryptanalysis of MORUS

Item does not contain fulltextAdvances in Cryptology - ASIACRYPT 2018 - 24th International Conference on the Theory and Application of Cryptology and Information Security, Brisbane, QLD, Australia, December 2-