miércoles, 31 de octubre de 2012

Program 4


Hi there, this is my post for the homework(program number 4), my 6 images are the next:
3 of the 6 images(from internet to make it easier :P) have the message, so  let's to hack :P

arsenalforever :)

miércoles, 24 de octubre de 2012

Extra Points

Quantum stream cipher based on optical communications

Hello, for extra points i investigated about quantum stream cipher based on optical communication.

There is no much information about this topic (at least i did not find too much information) but, i found a notice about  Yuen protocol, Yuen protocol or Y-00 can realize a randomized stream cipher with high bit rate(Gbps) for long distance(several hundreds km). The randomized stream cipher with randomization by quantum noise based on Y-00 is called quantum stream cipher and it may have security against known plaintext attacks which has no analog with any conventional symmetric key ciphers.

In other publication of this notice i found that Y-00 is a physical cipher that has a possibility to avoid the decipher and hence it is a promising candidate to realize secure networks. The key to success of high capacity transmission was the use of wavelength division multiplexing (WDM) scheme.

Four lights with different wavelengths each carrying 10-Gbit/sec Y-00 encrypted optical signals were multiplexed into an optical fiber to attain the aggregate capacity of 40 Gbit/sec. In the experiment, it has been proved that the transmission capacity of Y-00 signals was increased by employing the WDM (Wave Division Multiplexing, this is a technology of transmission in optical fiber) scheme. The capacity can be further increased with use of more number of lights with different wavelengths. The result made a step closer to practical use of Y-00 stream cipher in the real network services. 

Tamagawa University is advancing the research on developing a cipher that is capable of disabling the decipher and realizing secure communications. The University aims at practical use of the cipher in a network to realize the unbreakable system. The quantum noise randomized stream cipher, Y-00, the University is developing is categorized into the multi-level intensity modulation from the viewpoint of modulation scheme. That is, it features that Y-00 requires no excess bandwidth. Therefore, the transmission capacity has been expected to increase with the WDM scheme that multiplexes the lights in wavelength. The scheme is widely utilized in the modern optical fiber communication for high capacity transmissions.

I know this is a short post, but i did not find more information, altough i´m not sure this is the correct topic cause i didn't prompt the the topic :S

Any doubt you can leave it in comments, however you can find more of this information in the next links(bibliography).



Report 3

Stream Cipher

Hi, this is the report 3, this report is about stream ciphers, the teacher let us choose a stream cipher, i choose Phelix Stream Cipher.

The total homework is:

- Choose a stream cipher.
- Describe its operation.
- Describe known attacks and vulnerabilities.

Ok, firstly i'm going to explain what the hell is a stream cipher and then i will conclude explaining  the stream cipher that i choose (Phelix).

Stream Cipher

Stream cipher is a symmetric key cipher where plaintext digits are combined with a pseudorandom cipher digit stream.. In a stream cipher each plaintext digit is encrypted one at a time with the corresponding digit of the keystream, to give a digit of the cyphertext stream. An alternative name is a state cipher as the encryption of each digit is dependent on the current state. In practice, a digit is typically a bit and the combining operation an xor

The pseudorandom keystream is typically generated serially from a random seed value using digital shift registers. The seed value serves as the cryptographic key for decrypting the ciphertext stream.



Ok, now Phelix is a high speed stream cipher with a built-in single-pass message authentication code (MAC, don't confuse with Mac address hehe) functionality. Phelix was submitted in 2004 by Doug Whiting, Bruce Schneier, Stefan Lucks, and Frédéric Muller.

Phelix operation is as follows:

The origin of Phelix is a modified form of Helix (another stream cipher), is the strengthened version of Helix.

Phelix uses a 256-bit key and a 128-bit nonce. The key is secret, and the nonce is typically public knowledge. Phelix is optimized for 32-bit platforms; all operations are on 32-bit words. The only operations used are addition modulo 2^32, exclusive or, and rotation by ¯xed numbers of bits. The design philosophy of Phelix can be summarized as many simple rounds.

Phelix has a state that consists of nine words of 32 bits each. The state is broken up into two groups: 5 "active" state words, which participate in the block update function, and 4 "old" state words that are only used in the keystream output function. A single round of Phelix consists of adding (or xoring) one active state word into the next, and rotating the first word. This is shown in Figure 1, where the active state words are shown as vertical lines. Multiple rounds are applied in a cyclical pattern to the active state. The horizontal lines of the rounds wind themselves in helical fashion through the active state words. Twenty rounds make up one block (see Figure 2). Phelix actually uses two intertwined helices; a single block contains two full turns of each of the helices. 

I made a diagram to explain better the previous explanatio (is very simple, but it help to understand easily).

During each block, several other activities occur. During block i, one word of keystream is generated (Si), two words of key material are added (Xi;0 and Xi;1), and one word of plaintext is added (Pi). The output state of one block is used as input to the next, so the computations shown in ¯gure 2 are all that is required to process 4 bytes of the message. As with any stream cipher, the ciphertext is created by xoring the plaintext with the keystream.

At the start of an encryption, a starting state is derived from the key and nonce. The key words Xi;j depend on the key, the length of the input key, the nonce, and the block number i. State-guessing attacks are made more di±cult by adding key material at double the rate at which key stream material is extracted. At the end of the message, some extra processing is done, after which a 128-bit MAC tag is produced to authenticate the message.


A Phelix encryption is started by setting

Z^(-8) := K(j+3) "XOR" Nj         for j = 0, ... ,3

Z4^(-8) := K7

Z4^(i) := 0                                   for i = -12, ... , -9

Pi := 0                                         for i = -8, ..., -1

Eight blocks are then applied, using block number i = -8, ... ,-1. For these blocks, the generated keystream words are discarded.


After the initialization, the plaintext is encrypted. Let k := [(L(P) + 3)/4] be the number of words in the plaintext. The encryption consists of k blocks numbered 0 to k -1. Each block generates one word of keystream, which is used to encrypt one word of the plaintext. Depending on L(P) mod 4, between 1 and 4 of the bytes of the last keystream word are used.

Computing the mask

Just after the block that encrypted the last plaintext byte, one of the state words is modified. The internal state word Z0^(k) is xored with the value 0x912d94f1.

Using this modifed state, eight blocks, numbered k; ... ,k + 7 are applied for post-mixing. For these blocks, the plaintext word Pi is defined as L(P) mod 4, and the generated keystream is discarded . After the post-mixing, four more blocks, numbered k + 8, ... , k + 11, are applied, using the same plaintext input word (i.e., L(P) mod 4).


Decryption is almost identical to encryption. The only diferences are:

-The keystream "Si" generated after the first application of the H function in each block is used to decrypt the ciphertext, producing the plaintext word that is used in the second application of the H function within the block. The implementation must insure that any unused bytes of the final plaintext word are taken as zero for purposes of computing the block function, regardless of value of the extra keystream bytes.

- Once the tag has been generated, it is compared to the tag provided. If the two values are not identical, all generated data (i.e., the keystream, plaintext, and tag) is destroyed.

The keystream words generated by these four blocks form the MAC tag.

Attacks and vulnerabilities. 

- Only bruteforce attack is proved to be possible till now.

- Salehani, Ahmadi claimed an attack but later withdrew the claim.

- Wu,Preneel pointed out attacks against senders who do not follow the Phelix specifcation.

pyPhelix (library in python)

A very nice nice library of python of this stream cipher is  pyPhelix, you can found more information, and examples in this site (it is very good, i recomend it): http://www.seanet.com/~bugbee/crypto/phelix/

This is a very simple example of Phelix stream cipher implementation:

I can't run the program cause i had a lot of problems compiling pyPhelix.c file(this file is necessary compile it to import pyPhelix library).
There is no much information about pyPhelix :(



If you have any doubt you can leave it in comments.


miércoles, 17 de octubre de 2012

Report 2


Hi, this is the report number 2, in past week we talked about the block ciphers.
In cryptography, a block cipher is a deterministic algorithm operating on fixed-length groups of bits, called blocks, with an unvarying transformation that is specified by a symmetric key. Block ciphers are important elementary components in the design of many cryptographic protocols, and are widely used to implement encryption of bulk data.

When performing encryption, block cipher unit takes as input a block of plaintext (or light) and produces a block cipher of equal size. The exact transformation is controlled using a second input: the secret key provided by the user.

To perform the reverse process, decryption, entering a ciphertext block and produces original plaintext.

The block cipher encryption differs from the flow (stream ciphers) in that, in the latter, operates in individual digits one by one, and the processing varies during the encryption process.

The type of block that i chose is the Skipjack cypher.


Skiperjack origin

Skipjack was developed in the USA by the NSA (National Security Agency) initially for Clipper and Capstone chips. The design began in 1985 and completed its evaluation in 1990.

The purpose of Skipjack

The main purpose of skipjack is for militar application, Skipjack was used in hardware stuff (microchips).

Skipjack is a symmetric cipher using 64-bit blocks and a 80-bit key. It was used in the Clipper program (draft chip) but he had the key holder (key escrow) built (the keyring was part of the key exchange mechanism and no data encryption).

It is slower than Blowfish and AES any of the proposals, but still and is twice faster than DES 32-bit micros. It's fast when used in smart cards and efficient in hardware.

How Skipjack works (with example)

Ok, first, we are going to talk about the design principles:

-Symmetry in encryption & decryption, protects against choosen plaintext and chosen ciphertext attacks.

- Not too much Symmetry. Symmetry is broken with round counters. protects against symmetry based attacks.

- 80-bit Key. Effective size against differential & linear attacks.

Skipjack works with:

*64-bit block size and 80-bit key

*32 rounds , composed of round functions
*Two round functions RuleA, RuleB and their inverses (decryption)

Ok, let´s to see the Skipjack cipher operations (and decipher too).

W1 is the first quarter of the block, W2 is the second quarter and successively, it means each W has 16 bits,

Skipjack has 32 rounds. These rounds are of two types, A and B. A type A round proceeds as follows:

The first quarter of the block (called W1) is enciphered by the "G permutation", which is actually a four-round Feistel cipher. The result, and the round number (where round numbers go from 1 through 32), are XORed with the fourth quarter of the block (W4). Then each quarter of the block is moved to the next position; W1 to W2, W2 to W3, W3 to W4, and W4 back to W1.

A type B round proceeds as follows:
The second quarter of the block (W2) is XORed with the round number and the first quarter of the block (W1). Then the first quarter of the block is enciphered by the "G permutation". Again, each quarter of the block is moved to the next position; W1 to W2, W2 to W3, W3 to W4, and W4 back to W1.

The rotation of quarters of the block is not omitted after the last round. The 32 rounds of Skipjack consists of eight type A rounds, eight type B rounds, eight type A rounds, and eight type B rounds. Note that by having a type A round first, and a type B round last, the form of the first quarter on the "inside" is XORed with one of the other quarters in the first and last rounds.
Permutation G is a four-round Feistel cipher, involving dividing its 16-bit input into two 8-bit halves. Like DES, the left half of the block is not changed in each round, but acts as input to the f-function, the output of which is XORed to the right half. Unlike DES, the two halves are swapped after the last round (as the algorithm has only four rounds, all four iterations of the f-function can be illustrated, going alternately from right to left, and then from left to right; in that form, no swaps at all are required).

The f-function of the G permutation is as simple as one might expect for an f-function only 8 bits wide: the input is first XORed with the current round's subkey, and then the result is substituted according to a lookup table, called F.
The subkeys for G, each one byte long, are simply four consecutive bytes of the 80-bit key. The first four bytes are used in the first round, the next four bytes in the second, the last two bytes followed by the first two bytes in the third, and so on.

The images of the previous explanation are the following:

Rule A, and B previously commented, and A^-1, B^-1 (it means the inverse, decipher)

Permutations to cipher and decipher (G, and G^-1 )

Decipher (previous images illustrate the decryption too)

For decipherment, each round is replaced by a corresponding deciphering round, and these rounds are, of course, executed in the reverse of the enciphering order.
The deciphering equivalent of a type A round is as follows:
The first quarter, W1, is XORed with W2 and the round number (rounds now counting down from 32 to 1). Then the second quarter, W2, is subjected to the inverse of the G permutation. Then, each quarter is moved to the position of the preceding one; W1 to W4, W2 to W1, W3 to W2, and W4 to W3.
The deciphering equivalent of a type B round is the following:
The second quarter, W2, is subjected to the inverse of the G permutation. The third quarter, W3, is then XORed with the round number and the changed value of W2. Again, each quarter is moved to the position of the preceding one; W1 to W4, W2 to W1, W3 to W2, and W4 to W3.
The deciphering equivalent of the G permutation involves using the four subkeys in reverse order - and reversing the roles of the right and left halves of the 16-bit quarter block.

Attacks and vulnerabilities

Algorithm is a high risk, which means that there was a high risk that was committed. Therefore, it is unlikely that the NSA put in him their most secret designs.
It not takes a lot of time the key prepararación, the size of the key is small (80 bits).

Skipjack was declassified in order to facilitate finding private companies to manufacture devices using that algorithm for use by the U.S. Government. Some people have called attention to the fact that only a short time previously, government spokespersons were saying that the disclosure of that algorithm would harm national security.
However, I have noted that the inconsistency involved may be more apparent than real. Between the statements cited, and the declassification of Skipjack, a paper was published by an academic researcher noting that Feistel ciphers of a particular type, specifically those in which the f-function was itself a series of Feistel rounds, could be proven to be immune to differential cryptanalysis.
SKIPJACK, although not precisely of that type, is closely related: one of the four subblocks undergoes Feistel rounds, but in addition to the result being used, as an f-function output, on another subblock, the subblock is also retained in its modified state.

The book "Top Secret Intranet", reveals that SKIPJACK was considered adequate to safeguard information classified SECRET but not information classified TOP SECRET.


* Less diffusion in B rounds and A-1 rounds

* Bad interactions between the round-types
* A one bit difference in input to the F Table may cause a difference of only one bit in its output
* Eli Biham had shown an attack on 31 round skipjack using impossible differentials
* Less security margin

Some of code in Perl (obtained from this webpage: http://search.cpan.org/~jcduque/Crypt-Skipjack-1.0.2/Skipjack.pm
). It was not made for me, but if you want to study the code you can visit the webpage, it is more explicit in the webpage.


    use diagnostics;
    use strict;
    use warnings;
    use Crypt::Skipjack;

    # key must be 10 bytes long
    my $key = "0123456789";

    my $cipher = new Crypt::Skipjack $key;

    print "blocksize = ", $cipher->blocksize, " bytes \n";
    print "keysize = ", $cipher->keysize, " bytes \n";

    # block must be 8 bytes long
    my $plaintext1 = "abcdef01";

    my $ciphertext = $cipher->encrypt($plaintext1);
    my $plaintext2 = $cipher->decrypt($ciphertext);

    print "Decryption OK\n" if ($plaintext1 eq $plaintext2);