PKZIP. PKZIP Stream Cipher 1

Size: px

Start display at page:

Download "PKZIP. PKZIP Stream Cipher 1"

Joan Jacobs
6 years ago
Views:

1 PKZIP PKZIP Stream Cipher 1

PKZIP Phil Katz s ZIP program Katz invented zip file format o ca 1989 Before that, Katz created PKARC utility o ARC compression was patented by SEA, Inc.

2 PKZIP Phil Katz s ZIP program Katz invented zip file format o ca 1989 Before that, Katz created PKARC utility o ARC compression was patented by SEA, Inc. o SEA successfully sued Katz Katz then invented zip o ZIP was much better than SEA s ARC o He started his own company, PKWare Katz died of alcohol abuse at age 37 in 2000 PKZIP Stream Cipher 2

3 PKZIP PKZIP compresses files using zip Optionally, it encrypts compressed file o Uses a homemade stream cipher o PKZIP cipher due to Roger Schlafly o Schlafly has PhD in math (Berkeley, 1980) PKZIP cipher is susceptible to attack o Attack is nontrivial, has significant work factor, lots of memory required, etc. PKZIP Stream Cipher 3

4 PKZIP Cipher Generates 1 byte of keystream per step 96 bit internal state o State: 32-bit words, which we label X,Y,Z o Initial state derived from a password Of course, password guessing is possible o We do not consider password guessing here Cipher design seems somewhat ad hoc o No clear design principles o Uses shifts, arithmetic operations, CRC, etc. PKZIP Stream Cipher 4

5 PKZIP Encryption Given o Current state: X, Y, Z (32-bit words) o p = byte of plaintext to encrypt o Note: upper case for 32-bit words, lower case bytes Then the algorithm is k = getkeystreambyte(z) c = p k update(x, Y, Z, p) Next, we define getkeystreambyte, update PKZIP Stream Cipher 5

6 PKZIP getkeystreambyte Let be binary OR Define X i j as bits i thru j (inclusive) of X o As usual, bits numbered left-to-right from 0 Shift X by n bits to right: X >> n Then getkeystreambyte(z) t = Z k = (t (t 1)) >> return(k) end getkeystreambyte PKZIP Stream Cipher 6

7 PKZIP update Given current state X, Y, Z and p update(x, Y, Z, p) X = CRC(X, p) Y = (Y + X ) (mod 2 32 ) Z = CRC(Z, Y 0 7 ) end update CRC function defined on next slide PKZIP Stream Cipher 7

8 PKZIP CRC Let X be 32-bit word, b a byte CRC(X, b) X = X b for i = 0 to 7 if X is odd X = (X >> 1) 0xedb88320 else X = (X >> 1) end if next i return(x) end CRC PKZIP Stream Cipher 8

9 CRCTable and CRCinverse For efficiency, define CRCtable so that CRC(X,b) = X 0 23 CRCtable[ X b] Inverse table, CRCinverse, exists in the following sense: If B = A 0 23 CRCtable[ A b] Then A = (B << 8) CRCinverse[ B 0 7 ] b Inverse table is useful in attack PKZIP Stream Cipher 9

10 Lists Let (X i,y i,z i ) be internal state used to generate i th keystream byte Let k i be the i th keystream byte Let p i be i th plaintext byte Define X-list to be X 0,X 1, X n o Note that n+1 elements in this list Similar definition for k-list, p-list, etc. PKZIP Stream Cipher 10

11 Outline of PKZIP Attack Assume k-list and p-list are known o This is a known plaintext attack Want to find state (X i,y i,z i ) for some i o Then all keystream bytes are known Executive summary of the attack 1. Use k-list to find a set of Z-lists 2. For each Z-list, find multiple Y-lists 3. For each Y-list, use p-list to obtain one X-list 4. True X-list is among X-lists in 3. Find X-list using p-list. From X-list, obtain state and keystream Details of steps 1 thru 4 on following slides PKZIP Stream Cipher 11

12 Step 1: Z-lists Assume keystream bytes k 0,k 1,,k n known Keystream byte k i computed as k i = (t (t 1)) >> Where t = Z i Given k n, there are 64 possible t o Due to the 3 This gives 64 putative Z n Similarly, we find 64 putative Z n PKZIP Stream Cipher 12

13 Step 1: Z-lists Have 64 putative Z n and Z n Implies there are 2 22 putative Z n 0 29 By update we have Z n = CRC(Z n 1, Y 0 7 ) By CRC inversion formula Z n 1 = (Z n << 8) CRCinverse[ Z n 0 7 ] Y n 0 7 For each of 2 22 putative Z n 0 29 o Know bits 0 thru 21 on RHS, bits 16 to 29 on LHS o For correct Z n and Z n 1, bits 16 thru 21 must agree o Since 6 bits, 1/64 chance of a random match o Since 64 Z n 1, for each Z n expect 1 matching Z n 1 o Since there are 2 22 Z n 1 we obtain 2 22 Z n 1 PKZIP Stream Cipher 13

14 Step 1: Z-lists Repeat for Z n then Z n etc. Bottom Line o We obtain about 2 22 Z-lists o Each of the form Z i 0 29, for i = 1,2,,n Possible to extend each of these to full Z i o That is, Z i bits 0 thru 31, not just bits 0 thru 29 o We omit details here (see text) We have 2 22 Z-lists, Z i 0 29, for i = 1,2,,n PKZIP Stream Cipher 14

15 Step 1 Refinement Possible to reduce number of Z-lists Requires additional known plaintext Reduces overall work factor For example o 28 more bytes, we can reduce number of Z-lists (and overall work) by a factor of 2 4 o 1000 additional bytes can reduce number of lists to a range by 2 11 to 2 14 We ignore refinement, so 2 22 Z-lists PKZIP Stream Cipher 15

16 Step 2: Y-lists We have about 2 22 putative Z-lists o Each consisting of putative Z 1,Z 2,,Z n We use these to find consistent Y-lists From update, we can write CRC inverse as Y i 0 7 = Z i 1 (Z i << 8) CRCinverse[ Z i 0 7 ] For each Z-list, have Y 2 0 7, Y 3 0 7,, Y n 0 7 How to find remaining 24 bits of each Y i? o This is a bit tricky PKZIP Stream Cipher 16

17 Step 2: Y-lists From update we have Y i = (Y i 1 + X i ) (mod 2 32 ) Rewrite this as (Y i 1) C = Y i 1 + X i Where C = (mod 2 32 ) Then with very high probability (Y i 1) C 0 7 = Y i Letting i = n, we have (Y n 1) C 0 7 = Y n PKZIP Stream Cipher 17

18 Step 2: Y-lists We have (Y n 1) C 0 7 = Y n o Where both Y n 0 7 and Y n known Test all 2 24 choices for Y n 8 31 o For each, compute (Y n 1) C 0 7 o And compare to known Y n o Probability of a match is 1/2 8 Bottom line: Obtain 2 16 Y n per Z-list Since 2 22 Z-lists, we have 2 38 Y n PKZIP Stream Cipher 18

19 We have Step 2: Y-lists (Y n 1) C = Y n 1 + X n Rewrite as Y n 1 = (Y n 1) C X n Let a = X n Then Y n 1 = (Y n 1) C a For some unknown byte a PKZIP Stream Cipher 19

20 Step 2: Y-lists We have Y n 1 = (Y n 1) C a o For some unknown byte a For each Y n, compute Y n 1 for all possible a o Test whether (Y n 1 1) C 0 7 = Y n o Recall that Y n is known o Try all 256 a, each has 1/2 8 probability of match o Expect one Y n 1 for each Y n Can be made efficient using lookup tables o Given Y n lookup consistent Y n PKZIP Stream Cipher 20

21 Step 2: Y-lists Repeat for Y n 2,Y n 3,,Y 3 Bottom line o Expect to obtain 2 38 Y-lists o Each of the form Y 3,Y 4,,Y n Remaining steps in the attack o Find X-lists (step 3) o Find correct X-list from set of X-lists (step 4) o Then some (X i,y i,z i ) known and msg is broken! PKZIP Stream Cipher 21

22 Step 3: X-lists We have about 2 38 putative Y-lists o Each is of the form Y 3,Y 4,,Y n How to find corresponding X-lists? Consider the formula X i = (Y i 1) C Y i 1 Use this to obtain X i for i = 4,5,,n How to find remaining bits of each X i? PKZIP Stream Cipher 22

23 Step 3: X-lists From update function X i = CRC(X i 1, p i ) Using CRC table, X i = X i CRCtable[ X i p i ] Implications? If we know one complete X i and all p j then we can compute all (complete) X j o CRC inverse allows us to find X i-1 from X i So how to find one complete X i? PKZIP Stream Cipher 23

24 Step 3: X-lists We know X i and p i for each i From update: X i = X i CRCtable[ X i p i ] This implies 1. X i 0 23 = X i+1 CRCtable[ X i p i+1 ] 2. X i = X i+2 CRCtable[ X i p i+2 ] 3. X i = X i+3 CRCtable[ X i p i+3 ] From X i , X i and 3, get X i From X i , X i and 2, get X i From X i , X i and 1, get X i = X i 0 31 PKZIP Stream Cipher 24

25 Step 3: X-lists Using X i found on previous slide and X i = X i CRCtable[ X i p i ] We can find the complete X-list Repeat this for each putative Y-list o Gives us about 2 38 putative X-lists Correct X-list will (almost certainly) be among these 2 38 X-lists How to select the winning X-list? PKZIP Stream Cipher 25

26 Step 4: Correct X-lists How to select correct X-list? We can compute X i in two ways: X i = X i CRCtable[ X i p i ] X i = (Y i 1) C Y i 1 These two results must agree! Since testing 1 byte o Probability of random match about 1/2 8 We have about 2 38 putative X-lists, so About 5 such comparisons and we re done! PKZIP Stream Cipher 26

27 Step 4: Recover Keystream Once we have found correct X-list o We know corresponding Y-list, Z-list For some i < n, we know state (X i,y i,z i ) From (X i,y i,z i ) we generate k j for j i We have the keystream and msg is broken Trudy wins again! PKZIP Stream Cipher 27

28 How Much Plaintext? Trudy wants to minimize known plaintext Require plaintext bytes p 0,p 1,,p n o So, how small can n be? Need X i 24 31, X i , X i , X i to determine X i o We can assume i+3 = n, so n,n 1,n 2,n 3 needed And we need five more X i to find true X-list o Can assume we use i = n 4,n 5,n 6,n 7,n 8 Cannot use X i, i=0,1,2,3, for any of the above o Since these are not found by the attack PKZIP Stream Cipher 28

29 How Much Plaintext? Bottom line o Need 13 consecutive known plaintext bytes o Since = 13 (from previous slide) Can reduce the work (step 1 refinement) o Requires more known plaintext o Work determined by number of lists o 28 additional known plaintext bytes reduces number of lists from 2 38 to 2 34 o About 1000 additional plaintext bytes reduces number of lists to a range of 2 27 to 2 24 PKZIP Stream Cipher 29

30 Slightly Simplified Attack If we do not reduce number of lists (i.e., we do not implement step 1 refinement) o Then work is on order of 2 38 In this case, a simpler attack is possible Simpler means easier to program o We do not have to save large number of lists o Instead, we process each lists as generated PKZIP Stream Cipher 30

31 Simplified Attack Suppose we have 13 known plaintexts o That is, p 0,p 1,,p 12 o Then we know keystream bytes k 0,k 1,,k 12 From step 1, we first do the following: for i = 0 to 12 Find all Z i consistent with k i next i Expect 64 Z i for each i Remainder of attack is on the next slide PKZIP Stream Cipher 31

32 for each Z // expect 64 for each Z // 2 16 choices for i = 11,10,,0 Find Z i consistent with Z i Simplified Attack Extend Z i to Z i 0 29 next i Complete to Z-list (solve for bits 30 and 31) Solve for Y i 0 7 Solve for all bits of Y-lists // expect 2 16 lists for each Y-list Solve for X i Solve for X 9 using X , X , X , X Solve for X-list if X i verified for i=8,7,6,5,4, return (X,Y,Z)-list next Y-list next Z next Z PKZIP Stream Cipher 32

33 PKZIP Conclusions PKZIP cipher is somewhat complex and difficult to analyze PKZIP cipher design o Appears to be ad hoc o Violated Kerckhoffs Principle o Mixed-mode arithmetic is interesting The bottom line o PKZIP cipher is insecure o But not trivial to attack o An interesting and unusual cipher! PKZIP Stream Cipher 33

ORYX. ORYX not an acronym, but upper case Designed for use with cell phones. Standard developed by. Cipher design process not open

ORYX. ORYX not an acronym, but upper case Designed for use with cell phones. Standard developed by. Cipher design process not open ORYX ORYX 1 ORYX ORYX not an acronym, but upper case Designed for use with cell phones o To protect confidentiality of voice/data o For data channel, not control channel o Control channel encrypted with