Editing Stream cipher attacks

{{Short description|Methods to break a stream cipher}}
{{Multiple issues|
{{More citations needed|date=February 2008}}
{{More footnotes|date=April 2016}}
}}

[[Stream cipher]]s, where [[plaintext]] bits are combined with a cipher bit stream by an exclusive-or operation ([[xor]]), can be very secure if used properly.{{citation needed|date=July 2019}} However, they are vulnerable to attacks if certain precautions are not followed:

*keys must never be used twice
*valid decryption should never be relied on to indicate authenticity

==Reused key attack==
[[Stream cipher]]s are vulnerable to attack if the same key is used twice (depth of two) or more.

Say we send messages ''A'' and ''B'' of the same length, both encrypted using same key, ''K''.  The stream cipher produces a string of bits ''C(K)'' the same length as the messages.  The encrypted versions of the messages then are:

:''E(A) = A xor C''
:''E(B) = B xor C''

where ''xor'' is performed bit by bit.

Say an adversary has intercepted ''E(A)'' and ''E(B)''.  They can easily compute:

:''E(A) xor E(B)''

However, ''xor'' is [[commutative]] and has the property that ''X xor X = 0''  (self-inverse) so:
:''E(A) xor E(B) = (A xor C) xor (B xor C) = A xor B xor C xor C = A xor B''

If one message is longer than the other, our adversary just truncates the longer message to the size of the shorter and their attack will only reveal that portion of the longer message.  In other words, if anyone intercepts two messages encrypted with the same key, they can recover ''A xor B'', which is a form of [[running key cipher]].  Even if neither message is known, as long as both messages are in a natural language, such a cipher can often be broken by paper-and-pencil methods.  During [[World War II]], British cryptanalyst [[John Tiltman]] accomplished this with the [[Lorenz cipher]] (dubbed "Tunny"). With an average [[personal computer]], such ciphers can usually be broken in a matter of minutes.  If one message is known, the solution is trivial.

Another situation where recovery is trivial is if [[traffic-flow security]] measures have each station sending a continuous stream of cipher bits, with null characters (e.g. ''LTRS'' in [[Baudot code|Baudot]]) being sent when there is no real traffic. This is common in military communications. In that case, and if the transmission channel is not fully loaded, there is a good likelihood that one of the ciphertext streams will be just nulls. The [[NSA]] goes to great lengths to prevent keys from being used twice. 1960s-era encryption systems often included a [[punched card]] reader for loading keys. The mechanism would automatically cut the card in half when the card was removed, preventing its reuse.<ref>[https://www.nsa.gov/about/_files/cryptologic_heritage/publications/misc/tsec_kw26.pdf Securing Record Communications: The TSEC/KW-26] {{Webarchive|url=https://web.archive.org/web/20121010011445/https://www.nsa.gov/about/_files/cryptologic_heritage/publications/misc/tsec_kw26.pdf |date=2012-10-10 }}, Melville Klein, NSA history series</ref>{{rp|p. 6}}

One way to avoid this problem is to use an [[initialization vector]] (IV), sent in the clear, that is combined with a secret master key to create a one-time key for the stream cipher. This is done in several common systems that use the popular stream cipher [[RC4]], including [[Wired Equivalent Privacy]] (WEP), [[Wi-Fi Protected Access]] (WPA) and [[Ciphersaber]]. One of the many problems with WEP was that its IV was too short, 24 bits. This meant that there was a high likelihood that the same IV would be used twice if more than a few thousand packets were sent with the same master key (see [[birthday attack]]), subjecting the packets with duplicated IV to the key reuse attack. This problem was fixed in WPA by changing the "master" key frequently.

==Bit-flipping attack==<!-- This section is linked from [[Man-in-the-middle attack]] -->
{{main|Bit-flipping attack}}
{{see also|Malleability (cryptography)}}
Suppose an adversary knows the exact content of all or part of one of our messages. As a part of a [[man in the middle attack]] or [[replay attack]], they can alter the content of the message without knowing the key, ''K''. Say, for example, they know a portion of the message, say an electronics fund transfer, contains the [[ASCII]] string ''"$1000.00"''. They can change that to ''"$9500.00"'' by XORing that portion of the ciphertext with the string: ''"$1000.00" xor "$9500.00"''.  To see how this works, consider that the cipher text we send is just ''C(K) xor "$1000.00"''. The new message the adversary is creating is:

:''(C(K) xor "$1000.00") xor ("$1000.00" xor "$9500.00") = C(K) xor "$1000.00" xor "$1000.00" xor "$9500.00" =  C(K) xor "$9500.00"''

Recall that a string [[Exclusive or|XORed]] with itself produces all zeros and that a string of zeros XORed with another string leaves that string intact. The result, C(K) xor "$9500.00", is what our ciphertext would have been if $9500 were the correct amount.

Bit-flipping attacks can be prevented by including [[message authentication code]] to increase the likelihood that tampering will be detected.

==Chosen-IV attack==
{{Expand section|date=December 2017}}

Stream ciphers combine a secret key with an agreed initialization vector (IV) to produce a pseudo-random sequence which from time-to-time is re-synchronized.<ref>{{cite book |last1=Englund |first1=Hakan |last2=Johansson |first2=Thomas |last3=Sonmez Turan |first3=Meltem |title=Progress in Cryptology – INDOCRYPT 2007 |chapter=A Framework for Chosen IV Statistical Analysis of Stream Ciphers |series=Lecture Notes in Computer Science |date=2007 |volume=4859 |publisher=Springer |pages=268–281 |doi=10.1007/978-3-540-77026-8_20 |isbn=978-3-540-77025-1 |s2cid=18097959 |edition=INDOCRYPT / volume 4859 of LNCS |url=https://pdfs.semanticscholar.org/cdaf/30e07673a11eb95f62793858951da2feba32.pdf |archive-url=https://web.archive.org/web/20181001182527/https://pdfs.semanticscholar.org/cdaf/30e07673a11eb95f62793858951da2feba32.pdf |url-status=dead |archive-date=2018-10-01 |accessdate=1 October 2018}}</ref>  A "Chosen IV" attack relies on finding particular IV's which taken together probably will reveal information about the secret key.  Typically multiple pairs of IV are chosen and differences in generated key-streams are then analysed statistically for a linear [[Correlation attack|correlation]] and/or an algebraic Boolean relation (see also [[Differential cryptanalysis]]).  If choosing particular values of the initialization vector does expose a non-random pattern in the generated sequence, then this attack computes some bits and thus shortens the effective key length.  A symptom of the attack would be frequent re-synchronisation.  Modern stream ciphers include steps to adequately mix the secret key with an initialization vector, usually by performing many initial rounds.

==References==
{{reflist}}

==External links==
* [http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html Security of the WEP algorithm]
* [https://eprint.iacr.org/2014/677.pdf "Attacks in Stream Ciphers: A Survey"] – a brief 2014 overview of different stream cipher attacks
* [http://www.isical.ac.in/~palash/talks/ASK11-talk.pdf "Attacks on Stream Ciphers: A Perspective"] – talk slides from 2011

{{Cryptography navbox|stream}}

[[Category:Cryptographic attacks]]