Stream cipher attack

Stream ciphers, where plaintext bits are combined with a cipher bit stream by an exclusive-or operation (xor), can be very secure if used properly. However they are vulnerable to attack if certain precautions are not followed:

*keys must never be used twice
*valid encryption should never be relied on to indicate authenticity

Reused key attack

Stream ciphers are vulnerable to attack if the same key is used twice (depth of two) or more.

Say we send messages "A" and "B" of the same length, both encrypted using same key, "K". The stream cipher produces a string of bits "C(K)" the same length as the messages. The encrypted versions of the messages then are:

:"E(A) = A xor C":"E(B) = B xor C"

where "xor" is performed bit by bit.

Say an adversary has intercepted "E(A)" and "E(B)". He can easily compute:

:"E(A) xor E(B)"

However "xor" is commutative and has the property that "X xor X = 0" (self-inverse) so::"E(A) xor E(B) = (A xor C) xor (B xor C) = A xor B xor C xor C = A xor B"

If one message is longer than the other our adversary just truncates the longer message to the size of the shorter and his attack will only reveal that portion of the longer message. In other words, if anyone intercepts two messages encrypted with the same key, they can recover "A xor B", which is a form of running key cipher. Even if neither message is known, as long as both messages are in a natural language, such a cipher can often be broken by paper-and-pencil methods. John Tiltman accomplished this with the Lorenz cipher (TUNNY) in World War II. With an average personal computer, such ciphers can usually be broken in a matter of minutes. If one message is known, the solution is trivial.

Another situation where recovery is trivial is if traffic-flow security measures have each stations sending a continuous stream of cipher bits, with null characters (e.g. "LTRS" in Baudot) being sent when there is no real traffic. This is common in military communications. In that case, and if the transmission channel is not fully loaded, there is a good likelihood that one of the ciphertext streams will be just nulls. The NSA goes to great lengths to prevent keys being used twice. 1960s-era encryption systems often included a punch card reader for loading keys. The mechanism would automatically cut the card in half when the card was removed, preventing its reuse.

One way to avoid this problem is to use an initialization vector (IV), sent in the clear, that is combined with a secret master key to create a one-time key for the stream cipher. This is done in several common systems that use the popular stream cipher RC4, including Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA) and Ciphersaber. One of the many problems with WEP was that its IV was too short, 24 bits. This meant that there was a high likelihood that the same IV would be used twice if more than a few thousand packets were sent with the same master key (see birthday attack), subjecting the packets with duplicated IV to the key reuse attack. This problem was fixed in WPA by changing the "master" key frequently.

ubstitution attack

Suppose an adversary knows the exact content of all or part of one of our messages. As a part of a man in the middle attack, he can alter the content of the message without knowing the key, "K". Say, for example, he knows a portion of the message contains the ASCII string "$1000.00". He can change that to "$9500.00" by xor'ing that portion of the ciphertext with the string: "$1000.00" xor "$9500.00". To see how this works, consider that the cipher text we send is just "C(K) xor "$1000.00". What he is creating is:

: "C(K) xor "$1000.00" xor "$1000.00" xor "$9500.00" = C(K) xor "$9500.00"

which is what our ciphertext would have been if $9500 were the correct amount. "See also: malleability (cryptography)."

Substitution attacks are prevented by including message authentication code to increase the likelihood that tampering will be detected.


Wikimedia Foundation. 2010.

Look at other dictionaries:

  • Stream cipher — The operation of the keystream generator in A5/1, a LFSR based stream cipher used to encrypt mobile phone conversations. In cryptography, a stream cipher is a symmetric key cipher where plaintext digits are combined with a pseudorandom cipher… …   Wikipedia

  • Quick Stream Cipher — (QUISCI) ist ein für Software optimierter symmetrischer Stromchiffrierer, welcher zur Verschlüsselung von Daten geeignet ist. Er wurde 2001 von Stefan Müller (FGAN FHR) entwickelt. Inhaltsverzeichnis 1 Merkmale 2 Kern des Algorithmus 3 Sicherheit …   Deutsch Wikipedia

  • Cipher — For other uses, see Cipher (disambiguation). Edward Larsson s rune cipher resembling that found on the Kensington Runestone. Also includes runically unrelated blackletter writing style and pigpen cipher. In cryptography, a cipher (or cypher) is… …   Wikipedia

  • Cipher security summary — This article summarizes publicly known attacks against ciphers. Note that not all entries may be up to date. Table color key No known successful attacks Theoretical break Attack demonstrated in practice The Best attack column lists the complexity …   Wikipedia

  • Ciphertext-only attack — In cryptography, a ciphertext only attack (COA) or known ciphertext attack is an attack model for cryptanalysis where the attacker is assumed to have access only to a set of ciphertexts. The attack is completely successful if the corresponding… …   Wikipedia

  • Spoofing attack — In the context of network security, a spoofing attack is a situation in which one person or program successfully masquerades as another by falsifying data and thereby gaining an illegitimate advantage. Man in the middle attack and internet… …   Wikipedia

  • Replay attack — A replay attack is a form of network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed. This is carried out either by the originator or by an adversary who intercepts the data and retransmits it,… …   Wikipedia

  • Correlation attack — In cryptography, correlation attacks are a class of known plaintext attacks for breaking stream ciphers whose keystream is generated by combining the output of several linear feedback shift registers (called LFSRs for the rest of this article)… …   Wikipedia

  • Grain (cipher) — Grain is a stream cipher submitted to eSTREAM in 2004 by Martin Hell, Thomas Johansson and Willi Meier. It has been selected for the final eSTREAM portfolio for Profile 2 by the eSTREAM project. Grain is designed primarily for restricted hardware …   Wikipedia

  • Block cipher modes of operation — This article is about cryptography. For method of operating , see modus operandi. In cryptography, modes of operation is the procedure of enabling the repeated and secure use of a block cipher under a single key.[1][2] A block cipher by itself… …   Wikipedia


Share the article and excerpts

Direct link
Do a right-click on the link above
and select “Copy Link”

We are using cookies for the best presentation of our site. Continuing to use this site, you agree with this.