Gaspare FERRARO
CybersecNatLab
Matteo ROSSI
Politecnico di Torino
Stream Ciphers
1 https://cybersecnatlab.it
License & Disclaimer
License Information
This presentation is licensed under the Creative Commons BY-NC License.
To view a copy of the license, visit: http://creativecommons.org/licenses/by-nc/3.0/legalcode
Disclaimer
➢ We disclaim any warranties or representations as to the accuracy or completeness of this material.
➢ Materials are provided “as is” without warranty of any kind, either express or implied, including without limitation, warranties of merchantability, fitness for a particular purpose, and non-infringement.
➢ Under no circumstances shall we be liable for any loss, damage, liability or expense incurred or suffered which is claimed to have resulted from use of this material.
© CINI – 2021 Rel. 14.03.2021
Goal
➢ Present some issues of the previously seen block ciphers
➢ Introduce stream ciphers as a way to handle messages of
non-fixed sizes
➢ Present some of the most common modes of operation and
their vulnerabilities
➢ Introduce an example of a native stream cipher and its
possible attacks
Prerequisites
➢ Lecture:
➢ CR_1.3 – Block Ciphers
Recap
➢ Remaining problems from block ciphers:
➢ How can we deal with non-fixed input sizes?
➢ How can we exchange keys?
➢ How can we provide authentication?
➢ In this lecture we address the first of these three
problems
Outline
➢ Introduction
➢ Modes of operation and vulnerabilities
➢ CTR mode and native stream ciphers
➢ Attacks on native stream ciphers
Introduction
➢ A stream cipher is a symmetric-key encryption
algorithm that encrypts a stream of bits of any
(finite) length
➢ Real-world stream ciphers have limits on the
maximum length, but they are normally sufficiently
large not to pose a practical problem
A first naïve attempt
➢ Let’s try to use what we already have:
➢ Suppose that the length 𝑛 of the message to encrypt is a
multiple of 𝑏, for a certain 𝑏
➢ Suppose that we have a block cipher with blocks of size 𝑏
➢ Split the message into 𝑛/𝑏 parts 𝑝1, 𝑝2, … and encrypt every part with the same key, obtaining 𝑐1, 𝑐2, …
➢ This is called Electronic Code Book Mode (ECB Mode)
ECB Mode of Operation - Encryption
Figure: Electronic Code Book (ECB) mode encryption: each plaintext block 𝑃1, 𝑃2, 𝑃3 is passed independently through block cipher encryption with the same key, giving 𝐶1, 𝐶2, 𝐶3
ECB Mode of Operation - Decryption
Figure: Electronic Code Book (ECB) mode decryption: each ciphertext block 𝐶1, 𝐶2, 𝐶3 is passed independently through block cipher decryption with the same key, giving 𝑃1, 𝑃2, 𝑃3
ECB Mode – Issues
➢ Issues:
➢ The multiple of 𝑏 assumption is too restrictive (more on
this later)
➢ Equal blocks will give equal ciphertexts
➢ The global structure of the encrypted message is preserved
ECB Mode – Example
Figure: image before ECB encryption | image after ECB encryption
Images from https://commons.wikimedia.org/
Stream Ciphers – Encryption Oracle
For the remaining part of this section, we call an encryption oracle a service that, given a plaintext message 𝑃, returns the corresponding ciphertext 𝐶, always using the same key
ECB Oracle Attack
➢ We show that, if misimplemented, ECB can be
completely broken
➢ Scenario: an oracle that returns 𝐶 = 𝐸𝐶𝐵(𝑘𝑒𝑦, 𝑃||𝑆),
where:
➢ 𝑃 is a chosen plaintext
➢ 𝑆 is a secret string
➢ || is the string concatenation operator
➢ In this scenario, we can recover 𝑆 regardless of the block cipher used
ECB Oracle Attack
➢ Strategy:
➢ We send a message that is 1 byte shorter than the block size and we save the resulting ciphertext
➢ We brute-force the last byte until we find the same ciphertext
➢ We proceed like this, brute-forcing one byte at a time
ECB Oracle Attack – step 1
Figure: first block = 𝑝 (𝑏 − 1 chosen bytes) || 𝑠0 (1 byte of 𝑆), encrypted with 𝑘𝑒𝑦 into a ciphertext block: save this ciphertext
ECB Oracle Attack – step 2
Figure: first block = 𝑝 (𝑏 − 1 bytes) || 𝑥 (1 byte), encrypted with 𝑘𝑒𝑦: brute-force on 𝑥 to match the saved result
ECB Oracle Attack – step 3
Figure: first block = 𝑝 (𝑏 − 2 bytes) || 𝑠0 𝑠1 (2 bytes of 𝑆), encrypted with 𝑘𝑒𝑦: save this ciphertext
ECB Oracle Attack – step 4
Figure: first block = 𝑝 (𝑏 − 2 bytes) || 𝑠0 𝑥 (2 bytes), encrypted with 𝑘𝑒𝑦: brute-force on 𝑥 to match the second byte… and so on!
ECB Oracle Attack – Performance
➢ With AES-128 we have that:
➢ Brute-forcing the key takes 2^128 = 256^16 tries
➢ The ECB oracle attack takes only 256 × 16 tries!
Stream Ciphers – Modes of Operation
➢ ECB is in general very insecure, but we can stick with the idea of using block ciphers, just in a different configuration.
➢ A configuration to make a system based on a block
cipher behave like a stream cipher is called a mode of
operation
➢ Before introducing a new mode of operation, let’s take a
step back...
Padding
➢ We want to drop the assumption that the plaintext
length is a multiple of the block length
➢ We do this simply by completing our plaintext to
get the desired length. This operation is called
padding
Padding
➢ First idea: add null bytes (0x00) to the end until we get the correct length
➢ Issue: after decryption we cannot tell the padding apart from a plaintext that ends in null bytes, so we cannot reliably remove it!
➢ Better idea: encode the length of the padding in the padding itself
Padding – PKCS#5/PKCS#7
➢ Clever idea: the value of each added byte is the
number of bytes that are added
➢ This is defined in the PKCS#5 and PKCS#7 standards.
➢ Example: if 3 bytes are missing, the padding is 0x03 0x03 0x03
➢ Note: if the plaintext already has the correct length, a whole new block of padding is added
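The PKCS#7 rule above as a worked example (added here, not code from the slides): padding, strict un-padding, and the full-block case when the plaintext length is already a multiple of 𝑏. A 16-byte block (AES) and the function names are assumptions.

```python
def pkcs7_pad(data: bytes, b: int = 16) -> bytes:
    # Append n bytes of value n, with n = b - (len(data) mod b). n is never 0, so a
    # plaintext whose length is already a multiple of b gets a whole extra block
    n = b - (len(data) % b)
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes, b: int = 16) -> bytes:
    # Strict check: non-empty multiple of b, last byte n in 1..b, all n trailing bytes
    # equal to n. Every failure raises the same error: a receiver that reports "bad
    # padding" separately from other failures is exactly the padding oracle seen later
    if not data or len(data) % b:
        raise ValueError("invalid padding")
    n = data[-1]
    if not 1 <= n <= b or data[-n:] != bytes([n]) * n:
        raise ValueError("invalid padding")
    return data[:-n]


def is_valid_padding(data: bytes, b: int = 16) -> bool:
    # The one bit of information a padding oracle leaks; here only used for testing
    try:
        pkcs7_unpad(data, b)
        return True
    except ValueError:
        return False
```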
CBC Mode of Operation
➢ We introduce now a better mode of operation: the
Cipher Block Chaining (CBC) mode
➢ The general idea of CBC is to destroy the plaintext
structure using information from the previous
blocks to encrypt
CBC Mode of Operation
➢ The general CBC encryption flow is the following:
➢ Apply padding to the plaintext and split the plaintext 𝑃 into blocks 𝑃1, 𝑃2, 𝑃3, …
➢ Take a key 𝑘 and an additional random string with the same length as the blocks, called 𝐼𝑉 (Initialization Vector)
➢ For the first block, apply the bitwise XOR operation ⊕ between the 𝐼𝑉 and the first plaintext block 𝑃1, then encrypt using the key 𝑘:
𝐶1 = 𝐸(𝑘, 𝐼𝑉 ⊕ 𝑃1)
➢ For the next blocks, apply the bitwise XOR operation ⊕ between the 𝑖-th plaintext block 𝑃𝑖 and the (𝑖 − 1)-th ciphertext block 𝐶𝑖−1, then encrypt using the key 𝑘:
𝐶𝑖 = 𝐸(𝑘, 𝐶𝑖−1 ⊕ 𝑃𝑖)
CBC Mode of Operation - Encryption
Figure: Cipher Block Chaining (CBC) mode encryption: 𝑃1 is XORed with the initialization vector (𝐼𝑉) and encrypted with the key to give 𝐶1; each following 𝑃𝑖 is XORed with 𝐶𝑖−1 before encryption
CBC Mode of Operation - Decryption
Figure: Cipher Block Chaining (CBC) mode decryption: each 𝑐𝑖 is decrypted with the key and then XORed with 𝑐𝑖−1 (with the initialization vector (𝐼𝑉) for the first block) to give 𝑝𝑖
CBC vs ECB
➢ Plaintext structure is no longer maintained
➢ The same plaintext block repeated gives different
encrypted blocks
➢ The ECB Oracle Attack does not work here because
of the 𝐼𝑉
CBC – Remarks on the IV
➢ Randomness in the 𝐼𝑉 is important: an adversary
should not be able to predict an IV before the
encryption
➢ The IV is not a key: in practice it is sent in plaintext along with the encrypted message
➢ The IV should be different for every encryption
CBC Issues
➢ In the following slides we show the most common problems when using CBC mode; in particular, we will show that:
➢ The choice of the 𝐼𝑉 is crucial
➢ A small information leakage can lead to a disaster
CBC Issues – key as the IV
➢ Scenario:
➢ A server implements a CBC scheme by using the key (fixed)
as the 𝐼𝑉 (without revealing it)
➢ You can ask the server to decrypt a message
➢ Can you retrieve the key?
CBC Issues – key as the IV
➢ Strategy:
➢ Send to the server a message with 2 equal blocks 𝐵𝐵
➢ Obtain 𝑃1 = 𝐷(𝑘, 𝐵) ⊕ 𝐼𝑉 and 𝑃2 = 𝐷(𝑘, 𝐵) ⊕ 𝐵
➢ Calculate 𝑃1 ⊕ 𝑃2 ⊕ 𝐵 = 𝐼𝑉 = 𝑘
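An added example (not code from the slides) tying together three points of this section: ECB gives equal ciphertext blocks for equal plaintext blocks, CBC chains blocks as 𝐶𝑖 = 𝐸(𝑘, 𝐶𝑖−1 ⊕ 𝑃𝑖), and a server that uses its key as the IV gives the key away when asked to decrypt 𝐵||𝐵. The 16-byte block cipher E/D is a placeholder Feistel construction over keyed BLAKE2b standing in for AES, plaintexts are assumed already padded to a multiple of 16 bytes, and all function names are assumptions.

```python
import hashlib
B = 16  # block size in bytes, as in AES

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))
def blocks(data):
    return [data[i:i + B] for i in range(0, len(data), B)]

def _f(key, i, half):
    # Round function of the stand-in cipher: keyed BLAKE2b of (round index, half block)
    return hashlib.blake2b(bytes([i]) + half, key=key, digest_size=8).digest()

def E(key, block):
    # Placeholder 16-byte block cipher (8-round Feistel): a stand-in for AES, not AES
    l, r = block[:8], block[8:]
    for i in range(8):
        l, r = r, xor(l, _f(key, i, r))
    return l + r

def D(key, block):
    # Inverse of E: undo the Feistel rounds in reverse order
    l, r = block[:8], block[8:]
    for i in reversed(range(8)):
        l, r = xor(r, _f(key, i, l)), l
    return l + r

def ecb_encrypt(key, pt):
    # ECB: blocks encrypted independently, so equal plaintext blocks give equal ciphertext blocks
    return b"".join(E(key, p) for p in blocks(pt))

def cbc_encrypt(key, iv, pt):
    # CBC: C_i = E(k, C_(i-1) xor P_i), with C_0 = IV
    out = [iv]
    for p in blocks(pt):
        out.append(E(key, xor(out[-1], p)))
    return b"".join(out[1:])

def cbc_decrypt(key, iv, ct):
    # CBC: P_i = D(k, C_i) xor C_(i-1), with C_0 = IV
    chain = [iv] + blocks(ct)
    return b"".join(xor(D(key, c), prev) for prev, c in zip(chain, chain[1:]))

def has_repeated_blocks(ct):
    # Detection heuristic: a repeated ciphertext block is a strong hint that ECB was used
    return len(blocks(ct)) != len(set(blocks(ct)))

def iv_equals_key_leak(key, block):
    # Server that (wrongly) uses its key as IV: decrypting B||B gives P1 xor P2 xor B = IV = key
    p = cbc_decrypt(key, key, block + block)
    return xor(xor(p[:B], p[B:]), block)
```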
CBC Issues – Padding Oracle Attack
➢ Scenario:
➢ We have a target ciphertext correctly padded to decrypt
➢ We have a padding oracle: a server that, given a ciphertext, simply tells you whether the padding is correct (this happens in real life!)
CBC Issues – Padding Oracle Attack
➢ Outline of the attack (for 1 block ciphertext 𝐶):
➢ Create a random block 𝑅
➢ Append the target block obtaining 𝑅||𝐶
➢ Discover the padding length using the oracle
➢ Decrypt one byte at a time exploiting it
CBC Issues – Padding Oracle Attack
➢ Step 1: look for a "correct padding" message
➢ Try to decrypt 𝑅||𝐶
➢ With high probability, you will get "wrong padding"
➢ Keep changing the last byte of 𝑅 in order to get "correct
padding"
➢ Now you know that the decryption of 𝑅||𝐶 ends in 0x01 or 0x02 0x02 or 0x03 0x03 0x03 or ...
CBC Issues – Padding Oracle Attack
➢ Step 2: find the length of the padding
➢ Let 𝑅 now be the block that gives "correct padding"
➢ Randomly change the first byte of 𝑅: if it still gives correct padding, the padding length is 𝑏 − 1 or less
➢ Randomly change the second byte of 𝑅: if it still gives correct padding, the padding length is 𝑏 − 2 or less, and so on
➢ If you reach an "incorrect padding" on the 𝑘-th byte, you have found the padding length!
CBC Issues – Padding Oracle Attack
➢ Step 3: decrypt the padding bytes
➢ We have now discovered (at least) one byte of the plaintext
➢ In reality, we have discovered 𝑛 bytes, where 𝑛 is the padding length
➢ To get them, just XOR the corresponding bytes of 𝑅 with the padding bytes
CBC Issues – Padding Oracle Attack
➢ Step 4: decrypt subsequent bytes
➢ To get one more byte, we need to "increase the padding"
➢ To do it, XOR the padding bytes with 𝑛 ⊕ (𝑛 + 1) (this just increases them by 1)
➢ Repeat from step 1 using the first non-padding byte instead of the last one!
CBC Issues
➢ In addition to implementation problems, CBC has
some native issues:
➢ Data is partially malleable
➢ There is no check on data integrity
CBC Issues – Bitflipping Attack
➢ Scenario:
➢ We have a partially controlled CBC-encrypted message,
with some secret information inside
➢ We show that it is possible to "sacrifice" a piece
of plaintext in order to edit the secret part
CBC Issues – Bitflipping Attack
➢ Attack outline:
➢ We reserve an entire block with our controlled data
➢ We XOR that block with its plaintext value and the value
that we want to put in the secret part
➢ Paying the price of destroying our controlled part, we
control the secret without controlling the key
CBC Issues – Bitflipping Attack
Figure: Cipher Block Chaining (CBC) mode decryption (the same diagram as above): each 𝑐𝑖 is decrypted with the key and XORed with 𝑐𝑖−1 (or the initialization vector (𝐼𝑉) for the first block) to give 𝑝𝑖
Counter Mode & Native Stream Ciphers
➢ In this last section, we introduce ciphers that don't
rely on the concept of "blocks"
➢ In these ciphers, the plaintext and the ciphertext
have the same length
➢ The block cipher structure generally remains, but it is used differently!
Counter Mode
➢ We present here our last mode of operation for
block ciphers
➢ The idea is very simple: we don’t use the block
cipher as a cipher, but as something that generates a
stream to feed a one-time pad
➢ This is called Counter Mode (CTR)
Counter Mode
➢ In practice:
➢ We generate a random number 𝑁, called the nonce
(number used once)
➢ We encrypt strings formed by the nonce concatenated with a counter using the block cipher (and a key 𝑘) to generate some bytes
➢ We use these bytes as a stream for a one-time pad
Counter Mode – Example
➢ Here's a toy example with AES-128:
➢ Take a random number, for example "12345678"
➢ Encrypt 1234567800000000 to generate the first 16 bytes
➢ Encrypt 1234567800000001 to generate 16 more bytes
➢ Encrypt 1234567800000002 and so on, until you reach the desired
number of bytes
Other Modes of Operation
➢ We have seen ECB, CBC and CTR, but there are a lot
of different modes of operation:
➢ Cipher FeedBack (CFB)
➢ Output FeedBack (OFB)
➢ Galois Counter Mode (GCM)
➢ … and many more!
Native Stream Ciphers
➢ Some ciphers are built to work natively in the way CTR mode does: we call these ciphers native stream ciphers
➢ Most of them work on an internal state (as AES does) and in practice generate a block of data that is then cut to the desired length
Example – ChaCha20
➢ One of the most used native stream ciphers is
ChaCha20
➢ It is a variant of Salsa20 published in 2008
➢ It has an ARX structure: it uses only (modular)
Additions, Rotations and XORs
Example – ChaCha20
➢ ChaCha20 works on a 4 × 4 state matrix
of 32-bit numbers
➢ The first row is filled with constants, the
second and third one are for the key (up
to 256-bit), and the last one behaves like
a counter
➢ For 20 rounds, the function in the picture (not reproduced here) is applied to the 4 columns and the 4 diagonals of the state matrix
Native Stream Ciphers - Issues
➢ Stream ciphers can have vulnerabilities similar to those of block ciphers, such as:
➢ On a native stream cipher (or in CTR mode), bitflipping is easier (you can do it directly!)
➢ If nonces are reused, the same keystream is generated
➢ They don't mask the length of the plaintext (which may leak some information!)
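An added example (not code from the slides) covering the toy CTR construction of the previous section (nonce || counter encrypted block by block and cut to the plaintext length) together with the issues listed above: direct bitflipping, nonce reuse, and the missing integrity check, which is mitigated here with encrypt-then-MAC. The block cipher is a keyed BLAKE2b stand-in for AES-128, the nonce is 8 bytes followed by an 8-byte big-endian counter, and all function names are assumptions.

```python
import hashlib
import hmac
import struct

def block_encrypt(key: bytes, block: bytes) -> bytes:
    # Stand-in for AES-128 encryption of one 16-byte block (keyed BLAKE2b), not real AES
    return hashlib.blake2b(block, key=key, digest_size=16).digest()

def ctr_keystream(key: bytes, nonce: bytes, nbytes: int) -> bytes:
    # Encrypt nonce || counter for counter = 0, 1, 2, ... (8-byte nonce, 8-byte big-endian
    # counter, as in the toy example) and cut the result to the requested length
    out = b""
    for counter in range((nbytes + 15) // 16):
        out += block_encrypt(key, nonce + struct.pack(">Q", counter))
    return out[:nbytes]

def ctr_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # One-time-pad style: the same call encrypts and decrypts, and |C| = |P|
    return bytes(x ^ y for x, y in zip(data, ctr_keystream(key, nonce, len(data))))

def flip_bit(data: bytes, index: int, bit: int) -> bytes:
    # CTR has no chaining, so flipping a ciphertext bit flips exactly that plaintext bit
    out = bytearray(data)
    out[index] ^= 1 << bit
    return bytes(out)

def seal(enc_key: bytes, mac_key: bytes, nonce: bytes, pt: bytes) -> bytes:
    # Mitigation: encrypt-then-MAC, with the tag covering nonce and ciphertext
    ct = ctr_xor(enc_key, nonce, pt)
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def open_(enc_key: bytes, mac_key: bytes, msg: bytes):
    # Check the tag in constant time before decrypting; any tampering yields None
    nonce, ct, tag = msg[:8], msg[8:-32], msg[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        return None
    return ctr_xor(enc_key, nonce, ct)
```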