Chapter 3 Cryptography 95
Security Considerations
Stream Ciphers
A stream cipher (such as the RC4 cipher) will create a stream of pseudo-random bytes
based on the secret key; this is known as the key stream. To encrypt, you XOR the
plaintext with the key stream, byte by byte. The XOR operation has the property that
the ciphertext XORed with the same key stream decrypts, restoring the plaintext. This
also means that an XOR operation between the plaintext and the ciphertext will
reproduce the key stream. Hence, knowing or guessing part of the plaintext allows an
attacker to determine the corresponding part of the key stream. This still will not
enable the attacker to deduce the entire key or any more of the key stream, but this
does pose a threat if the same key is used in two different messages.
The same key always produces the same key stream. Therefore, if two messages use
the same key, knowing part of the key stream in one message means knowing the
same part of the key stream in the second message. An attacker can thus determine
some of the plaintext in the second message. That is why you should never use the
same stream cipher key twice.
Incidentally, this attack does not work on block ciphers. Knowledge of part of the
plaintext does not automatically grant the attacker knowledge of the key.
Another stream cipher attack involves a dictionary of key streams. Suppose you had
kept the key size to 40 bits. An attacker could create a dictionary of the first eight
bytes of the key stream from every possible 40-bit (5-byte) key. Then, the attacker
decrypts the first eight bytes of an intercepted message with each possible key
stream, until one produces a reasonable result. The key that generated the stream that
worked is the right one.
To thwart this attack, you can implement salting. Design the application to use an 80-
bit (10-byte) key, but send 40 bits in the clear. That 40 bits in the clear is known as a
salt. For example, in an email application, encrypt the message using the RC4 cipher
with a 10-byte key. Then encrypt the first five bytes of the key using the recipient's
RSA public key. Now the RSA digital envelope consists of the public-key-encrypted
five secret bytes, five salt bytes sent in the clear and the RC4-encrypted message. In
this way, the attacker's dictionary is rendered useless. That dictionary is valid for 40-bit
keys, but the message used an 80-bit key. Still, only 40 bits are kept secret. A
dictionary of 80-bit key streams is not feasible; it would require 2^80 entries. That is
about 1.2 · 10^24, or 1.2 times one trillion times one trillion.
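The key-stream reuse described above and the salting fix, as an added example that is not from the book: a compact RC4 keystream generator (RC4 appears only because the text names it) shows that a known plaintext prefix of one message decrypts the same positions of a second message under the same key, and that the book's scheme of 5 secret bytes plus 5 salt bytes sent in the clear defeats that. The key, messages and salt values are constructed sample data.

```python
# Added example (not from the book); RC4 appears only because the text names it.

def rc4_keystream(key: bytes, n: int) -> bytes:
    """Return n bytes of RC4 keystream for key (KSA followed by PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):                         # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def rc4_encrypt(key: bytes, data: bytes) -> bytes:
    """Encrypt (or decrypt) by XORing data with the keystream."""
    return xor_bytes(data, rc4_keystream(key, len(data)))

def recover_with_known_plaintext(ct1: bytes, known_pt1: bytes, ct2: bytes) -> bytes:
    """ct1 XOR known plaintext gives the keystream prefix; if the same key
    produced ct2, that prefix decrypts the same positions of ct2."""
    keystream_prefix = xor_bytes(ct1[:len(known_pt1)], known_pt1)
    return xor_bytes(ct2[:len(keystream_prefix)], keystream_prefix)

def per_message_key(secret: bytes, salt: bytes) -> bytes:
    """Book's scheme: 5 secret bytes + 5 clear salt bytes = 80-bit key per message."""
    return secret + salt

# Constructed sample data: a 40-bit key and two messages sharing a header.
SECRET = b"\x01\x02\x03\x04\x05"
MSG1 = b"Subject: quarterly report attached"
MSG2 = b"Subject: board meeting moved to Monday"

def demo_key_reuse() -> bytes:
    """Same key twice: the known 'Subject: ' header of MSG1 exposes MSG2's."""
    ct1, ct2 = rc4_encrypt(SECRET, MSG1), rc4_encrypt(SECRET, MSG2)
    return recover_with_known_plaintext(ct1, MSG1[:9], ct2)

def demo_salted() -> bytes:
    """Distinct salts give distinct keystreams, so the same trick fails."""
    ct1 = rc4_encrypt(per_message_key(SECRET, b"\x10" * 5), MSG1)
    ct2 = rc4_encrypt(per_message_key(SECRET, b"\x20" * 5), MSG2)
    return recover_with_known_plaintext(ct1, MSG1[:9], ct2)
```

The salted variant still keeps only 40 bits secret, but because every message's keystream differs, knowledge of one message's keystream says nothing about another's.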
Timing Attacks and Blinding
If the time it takes to execute a cryptographic operation varies based on the input