Abstract

One critical vulnerability of stream ciphers is the reuse of an encryption key. Since most stream ciphers consist of only a key scheduling algorithm and an Exclusive OR (XOR) operation, an adversary may break the cipher by XORing two captured ciphertexts generated under the same key. Various cryptanalysis techniques based on this property have been introduced in order to recover plaintexts or encryption keys; in contrast, this research reinterprets the vulnerability as a method of detecting stream ciphers from the ciphertexts they generate. Patterns found in the values (characters) expressed across the bytes of a ciphertext make the ciphertext distinguishable from random and are unique to each combination of cipher and encryption key. We propose a scheme that uses these patterns as a fingerprint, which is capable of detecting all ciphertexts of a given length generated by an encryption pair. The scheme can be utilized to detect a specific type of malware that exploits a stream cipher with a stored key, such as the DarkComet Remote Access Trojan (RAT). We show that our scheme achieves 100% accuracy for messages longer than 13 bytes in about 17 μsec, providing a fast and highly accurate tool to aid in encrypted malware detection.

Highlights

  • Key generation and use are the most significant factors in the security of a stream cipher; they are the source of many vulnerabilities for the cryptosystem [2]

  • We discovered that the RC4 stream cipher generates unique patterns of ciphertexts under the following conditions: encryptions are computed under a fixed key, and the plaintext message and key are both derived from the same set of literary characters [1]

  • We have studied and presented a statistical weakness found in the ciphertexts generated by stream ciphers and proposed techniques that may be used to detect them in different scenarios
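An added illustration (not the paper's algorithm or code) of the per-position pattern the abstract and highlights describe: under a reused RC4 key and a limited plaintext character set, each ciphertext byte position only takes a small set of values, which can be learned from samples and used as a fingerprint. The keys, the alphabet, the sample counts and the plain set-membership test are assumptions made here; the paper's threshold-based classifier is not reproduced.

```python
import random
import string

def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4: key scheduling, then XOR of the data with the keystream."""
    S, j = list(range(256)), 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) % 256])
    return bytes(out)

# Assumed plaintext character set: letters, digits and space.
ALPHABET = (string.ascii_letters + string.digits + " ").encode()

def sample_ciphertexts(key, count, length, rng):
    """Constructed traffic: random ALPHABET messages, fresh RC4 state each, same key."""
    return [rc4(key, bytes(rng.choice(ALPHABET) for _ in range(length)))
            for _ in range(count)]

def learn_fingerprint(ciphertexts):
    """For each byte position, the set of values observed at that position."""
    return [set(column) for column in zip(*ciphertexts)]

def matches(ciphertext, fingerprint):
    """True if every byte falls inside the value set learned for its position."""
    return len(ciphertext) == len(fingerprint) and all(b in s for b, s in zip(ciphertext, fingerprint))

def demo(length=16, seed=1):
    rng = random.Random(seed)
    key = b"constructed-demo-key"  # placeholder key, not taken from any malware
    fp = learn_fingerprint(sample_ciphertexts(key, 2000, length, rng))
    batches = {
        "same_key": sample_ciphertexts(key, 500, length, rng),
        "other_key": sample_ciphertexts(b"another-demo-key", 500, length, rng),
        "random": [bytes(rng.randrange(256) for _ in range(length)) for _ in range(500)],
    }
    rates = {name: sum(matches(c, fp) for c in batch) / len(batch) for name, batch in batches.items()}
    rates["max_values_per_position"] = max(len(seen) for seen in fp)
    return rates

if __name__ == "__main__":
    print(demo())
```

`demo()` returns the fraction of each batch that matches the learned fingerprint, so the same-key, other-key and random cases can be compared directly.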

Summary

INTRODUCTION

Key generation and use are the most significant factors in the security of a stream cipher; they are the source of many vulnerabilities for the cryptosystem [2]. The same combination reveals patterns in the distributions of values represented at each byte of the generated ciphertexts. Utilizing these patterns and the principles of perfect secrecy [6], this paper proposes a ciphertext discrimination function: a machine learning algorithm with the capability to classify a ciphertext as either likely to have been generated by a stream cipher and key pair or not.

Stone et al.: Rethinking the Weakness of Stream Ciphers and Its Application to Encrypted Malware Detection

hide its malicious intentions from a method of detection such as traditional network monitoring. Since it cannot decrypt ciphertexts for inspection, an encrypted malware packet will appear as normal, benign communication to an unintelligent monitor [7].

RELATED WORKS
STREAM CIPHERTEXT ANALYSIS SCHEME
DETERMINING THRESHOLDS
SIMULATION AND EVALUATION
CONCLUSION