ciphersaber2
Copyright © 2015 Bart Massey
This package provides a Haskell library and driver program implementing CipherSaber-2(CS2) stream encryption based on the RC4 stream encryption algorithm. This implementation has been tested against and is compatible with existing CipherSaber implementations.
CS2
The documentation for CS2 is a bit out-of-date and scattered.
History
CS2 is based on the RC4 stream cipher. Wikipedia has a nice history of RC4 as well as current reports on its cryptanalysis.
In 1999, Arnold Reinhold suggested using RC4 as the basis for citizens to learn to build their own encryption software, along the lines of Jedi Light Sabers. Reinhold proposed a stream protocol for RC4 ciphertext that he called CipherSaber (Note that the CipherSaber website is mostly abandoned and in some state of disrepair.)
In 2003, after cryptographic attacks were found against RC4 as used in CipherSaber, Reinhold modified the CipherSaber protocol to produce a new parameterized family of protocols known as CS2: the original CipherSaber is a special case of CS2, and is often referred to as CipherSaber-1.
Algorithm
Pseudocode for CS2 is available from a variety of places. The pseudocode given here attempts to be clear and normative.
CS2 encryption and decryption both require an RC4 implementation that has been modified to iterate the key schedule a given number of times.
-- Produce an RC4 keystream of length n with
-- r rounds of key scheduling given key k
rc4(n, r, k):
l ← length k
-- Initialize the array.
S ← zero-based array of 256 bytes
for i in 0..255
S[i] ← i
-- Do key scheduling.
j ← 0
repeat r times
for i in 0..255
j ← (j + S[i] + k[i mod l]) mod 256
S[i] <-> S[j]
-- Finally, produce the stream.
keystream ← zero-based array of n bytes
j ← 0
for i in 0..n-1
i' ← i + 1 mod 256
j ← (j + S[i']) mod 256
S[i'] <-> S[j]
keystream[i] ← S[(S[i'] + S[j]) mod 256]
return keystream
CS2 encryption requires a plaintext message (treated as a bytestream), a key with a recommended maximum size of 53 bytes and a required maximum size of 256 bytes, and an "initial value" (IV) of 10 bytes. The IV is a nonce that must be different for each message sent: it should be chosen randomly if possible, but may be chosen pseudo-randomly or even just counted if necessary.
-- Ciphersaber-2 encrypt message m with key k and
-- r rounds of key scheduling
encrypt(m, r, k):
n ← length m
iv ← appropriately-chosen 10-byte IV
k' ← prepend k to iv
keystream ← rc4(n, r, k')
ciphertext ← zero-based array of n + 10 bytes
for i in 0..9
ciphertext[i] ← iv[i]
for i in 0..n
ciphertext[i + 10] ← m[i] xor keystream[i]
return ciphertext
CS2 decryption requires ciphertext and the encryption key used to produce the ciphertext.
-- Ciphersaber-2 decrypt ciphertext m with key k and
-- r rounds of key scheduling
decrypt(m, r, k):
n ← length m
iv ← m[0..9]
delete the first 10 characters of m
k' ← prepend k to iv
keystream ← rc4(n - 10, r, k')
plaintext ← zero-based array of n - 10 bytes
for i in 0..n-10
plaintext[i] ← m[i] xor keystream[i]
return plaintext
Library
The CipherSaber2
library provides a relatively straightforward
ByteString
interface. See the haddock
documentation
for details.
Driver
The program cs2
uses the CipherSaber2
library to encrypt
or decrypt stdin
to stdout
. Say "cs2 --help
" for usage
information.
License
This work is licensed under the "MIT License". Please see the file LICENSE in the source distribution of this software for license terms.