CipherSaber

From Wikipedia, the free encyclopedia
Revision as of 19:32, 18 September 2005

CipherSaber is a symmetric encryption system based on RC4 that is simple enough that novice programmers can memorize the algorithm and implement it from scratch, yet supposedly strong. In CipherSaber each encrypted message begins with a random ten-byte initialization vector (IV). This IV is appended to the CipherSaber key to form the input to the RC4 key setup algorithm. The IV is needed because RC4 is a stream cipher: its keystream depends only on the key, so encrypting two messages under the same key with no IV would reuse the same keystream, and XORing the two ciphertexts together would reveal the XOR of the two plaintexts. The message, XORed with the RC4 keystream, immediately follows the IV.

The Fluhrer-Mantin-Shamir attack on RC4 has rendered the original CipherSaber system vulnerable if a large number (>1000) of messages are sent with the same CipherSaber key. To address this, the CipherSaber designer devised his own variant of RC4, CipherSaber-2, in which the RC4 key setup loop is repeated multiple times (20 is recommended). In addition to agreeing on a secret key, parties communicating with CipherSaber-2 must agree on how many times to repeat this loop.

History

CipherSaber was invented by Arnold Reinhold to keep strong cryptography in the hands of the public. Many governments have implemented legal restrictions on who can use cryptography, and many more have proposed them. By publicizing details on a secure yet easy-to-program encryption algorithm, Reinhold hopes to keep encryption technology accessible to everyone.

Security

While CipherSaber protects against an unsophisticated attacker, its security from both a theoretical and a practical point of view is not satisfactory.

CipherSaber is supposed to be used as a complete cryptographic protocol, as otherwise there would be little point in implementing the cipher yourself. That means there is no message authentication of any kind: no MAC, no hash, no other integrity check.

  • As the algorithm is strictly symmetric, each pair of correspondents needs to exchange a shared key and protect it. Logistically, this is much more difficult than key distribution with the public and private keys of public-key cryptography.
  • As CipherSaber is a stream cipher without any message authentication, an attacker can replace any known plaintext bytes with values of their choice simply by XORing the corresponding ciphertext bytes with the difference between the known and the desired plaintext. For example, if the message is known to contain "ls -ld /" (Unix command for listing a directory entry), an attacker can turn it into "rm -rf /" (Unix command for recursively deleting everything under the root directory) by XORing those eight ciphertext bytes with (30, 30, 0, 0, 30, 2, 0, 0). The recipient has no way to detect the change.

RC4 is not a strong cipher: as of 2005 it has many known weaknesses. Apart from weaknesses in RC4 itself, CipherSaber does not use it well, in particular:

  • Key data is ASCII text, and keys are commonly passphrases, so each key byte carries far fewer than 8 bits of entropy. It may therefore be possible to recover the key with a dictionary attack combined with brute force, given a small amount of known plaintext.
  • CipherSaber relies on a decent random number generator for the IV, but many programming environments provide only very weak PRNGs. Using a system's weak PRNG, or imperfectly implementing one's own, may produce repeated or predictable IVs and seriously reduce security.
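The following is an added example, not code from the Wikipedia article or from Reinhold's CipherSaber pages. It implements the construction the text describes (standard RC4, a ten-byte IV appended to the key, and the CipherSaber-2 option of repeating the key setup loop), then demonstrates two of the weaknesses listed above on that implementation: the bit-flipping forgery from "ls -ld /" to "rm -rf /" that works because there is no message authentication, and a dictionary attack on a passphrase key given a few bytes of known plaintext. The function names, the sample passphrase "correct horse" and the candidate word list are constructed for illustration; the FMS attack is not demonstrated.

```python
"""CipherSaber-1/-2 in Python, plus two attacks on the unauthenticated stream.

Added example: follows the published CipherSaber construction (RC4, 10-byte IV
appended to the key, key setup repeated `rounds` times). Helper names, the
sample passphrase and the candidate list are constructed for illustration.
"""
import os
from typing import Iterable, Optional

IV_LEN = 10  # CipherSaber fixes the IV at ten bytes


def rc4_keystream(key: bytes, rounds: int):
    """Yield RC4 keystream bytes for `key`.

    rounds=1 is plain RC4 (CipherSaber-1). CipherSaber-2 repeats the key
    scheduling loop `rounds` times (20 recommended) to blunt the FMS attack.
    """
    S = list(range(256))
    j = 0
    for _ in range(rounds):
        for i in range(256):
            j = (j + S[i] + key[i % len(key)]) & 0xFF
            S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:  # pseudo-random generation phase
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def encrypt(key: bytes, plaintext: bytes, rounds: int = 20,
            iv: Optional[bytes] = None) -> bytes:
    """Return IV || (plaintext XOR keystream). `iv` may be fixed for tests;
    in real use it must come from a good random source and never repeat."""
    iv = os.urandom(IV_LEN) if iv is None else iv
    assert len(iv) == IV_LEN
    ks = rc4_keystream(key + iv, rounds)  # IV is appended to the key
    return iv + bytes(p ^ next(ks) for p in plaintext)


def decrypt(key: bytes, message: bytes, rounds: int = 20) -> bytes:
    """Strip the IV and XOR the body with the same keystream."""
    iv, body = message[:IV_LEN], message[IV_LEN:]
    ks = rc4_keystream(key + iv, rounds)
    return bytes(c ^ next(ks) for c in body)


def bit_flip(message: bytes, offset: int, known: bytes, wanted: bytes) -> bytes:
    """Malleability attack. An attacker who knows that `known` sits at plaintext
    offset `offset` turns it into `wanted` (same length) by XORing the matching
    ciphertext bytes with known XOR wanted. No key is needed, and nothing in
    the message lets the recipient notice the change."""
    assert len(known) == len(wanted)
    mask = bytes(a ^ b for a, b in zip(known, wanted))
    body = bytearray(message)
    for k, m in enumerate(mask):
        body[IV_LEN + offset + k] ^= m
    return bytes(body)


def dictionary_attack(message: bytes, crib: bytes, candidates: Iterable[bytes],
                      rounds: int = 20) -> Optional[bytes]:
    """Passphrase guessing. Given a known plaintext prefix (`crib`), try each
    candidate key and return the first whose decryption starts with the crib.
    Only the first len(crib) bytes need to be decrypted per guess."""
    prefix = message[:IV_LEN + len(crib)]
    for cand in candidates:
        if decrypt(cand, prefix, rounds) == crib:
            return cand
    return None


if __name__ == "__main__":
    key = b"correct horse"           # constructed sample passphrase
    msg = encrypt(key, b"ls -ld /")  # random IV
    assert decrypt(key, msg) == b"ls -ld /"

    forged = bit_flip(msg, 0, b"ls -ld /", b"rm -rf /")
    print("forged plaintext:", decrypt(key, forged))

    wordlist = [b"password", b"letmein", b"correct horse"]  # constructed
    print("recovered key:", dictionary_attack(msg, b"ls -ld", wordlist))
```

The RC4 core can be checked against the standard test vector (key "Key", plaintext "Plaintext" gives ciphertext BBF316E8D940AF0AD3 with a single key setup pass); the forgery needs neither the key nor the IV, only the position of the known bytes, and the dictionary attack succeeds with as little known plaintext as it takes to rule out false matches.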