# ciphersaber2 Copyright © 2015 Bart Massey This package provides a Haskell library and driver program implementing [CipherSaber-2](http://ciphersaber.gurus.org/)(CS2) stream encryption based on the [RC4](http://en.wikipedia.org/wiki/RC4) stream encryption algorithm. This implementation has been tested against and is compatible with existing CipherSaber implementations. ## CS2 The documentation for CS2 is a bit out-of-date and scattered. ### History CS2 is based on the RC4 stream cipher. Wikipedia has a nice [history](http://en.wikipedia.org/wiki/RC4#History) of RC4 as well as current reports on its [cryptanalysis](http://en.wikipedia.org/wiki/RC4#Security). In 1999, Arnold Reinhold suggested using RC4 as the basis for citizens to learn to build their own encryption software, along the lines of Jedi Light Sabers. Reinhold proposed a stream protocol for RC4 ciphertext that he called [CipherSaber](http://ciphersaber.gurs.org) (Note that the CipherSaber website is mostly abandoned and in some state of disrepair.) In 2003, after cryptographic attacks were found against RC4 as used in CipherSaber, Reinhold modified the CipherSaber protocol to produce a new parameterized family of protocols known as CS2: the original CipherSaber is a special case of CS2, and is often referred to as CipherSaber-1. ### Algorithm Pseudocode for CS2 is available from a variety of places. The pseudocode given here attempts to be clear and normative. CS2 encryption and decryption both require an RC4 implementation that has been modified to iterate the key schedule a given number of times. > > -- Produce an RC4 keystream of length *n* with > -- *r* rounds of key scheduling given key *k* > *rc4*(*n*, *r*, *k*): >     *l* ← **length** *k* >     -- Initialize the array. >     *S* ← zero-based array of 256 bytes >     **for** *i* **in** 0..255 >         *S*[*i*] ← *i* >     -- Do key scheduling. >     *j* ← 0 >     **repeat** *r* **times** >         **for** *i* **in** 0..255 >             *j* ← (*j* + *S*[*i*] + *k*[*i* **mod** *l*]) **mod** 256 >             *S*[*i*] ↔ *S*[*j*] >     -- Finally, produce the stream. >     *keystream* ← zero-based array of *n* bytes >     *j* ← 0 >     **for** *i* **in** 0..n-1 >         i' ← (*i* + 1) **mod** 256 >         *j* ← (*j* + *S*[i']) **mod** 256 >         *S*[i'] ↔ *S*[*j*] >         *keystream*[*i*] ← *S*[(*S*[i'] + *S*[*j*]) **mod** 256] >     **return** *keystream* CS2 encryption requires a plaintext message (treated as a bytestream), a key, and an "initial value" ([IV](http://en.wikipedia.org/wiki/Initialization_vector)) of 10 bytes. The key *should* be no more than 53 bytes, to ensure good mixing during key scheduling. The IV is a [nonce](http://en.wikipedia.org/wiki/Cryptographic_nonce) that must be different for each message sent: it should be chosen randomly if possible, but may be chosen pseudo-randomly or even just counted if necessary. CS2 appends the IV to the CS2 key to produce an RC4 key. RC4 uses only the first 256 RC4 key bytes. Thus, the CS2 key *must* be no more than 246 bytes: a longer CS2 key would cause some or all of the IV to not be used by RC4. > > -- Ciphersaber-2 encrypt message *m* with key *k* and > -- *r* rounds of key scheduling > *encrypt*(*m*, *r*, *k*): >      *n* ← **length** *m* >      *iv* ← appropriately-chosen 10-byte IV >      k' ← prepend *k* **to** *iv* >      *keystream* ← *rc4*(*n*, *r*, k') >      ciphertext ← zero-based array of *n* + 10 bytes >      **for** *i* **in** 0..9 >          ciphertext[*i*] ← *iv*[*i*] >      **for** *i* **in** 0..*n* >          ciphertext[*i* + 10] ← *m*[*i*] **xor** *keystream*[*i*] >      **return** ciphertext CS2 decryption requires ciphertext and the encryption key used to produce the ciphertext. > > -- Ciphersaber-2 decrypt ciphertext *m* with key *k* and > -- *r* rounds of key scheduling > *decrypt*(*m*, *r*, *k*): >      *n* ← **length** *m* >      *iv* ← *m*[0..9] >      delete the first 10 characters of *m* >      k' ← prepend *k* **to** *iv* >      *keystream* ← *rc4*(*n* - 10, *r*, k') >      plaintext ← zero-based array of *n* - 10 bytes >      **for** *i* **in** 0..n-10 >          plaintext[*i*] ← *m*[*i*] **xor** *keystream*[*i*] >      **return** plaintext ## Library The `CipherSaber2` library provides a relatively straightforward `ByteString` interface. See the `haddock` documentation for details. ## Driver The program `cs2` uses the `CipherSaber2` library to encrypt or decrypt `stdin` to `stdout`. `cs2` is written in Haskell, so you will need a Haskell installation to run it. It depends on the package `[parseargs](http://hackage.haskell.org/package/parseargs)` from [Hackage](http://hackage.haskell.org), as well as the `bytestring` package that should probably have come with your distribution but may need to be installed. Say "`cabal install parseargs`" and "`cabal install bytestring`" to get things set up. (This in turn may require a `cabal-install` package from your Linux distribution or thereabouts.) Say "`runghc cs2.hs --help`" for usage information. Say "`runghc cs2.hs -e whee g.cs2`" to encrypt the file `f.txt` with key `whee`. An IV will be automatically chosen. Say "`runghc cs2.hs -d whee ff.txt`" to decrypt the file `g.cs2` with key `whee`. ## Test Instances The `test` directory include a bunch of plaintext/ciphertext pairs taken from the original CS2 materials. Please see `README.md` in that directory for more information. ## License This work is licensed under the "MIT License". Please see the file LICENSE in the source distribution of this software for license terms.