Whenever your browser establishes a “secure” connection to a web site, it encrypts the data. The encryption often takes place byte-by-byte, since the software can’t always predict how much data will be sent. This encryption style requires a stream cipher.
Stream ciphers use a deceptively simple mechanism: you combine the plaintext data, bit by bit, with “key” bits, using the exclusive or operation. This is often abbreviated xor, and denoted by ⊕ – a circle with a cross.
A “pure” stream cipher consists of three parts:
- a shared secret,
- a process for generating a random-looking bit stream, and
- the xor operation.
Originally, all web sites used Rivest Cipher #4 (RC4) to encrypt their secure connections. RC4 can use 128 bits of shared, secret data to generate a random-looking bit stream. This bit stream is then combined, bit by bit, with the message being sent.
[Note that RC4 is no longer safe to use - we use it here purely as an example]
When Alice sends a message to Bob, encryption happens as follows. Ahead of time, Alice and Bob share their secret. When Alice has a message to send to Bob, she uses the shared secret and the RC4 cipher to encrypt it. Upon receipt of the encrypted message, Bob uses the shared secret and the RC4 cipher to decrypt it. This is much more convenient that a one-time pad, which requires a separate shared secret equal to the size of every message sent.
The process for generating the bit stream is the heart of the technique, and usually referred to as the cryptographic algorithm. Even if an eavesdropper (call him Peeping Tom) happens to see part of this bit stream, he should not be able to predict other parts of the bit stream. Ideally, Tom would need a copy of the shared secret in order to recover the message. There should be no way to recover the message that’s easier than trying to guess the 128-bit secret through trial and error.
This make things much simpler for Alice and Bob. Before sending a message, they share a 128-bit secret. When Alice sends her message, she starts up the RC4 algorithm, feeds it her key, and encrypts her message, bit by bit, using xor. Upon receipt, Bob runs RC4, enters his copy of the shared secret, and gets back the same bit stream. He decrypts the message by applying xor to the message and the bit stream.
The security of a stream cipher depends on the quality of the algorithm, but it also depends on proper use. In particular, neither Alice nor Bob should intentionally use that shared secret ever again to send a message. In fact, if Bob replies to Alice’s message, he must use a different shared secret. If he uses the same shared secret, he will encrypt his message with the same bit stream that Alice used. Then Peeping Tom can retrieve both messages scrambled together, as shown here.