What is a stream cipher?

A stream cipher is a symmetric encryption method that usually operates at the character or bit level, with the plaintext being combined (normally by an operation such as XOR) with a generated keystream to produce the ciphertext.

Although seemingly simple, its security stems from the fact that, if the generated keystream is not distinguishable from a random sequence and used only once to encrypt a message, it has the same security as a one time pad. Particular requirements for a good stream cipher are a long period and high linear complexity, but not all ciphers with these requirements are necessarily secure.

They are often built using counters, linear feedback shift registers, nonlinear feedback shift registers, nonlinear filters and/or S-boxes, cryptographic sponges, T-functions or even more complicated things.

Regardless of their internal components, stream ciphers can be generally seen as finite state machines: they take some input (internal state, key and optionally, as in the case of self-synchronizing stream ciphers past ciphertext), perform some operations and output the next internal state. A part (or even a nonlinear function of parts) of the internal state are also output at each step as the keystream.

This implies that a stream cipher can never really attain the security level of a one time pad, as sequences generated by a finite state machine are always periodic and, therefore, non-random (it might just have a period that exceeds the remaining time until the heat death of the Universe, but it's still finite).

One very obvious "problem" with a stream cipher is that if you re-use a key (or a key+IV pair), the generated keystream will be the same, compromising the security of the plaintexts encrypted with such keystream (but, hey... that's not a bug, it's a feature! otherwise, the other party wouldn't be able to replicate the correct keystream and therefore decrypt your message).

Why not just use a block cipher?

A block cipher, unlike a stream cipher, operates at the level of blocks, providing a (key-dependent) permutation family which should resemble, as much as possible, a group of pseudo-random permutations (PRP). This implies that thorough diffusion (mixing) and confusion (nonlinear layers) are required for a certain level of robustness against cryptanalysis.

On the other hand, a stream cipher usually only exposes part (or even a nonlinear combination of parts) of its internal state at each step, which implies that it can probably afford less mixing and nonlinearity than a full block cipher between each step (with LFSR being an extreme example, with very slow mixing of its internal state between each step). They are also often more efficient in hardware than block ciphers, being therefore a very valid choice for symmetric encryption in embedded systems and low-power requirements situations (e.g. smartcards).

Nonetheless, it is true that the design and attack of block ciphers is much better understood in academia, which generally grants block ciphers a higher sense of security (due to heightened scrutiny regarding their designs). Also, it's trivial to build a secure stream cipher using a secure block cipher in counter mode and/or using a block cipher to mix some internal state.

Examples of stream ciphers