block cipher modes of operation - courses.knox.edu
TRANSCRIPT
CS 330 More Block Ciphers 1
Block Cipher Modes of Operation
(Slide from John Dooley with thanks to Drs. Lawrie Brown & William Stallings)
CS 330 More Block Ciphers 2
Current Block Cipher Design Principles
• basic principles still like Feistel in 1970’s
• number of rounds– more is better, exhaustive search best attack
• function f:– provides “confusion”, is nonlinear, avalanche
• key schedule– complex subkey creation, key avalanche
CS 330 More Block Ciphers
But.....
• There are things to consider when you implement a block cipher algorithm...
3
CS 330 More Block Ciphers 4
Modes of Operation
• block ciphers encrypt fixed size blocks
• depending on how you implement the algorithm, you can open yourself up to guessing the plaintext or the key
• four Modes of Operation were defined for the DES in ANSI standard ANSI X3.106-1983 Modes of Use
CS 330 More Block Ciphers 5
Electronic Codebook (ECB)
• message is broken into independent blocks which are encrypted
• each block is a value which is substituted, like a codebook, hence the name
• each block is encoded independently of the other blocks Ci = EK1(Pi)
• this mode is typically only used when a very small number of blocks of information need to be sent.
CS 330 More Block Ciphers 6
Electronic Codebook Book (ECB)
CS 330 More Block Ciphers 7
Advantages and Limitations of ECB
• repetitions in the message may show in ciphertext – if aligned with message block – particularly with data such as graphics – or with messages that change very little, which
become a code-book analysis problem
• weakness due to encrypted message blocks being independent
• but, ECB is useful because the blocks can be encrypted and sent independently without affecting decryption.
CS 330 More Block Ciphers 8
Cipher Block Chaining (CBC)
• want a way to overcome the block independence of ECB
• the message is broken into blocks, and
• each previous cipher block is chained with the current plaintext block
• uses an Initial Vector (IV) to start the process Ci = EKi(Pi XOR Ci-1)C-1 = IV
CS 330 More Block Ciphers 9
Cipher Block Chaining (CBC)
CS 330 More Block Ciphers 10
Advantages and Limitations of CBC
• each ciphertext block depends on all the previous message blocks
• thus a change in the message affects all ciphertext blocks after the change as well as the original block
• chaining provides an avalanche effect
CS 330 More Block Ciphers 11
More CBC
• need Initial Value (IV) known to sender & receiver in addition to the key
• at end of message, handle possible last short block
CS 330 More Block Ciphers 12
Cipher FeedBack (CFB) Mode
• the message is treated as a stream of bits that is added to the output of the block cipher
• the result is feedback for the next stage (hence the name)
• standard allows any number of bits (1,8 or 64 or whatever) to be fed back – denoted CFB-1, CFB-8, CFB-64 etc
• it is most efficient to use all 64 bits (CFB-64)Ci = Pi XOR EK1(Ci-1)C-1 = IV
CS 330 More Block Ciphers 13
Cipher FeedBack (CFB)
CS 330 More Block Ciphers 14
Advantages and Limitations of CFB
• appropriate when data arrives in bits/bytes
• it is the most common stream mode
• limitation is the need to stall while you do block encryption after every n-bits
• note that the block cipher is used in encryption mode at both ends
• errors propagate for several blocks after the error
CS 330 More Block Ciphers 15
Output FeedBack (OFB) Mode
• the message is treated as a stream of bits– the output of the cipher is added to the message – the output is then fed back– the feedback is independent of the message – the output can be computed in advance
Ci = Pi XOR Oi
Oi = EK1(Oi-1)O-1 = IV
CS 330 More Block Ciphers16
Output FeedBack (OFB)
CS 330 More Block Ciphers 17
Advantages and Limitations of OFB
• used when error feedback is a problem or where we need to do encryptions before the entire message is available
• superficially similar to CFB – but the feedback is from the output of the cipher and is
independent of the message
• a variation of a Vernam cipher – hence must never reuse the same sequence (key+IV)
CS 330 More Block Ciphers 18
Advantages and Limitations of OFB
• the sender and receiver must remain in sync, and some recovery method is needed to ensure this occurs
• originally specified with m-bit feedback in the standards
• subsequent research has shown that only OFB-64 should ever be used
CS 330 More Block Ciphers 19
Counter (CTR)
• similar to OFB but encrypts a counter value rather than any feedback value
• must have a different key & counter value for every plaintext block (never reused)Ci = Pi XOR Oi
Oi = EK1(i)
• Wireless Encryption Protocol (for 802.11b) uses a form of this method - not terribly secure if you re-use the IV values.
CS 330 More Block Ciphers 20
Counter (CTR)
CS 330 More Block Ciphers 21
Advantages and Limitations of CTR
• efficiency– one can do parallel encryptions– in advance of need– good for bursty high speed links
• random access to encrypted data blocks
• provable security (good as other modes)
• but must ensure never to reuse key/counter values
CS 330 More Block Ciphers 22
Summary of modes
Electronic Code Book (ECB)(simplest - parallel)
Ci = EK1(Pi)
Cipher Block Chaining (CBC) (block mode)
Ci = EK1(Pi XOR Ci-1)C-1 = IV
Cipher Feedback (CFB)(stream mode)
Ci = Pi XOR EK1(Ci-1)C-1 = IV
Output Feedback (OFB) Ci = Pi XOR Oi
Oi = EK1(Oi-1)O-1 = IV
Counter (CTR)(simple - parallel; faster than CBC)
Ci = Pi XOR Oi
Oi = EK1(i)