
Block Cipher Modes

The document discusses various modes of operation for block ciphers. It describes the Electronic Codebook (ECB) mode, where each plaintext block is encrypted independently. It notes security issues with ECB. It then covers the Cipher Block Chaining (CBC) mode, which XORs each plaintext block with the previous ciphertext block before encryption to avoid identical blocks being encrypted to identical ciphertexts. It also discusses the Cipher Feedback (CFB) and Output Feedback (OFB) modes, which treat the plaintext as a bitstream and encrypt portions of the plaintext using feedback from previous cipher outputs.

Uploaded by

Sudha Patel

Block Cipher Modes of Operation

Reema Patel, M.Tech-I, ICS-2013 16/09/2013

Objective
• Electronic codebook mode (ECB)
• Cipher block chaining mode (CBC) – most popular
• Output feedback mode (OFB)
• Cipher feedback mode (CFB)
• Counter mode (CTR)

Introduction
• A block cipher is a function which maps n-bit plaintext blocks to n-bit cipher-text blocks; n is called the block length.
• $E: \{0,1\}^n \times \{0,1\}^k \to \{0,1\}^n$
• A mode of operation is a procedure that enables the repeated and secure use of a block cipher under a single key
• Block ciphers encrypt fixed-size blocks (e.g. DES – 64-bit)
• Some way is needed to encrypt/decrypt arbitrarily large amounts of data in practice

Need for Modes of Block Cipher
• NIST SP 800-38A defines 5 modes
• Block ciphers deal with blocks of data
• In real life there are two important issues:
  • Plaintext much larger than a typical block length of 128 bits
  • Plaintext not a multiple of block length
• Obvious solution is the first mode, called Electronic Code Book

Electronic Code Book (ECB)
• Message is broken into independent blocks
• Each plaintext block is encrypted under the key to its own cipher-text block
• $C_i = E_K(P_i)$
• Weakness: the same plaintext block always gets converted to the same cipher-text block

Schematic Diagram

Properties
• Chaining dependencies:
  • Blocks are enciphered independently of other blocks.
  • Reordering cipher-text blocks results in correspondingly re-ordered plaintext blocks.
• Error propagation:
  • One or more bit errors in a single cipher-text block affect decipherment of that block only.
  • Other blocks are not affected

Security Issues
• Identical blocks of plaintext will be encrypted as identical blocks of cipher-text
• Consider if the plaintext has only two possibilities: all 64 bits (block length) 0 or all 64 bits 1
• ECB leaks the entire secret
• if aligned with plaintext block
• particularly with data such as graphics
• or with messages that change very little, which become a code-book analysis problem
• Weakness is due to the encrypted message blocks being independent
• If an attacker re-orders blocks, it will not be detected by the receiver

Limitations of ECB
[Figure, from wiki: Original; Encrypted with ECB; Encrypted with other than ECB]

Cipher Block Chaining (CBC)
• Used to solve the problem of identical plaintext blocks being encrypted to identical cipher-text blocks
• Idea is to use chaining
• Message is broken into blocks
• Each plaintext block is XORed with the previous cipher-text block before being encrypted, hence the name CBC
• Use an Initial Vector (IV) to start the process
• $C_i = E_K(P_i \oplus C_{i-1})$
• $C_0 = IV$ (the IV is not a secret like the key)

Schematic Diagram

IV based attack
• Keeping the IV secret is not necessary
• But the integrity of the IV should be maintained
• Note that: $C_1 = E_K(IV \oplus P_1)$
• Thus, $P_1 = D_K(C_1) \oplus IV$
• If an attacker flips certain bits of the IV, the corresponding bits of the recovered plaintext also change
• Can lead to problems in some applications (in which integrity is required)
• If the IV is sent in clear, an attacker can change bits of the first block, and change the IV to compensate

Properties
• Chaining dependencies
  • chaining causes cipher-text $c_j$ to depend on all preceding plaintext
• Error propagation
  • a single bit error in $c_j$ affects decipherment of blocks $c_j$ and $c_{j+1}$
  • reordering the cipher-text blocks affects decryption
• Error recovery
  • self-synchronizing: if an error occurs in $c_j$ (but not $c_{j+1}$, $c_{j+2}$), then $c_{j+2}$ is correctly decrypted to $x_{j+2}$.
• can be used as a MAC: $x_1, x_2, \ldots, x_n, c_n$ (for Authentication)

Example – Error Propagation in CBC
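
The ECB repetition from the Security Issues slide and the CBC chaining and two-block error propagation from the Properties slide, as an added example that is not part of the original deck. The 4-round Feistel cipher built from SHA-256, the key, the IV and the message are constructed stand-ins for $E_K$ and $D_K$ and are not secure.

```python
import hashlib

BLOCK = 8  # bytes: a 64-bit block, the DES size used on the slides

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def round_f(key: bytes, rnd: int, half: bytes) -> bytes:
    # Round function of a constructed Feistel toy cipher (not DES, not secure).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]

def E(key: bytes, blk: bytes) -> bytes:
    l, r = blk[:4], blk[4:]
    for rnd in range(4):
        l, r = r, xor(l, round_f(key, rnd, r))
    return l + r

def D(key: bytes, blk: bytes) -> bytes:
    l, r = blk[:4], blk[4:]
    for rnd in reversed(range(4)):
        l, r = xor(r, round_f(key, rnd, l)), l
    return l + r

def blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key: bytes, pt: bytes) -> bytes:
    return b"".join(E(key, p) for p in blocks(pt))        # C_i = E_K(P_i)

def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    prev, out = iv, []
    for p in blocks(pt):
        prev = E(key, xor(p, prev))                       # C_i = E_K(P_i XOR C_{i-1})
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    cs = [iv] + blocks(ct)                                # C_0 = IV
    return b"".join(xor(D(key, c), prev) for prev, c in zip(cs, cs[1:]))

def wrong_blocks(key: bytes, iv: bytes, pt: bytes, j: int) -> list:
    """Flip one bit of cipher-text block j (0-based); list the plaintext blocks that change."""
    ct = bytearray(cbc_encrypt(key, iv, pt))
    ct[j * BLOCK] ^= 0x01
    got = blocks(cbc_decrypt(key, iv, bytes(ct)))
    return [i for i, (a, b) in enumerate(zip(blocks(pt), got)) if a != b]

KEY, IV = b"constructed key", bytes(range(BLOCK))         # constructed sample values
PT = b"ATTACK!!" * 2 + b"RETREAT!" + b"ATTACK!!"         # blocks 0, 1 and 3 are identical
# wrong_blocks(KEY, IV, PT, 1) -> [1, 2]
```

Under ECB the three identical plaintext blocks give three identical cipher-text blocks, while under CBC all four differ. Decrypting with one IV bit flipped changes exactly that bit of the first plaintext block and nothing else, which is why the IV needs integrity protection even though it is not secret.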

Message Padding
• What if the message is not a multiple of the block length?
• at the end, the message may have a last short block that is not as large as the block size of the cipher
• pad either with known non-data value (e.g. nulls)
• or pad last block along with count of pad size
  • e.g. [ b1 b2 b3 0 0 0 0 5]
  • means have 3 data bytes, then 5 bytes pad+count
• this may require an extra entire block over those in message
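
The two padding options above side by side, as an added example that is not part of the original deck. The function names and the 8-byte block size are assumptions chosen to match the slide's [ b1 b2 b3 0 0 0 0 5] layout.

```python
BLOCK = 8  # bytes, matching the 8-byte example on the slide

def null_pad(msg: bytes, block: int = BLOCK) -> bytes:
    """Option 1: fill with nulls. Ambiguous when the message itself ends in nulls."""
    return msg + bytes(-len(msg) % block)

def pad(msg: bytes, block: int = BLOCK) -> bytes:
    """Option 2: zero fill, with the pad size (fill + count byte) in the last byte."""
    n = block - (len(msg) % block)   # 1..block: an aligned message gets a whole extra block
    return msg + bytes(n - 1) + bytes([n])

def unpad(padded: bytes, block: int = BLOCK) -> bytes:
    """Strip option-2 padding, rejecting anything that pad() could not have produced."""
    if not padded or len(padded) % block:
        raise ValueError("invalid padding")
    n = padded[-1]
    if not 1 <= n <= block or any(padded[-n:-1]):
        raise ValueError("invalid padding")
    return padded[:-n]

# Constructed sample: the slide's case of 3 data bytes followed by 5 bytes of pad+count.
SAMPLE = pad(b"\x0b\x0c\x0d")
```

Null padding maps `b"pay"` and `b"pay\x00"` to the same padded block, so the receiver cannot tell them apart; the count byte removes that ambiguity at the price of an extra block for messages that are already aligned.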
Cipher Feedback Mode (CFB)
• CBC processes plaintext n bits at a time with an n-bit block cipher
• Can encryption begin before a complete block of data is received?
• Sometimes, only r bits of an n-bit block (r = 1 or r = 8) are required to be transmitted without delay
• CFB is employed when data is to be encrypted in units smaller than the block size.

Cipher Feedback Mode (CFB)
• The plaintext message
  • is treated as a stream of bits
  • is added to the output of the block cipher
  • the result is then fed back for the next stage (hence the name)
• the standard allows any number of bits (1, 8, 64 or 128 etc.) to be fed back
  • denoted CFB-1, CFB-8, CFB-64, CFB-128 etc.
• most efficient to use all bits in block (64 or 128)
• $C_i = P_i \oplus \mathrm{DES}_{K1}(C_{i-1})$
• $C_{-1} = IV$
• uses: stream data encryption, authentication

Cipher Feedback Mode (CFB)
• Input
  • k-bit key K;
  • n-bit IV;
  • r-bit plaintext blocks $x_1, \ldots, x_u$ ($1 \le r \le n$)
• Output
  • produce r-bit ciphertext blocks $c_1, \ldots, c_u$

[Figures: Cipher Feedback Mode (CFB)]

Advantages and Limitations of CFB
• Appropriate when data arrives in bits/bytes
• Most common stream mode
• Limitation is the need to stall while doing a block encryption after every n bits
• Note that the block cipher is used in encryption mode at both ends
• Errors propagate for several blocks after the error
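
CFB-8 with an n-bit shift register, showing byte-at-a-time encryption and how far one damaged cipher-text byte reaches before the receiver resynchronizes; this is an added example, not part of the original deck. The HMAC-based stand-in for $E_K$, the key, the IV and the message are constructed, and the register update (shift left by r bits, cipher-text unit enters on the right) is the standard CFB rule, assumed here because the deck's CFB diagrams did not survive.

```python
import hashlib
import hmac

N = 16   # block length n in bytes (128 bits)
R = 1    # feedback unit r in bytes: CFB-8

def E(key: bytes, block: bytes) -> bytes:
    # Stand-in for E_K, constructed for this example: HMAC-SHA256 cut to one block.
    # CFB uses the cipher in encryption mode at both ends, so no inverse is needed.
    return hmac.new(key, block, hashlib.sha256).digest()[:N]

def cfb(key: bytes, iv: bytes, data: bytes, decrypt: bool = False) -> bytes:
    reg, out = iv, bytearray()              # n-bit shift register, starts as the IV
    for i in range(0, len(data), R):
        unit = data[i:i + R]
        t = E(key, reg)[:len(unit)]         # r leftmost bits of the cipher output
        res = bytes(a ^ b for a, b in zip(unit, t))
        out += res
        c = unit if decrypt else res        # the feedback is always the cipher-text unit
        reg = (reg + c)[-N:]                # shift left by r, cipher-text enters on the right
    return bytes(out)

def damaged_bytes(key: bytes, iv: bytes, pt: bytes, j: int) -> list:
    """Flip one bit of cipher-text byte j; return the plaintext positions that differ."""
    ct = bytearray(cfb(key, iv, pt))
    ct[j] ^= 0x80
    got = cfb(key, iv, bytes(ct), decrypt=True)
    return [i for i, (a, b) in enumerate(zip(pt, got)) if a != b]

KEY, IV = b"constructed key", bytes(N)      # constructed sample values
PT = bytes(range(64))                       # constructed 64-byte message
```

With these values the damage starts at byte j and ends no later than byte j + 16: once the bad byte has been shifted out of the 16-byte register, decryption is correct again without any resynchronization message.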
Output Feedback Mode (OFB)
• message is treated as a stream of bits
• output of cipher is added to message
• output is then fed back (hence name OFB)
• feedback is independent of message
• can be computed in advance
• $O_i = E_K(O_{i-1})$
• $C_i = P_i \oplus O_i$
• $O_{-1} = IV$

[Figures: Output Feedback Mode (OFB)]

Output Feedback Mode (OFB)
• INPUT
  • k-bit key K; n-bit IV; r-bit plaintext blocks $x_1, \ldots, x_u$ ($1 \le r \le n$)
• OUTPUT
  • produce r-bit cipher-text blocks $c_1, \ldots, c_u$
• Encryption
  • $I_1 \leftarrow IV$. For $1 \le j \le u$, given plaintext block $x_j$:
  • $O_j \leftarrow E_K(I_j)$. (Compute the block cipher output)
  • $t_j \leftarrow$ the r leftmost bits of $O_j$ - assume the leftmost is identified as bit 1
  • $c_j \leftarrow x_j \oplus t_j$ - transmit the r-bit ciphertext block $c_j$
  • $I_{j+1} \leftarrow O_j$ - update the block cipher input for the next block
  • $I_{j+1} \leftarrow 2^r \cdot I_j + t_j \bmod 2^n$ - shift output $t_j$ into right end of shift register

Output Feedback Mode (OFB)
• Decryption
  • $I_1 \leftarrow IV$.
  • For $1 \le j \le u$, upon receiving $c_j$: $x_j \leftarrow c_j \oplus t_j$, where $t_j$, $O_j$ and $I_j$ are computed as above

Advantages and Limitations of OFB
• needs an IV which is unique for each use
  • if ever reused, attacker can recover outputs
• bit errors do not propagate
• more vulnerable to message stream modification
• sender & receiver must remain in sync
• only use with full block feedback
  • subsequent research has shown that only full block feedback (i.e. CFB-64 or CFB-128) should ever be used

Counter (CTR)
• a “new” mode, though proposed early on
• similar to OFB
• but encrypts counter value rather than any feedback value
• must have a different key & counter value for every plaintext block (never reused)
• $O_i = E_K(i)$
• $C_i = P_i \oplus O_i$
• uses: high-speed network encryptions

Counter (CTR)

Advantages and Limitations of CTR
• Efficiency
  • can do parallel encryptions in h/w or s/w
  • can preprocess in advance of need
  • good for bursty high speed links
• random access to encrypted data blocks
• provable security (good as other modes)
• but must ensure key/counter values are never reused, otherwise the mode could break
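
Why the OFB and CTR limitation slides both insist that an IV or key/counter value is never reused, together with OFB's lack of error propagation and CTR's random access; this is an added example, not part of the original deck. The HMAC-based stand-in for $E_K$, the `nonce || i` counter layout, the `IVRegistry` guard and all sample values are assumptions constructed for the illustration.

```python
import hashlib
import hmac

N = 16  # block length in bytes

def E(key: bytes, block: bytes) -> bytes:
    # Stand-in for E_K, constructed for this example: HMAC-SHA256 cut to one block.
    return hmac.new(key, block, hashlib.sha256).digest()[:N]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def ofb(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Full-block OFB; the same call encrypts and decrypts."""
    o, stream = iv, b""
    while len(stream) < len(data):
        o = E(key, o)                       # O_i = E_K(O_{i-1}), O_{-1} = IV
        stream += o
    return xor(data, stream)                # C_i = P_i XOR O_i

def ctr(key: bytes, nonce: bytes, data: bytes, first: int = 0) -> bytes:
    """CTR over data that starts at block number `first` (random access)."""
    nblocks = -(-len(data) // N)
    stream = b"".join(E(key, nonce + (first + i).to_bytes(8, "big"))
                      for i in range(nblocks))
    return xor(data, stream)                # O_i = E_K(nonce || i)

class IVRegistry:
    """Hypothetical sender-side guard: refuses an IV or nonce already used with this key."""
    def __init__(self):
        self.seen = set()

    def claim(self, iv: bytes) -> bytes:
        if iv in self.seen:
            raise ValueError("IV/nonce reuse under the same key")
        self.seen.add(iv)
        return iv

# Constructed sample values.
KEY = b"constructed key"
IV1, IV2 = b"\x01" * N, b"\x02" * N
P1 = b"wire 1000 to account 12345678..."
P2 = b"wire 9999 to account 87654321..."
```

When P1 and P2 are both encrypted with IV1, the keystream cancels and the XOR of the two cipher-texts equals the XOR of the two plaintexts; with IV1 and IV2 it does not. A flipped cipher-text bit flips exactly the same plaintext bit, which is the "no error propagation" property and also why these modes need separate integrity protection.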

Choosing a Cipher mode
• ECB
  • easiest, fastest, weakest
  • should not be used for message encryption
  • good for encrypting random data such as key, IV
• CBC
  • best for encrypting files
  • speed is the same as the block cipher
  • encryption is not parallelizable, but decryption is
  • most suitable for software based systems

Choosing a Cipher mode
• CFB
  • used for encrypting streams of information … 8-bit CFB for character encryption
• OFB
  • used for high speed synchronous systems
  • used if preprocessing is required.