Block Cipher Operation

Raj Jain
Washington University in Saint Louis
Saint Louis, MO 63130
[email protected]
Audio/Video recordings of this lecture are available at:
http://www.cse.wustl.edu/~jain/cse571-17/
Washington University in St. Louis http://www.cse.wustl.edu/~jain/cse571-17/ ©2017 Raj Jain
6-1
Overview
1. Double DES, Triple DES, DES-X
2. Encryption Modes for long messages:
   1. Electronic Code Book (ECB)
   2. Cipher Block Chaining (CBC)
   3. Cipher Feedback (CFB)
   4. Output Feedback (OFB)
   5. Counter (CTR) Mode
   6. XTS-AES Mode for Block-oriented Storage Devices
These slides are based partly on Lawrie Brown’s slides supplied with William Stallings's
book “Cryptography and Network Security: Principles and Practice,” 7th Ed, 2017.
Double-DES
 C = EK2(EK1(P))
 Meet-in-the-middle attack
   Developed by Diffie and Hellman in 1977
   Can be used to attack any composition of 2 functions
   X = EK1(P) = DK2(C)
   Attack by encrypting P with all 2^56 keys and storing the results
   Then decrypt C with all 2^56 keys and match the X values
   Verify with one more (P, C) pair
   Each half takes at most O(2^56) steps ⇒ Total 2^57 operations
   Only twice as secure as single DES
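As an added illustration of the attack described on this slide (example code, not from the slides), the following Python runs the meet-in-the-middle search against a constructed 16-bit toy block cipher applied twice. The cipher, its key schedule, the secret keys and the known plaintext/ciphertext pairs are all constructed for the demo; with 16-bit keys the forward table plus the backward pass cost on the order of 2·2^16 cipher calls instead of the 2^32 of exhaustive search over both keys, the same ratio the slide gives for DES (2^57 versus 2^112).

```python
MASK16 = 0xFFFF

def _rotl16(x, r):
    return ((x << r) | (x >> (16 - r))) & MASK16

def _rotr16(x, r):
    return ((x >> r) | (x << (16 - r))) & MASK16

def _round_keys(key):
    # Constructed key schedule: rotate the 16-bit key and mix in a round constant.
    return [_rotl16(key, 3 * r) ^ (0x1111 * (r + 1)) for r in range(4)]

def toy_encrypt(key, block):
    """Constructed 16-bit toy block cipher with a 16-bit key: four rounds of
    xor-with-round-key, add-constant, rotate. It stands in for DES only so
    that the whole key space (2^16) can be searched in seconds."""
    x = block & MASK16
    for rk in _round_keys(key):
        x = _rotl16(((x ^ rk) + 0x9E37) & MASK16, 5)
    return x

def toy_decrypt(key, block):
    x = block & MASK16
    for rk in reversed(_round_keys(key)):
        x = ((_rotr16(x, 5) - 0x9E37) & MASK16) ^ rk
    return x

def double_encrypt(k1, k2, block):
    return toy_encrypt(k2, toy_encrypt(k1, block))        # C = EK2(EK1(P))

def meet_in_the_middle(pairs):
    """Recover a (k1, k2) consistent with all known (P, C) pairs.
    Returns ((k1, k2), work), where work is an upper bound on single-cipher calls."""
    p0, c0 = pairs[0]
    work = 0
    table = {}                                # X = EK1(P0) -> every K1 that produces it
    for k1 in range(1 << 16):
        table.setdefault(toy_encrypt(k1, p0), []).append(k1)
        work += 1
    for k2 in range(1 << 16):                 # X = DK2(C0): a table hit is a candidate pair
        x = toy_decrypt(k2, c0)
        work += 1
        for k1 in table.get(x, ()):
            work += 2 * (len(pairs) - 1)      # verify the candidate with the remaining pairs
            if all(double_encrypt(k1, k2, p) == c for p, c in pairs[1:]):
                return (k1, k2), work
    return None, work

def demo():
    # Constructed secret keys and three known plaintext/ciphertext pairs
    k1, k2 = 0x1234, 0xBEEF
    pairs = [(p, double_encrypt(k1, k2, p)) for p in (0x0001, 0x5A5A, 0xC3C3)]
    return meet_in_the_middle(pairs), pairs
```

The table is keyed on the middle value X and keeps every K1 that produces it, because with a 16-bit block many keys collide on the same X; each collision is a candidate that the extra pairs weed out, which is why the slide insists on verifying with one more pair.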
Triple-DES
 Use DES 3 times: C = EK3(DK2(EK1(P)))
   E-D-E provides the same level of security as E-E-E
   E-D-E sequence is used for compatibility with legacy single DES: K1=K2=K3 ⇒ DES
   PGP and S/MIME use this 3-key version
 Two keys with E-D-E sequence
   C = EK1(DK2(EK1(P)))
   Provides 112 bits of security
   Standardized in ANSI X9.17 & ISO 8732
   No current known practical attacks
   Several proposed impractical attacks might become the basis of future attacks
Electronic Codebook (ECB) Mode
 How to encode multiple blocks of a long message?
 Each block is encoded independently of the others
Ci = EK(Pi)
 Each block is substituted as in a codebook, hence the name.
Ref: http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation
ECB Limitations
 Using the same key on multiple blocks makes it easier to break
 Identical plaintext ⇒ identical ciphertext
 Does not change the pattern:
   [Figure: the same image shown as Original, after ECB encryption, and after encryption with a Better mode]
 NIST SP 800-38A defines 5 modes that can be used with any block cipher
Ref: http://en.wikipedia.org/wiki/Modes_of_operation
Cipher Block Chaining (CBC)
 Randomize each plaintext block before encrypting it
 The previous ciphertext block is chained (XORed) with the current plaintext block
 Use an Initial Vector (IV) to start the process
Ci = EK(Pi XOR Ci-1)
C-1 = IV (the IV takes the place of the "previous ciphertext block" for the first block)
Advantages and Limitations of CBC
 Any change to a block affects all following ciphertext blocks
 Need Initialization Vector (IV)
   Must be known to sender & receiver
   If sent in the clear, an attacker can change bits of the first block and change the IV to compensate
   Hence the IV must either be a fixed value, e.g., in Electronic Funds Transfers at Point of Sale (EFTPOS)
   Or must be sent encrypted in ECB mode before the rest of the message
 Encryption is sequential. Cannot be parallelized.
Message Padding
 Last block may be shorter than the others ⇒ Pad
 Pad with zeros followed by a count of the pad size [ANSI X.923]
   E.g., [b1 b2 b3 0 0 0 0 5] = 3 data bytes, 5 pad bytes of which 1 is the count byte
1. A 1 bit followed by 0 bits [ISO/IEC 9797-1]
2. Any known byte value followed by zeros, e.g., 80 00 …
3. Random data followed by count [ISO 10126]
   E.g., [b1 b2 b3 84 67 87 56 05]
4. Each byte indicates the number of padded bytes [PKCS]
   E.g., [b1 b2 b3 05 05 05 05 05]
5. Self-Describing Padding [RFC 1570]
    Each pad octet contains its index starting with 1
    E.g., [b1 b2 b3 1 2 3 4 5]
Ref: http://en.wikipedia.org/wiki/Padding_%28cryptography%29
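The padding schemes listed on this slide, as an added example (not code from the slides): each `pad_*` function produces the slide's layout for an 8-byte block, and the `unpad_*` functions show the matching removal step with the checks a receiver should make. The block size, the input bytes and the validation rules are constructed for the demo; ISO 10126 uses `os.urandom` for its random filler.

```python
import os

BLOCK = 8  # constructed example uses 8-byte blocks, as on the slide

def _pad_len(data, block):
    # Always 1..block bytes: a message that already fills the block gets a whole
    # extra block of padding, so removal is never ambiguous.
    return block - len(data) % block

def pad_x923(data, block=BLOCK):
    """ANSI X.923: zero bytes, last byte = pad length."""
    n = _pad_len(data, block)
    return data + bytes(n - 1) + bytes([n])

def pad_bit(data, block=BLOCK):
    """ISO/IEC 9797-1: a 1 bit then 0 bits (0x80 00 ... on byte boundaries)."""
    n = _pad_len(data, block)
    return data + b"\x80" + bytes(n - 1)

def pad_iso10126(data, block=BLOCK):
    """ISO 10126: random bytes, last byte = pad length."""
    n = _pad_len(data, block)
    return data + os.urandom(n - 1) + bytes([n])

def pad_pkcs7(data, block=BLOCK):
    """PKCS#7: every pad byte holds the pad length."""
    n = _pad_len(data, block)
    return data + bytes([n]) * n

def pad_rfc1570(data, block=BLOCK):
    """RFC 1570 self-describing padding: pad octets are 1, 2, 3, ..."""
    n = _pad_len(data, block)
    return data + bytes(range(1, n + 1))

def _unpad_count(padded, block, pad_ok):
    """Shared removal for schemes whose last byte is the pad length; pad_ok
    checks the filler bytes so a corrupted or forged tail is rejected."""
    if not padded or len(padded) % block:
        raise ValueError("bad padding")
    n = padded[-1]
    if not 1 <= n <= block or not pad_ok(padded[-n:]):
        raise ValueError("bad padding")
    return padded[:-n]

def unpad_x923(padded, block=BLOCK):
    return _unpad_count(padded, block, lambda pad: pad[:-1] == bytes(len(pad) - 1))

def unpad_iso10126(padded, block=BLOCK):
    return _unpad_count(padded, block, lambda pad: True)   # filler is random: only the count is checked

def unpad_pkcs7(padded, block=BLOCK):
    return _unpad_count(padded, block, lambda pad: pad == bytes([len(pad)]) * len(pad))

def unpad_rfc1570(padded, block=BLOCK):
    return _unpad_count(padded, block, lambda pad: pad == bytes(range(1, len(pad) + 1)))

def unpad_bit(padded, block=BLOCK):
    """Strip trailing zeros, then the 0x80 marker; data ending in zeros is safe
    because the marker, not the zeros, delimits the padding."""
    if not padded or len(padded) % block:
        raise ValueError("bad padding")
    i = len(padded) - 1
    while i >= 0 and padded[i] == 0:
        i -= 1
    if i < 0 or padded[i] != 0x80:
        raise ValueError("bad padding")
    return padded[:i]
```

The removal functions all raise the same `ValueError` and reveal nothing about where the check failed; when padding is validated after decryption, the error path should be kept uniform like this so the receiver does not become a padding oracle.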
Cipher Text Stealing (CTS)
 Alternative to padding, which adds extra bytes
 The last 2 blocks are specially coded
 Tail bits of the (n-1)st encrypted block are appended to the nth block, and the order of transmission of the two blocks is interchanged
⇒ Size of the ciphertext is the same as the plaintext. No extra bytes.
Stream Modes of Operation
 Use the block cipher as some form of pseudo-random number generator
 The random number bits are then XOR’ed with the message (as in a stream cipher)
 Convert block cipher into stream cipher
1. Cipher feedback (CFB) mode
2. Output feedback (OFB) mode
3. Counter (CTR) mode
Cipher Feedback (CFB)
 Message is added (XORed) to the output of the block cipher
 Result is fed back for the next stage (hence the name)
 Standard allows any number of bits (1, 8, 64 or 128, etc.) to be fed back, denoted CFB-1, CFB-8, CFB-64, CFB-128, etc.
 Most efficient to use all bits in the block (64 or 128)
Ci = Pi XOR EK(Ci-1)
C-1 = IV
 Errors propagate for several blocks after the error
Output Feedback (OFB)
 Output of the cipher is fed back (hence the name)
 Feedback is independent of the message
 Can be computed in advance
Oi = EK(Oi-1)
Ci = Pi XOR Oi
O-1 = IV
Advantages and Limitations of OFB
 Needs an IV which is unique for each use
   If ever reused, an attacker can recover outputs
 Bit errors do not propagate
 More vulnerable to message stream modification
 Sender & receiver must remain in sync
 Only use with full block feedback
   Subsequent research has shown that only full block feedback (i.e., CFB-64 or CFB-128) should ever be used
Counter (CTR)
 Encrypt a counter value rather than any feedback value
 A different key/counter pair for every plaintext block (a pair is never reused)
Oi = EK(i)
Ci = Pi XOR Oi
Advantages and Limitations of CTR
 Efficiency
   Can do parallel encryptions in h/w or s/w
   Can preprocess in advance of need
   Good for bursty high speed links
 Random access to encrypted data blocks
 Provable security (as good as other modes)
 But must never reuse key/counter values, otherwise it could be broken
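The five modes from the ECB, CBC, CFB, OFB and CTR slides, written from the slide formulas as an added example (not code from the slides or from NIST SP 800-38A). Because no real cipher can be assumed offline, the block cipher is a constructed stand-in: a 4-round Feistel network with HMAC-SHA256 as its round function, which is a keyed permutation on 16-byte blocks but not DES or AES. Two checks are included: `ecb_pattern_leak` shows the ECB limitation (identical plaintext blocks give identical ciphertext blocks), and `corrupted_blocks` flips one bit in transmitted block C1 and lists which decrypted blocks are affected, which makes the error-propagation statements on the CFB and OFB slides concrete. Keys, IVs and plaintexts are constructed; the CTR counter block is `nonce || block index`, a common instantiation of the slide's EK(i).

```python
import hashlib
import hmac
import os

BS = 16  # block size in bytes (same as AES)

def _feistel(key, block, rounds):
    # Constructed stand-in block cipher: 4-round Feistel network with HMAC-SHA256
    # as the round function. It is a keyed permutation on 16-byte blocks, NOT
    # DES or AES; it exists only so that the modes below run offline.
    l, r = block[:8], block[8:]
    for i in rounds:
        f = hmac.new(key, bytes([i]) + r, hashlib.sha256).digest()[:8]
        l, r = r, bytes(a ^ b for a, b in zip(l, f))
    return r + l

def E(key, block):
    return _feistel(key, block, range(4))

def D(key, block):
    return _feistel(key, block, range(3, -1, -1))  # same network, rounds reversed

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def blocks(data):
    assert len(data) % BS == 0, "pad first (see the padding slide)"
    return [data[i:i + BS] for i in range(0, len(data), BS)]

# The five NIST SP 800-38A modes, written from the slide formulas.
def ecb_encrypt(key, pt):
    return b"".join(E(key, p) for p in blocks(pt))          # Ci = EK(Pi)

def ecb_decrypt(key, ct):
    return b"".join(D(key, c) for c in blocks(ct))

def cbc_encrypt(key, iv, pt):
    out, prev = [], iv                                       # C-1 = IV
    for p in blocks(pt):
        prev = E(key, xor(p, prev))                          # Ci = EK(Pi XOR Ci-1)
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for c in blocks(ct):
        out.append(xor(D(key, c), prev))                     # Pi = DK(Ci) XOR Ci-1
        prev = c
    return b"".join(out)

def cfb_crypt(key, iv, data, decrypt=False):
    out, prev = [], iv                                       # C-1 = IV
    for x in blocks(data):
        y = xor(x, E(key, prev))                             # Ci = Pi XOR EK(Ci-1)
        out.append(y)
        prev = x if decrypt else y                           # the ciphertext block is what is fed back
    return b"".join(out)

def ofb_crypt(key, iv, data):
    # Oi = EK(Oi-1), Ci = Pi XOR Oi: the keystream never depends on the message,
    # so one function both encrypts and decrypts.
    out, o = [], iv
    for p in blocks(data):
        o = E(key, o)
        out.append(xor(p, o))
    return b"".join(out)

def ctr_crypt(key, nonce, data):
    # Oi = EK(nonce || i): a fresh counter block for every message block, so a
    # (key, counter) pair is never reused within a message.
    return b"".join(xor(p, E(key, nonce + i.to_bytes(8, "big")))
                    for i, p in enumerate(blocks(data)))

_MODES = {  # uniform (encrypt, decrypt) signatures for the checks below
    "ecb": (lambda k, iv, d: ecb_encrypt(k, d), lambda k, iv, d: ecb_decrypt(k, d)),
    "cbc": (cbc_encrypt, cbc_decrypt),
    "cfb": (cfb_crypt, lambda k, iv, d: cfb_crypt(k, iv, d, decrypt=True)),
    "ofb": (ofb_crypt, ofb_crypt),
    "ctr": (lambda k, iv, d: ctr_crypt(k, iv[:8], d), lambda k, iv, d: ctr_crypt(k, iv[:8], d)),
}

def ecb_pattern_leak(key):
    # Three identical plaintext blocks: ECB gives one distinct ciphertext block,
    # CBC with a random IV gives three -> returns (1, 3)
    pt = b"A" * (3 * BS)
    return (len(set(blocks(ecb_encrypt(key, pt)))),
            len(set(blocks(cbc_encrypt(key, os.urandom(BS), pt)))))

def corrupted_blocks(mode, key, iv, n=6):
    """Flip one bit of transmitted block C1 and list the plaintext blocks that
    then decrypt wrongly, i.e. how far a transmission error propagates."""
    enc, dec = _MODES[mode]
    pt = os.urandom(n * BS)
    ct = bytearray(enc(key, iv, pt))
    ct[BS] ^= 0x01                                           # first byte of C1
    rec = dec(key, iv, bytes(ct))
    return [j for j in range(n) if rec[j * BS:(j + 1) * BS] != pt[j * BS:(j + 1) * BS]]
```

Run `corrupted_blocks("cfb", key, iv)` and `corrupted_blocks("ofb", key, iv)` to see the two slides' claims side by side: a damaged C1 spoils P1 and P2 in full-block CFB (P2 is computed from EK(C1)), but only the matching bit of P1 in OFB, where the keystream is independent of the ciphertext. On the IV bullets of the CBC slide, NIST SP 800-38A requires a CBC IV to be unpredictable, which is why `ecb_pattern_leak` draws it from `os.urandom`; for CTR the slide's "never reused" rule is enforced here by deriving the counter block from the block index under a per-message nonce.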
Storage Encryption
 File encryption:
   Different keys for different files
   May not protect metadata, e.g., filename, creation date
   Individual files can be backed up
   Encrypting File System (EFS) in NTFS provides this service
 Disk encryption:
   Single key for the whole disk or separate keys for each partition
   Master boot record (MBR) may or may not be encrypted
   Boot partition may or may not be encrypted
   Operating system stores the key in memory ⇒ Can be read by an attacker via a cold boot attack
   Trusted Platform Module (TPM): A secure coprocessor chip on the motherboard that can authenticate a device ⇒ Disk can be read only on that system. Recovery is possible with a decryption password or token
Storage Encryption (Cont)
 If the IV is predictable, CBC is not usable in storage because the plaintext is chosen by the writer
   Ciphertext is easily available to other users of the same disk
   Two messages whose first blocks are b⊕IV1 and b⊕IV2 will both encrypt to the same ciphertext
 Need to be able to read/write blocks without reading/writing other blocks
[Figure: CBC]
XTS-AES Mode
 XTS = XEX-based Tweaked Codebook mode with Ciphertext Stealing (XEX = Xor-Encrypt-Xor)
 Creates a unique IV (tweak) for each block using AES and 2 keys:
   Tj = EK2(i) ⊗ α^j
   Cj = EK1(Pj ⊕ Tj) ⊕ Tj
   where i is the logical sector number & j is the block number within the sector (sector = n blocks)
   α = primitive element of GF(2^128), namely the polynomial x
   Size of K2 = size of the block; K1 is 256 bits for AES-256
Advantages and Limitations of XTS-AES
 Multiplication is modulo x^128 + x^7 + x^2 + x + 1 in GF(2^128)
 Efficiency
   Can do parallel encryptions in h/w or s/w
   Random access to encrypted data blocks
 Has both nonce & counter
 Defined in IEEE Std 1619-2007 for block-oriented storage use
 Implemented in numerous packages and operating systems including TrueCrypt, FreeBSD, and OpenBSD softraid disk encryption software (also native in Mac OS X Lion’s FileVault), and in hardware-based media encryption devices such as the SPYRUS Hydra PC Digital Attaché and the Kingston DataTraveler 5000.
Ref: http://en.wikipedia.org/wiki/Disk_encryption_theory
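The tweak arithmetic and the XEX block structure from the two XTS-AES slides, as an added example (not code from the slides or from IEEE Std 1619): `gf128_mul_alpha` is the multiplication by α modulo x^128 + x^7 + x^2 + x + 1 in the byte order IEEE 1619 uses, `xts_tweaks` builds Tj = EK2(i) ⊗ α^j for one sector, and the encrypt/decrypt functions apply Cj = EK1(Pj ⊕ Tj) ⊕ Tj. The block cipher is a constructed stand-in (a keyed byte substitution seeded deterministically), which is invertible but is not AES and is not secure; keys, sector numbers and plaintext are constructed. Ciphertext stealing for a partial final block is not shown.

```python
import random

BS = 16  # AES block size; XTS tweaks are elements of GF(2^128)

def gf128_mul_alpha(t):
    """Multiply a 16-byte GF(2^128) element by α = x, modulo x^128 + x^7 + x^2 + x + 1.
    Byte order follows IEEE 1619: bit 0 of byte 0 is the coefficient of x^0."""
    out, carry = bytearray(BS), 0
    for i in range(BS):
        out[i] = ((t[i] << 1) & 0xFF) | carry
        carry = t[i] >> 7
    if carry:                      # x^128 ≡ x^7 + x^2 + x + 1, i.e. 0x87 folded into byte 0
        out[0] ^= 0x87
    return bytes(out)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def blocks(data):
    return [data[i:i + BS] for i in range(0, len(data), BS)]

# Constructed stand-in for AES: a keyed byte-substitution permutation with a
# fixed seed. It is invertible, which is all the XEX structure needs in order
# to run here, but it is NOT a secure block cipher; real XTS uses AES for E and D.
_SBOX = list(range(256))
random.Random(1619).shuffle(_SBOX)
_INV = [0] * 256
for _i, _v in enumerate(_SBOX):
    _INV[_v] = _i

def E(key, block):
    return bytes(_SBOX[b ^ k] for b, k in zip(block, key))

def D(key, block):
    return bytes(_INV[b] ^ k for b, k in zip(block, key))

def xts_tweaks(k2, sector, n):
    """Tj = EK2(i) ⊗ α^j for blocks j = 0..n-1 of logical sector i."""
    t = E(k2, sector.to_bytes(BS, "little"))   # sector number as a 128-bit little-endian value
    out = []
    for _ in range(n):
        out.append(t)
        t = gf128_mul_alpha(t)                    # next block's tweak: one more multiplication by α
    return out

def xts_encrypt_sector(k1, k2, sector, pt):
    """Cj = EK1(Pj ⊕ Tj) ⊕ Tj for every whole block of one sector."""
    assert len(pt) % BS == 0, "ciphertext stealing for a partial last block is not shown"
    ts = xts_tweaks(k2, sector, len(pt) // BS)
    return b"".join(xor(E(k1, xor(p, t)), t) for p, t in zip(blocks(pt), ts))

def xts_decrypt_block(k1, k2, sector, j, cj):
    """Random access: block j of a sector is recovered from Cj and its tweak
    alone, without reading any other block."""
    t = xts_tweaks(k2, sector, j + 1)[j]
    return xor(D(k1, xor(cj, t)), t)

def xts_decrypt_sector(k1, k2, sector, ct):
    return b"".join(xts_decrypt_block(k1, k2, sector, j, c) for j, c in enumerate(blocks(ct)))
```

Encrypting a sector of identical plaintext blocks yields a different ciphertext block at every position, and the same sector content written to a different sector number yields different ciphertext again; that is what addresses the predictable-IV problem of the storage-encryption slides, and `xts_decrypt_block` shows the random access the slide lists as an advantage.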
Summary
 3DES generally uses E-D-E with 2 keys ⇒ 112b protection
 ECB: Same ciphertext for the same plaintext ⇒ Easier to break
Homework 6
For each of the modes ECB, CBC and CTR:
a. Identify whether decrypted plaintext block P3 will be corrupted if there is an error in block C1 of the transmitted ciphertext.
b. Assuming that the ciphertext contains N blocks, and that there was a bit error in the source version of P1, identify through how many ciphertext blocks this error is propagated.
Lab 6
 This homework requires two computers with SSH and telnet clients and servers installed.
 You can download the following open source SSH and telnet clients:
   http://www.freesshd.com/
   http://www.chiark.greenend.org.uk/~sgtatham/putty/
 These utilities are installed on CSE571XPC and CSE571XPS in our lab.
 Start wireshark on the client machine (CSE571XPS).
 telnet (Putty) to the server (CSE571XPC) and login with your username and password. Logout.
 Use the “follow the TCP stream” option (right click on the packet) to see your username and password on the screen. Capture the screen and circle your password.
 ssh (Putty) to the server (CSE571XPC) and login with your username and password. Logout.
 Stop wireshark and read the trace. Capture the screen. Circle the password characters. Note the difference between the two logins.
Acronyms
 3DES Triple DES
 AES Advanced Encryption Standard
 ANS American National Standard
 ANSI American National Standards Institute
 ATM Asynchronous Transfer Mode
 CBC Cipher Block Chaining
 CFB Cipher Feedback
 CTR Counter mode
 CTS Ciphertext Stealing
 DES Data Encryption Standard
 ECB Electronic Code Book
 EFS Encrypting File System
 EFTPOS Electronic Funds Transfer at Point of Sale
 FreeBSD Free Berkeley System Distribution
 FTP File Transfer Protocol
 GF Galois Field
Acronyms (Cont)
 IEC International Electrotechnical Commission
 IEEE Institute of Electrical and Electronics Engineers
 IP Internet Protocol
 ISO International Standards Organization
 MBR Master Boot Record
 MIME Multipurpose Internet Mail Extensions
 NIST National Institute of Standards and Technology
 NTFS New Technology File System
 OFB Output Feedback mode
 OSX Apple's Mac Operating System
 PC Personal Computer
 PGP Pretty Good Privacy
 PKCS Public Key Cryptography Standards
 S/MIME Secure MIME
 SP Special Publication
 SSH Secure Shell
Acronyms (Cont)
 TCP Transmission Control Protocol
 TPM Trusted Platform Module
 TV Television
 XEX Xor Encrypt Xor
 XOR Exclusive Or
 XTS XEX-based tweaked-codebook mode with ciphertext stealing
Scan This to Download These Slides

Raj Jain
http://rajjain.com
Related Modules
CSE571S: Network Security (Spring 2017),
http://www.cse.wustl.edu/~jain/cse571-17/index.html
CSE473S: Introduction to Computer Networks (Fall 2016),
http://www.cse.wustl.edu/~jain/cse473-16/index.html
Wireless and Mobile Networking (Spring 2016),
http://www.cse.wustl.edu/~jain/cse574-16/index.html
CSE571S: Network Security (Fall 2014),
http://www.cse.wustl.edu/~jain/cse571-14/index.html
Audio/Video Recordings and Podcasts of Professor Raj Jain's Lectures,
https://www.youtube.com/channel/UCN4-5wzNP9-ruOzQMs-8NUw