Week 6 Modes
SENS-4533
Week 7
Block Cipher Modes
Dr Nauman Mazhar
Faculty of Information Technology
University of Central Punjab (UCP)
Outline
◦ Counter (CTR)
Modes of Operation
Block ciphers encrypt fixed size blocks
◦ DES 64 bit block, AES 128 bit block
Block Cipher Modes of Operation
Block Modes
Electronic Codebook (ECB)
Message broken into ’b’ bit blocks
All blocks encrypted with same key
Ci = E(K, Pi)
Pi = D(K, Ci)
Electronic Codebook (ECB)
Limitations
If b bit plaintext block appears more than once in message,
always produces same ciphertext
ECB not secure for lengthy & highly structured messages...
◦ if message has repeating elements (at multiple of b bits)
cryptanalysis is easier
modification attack – attacker can substitute/rearrange blocks
replay attack possible
◦ if message has predefined fields
known plaintext ciphertext pairs become available
Weakness due to...
message blocks being encrypted independently
Cipher Block Chaining (CBC)
A technique that produces different ciphertext blocks
for repeated plaintext blocks, using same key
CBC Mode:
◦ current plaintext block XORed with previous ciphertext block,
& then encrypted
(previous cipher block chained with current plaintext block)
Cipher Block Chaining (CBC)
Initialization Vector (IV) known to sender & receiver
◦ should be unpredictable
To generate IV…
◦ generate random data block using random number generator
◦ apply encryption to a Nonce
Nonce (NIST SP-800-90)
A time-varying value, with a negligible
chance of repeating
may be a counter, timestamp, or message number,
unique to each execution of encryption operation
CBC Use: bulk data encryption
Advantages/Limitations of CBC
Each ciphertext block depends on all earlier message blocks
◦ memory-based chaining
◦ identical plaintext Pi = Pk do not result in same output
◦ prevents Replay Attacks
IV needs to be protected...
◦ attacker can change IV bits to change corresponding bits of
received plaintext P1
IV bit “1” → P bit value inverted
IV bit “0” → P bit value same
Message Padding
Padding is needed when the message size is less than the cipher block size
◦ possible short block, at the end of message
Stream Modes
Stream Modes of Operation
Block modes encrypt entire block
Block cipher may be used as Stream cipher
◦ operate on smaller units (e.g., bytes, for real-time data)
◦ no need of padding
Cipher FeedBack (CFB)
CFB regards unit of encryption as ‘s’ bits
◦ most common value of ‘s’ is 8
s-bit Cipher Feedback (CFB-s)
CFB
Input to encryption function is b bit shift register
◦ initially set to some IV
Output FeedBack (OFB)
OFB mode similar in structure to CFB, except...
◦ output of encryption function fed back to shift register
◦ feedback independent of message
OFB operates on full blocks (not ‘s’ bits)
Ci = Pi XOR Oi
Oi = E(K,Oi-1)
O0 = IV = Nonce
If block size is ‘b’ and last block is ‘u’ bits (u<b)
◦ most significant ‘u’ bits of last output block O_N are used for XOR
Typical stream cipher structure
◦ bitstream generated using IV/key – independent of plaintext
OFB
Advantages/Limitations of OFB
Output values can be pre-computed
Tx bit errors do not propagate
◦ Use: stream encryption over noisy channels
Counter (CTR)
Similar to OFB but encrypts counter value rather than any
feedback value
◦ counter value T is the same size as the plaintext block (‘b’ bits)
◦ value different for each plaintext block
◦ usually, counter initialized, then incremented for each block
CTR
Counter (CTR)
If block size is ‘b’ and last plaintext block is ‘u’ bits (u<b)
◦ most significant ‘u’ bits of last encrypted counter value used
for XOR
◦ remaining ‘b-u’ bits discarded
No need to pad plaintext
◦ unlike ECB, CBC
As with OFB, initial counter value must be a Nonce
◦ T1 must be different for all messages encrypted with same key
◦ If plaintext block known, corresponding to a Counter value, then
output of encryption function can be determined from associated
ciphertext
◦ allows other plaintext blocks to be determined
(for same Counter value)
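The nonce requirement above, as an added example that is not part of the original slides: one known plaintext/ciphertext pair exposes the encrypted counter values, so a second message encrypted from the same T1 under the same key can be read without the key. Assumptions: `E` is a stand-in for the block cipher built from HMAC-SHA256, and the key, counter values and messages are constructed sample data.

```python
import hashlib
import hmac

B = 16  # block size b in bytes (128 bits, as for AES)


def E(key: bytes, block: bytes) -> bytes:
    # Stand-in for the block cipher's encryption function E(K, T) (assumption):
    # HMAC-SHA256 truncated to b bits. CTR never needs the decryption function.
    return hmac.new(key, block, hashlib.sha256).digest()[:B]


def xor(a: bytes, b: bytes) -> bytes:
    # zip() stops at the shorter input, so a short last block of u bits is
    # XORed with the most significant u bits and the remaining b-u are dropped.
    return bytes(x ^ y for x, y in zip(a, b))


def ctr_crypt(key: bytes, t1: int, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation) using counters T1, T1+1, ..."""
    out = b""
    for n, i in enumerate(range(0, len(data), B)):
        counter = ((t1 + n) % (1 << (8 * B))).to_bytes(B, "big")
        out += xor(data[i:i + B], E(key, counter))
    return out


def recover_with_known_plaintext(known_p: bytes, known_c: bytes, other_c: bytes) -> bytes:
    """P XOR C gives the encrypted counter values; if another message used the
    same counters, XORing them into its ciphertext yields its plaintext."""
    return xor(other_c, xor(known_p, known_c))


def demo():
    key = b"constructed-key!"                       # constructed sample key
    m1 = b"FROM=ALICE;TO=BOB;AMOUNT=0000100;REF=1"  # constructed, known to observer
    m2 = b"FROM=CAROL;TO=DAVE;AMOUNT=9999999"       # constructed, secret
    c1 = ctr_crypt(key, 7, m1)
    reused = ctr_crypt(key, 7, m2)      # same T1 under same key: nonce rule broken
    fresh = ctr_crypt(key, 1000, m2)    # distinct counter range
    return (recover_with_known_plaintext(m1, c1, reused),
            recover_with_known_plaintext(m1, c1, fresh), m2)


if __name__ == "__main__":
    leaked, garbage, secret = demo()
    print("reused T1 leaks plaintext:", leaked == secret[:len(leaked)])
    print("fresh T1 leaks plaintext: ", garbage == secret[:len(garbage)])
```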
Advantages/Limitations of CTR
Pre-Processing
◦ output of encryption function can be pre-processed in advance
◦ provided sufficient memory & security
Efficiency
◦ no chaining – can do parallel encryptions (h/w or s/w)
◦ good for bursty high speed links
Random Access
◦ blocks of plaintext/ciphertext can be processed in random
sequence; e.g., to decrypt just one block
Simplicity
◦ requires only encryption
Summary
Modes of Operation
◦ ECB, CBC, CFB, OFB, CTR