INFORMATION SECURITY

SENS-4533

Week 7
Block Cipher Modes

Dr Nauman Mazhar
Faculty of Information Technology
University of Central Punjab (UCP)
Outline

 Block cipher modes of operation

◦ Electronic Codebook (ECB)

◦ Cipher Block Chaining (CBC)

◦ Cipher Feedback (CFB)

◦ Output Feedback (OFB)

◦ Counter (CTR)

2
Modes of Operation
 Block ciphers encrypt fixed size blocks
◦ DES 64 bit block, AES 128 bit block

 If plaintext larger than block size

◦ break into smaller blocks

 When multiple blocks encrypted with same key, security

issues arise... !!
 Block Cipher Modes…
“modes are defined to adapt encryption algo for an application,
to enhance effectiveness of algo”
 5 modes defined for block ciphers; cover a range of appl

3
Block Cipher Modes of Operation

 Electronic Codebook (ECB)

Block Modes
 Cipher Block Chaining (CBC)

 Cipher Feedback (CFB)

 Output Feedback (OFB) Stream Modes
 Counter (CTR)

4
Block Modes

5
Electronic Codebook Book (ECB)
 Message broken into ’b’ bit blocks
 All blocks encrypted with same key
Ci = E(K, Pi)
Pi = D(K, Ci)

each block encrypted independent of others

 Cipher regarded as gigantic ‘Codebook’...

for one key → a unique Ci block exists for every Pi block
(one entry for every plaintext block & its ciphertext)

 Use: secure Tx of single, short values; e.g encryption keys

6
Electronic
Codebook
Book
(ECB)

7
Limitations
 If b bit plaintext block appears more than once in message,
always produces same ciphertext
 ECB not secure for lengthy & highly structured messages...
◦ if message has repeating elements (at multiple of b bits)
 cryptanalysis is easier
 modification attack – attacker can substitute/rearrange blocks
 replay attack possible
◦ if message has predefined fields
 known plaintext ciphertext pairs become available
 Weakness due to...
message blocks being encrypted independently

8
Cipher Block Chaining (CBC)
 A technique that produces different ciphertext blocks
for repeated plaintext blocks, using same key
 CBC Mode:
◦ current plaintext block XORed with previous ciphertext block,
& then encrypted
(previous cipher block chained with current plaintext block)

Ci = E(K,[Pi XOR Ci-1])

 Use Initialization Vector (IV) at the start...

C0 = IV
 Prevents same P from making same C
9
CBC

10
Cipher Block Chaining (CBC)
 Initialization Vector (IV) known to sender & receiver
◦ should be unpredictable
 To generate IV…
◦ generate random data block using random number generator
◦ apply encryption to a Nonce
Nonce (NIST SP-800-90)
A time-varying value, with a negligible
chance of repeating
may be a counter, timestamp, or message number,
unique to each execution of encryption operation
 CBC Use: bulk data encryption
11
Advantages/Limitations of CBC
 Each ciphertext block depends on all earlier message blocks
◦ memory-based chaining
◦ identical plaintext Pi = Pk do not result in same output
◦ prevents Replay Attacks

 IV needs to be protected...
◦ attacker can change IV bits to change corresponding bits of
received plaintext P1
IV bit “1” → P bit value inverted
IV bit “0” → P bit value same

 IV may be sent encrypted in ECB mode

12
Message Padding
 Padding is needed, when message size less than cipher block
size
◦ possible short block, at the end of message

 How to pad data...

◦ pad with known Non-data value
e.g, NULLs

◦ pad last block along with count of pad size

e.g, [ b1 b2 b3 0 0 0 0 5]
means, 3 data bytes, then 5 padded bytes (padding+count)

13
Stream Modes

14
Stream Modes of Operation
 Block modes encrypt entire block
 Block cipher may be used as Stream cipher
o operate on smaller units (e.g, bytes, for real time data)
o no need of padding

 Block cipher used as Pseudo Random Number generator

◦ generates key stream

 Following modes used…

o Cipher Feedback (CFB) mode
o Output Feedback (OFB) mode
o Counter (CTR) mode

15
Cipher FeedBack (CFB)
 CFB regards unit of encryption as ‘s’ bits
◦ most common value of ‘s’ is 8

 Message ‘P’ treated as plaintext stream of ‘s’ bits

◦ encryption function is used to generate key stream
◦ to encrypt/drcrypt, message XORed with output of encryption
function
◦ resulting cipherext fed back for next stage
(hence named)

 Units of plaintext chained together

◦ ciphertext is function of all preceding plaintext

16
s-bit
Cipher
Feedback
(CFB-s)

17
CFB
 Input to encryption function is b bit shift register
◦ initially set to some IV

 Leftmost ‘s’ bits of encryption output, XORed with s bit

plaintext, to produce s bit ciphertext C1
 For next operation, shift register contents shifted s bit left,
and C1 placed in rightmost ‘s’ bits
Ci = Pi XOR MSBs[Oi]
Oi = E(K,Ii)
Ii = LSBb-s[Ii-1] || Ci-1
I0 = IV
 Uses: stream data encryption
18
Advantages/Limitations of CFB
 Block cipher used in encryption mode at both ends
 Viewed as stream cipher, but structure not exactly same
Stream Cipher:
◦ IV & key used to generate a random bitstream (keystream)
◦ keystream then XORed with plaintext
CFB:
◦ bitstream XORed with plaintext, also depends on plaintext

 Error propagates, after a Tx bit error

◦ ciphertext (at receiver) effects next block too
◦ not good for noisy links

19
Output FeedBack (OFB)
 OFB mode similar in structure to CFB, except...
◦ output of encryption function fed back to shift register
◦ feedback independent of message
 OFB operates on full blocks (not ‘s’ bits)
Ci = Pi XOR Oi
Oi = E(K,Oi-1)
O0 = IV = Nonce
 If block size is ‘b’ and last block is ‘u’ bits (u<b)
◦ most significant ‘u’ bits of last output block ON used for XOR
 Typical stream cipher structure
◦ bitstream generated using IV/key – independent of plaintext

20
OFB

21
Advantages/Limitations of OFB
 Output values can be pre-computed
 Tx bit errors do not propagate
◦ Use: stream encryption over noisy channels

 Needs an IV (nonce), unique for each use

◦ for a given key/IV, sequence of output blocks Oi is same
◦ if two messages have identical plaintext blocks at same position,
result in same ciphertext blocks

 Vulnerable to message stream modification...

• inverting a ciphertext bit, inverts relevant plaintext bit
• controlled changes to recovered plaintext possible
• but attacker also needs to change message checksum

22
Counter (CTR)
 Similar to OFB but encrypts counter value rather than any
feedback value
◦ counter value T equal to plaintext block size ‘b’
◦ value different for each plaintext block
◦ usually, counter initialized, then incremented for each block

 Counter value encrypted; then XORed with plaintext

Ci = Pi XOR E(K,Ti)

 Need to share initial value of T with destination

 Uses: high-speed network encryptions

23
CTR

24
Counter (CTR)
 If block size is ‘b’ and last plaintext block is ‘u’ bits (u<b)
o most significant ‘u’ bits of last encrypted counter value used
for XOR
o remaining ‘b-u’ bits discarded
 No need to pad plaintext
◦ unlike ECB, CBC
 As with OFB, initial counter value must be a Nonce
◦ T1 must be different for all messages encrypted with same key
◦ If plaintext block known, corresponding to a Counter value, then
output of encryption function can be determined from associated
ciphertext
◦ allows to determine other plaintext blocks
(for same Counter value)
25
Advantages/Limitations of CTR
 Pre-Processing
◦ output of encryption function can be pre-processed in advance
◦ provided sufficient memory & security
 Efficiency
◦ no chaining – can do parallel encryptions (h/w or s/w)
◦ good for bursty high speed links
 Random Access
◦ blocks of plaintext/ciphertext can be processed in random
sequence; e.g, to decrypt just one block
 Simplicity
◦ requires only encryption

26
Summary
 Modes of Operation
◦ ECB, CBC, CFB, OFB, CTR

27