Outline

▪ Multiple encryption and triple DES

▪ Electronic Code Book Mode
▪ Cipher Block Chaining Mode
▪ Cipher Feedback Mode
▪ Output Feedback Mode
▪ Counter Mode
Block Cipher Modes of Operations
▪ To apply a block cipher in a variety of applications, five "modes of
operation" have been defined.
1. Electronic Code Book (ECB)
2. Cipher Block Chaining (CBC)
3. Cipher Feedback (CFB)
4. Output Feedback (OFB)
5. Counter (CTR)
▪ The five modes are intended to cover a wide variety of
applications of encryption for which a block cipher could be used.
▪ These modes are intended for use with any symmetric block
cipher, including triple DES and AES.
Block Cipher Modes of Operations
▪ Block cipher: operates on fixed length b-bit input to produce b-bit
ciphertext.
▪ What about encrypting plaintext longer than b bits?
▪ Break plaintext into b-bit blocks (padding if necessary) and apply
cipher on each block.
1. ECB Encryption & Decryption
P1 P2 PN
64-bit 64-bit 64-bit
K K K
Encrypt Encrypt … Encrypt

64-bit 64-bit 64-bit

C1 C2 CN

C1 C2 CN
64-bit 64-bit 64-bit
K K K
Decrypt Decrypt … Decrypt

64-bit 64-bit 64-bit

P1 P2 PN
Electronic Code Book (ECB) (cont…)
▪ In ECB Mode Plaintext handled one block at a time and each block
of plaintext is encrypted using the same key.
▪ The term codebook is used because, for a given key, there is a
unique ciphertext for every b-bit block of plaintext.
Electronic Code Book (ECB) (cont…)
▪ ECB Advantages:
• No block synchronization between sender and receiver is
required.
OK if some blocks are lost in transit.
• Bit errors caused by noisy channels only affect the
corresponding block but not succeeding blocks.
• Block cipher operating can be parallelized.
Electronic Code Book (ECB) (cont…)
▪ ECB Disadvantages:
• Identical plaintexts result in identical ciphertexts.
• An attacker recognizes if the same message has been sent
twice simply by looking at the ciphertext.
• Plaintext blocks are encrypted independently of previous
blocks.
An attacker may reorder ciphertext blocks which results in
valid plaintext.
Substitution Attack on ECB
▪ Consider an electronic bank transfer
1 2 3 4 5
Sending Sending Receiving Receiving Amount
Bank A Account # Bank B Account # $

▪ The attacker sends $1.00 transfers from his account at bank A to

his account at bank B repeatedly.
▪ He can check for ciphertext blocks that repeat, and he stores
blocks 1,3 and 4 of these transfers.
▪ He now simply replaces block 4 of other transfers with the block 4
that he stored before.
▪ All transfers from some account of bank A to some account of
bank B are redirected to go into the attacker’s B account.
Electronic Code Book (cont…)
▪ Strength: it’s simple.
▪ Weakness:
• Problem: with long message, repetition in plaintext may cause
repetition in ciphertext.
▪ Typical application:
• Secure transmission of short pieces of information (e.g. a
temporary encryption key).
2. CBC - Encryption & Decryption
P1 P2 PN
IV CN-1
K K K
Encrypt Encrypt … Encrypt

C1 C2 CN

C1 C2 CN
K K K
Decrypt Decrypt … Decrypt
IV CN-1

P1 P2 PN
Cipher Block Chaining (CBC) (cont…)
Cipher Block Chaining (CBC) (cont…)
▪ CBC is a technique in which the same plaintext block, if repeated,
produces different ciphertext blocks.
▪ In this scheme, the input to the encryption algorithm is the XOR of
the current plaintext block and the preceding ciphertext block and
the same key is used for each block.
▪ To produce the first block of ciphertext, an initialization vector (IV)
is XORed with the first block of plaintext.
Cipher Block Chaining (CBC) (cont…)
▪ Initialisation Vector (IV) must be known by sender/receiver, but it
should be kept secret from attacker.
▪ On decryption, the IV is XORed with the output of the decryption
algorithm to recover the first block of plaintext.
Substitution Attack on CBC
▪ Consider the last example (electronic bank transfer).
▪ If the IV is properly chosen for every wire transfer, the attack will
not work at all.
▪ If the IV is kept the same for several transfers, the attacker would
recognize the transfers from his account at bank A to back B.
Cipher Block Chaining (CBC) (cont…)
▪ Strength: because of the chaining mechanism of CBC, it is an
appropriate mode for encrypting messages of length greater than
b bits.
▪ Typical application:
• General-purpose block oriented transmission
• Authentication
3. Cipher Feedback Mode (CFB)
▪ For AES, DES, or any block cipher, encryption is performed on a
block of b bits. In DES, b = 64 and in AES, b = 128.
▪ However, it is possible to convert a block cipher into a stream
cipher, using cipher feedback (CFB) mode, output feedback (OFB)
mode, and counter (CTR) mode.
▪ A stream cipher eliminates the need to pad a message to be an
integral number of blocks.
 CFB Encryption
CN-1
Shift register Shift register
IV b-s bits | s bits b-s bits | s bits
K K K
Encrypt Encrypt Encrypt

Select Discard
s bits b-s bits
Select Discard
s bits b-s bits
… Select Discard
s bits b-s bits
S bits S bits S bits
P1 P2 PN

C1 C2 CN
S bits S bits S bits
CFB Encryption (cont…)
CFB Decryption
CN-1
Shift register Shift register
IV b-s bits | s bits b-s bits | s bits
K K K
Encrypt Encrypt Encrypt

Select Discard
s bits b-s bits
Select Discard
s bits b-s bits
… Select Discard
s bits b-s bits

C1 C2 CN
S bits S bits S bits

P1 P2 PN
S bits S bits S bits
CFB Decryption (Cont…)
Cipher Feedback Mode (CFB) (cont…)
▪ The input to the encryption function is a b-bit shift register that is
initially set to some initialization vector (IV).
▪ The leftmost (most significant) s bits of the output of the
encryption function are XORed with the first segment of plaintext
P1 to produce the first unit of ciphertext C1 , which is then
transmitted.
▪ In addition, the contents of the shift register are shifted left by s
bits, and C1 is placed in the rightmost (least significant) s bits of
the shift register.
▪ For decryption, the same scheme is used, except that the received
ciphertext unit is XORed with the output of the encryption
function to produce the plaintext unit.
4. OFB Encryption
Nonce
K K K
Encrypt Encrypt … Encrypt

P1 P2 PN

C1 C2 CN
OFB Decryption
Nonce
K K K
Encrypt Encrypt … Encrypt

C1 C2 CN

P1 P2 PN
Output Feedback Mode(OFB) (cont..)
▪ The output feedback (OFB) mode is similar in structure to that of
CFB.
▪ For OFB, the output of the encryption function is fed back to
become the input for encrypting the next block of plaintext.
▪ In CFB, the output of the XOR unit is fed back to become input for
encrypting the next block.
▪ The other difference is that the OFB mode operates on full blocks
of plaintext and ciphertext, whereas CFB operates on an s-bit
subset.
OFB Mode (cont..)
▪ Nonce: A time-varying value that has at most a negligible chance
of repeating, for example, a random value that is generated anew
for each use, a timestamp, a sequence number, or some
combination of these.
▪ Each bit in the ciphertext is independent of the previous bit or
bits.
▪ This avoids error propagation.
▪ Pre-compute of forward cipher is possible.
5. CTR Encryption
Counter 1 Counter 2 Counter N
K K K
Encrypt Encrypt … Encrypt

P1 P2 PN

C1 C2 CN
CTR Decryption
Counter 1 Counter 2 Counter N
K K K
Encrypt Encrypt … Encrypt

C1 C2 CN

P1 P2 PN
Counter Mode (CTR) (cont…)
▪ Counter (CTR) mode has increased recently with applications to
ATM (asynchronous transfer mode) network security and IP sec
(IP security).
▪ A counter equal to the plaintext block size is used.
▪ The counter value must be different for each plaintext block that
is encrypted.
▪ Typically, the counter is initialized to some value and then
incremented by 1 for each subsequent block.
Advantages of the CTR Mode
▪ Strengths:
• Needs only the encryption algorithm.
• Random access to encrypted data blocks.
• blocks can be processed (encrypted or decrypted) in parallel.
• Simple and fast encryption/decryption.
▪ Counter must be
• Must be unknown and unpredictable.
• pseudo-randomness in the key stream is a goal.
Summary of all modes
Operation Description Type of
Mode Result
ECB Each n-bit block is encrypted Block Cipher
independently with same key.
CBC Same as ECB, but each block is XORed Block Cipher
with previous cipher text.
CFB Each s-bit block is XORed with s-bit key Stream Cipher
which is part of previous cipher text.
OFB Same as CFB, but input to the encryption Stream Cipher
is preceding encryption output.
CTR Same as OFB, but a counter is used Stream Cipher
instead of nonce.
Multiple Encryption
▪ Given the potential vulnerability of DES to a brute-force attack,
there has been considerable interest in finding an alternative.
▪ For DES requires 256 operations for brute force attack.
▪ One approach is to design a completely new algorithm, of which
AES is a prime example.
▪ Another alternative, which would preserve the existing
investment in software and equipment, is to use multiple
encryption with DES and multiple keys.
 Double DES
Key K1 Key K2

Plaintext Encryption Encryption Ciphertext

Encryption

Key K2 Key K1

Ciphertext Decryption Decryption Plaintext

Decryption
Double DES

C=E(K2,E(K1, P))

X = E(K1, P) = D(K2, C)

P=D(K1,D(K2, C))
Double DES
▪ For double DES, 2 × 56-bit keys, meaning 112-bit key length.
▪ Requires 2112 operations for brute force attack.
▪ Meet-in-the-middle attack makes it easier.
Meet in the Middle Attack
▪ This attack involves encryption from one end, decryption from the
other and matching the results in the middle.
▪ Suppose cryptanalyst knows Pi and corresponding Ci.
▪ Now, the aim is to obtain the values of K1 and K2.
All Possible keys All Possible keys
K1 = 256 K2 = 256

Known Known
Plaintext Middle Ciphertext
Encryption Decryption
Text

▪ No. of Encryptions and Decryptions: 256 + 256 = 257

▪ For Double DES requires 257 operations for brute force attack.
Meet in the Middle Attack Step-1
▪ For all possible values (256) of key K1, the cryptanalyst would
encrypt the known plaintext by performing E(K1,P).
▪ The cryptanalyst would store output in a table.

Possible Keys P Table of

(Key = K1) Cipher Text
00 010
01 110
10 Encrypt 101
11 000

Cryptanalyst encryption
operation
Meet in the Middle Attack Step-2
▪ Cryptanalyst decrypt the known ciphertext with all possible values of
K2.
▪ In each case cryptanalyst will compare the resulting value with the all
values in the table of ciphertext.

Possible Keys C Table of

(Key = K1) Cipher Text
00 111 For each
01 110 result do a
10 Decrypt 001 table look
11 011 up

Cryptanalyst decryption
operation
Triple DES

C=E(K1,D(K2, E(K1,P)))

P=D(K1,E(K2, D(K1,C)))
Meet in the Middle Attack

Possible Possible
Keys P Table of Table of C Keys
(Key = K1) Cipher Text Cipher Text (Key = K1)
00 010 111 00
Find equal
01 110 match and store 011 01
10
E 101 corresponding 001
D 10
K1 and K2.
11 000 110 11

Values of K1=01 and K2=11

Triple DES
Key K1 Key K2 Key K1

A B
Plaintext E D E Ciphertext

Key K1 Key K2 Key K1

B A
Ciphertext D E D Plaintext