LECT 4

MODES OF OPERATIONS
MODES OF OPERATIONS
 MODES OF OPERATION
• block ciphers encrypt fixed size blocks
• eg. DES encrypts 64-bit blocks with 56-bit key

• need some way to en/decrypt arbitrary amounts of data in practice

• NIST SP 800-38A defines 5 modes
• have block and stream modes
• to cover a wide variety of applications
• can be used with any block cipher
 ELECTRONIC CODEBOOK
BOOK (ECB)
• message is broken into independent blocks which are encrypted
• each block is a value which is substituted, like a codebook, hence name
• each block is encoded independently of the other blocks
Ci = EK(Pi)

• uses: secure transmission of single values

ELECTRO
NIC
CODEBO
OK BOOK
(ECB)
ADVANTAGES AND LIMITATIONS OF ECB

➢ message repetitions may show in ciphertext

⚫ if aligned with message block
⚫ particularly with data such as graphics
⚫ or with messages that change very little, which become a code-book analysis problem
➢ weakness is due to the encrypted message blocks being independent
➢ main use is sending a few blocks of data
 CIPHER BLOCK CHAINING (CBC)
• message is broken into blocks
• linked together in encryption operation
• each previous cipher blocks is chained with current plaintext block, hence
name
• use Initial Vector (IV) to start process
Ci = EK(Pi XOR Ci-1)
C-1 = IV

• uses: bulk data encryption, authentication

CIPHER
BLOCK
CHAINING
(CBC)
 ALICE HATES ECB MODE
Part 1 ⎯ Cryptography
10

• Alice’s uncompressed image, and ECB encrypted (TEA)

❑ Why does this happen?

❑ Same plaintext yields same ciphertext!
 ALICE LIKES CBC MODE
Part 1 ⎯ Cryptography
11

• Alice’s uncompressed image, Alice CBC encrypted (TEA)

❑ Why does this happen?

❑ Same plaintext yields different ciphertext!
 MESSAGE PADDING
➢ at end of message must handle a possible last short block
⚫ which is not as large as blocksize of cipher
⚫ pad either with known non-data value (eg nulls)
⚫ or pad last block along with count of pad size
• eg. [ b1 b2 b3 0 0 0 0 5]
• means have 3 data bytes, then 5 bytes pad + count
⚫ this may require an extra entire block over those in message
➢ there are other, more esoteric modes, which avoid the need for an extra
block
ADVANTAGES AND LIMITATIONS OF
CBC
➢ a ciphertext block depends on all blocks before it
➢ any change to a block affects all following ciphertext blocks
➢ need Initialization Vector (IV)
⚫which must be known to sender & receiver
⚫if sent in clear, attacker can change bits of first block, and
change IV to compensate
⚫hence IV must either be a fixed value (as in EFTPOS)
⚫or must be sent encrypted in ECB mode before rest of
message
 STREAM MODES OF OPERATION
• block modes encrypt entire block
• may need to operate on smaller units
• real time data

• convert block cipher into stream cipher

• cipher feedback (CFB) mode
• output feedback (OFB) mode
• counter (CTR) mode

• use block cipher as some form of pseudo-random number generator

CIPHER FEEDBACK (CFB)

• message is treated as a stream of bits

• added to the output of the block cipher
• result is feed back for next stage (hence name)
• standard allows any number of bit (1,8, 64 or 128
etc) to be feed back
• denoted CFB-1, CFB-8, CFB-64, CFB-128 etc
• most efficient to use all bits in block (64 or 128)
Ci = Pi XOR EK(Ci-1)
C-1 = IV
• uses: stream data encryption, authentication
S-BIT
CIPHER
FEEDBACK
(CFB-S)
ADVANTAGES AND
LIMITATIONS OF CFB
➢ appropriate when data arrives in bits/bytes
➢ most common stream mode
➢ limitation is: need to stall while do block encryption after
every n-bits
➢ note that the block cipher is used in encryption mode at
both ends
➢ errors propagate for several blocks after the error
 OUTPUT FEEDBACK (OFB)
• message is treated as a stream of bits
• output of cipher is added to message
• output is then feed back (hence name)
• feedback is independent of message
• can be computed in advance
Oi = EK(Oi-1)
Ci = Pi XOR Oi
O-1 = IV
• uses: stream encryption on noisy channels
OUTPUT
FEEDBACK
(OFB)
ADVANTAGES AND
LIMITATIONS OF OFB
➢needs an IV which is unique for each use
⚫ if ever reuse attacker can recover outputs
➢bit errors do not propagate
➢more vulnerable to message stream
modification
➢sender & receiver must remain in sync
➢only use with full block feedback
⚫subsequent research has shown that only full
block feedback (ie CFB-64 or CFB-128) should
ever be used
COUNTER (CTR)

• a “new” mode, though proposed early on

• similar to OFB but encrypts counter value rather than any
feedback value
• must have a different key & counter value for every
plaintext block (never reused)
Oi = EK(i)
Ci = Pi XOR Oi

• uses: high-speed network encryptions

COUNTER
(CTR)
ADVANTAGES AND
LIMITATIONS OF CTR
• efficiency
• can do parallel encryptions in h/w or s/w
• can preprocess in advance of need
• good for bursty high speed links

• random access to encrypted data blocks

• provable security (good as other modes)
• but must ensure never reuse key/counter values, otherwise
could break (cf OFB)
24 REMARKS ON ECB

• Strength: it’s simple.

• Weakness:
• Repetitive information contained in the plaintext may show in the
ciphertext, if aligned with blocks.
• If the same message (e.g., an SSN) is encrypted (with the same key)
and sent twice, their ciphertexts are the same.

• Typical application: secure transmission of

short pieces of information (e.g. a
temporary encryption key)
25 REMARKS ON CBC

• The encryption of a block depends on the current and

all blocks before it.

• So, repeated plaintext blocks are encrypted differently.

• Initialization Vector (IV)

• Must be known to both the sender & receiver
• Typically, IV is either a fixed value or is sent encrypted in
ECB mode before the rest of ciphertext.
26
• Without knowing the key k , for any data block x,
Ek ( x ) is unknown to the adversary.

• To encrypt P1 , P2 , P3 ,..., we may use Ek to generate

a key stream (a sequence of "masks")
K1 , K 2 , K 3 ,..., and encrypt Pi as Ci = Pi  Ki .

• Three different ways to generate K1 , K 2 , K 3 ,...

 27 REMARK ON CFB

• The block cipher is used as a stream cipher.

• Appropriate when data arrives in bits/bytes.
• s can be any value; a common value is s = 8.
• A ciphertext segment depends on the current and all
preceding plaintext segments.
• A corrupted ciphertext segment during transmission
will affect the current and next several plaintext
segments.
 28 REMARK ON OFB

• The block cipher is used as a stream cipher.

• Appropriate when data arrives in bits/bytes.
• Advantage:
• more resistant to transmission errors; a bit error in a ciphertext
segment affects only the decryption of that segment.
• Disadvantage:
• Cannot recover from lost ciphertext segments; if a ciphertext segment
is lost, all following segments will be decrypted incorrectly (if the
receiver is not aware of the segment loss).
• IV should be generated randomly each time and sent with the
ciphertext.
 29 REMARK ON CTR

• Strengthes:
• Needs only the encryption algorithm
• Fast encryption/decryption; blocks can be processed
(encrypted or decrypted) in parallel; good for high speed
links
• Random access to encrypted data blocks

• IV should not be reused.

QUESTION
IN THE ELECTRONIC CODEBOOK (ECB)
MODE OF OPERATION, HOW ARE
BLOCKS OF PLAINTEXT ENCRYPTED?

• A. Independently, with the same key

B. Chained, where the output of one block
affects the next
C. Combined with a nonce
D. Using a hash function
ANSWER

• A. Independently, with the same key

WHAT IS ONE LIMITATION OF THE ECB MODE?

• A. Requires a large key size

B. Sequential processing only
C. Repeats ciphertext for identical plaintext
D. Cannot work with short messages
ANSWER

• C. Repeats ciphertext for identical plaintext

WHICH MODE OF OPERATION INTRODUCES A RANDOM
INITIALIZATION VECTOR (IV) TO ENSURE IDENTICAL PLAINTEXT
BLOCKS RESULT IN DIFFERENT CIPHERTEXT BLOCKS?

• A. ECB
B. CTR
C. CBC
ANSWER

• C. CBC (Cipher Block Chaining)

WHICH MODE REQUIRES AN INITIALIZATION VECTOR
(IV) FOR ADDED SECURITY?

• A. ECB
B. CBC
C. RSA
D. SHA
ANSWER

• B. CBC (Cipher Block Chaining)

WHAT IS A PRIMARY ADVANTAGE OF THE CBC
MODE?

• A. It allows block parallelism.

B. Identical plaintext blocks produce different ciphertext
blocks.
C. It does not require an initialization vector.
D. It is faster than ECB mode.
ANSWER

• B. Identical plaintext blocks produce different ciphertext

blocks.
IN CFB MODE, WHAT IS FED
BACK INTO THE ENCRYPTION
PROCESS?
• A. The plaintext block
B. The ciphertext block
C. The key schedule
D. The IV
ANSWER

• B. The ciphertext block

WHY IS AN IV REQUIRED IN CBC
AND OTHER SIMILAR MODES?

• A. To reduce memory usage

B. To prevent reuse of the same ciphertext for identical
plaintext
C. To eliminate the need for a key
D. To simplify the encryption algorithm
ANSWER

• B. To prevent reuse of the same ciphertext for identical

plaintext
WHAT HAPPENS IN ECB MODE IF A SINGLE
CIPHERTEXT BLOCK IS CORRUPTED?

• A. The entire plaintext is corrupted.

B. Only the corresponding plaintext block is corrupted.
C. All subsequent blocks are corrupted.
D. Decryption becomes impossible.
ANSWER

• B. Only the corresponding plaintext block is corrupted.