
Crypto Engineering Ch4BlockCipherModes-1

This document provides an overview of different block cipher modes for encrypting messages securely, including ECB, CBC, OFB, and CTR. It discusses the advantages and disadvantages of each mode, how they work, and recommendations for use. The key points are that block cipher modes are used to encrypt messages longer than one block, ECB should never be used, CBC with a random IV is generally good, and OFB and CTR generate a keystream to encrypt the plaintext like a stream cipher. Proper use of modes with authentication prevents attackers from modifying encrypted messages.

Uploaded by

urooj fatima

Matt Boehnke

Computer Science
Assistant Professor, Cyber Security

Phone: 509-542-4697
Email: [email protected]
Office hours: 12:30-1:30pm M-Th
CSIA 410-Cryptography

Part 2 – Message Security


Chapter 4 – Block Cipher Modes
• “Individual science fiction stories may
seem as trivial as ever to the blinder critics
and philosophers of today - but the core of
science fiction, its essence has become
crucial to our salvation if we are to be
saved at all.”
--Isaac Asimov
Chapter 4:
Block Cipher Modes
• Padding
• ECB (Electronic Code Book)
• CBC (Cipher Block Chaining)
– Fixed IV
– Counter IV
– Random IV
– Nonce-Generated IV
• OFB (Output FeedBack)
• CTR (Counter)
• Combined Encryption and Authentication
• Which Mode Should I use?
• Information Leakage
– Chances of a Collision
– How to Deal with Leakage
– About Our Math
• Summary
• Questions
Chapter 4:
Block Cipher Modes
• NIST Special Publication 800-38A, Recommendation for
Block Cipher Modes of Operation, Methods and
Techniques
• http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf

• Defines five confidentiality modes of operation for use with an underlying symmetric key block cipher algorithm:
– Electronic Codebook (ECB),
– Cipher Block Chaining (CBC),
– Cipher Feedback (CFB),
– Output Feedback (OFB), and
– Counter (CTR).
– Used with an underlying block cipher algorithm that is approved in a Federal Information
Processing Standard (FIPS), these modes can provide cryptographic protection for
sensitive, but unclassified, computer data.

• Block Cipher Encryption Intro


Chapter 4:
Block Cipher Modes
• Intro
– How is it used? If you want to encrypt something that
isn’t exactly one block long.
– Why? To prevent an eavesdropper from reading the
traffic.
– It does NOT provide any authentication, so attacker
can still change the message.
– Therefore, you should ALWAYS combine encryption
with authentication!!
– Modes discussed will be combined with separate
authentication functions, in chapter 6.
Chapter 4:
Block Cipher Modes
• Padding (refers to a number of distinct practices)
– A block cipher mode encrypts plaintext P to a ciphertext C,
where the plaintext and ciphertext are of an arbitrary
length.
– Requires length of plaintext to be an exact multiple of
block size.
– Therefore we need Padding.
– So How do we PAD?
Chapter 4:
Block Cipher Modes
• Padding (refers to a number of distinct practices)
– 1: Sometimes simple, appending zeros until length is
suitable (not advised; not reversible)
– 2: Determine the number of padding bytes required.
– Some messages can be lengthened by any reversible
padding scheme
– In practice, ALL padding rules add a minimum of one
byte to the length of the plaintext.
– No Cryptographic ramifications to padding.
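An added example (not from the original slides) contrasting the two padding approaches above. It assumes the common "n bytes, each of value n" rule for scheme 2, which the slide does not spell out; the function names and the 16-byte block size are illustrative.

```python
BLOCK = 16  # assumed block size in bytes (AES-sized)

def zero_pad(msg: bytes) -> bytes:
    """Scheme 1: append zero bytes up to a block boundary (not reversible)."""
    return msg + b"\x00" * (-len(msg) % BLOCK)

def pad(msg: bytes) -> bytes:
    """Scheme 2 (assumed rule): append n bytes of value n, 1 <= n <= BLOCK."""
    n = BLOCK - len(msg) % BLOCK        # a full extra block when already aligned
    return msg + bytes([n]) * n

def unpad(padded: bytes) -> bytes:
    """Strip scheme-2 padding, rejecting anything that is not well formed."""
    if not padded or len(padded) % BLOCK:
        raise ValueError("length is not a positive multiple of the block size")
    n = padded[-1]
    if not 1 <= n <= BLOCK or padded[-n:] != bytes([n]) * n:
        raise ValueError("invalid padding")
    return padded[:-n]

def demo():
    a, b = b"PAY 100", b"PAY 100\x00"        # constructed sample messages
    ambiguous = zero_pad(a) == zero_pad(b)    # receiver cannot tell them apart
    aligned = b"A" * BLOCK
    roundtrip = all(unpad(pad(m)) == m for m in (a, b, aligned, b""))
    return ambiguous, len(pad(aligned)), roundtrip
```

In a real system, verify the message authentication code first and only then unpad, so that malformed padding is never reported for unauthenticated ciphertext.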
Chapter 4:
Block Cipher Modes
• ECB (Electronic Code Book)
– Simplest method to encrypt a longer plaintext
– Encrypt each block of the message separately.
– Do NOT use ECB for anything; it has serious weaknesses
– If two plaintext blocks are the same, then the corresponding
ciphertext blocks will be identical, and this is visible to an
attacker. This can leak a lot of information to an attacker.
Chapter 4:
Block Cipher Modes
• CBC (Cipher Block Chaining)
– One of the most widely used
– Problems:
– Solved by:
• XORing each plaintext block with previous ciphertext block.
• “randomizing” the plaintext using the previous ciphertext
block
• Equal plaintext blocks will encrypt to different ciphertext
blocks, significantly reducing the information available to an
attacker.
– Left: which value to use for C0
– Initialization Vector (IV)
Chapter 4:
Block Cipher Modes
• CBC (Cipher Block Chaining)
– Initialization Vector (IV)
• An IV, or starting variable (SV), is a fixed-size input to a cryptographic primitive
that is typically required to be random or pseudorandom.
• Randomization is crucial for encryption schemes to achieve semantic
security, a property whereby repeated usage of the scheme under the same
key does NOT allow an attacker to infer relationships between segments of
the encrypted message.
• For block ciphers, the use of an IV is described by so-called modes of
operation. Randomization is also required for other primitives, such as
universal hash functions and message authentication codes based thereon.
– Fixed IV
• Should NOT use
• Introduces ECB problem for the first block of each message
• In real life, messages often start with similar or identical blocks; you don’t want an attacker to
detect this
Chapter 4:
Block Cipher Modes
• CBC (Cipher Block Chaining)
– Counter IV
• Alternative
• Use IV = 0, IV = 1, etc
• Not a good idea
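• If the first plaintext blocks differ in the same simple way as the IVs, the differences could cancel in the XOR and create identical ciphertext blocks again
• This makes it easy for an attacker to draw conclusions about the differences
between the two messages, which should not be allowed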
Chapter 4:
Block Cipher Modes
• CBC (Cipher Block Chaining)
– Random IV
• Random is good, but….
• Procedures:
• 1. Choose random IV and send it as a first block before the rest of the
encrypted message.
Chapter 4:
Block Cipher Modes
• CBC (Cipher Block Chaining)
– Random IV
• Decryption:

• Principal disadvantage: the ciphertext is one block longer than the plaintext.
• For short messages, this results in significant message expansion, which is
always undesirable.
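An added example (not part of the original slides) that makes the ECB, fixed-IV, counter-IV and random-IV points above observable on constructed messages. `E` is a truncated HMAC-SHA-256 standing in for the block cipher's encryption direction (an assumption; it is not invertible, so only encryption is shown), and all names and sample values are illustrative.

```python
import hashlib, hmac, os

BLOCK = 16
KEY = b"k" * 16                                   # constructed demo key

def E(key, block):
    # Stand-in for the cipher's encryption direction (assumption): truncated
    # HMAC-SHA-256. It is not invertible, so only encryption is shown.
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb(key, pt):
    return [E(key, p) for p in blocks(pt)]

def cbc(key, iv, pt):
    out, prev = [iv], iv                          # the IV travels as block C_0
    for p in blocks(pt):
        prev = E(key, xor(p, prev))               # C_i = E(K, P_i xor C_{i-1})
        out.append(prev)
    return out

def findings():
    hdr = b"HEADER: v1 type="                     # constructed 16-byte first block
    m1, m2 = hdr + b"A" * BLOCK, hdr + b"B" * BLOCK
    fixed = bytes(BLOCK)
    iv0, iv1 = (0).to_bytes(BLOCK, "big"), (1).to_bytes(BLOCK, "big")
    e = ecb(KEY, hdr + hdr)
    r1, r2 = cbc(KEY, os.urandom(BLOCK), m1), cbc(KEY, os.urandom(BLOCK), m1)
    return {
        "ecb_shows_repeated_block": e[0] == e[1],
        "fixed_iv_shows_equal_first_block":
            cbc(KEY, fixed, m1)[1] == cbc(KEY, fixed, m2)[1],
        # First blocks differ in the same bit as the counter IVs: the XOR cancels.
        "counter_iv_difference_cancels":
            cbc(KEY, iv0, hdr)[1] == cbc(KEY, iv1, xor(hdr, iv1))[1],
        "random_iv_hides_equal_messages": r1[1] != r2[1],
        "random_iv_extra_blocks": len(r1) - len(blocks(m1)),
    }
```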
Chapter 4:
Block Cipher Modes
• CBC (Cipher Block Chaining)
– Nonce-Generated IV
• The term nonce is most often used to refer to a “random” number in a challenge-response protocol, but the required randomness properties vary.

• A nonce is a value used no more than once for the same purpose. It typically serves to prevent (undetectable) replay.

• However, in certain settings stronger requirements are put on the nonces; for instance, in the CBC mode of operation for block ciphers the IV (nonce) needs to be unpredictable (a requirement that, when not followed, has actually led to real-life problems in the SSL/TLS protocol).
Chapter 4:
Block Cipher Modes
• CBC (Cipher Block Chaining)
– Nonce-Generated IV
• IV necessary for CBC encryption is generated by encrypting
the nonce.
• Sender numbers the messages consecutively and includes
the message number in each transmission
– 1. Assign a message number
– 2. Use the message number to construct a unique nonce (the nonce
should be as large as a single block of the block cipher)
– 3. Encrypt the nonce with the block cipher to generate the IV
– 4. Encrypt the message in CBC mode using this IV
– 5. Add enough information to the ciphertext to ensure that the receiver
can reconstruct the nonce. (Adding message numbers just in front of
the cipher text; making the message number implicit)
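The five steps above as an added example (not code from the slides or the textbook). The block cipher is a toy 4-round Feistel network built from HMAC-SHA-256, used only as a stand-in for AES; the 8-byte message-number prefix, the padding rule and all names are assumptions.

```python
import hashlib, hmac

BLOCK = 16

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, rnd, half):
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]

def enc_block(key, b):   # toy 4-round Feistel, a stand-in for AES (assumption)
    l, r = b[:8], b[8:]
    for rnd in range(4):
        l, r = r, xor(l, _f(key, rnd, r))
    return l + r

def dec_block(key, b):   # inverse permutation: undo the rounds in reverse order
    l, r = b[:8], b[8:]
    for rnd in reversed(range(4)):
        l, r = xor(r, _f(key, rnd, l)), l
    return l + r

class Sender:
    def __init__(self, key):
        self.key, self.msg_no = key, 0

    def seal(self, msg):
        self.msg_no += 1                               # 1. assign a message number
        nonce = self.msg_no.to_bytes(BLOCK, "big")     # 2. unique, one block wide
        prev = enc_block(self.key, nonce)              # 3. IV = E(K, nonce)
        n = BLOCK - len(msg) % BLOCK
        data = msg + bytes([n]) * n                    # reversible padding
        out = self.msg_no.to_bytes(8, "big")           # 5. number travels in front
        for i in range(0, len(data), BLOCK):           # 4. CBC under that IV
            prev = enc_block(self.key, xor(data[i:i + BLOCK], prev))
            out += prev
        return out

def open_message(key, wire):
    msg_no, ct = int.from_bytes(wire[:8], "big"), wire[8:]
    if not ct or len(ct) % BLOCK:
        raise ValueError("ciphertext is not a whole number of blocks")
    prev = enc_block(key, msg_no.to_bytes(BLOCK, "big"))   # rebuild nonce, then IV
    pt = b""
    for i in range(0, len(ct), BLOCK):
        pt += xor(dec_block(key, ct[i:i + BLOCK]), prev)
        prev = ct[i:i + BLOCK]
    return msg_no, pt[:-pt[-1]]
```

The wire format carries 8 bytes of message number instead of a full 16-byte IV block, and the IV itself never needs to be sent because the receiver recomputes it from the number. As the slides stress, this provides no authentication on its own.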
Chapter 4:
Block Cipher Modes
• OFB (Output FeedBack)
– Is different from the rest
– The message itself is never used as an input to the
block cipher. Instead, the block cipher is used to
generate a pseudorandom stream of bytes (Key
Stream)
– The key stream is in turn XORed with the plaintext to generate the
ciphertext
– An encryption scheme that generates such a random key
stream is called a stream cipher
– Stream ciphers (SC) are good and extremely useful, but do NOT reuse a nonce
• Cipher Feedback Mode (Encrypt and Decrypt)
• OFB Cipher Block
Chapter 4:
Block Cipher Modes
• OFB (Output FeedBack)
– Advantages
• Decryption is exactly the same operation as encryption;
saves on implementation effort.
• Don’t need any padding; reduces overhead

– Disadvantages
• If you use the same IV for two different
messages, they will be encrypted with the same key stream
– Allows an attacker to compute the difference between the two plaintexts
• If you are unlucky and a key block value repeats, the sequence of key blocks repeats from then on
– An IV may be the same as a key block halfway through the second message
– Collision attack (but 2^64 blocks of data before you expect this)
Chapter 4:
Block Cipher Modes
• CTR (Counter)
– Makes block ciphers' way of working similar to stream ciphers' way of
working.
– As in the OFB mode, keystream bits are created regardless of content
of encrypted data blocks.
– In this mode, subsequent values of an increasing counter are added to
a nonce value and the results are encrypted as usual. The nonce plays
the same role as initialization vectors in the previous modes.

Chapter 4:
Block Cipher Modes
• CTR (Counter)
– Encryption in CTR mode
Chapter 4:
Block Cipher Modes
• CTR (Counter)
– Decryption in CTR mode

• It is one of the most popular block ciphers modes of operation. Both
encryption and decryption can be performed using many threads at the
same time.
• If one bit of a plaintext or ciphertext message is damaged, only one
corresponding output bit is damaged as well. Thus, it is possible to use
various correction algorithms to restore the previous value of damaged parts
of received messages.
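An added example (not from the original slides) covering the keystream properties described for OFB and CTR above: no padding, decryption identical to encryption, one damaged bit affecting one output bit, and what a repeated nonce exposes. `E` is a truncated HMAC-SHA-256 standing in for the block cipher's encryption direction, and the counter block is formed as an 8-byte nonce followed by an 8-byte counter; both are assumptions, as are the sample messages.

```python
import hashlib, hmac

BLOCK = 16

def E(key, block):
    # Stand-in for the block cipher's encryption direction (assumption);
    # CTR and OFB never use the decryption direction.
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def ctr(key, nonce, data):
    """Encrypt or decrypt: keystream block i = E(K, nonce || i)."""
    out = b""
    for i in range(0, len(data), BLOCK):
        ks = E(key, nonce + (i // BLOCK).to_bytes(8, "big"))
        out += xor(data[i:i + BLOCK], ks)     # zip truncates: no padding needed
    return out

def findings():
    key, nonce = b"k" * 16, (1).to_bytes(8, "big")        # constructed values
    p1, p2 = b"transfer 100 to alice", b"transfer 900 to bob!!"
    c1 = ctr(key, nonce, p1)
    c2_reused = ctr(key, nonce, p2)                        # same nonce: the mistake
    c2_fresh = ctr(key, (2).to_bytes(8, "big"), p2)
    damaged = bytearray(c1)
    damaged[3] ^= 0x01                                     # one bit damaged in transit
    recovered = ctr(key, nonce, bytes(damaged))
    return {
        "same_length_no_padding": len(c1) == len(p1),
        "decrypt_is_encrypt": ctr(key, nonce, c1) == p1,
        "reuse_leaks_xor_of_plaintexts": xor(c1, c2_reused) == xor(p1, p2),
        "fresh_nonce_hides_it": xor(c1, c2_fresh) != xor(p1, p2),
        "bits_changed_by_one_bit_error":
            sum(bin(x ^ y).count("1") for x, y in zip(recovered, p1)),
    }
```

The single-bit result cuts both ways: transmission errors stay local, but a deliberate change to the ciphertext goes equally unnoticed, which is why the slides insist on combining the mode with authentication.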
Chapter 4:
Block Cipher Modes
• Combined Encryption and Authentication
– All modes discussed so far date back to 1970s.
– NIST has recently chosen to standardize two:
• CCM & GCM
• NIST 800-38D, Recommendation for Block Cipher
Modes of Operation: Galois/Counter Mode (GCM)
and GMAC
Chapter 4:
Block Cipher Modes
• Combined Encryption and Authentication
– CCM
• CCM – (Counter with CBC-MAC) is an
authenticated encryption algorithm designed to
provide both authentication and confidentiality.
• CCM mode is only defined for block ciphers with a
block length of 128 bits. In RFC 3610, it is defined
for use with AES.
• The CCM IV must be chosen so that it is never used more
than once for a given key. This is because CCM is a
derivation of CTR mode, and the latter is effectively
a stream cipher.
Chapter 4:
Block Cipher Modes
• Combined Encryption and Authentication
– GCM
• Mode of operation for symmetric key block cipher
• Widely adopted due to its efficiency and
performance
• Throughput rates for state of the art, high speed
communications channels can be achieved with
reasonable hardware resources.
• Authenticated encryption algorithm designed to
provide both data authenticity (integrity) and
confidentiality
• Block size of 128 bits
Chapter 4:
Block Cipher Modes
• Which Mode Should I use?
– Only two to use: CBC and CTR
– Recommend CBC with random IV
– Too many applications are insecure because they
do NOT generate the nonce correctly
– CTR: good if app can guarantee the nonce is unique
– CBC with random IV has disadvantages
• Ciphertext is larger
• Plaintext needs padding
• System needs a random number generator
• But robust and stands up to abuse!
Chapter 4:
Block Cipher Modes
• Which Mode Should I use?
– Always remember, encryption mode only provides
confidentiality against eavesdroppers
– An attacker can still change the data, and can still learn
through traffic analysis:
• That you are communicating
• When you are communicating
• Whom you are communicating with
Chapter 4:
Block Cipher Modes
• Information Leakage
– Dark secret: all block cipher modes leak some data
– Due to equalities and inequalities of ciphertext and
plaintext blocks
– ECB: dismissed due to this; in non-random plaintext, equal
blocks occur far more frequently than in random data,
and the ciphertext blocks reveal this structure
– CBC mode: a collision between ciphertext blocks can reveal enough information to recover
both plaintext blocks
– CTR: similar; no collisions though
– OFB is worse than CBC or CTR; disaster
Chapter 4:
Block Cipher Modes
• Information Leakage
– Chances of a Collision
• What are the chances that two ciphertext blocks are
equal?
• All that counts is the total number of blocks
• When you encrypt about 2^(n/2) blocks, you can
expect to get two ciphertext blocks that are equal
• Birthday attack: with a block size of n = 128 bits, expect the
first duplicate at 2^64 blocks of data.
Chapter 4:
Block Cipher Modes
• Information Leakage
– How to Deal with Leakage
• Get close to our design security level and limit the
damage
• CTR: leaks very little data
• CBC mode: be more restrictive (leaks 128 bits)
• Limits are on total amount of information encrypted
using a single key
• Use CTR or CBC and Limit the amount of data you
process with ANY one key (Key negotiation
protocol)
Chapter 4:
Block Cipher Modes
• Information Leakage
– About Our Math
• Cryptographic values typically behave very
randomly
• Go to great lengths to absolutely destroy all
patterns, as patterns lead to attacks
• Approximations are preferred
Chapter 4:
Summary
• Padding
• ECB (Electronic Code Book)
• CBC (Cipher Block Chaining)
– Fixed IV
– Counter IV
– Random IV
– Nonce-Generated IV
• OFB (Output FeedBack)
• CTR (Counter)
• Combined Encryption and Authentication
• Which Mode Should I use?
• Information Leakage
– Chances of a Collision
– How to Deal with Leakage
– About Our Math
Questions
