7/31/2019 Block Cipher Algorithm Modes
1/9
Block Cipher Algorithm Modes
In cryptography, modes of operation are the procedures that enable the repeated and
secure use of a block cipher under a single key. A block cipher by itself allows encryption only of
a single data block of the cipher's block length. When targeting a variable-length message, the
data must first be partitioned into separate cipher blocks. Typically, the last block must also be
extended to match the cipher's block length using a suitable padding scheme. A mode of
operation describes the process of encrypting each of these blocks, and generally
uses randomization based on an additional input value, often called an initialization vector, to
allow doing so safely.
Modes of operation have primarily been defined for encryption
and authentication. Historically, encryption modes have been studied extensively in regard to
their error propagation properties under various scenarios of data modification. Later
development regarded integrity protection as an entirely separate cryptographic goal from
encryption. Some modern modes of operation combine encryption and authentication in an
efficient way, and are known as authenticated encryption modes.
While modes of operation are commonly associated with symmetric encryption, they may
also be applied to public-key encryption primitives such as RSA in principle (though in practice
public-key encryption of longer messages is generally realized using hybrid encryption).
Initialization vector (IV)
An initialization vector (IV) is a block of bits that is used by several modes to randomize
the encryption and hence to produce distinct ciphertexts even if the same plaintext is encrypted
multiple times, without the need for a slower re-keying process.
An initialization vector has different security requirements than a key, so the IV usually
does not need to be secret. However, in most cases, it is important that an initialization vector is
never reused under the same key. For CBC and CFB, reusing an IV leaks some information
about the first block of plaintext, and about any common prefix shared by the two messages. For
OFB and CTR, reusing an IV completely destroys confidentiality: both messages are XORed with
the same keystream, so XORing the two ciphertexts together cancels the keystream and yields the
XOR of the two plaintexts. In CBC mode, the IV must, in addition, be unpredictable at encryption
time; in particular, the (previously) common practice of re-using the last ciphertext block of a
message as the IV for the next message is insecure (for example, this method was used by
SSL 2.0). If an attacker knows the IV (or the previous block of ciphertext) before they specify the
next plaintext, they can check their guess about the plaintext of some block that was encrypted
with the same key before (this is known as the TLS CBC IV attack).
As a special case, if the plaintexts are always small enough to fit into a single block (with
no padding), then with some modes (ECB, CBC, PCBC), re-using an IV will leak only whether
two plaintexts are equal. This can be useful in cases where one wishes to be able to test for
equality without decrypting or separately storing a hash.
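The IV-reuse warning for OFB and CTR above is worth seeing in code. The following is an added example, not part of the original page: the keystream is random bytes standing in for the block-cipher outputs that OFB or CTR would produce for a given key and IV, and the two messages are constructed. Encrypting both under the same keystream lets an attacker who knows one message read the other, or drag a guessed fragment (a crib) across the XOR of the two ciphertexts.

```python
# Added example, not from the page: what IV (hence keystream) reuse costs in a
# keystream mode such as OFB or CTR. The keystream here is random bytes standing
# in for E_K outputs; the two messages are constructed test inputs.
import os
import string


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream_encrypt(keystream: bytes, pt: bytes) -> bytes:
    """Any OFB/CTR style mode reduces to this: C = P xor keystream."""
    assert len(keystream) >= len(pt)
    return xor_bytes(pt, keystream)


def recover_other_plaintext(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """With a shared keystream, c1 xor c2 == p1 xor p2, so p2 = c1 xor c2 xor p1."""
    return xor_bytes(xor_bytes(c1, c2), known_p1)


PRINTABLE = set(string.printable.encode()) - set(b"\x0b\x0c")


def drag_crib(c1: bytes, c2: bytes, crib: bytes):
    """Slide a guessed fragment of one message along c1 xor c2; offsets where
    the guess is right yield readable text from the other message."""
    delta = xor_bytes(c1, c2)
    hits = []
    for off in range(len(delta) - len(crib) + 1):
        candidate = xor_bytes(delta[off:off + len(crib)], crib)
        if all(b in PRINTABLE for b in candidate):
            hits.append((off, candidate))
    return hits


P1 = b"transfer 100 EUR to account 4711"   # constructed
P2 = b"transfer 950 EUR to account 9009"   # constructed, encrypted with the same keystream


def demo():
    keystream = os.urandom(len(P1))   # same key + same IV would reproduce this in OFB/CTR
    c1 = keystream_encrypt(keystream, P1)
    c2 = keystream_encrypt(keystream, P2)
    return {
        "p2_from_p1": recover_other_plaintext(c1, c2, P1),
        "crib_hits": drag_crib(c1, c2, b"100 EUR"),
    }
```

Nothing about the block cipher matters here: once the keystream repeats, the ciphertexts cancel it out, which is why a CTR nonce or OFB IV must be unique per message under a key, and why the check belongs in the code that assigns IVs rather than in a review after the fact.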
Padding
A block cipher works on units of a fixed size (known as a block size), but messages come
in a variety of lengths. So some modes (namely ECB and CBC) require that the final block be
padded before encryption. Several padding schemes exist. The simplest is to add null bytes to
the plaintext to bring its length up to a multiple of the block size, but care must be taken that the
original length of the plaintext can be recovered; this is so, for example, if the plaintext is
a C style string which contains no null bytes except at the end. Slightly more complex is the
original DES method, which is to add a single one bit, followed by enough zero bits to fill out
the block; if the message ends on a block boundary, a whole padding block will be added. Most
sophisticated are CBC-specific schemes such as ciphertext stealing or residual block termination,
which do not cause any extra ciphertext, at the expense of some additional
complexity. Schneier and Ferguson suggest two possibilities, both simple: append a byte with
value 128 (hex 80), followed by as many zero bytes as needed to fill the last block, or pad the
last block with n bytes all with value n.
CFB, OFB and CTR modes do not require any special measures to handle messages
whose lengths are not multiples of the block size, since the modes work by XORing the plaintext
with the output of the block cipher. The last partial block of plaintext is XORed with the first few
bytes of the last keystream block, producing a final ciphertext block that is the same size as the
final partial plaintext block. This characteristic of stream ciphers makes them suitable for
applications that require the encrypted ciphertext data to be the same size as the original plaintext
data, and for applications that transmit data in streaming form where it is inconvenient to add
padding bytes.
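The two schemes the section credits to Schneier and Ferguson, and the pitfall with plain null-byte padding, as an added example (not code from the page; the 16-byte block size is an assumption):

```python
# Added example, not from the page: the two byte-oriented padding schemes the
# section attributes to Schneier and Ferguson, plus a check of why plain
# null-byte padding loses information. BLOCK_SIZE = 16 is an assumption.
BLOCK_SIZE = 16


def pad_pkcs7(msg: bytes, block_size: int = BLOCK_SIZE) -> bytes:
    """Pad the last block with n bytes all of value n (1 <= n <= block_size).
    A message that already ends on a block boundary gets a whole extra block,
    so the original length is always recoverable."""
    n = block_size - (len(msg) % block_size)
    return msg + bytes([n]) * n


def unpad_pkcs7(padded: bytes, block_size: int = BLOCK_SIZE) -> bytes:
    """Strip n-bytes-of-value-n padding, rejecting anything malformed."""
    if not padded or len(padded) % block_size:
        raise ValueError("invalid padding")
    n = padded[-1]
    if not 1 <= n <= block_size or padded[-n:] != bytes([n]) * n:
        raise ValueError("invalid padding")
    return padded[:-n]


def pad_80(msg: bytes, block_size: int = BLOCK_SIZE) -> bytes:
    """Append one 0x80 byte, then zero bytes up to the block boundary (the
    byte-oriented form of the DES one-bit-then-zeros scheme)."""
    n = block_size - (len(msg) % block_size)
    return msg + b"\x80" + b"\x00" * (n - 1)


def unpad_80(padded: bytes, block_size: int = BLOCK_SIZE) -> bytes:
    if not padded or len(padded) % block_size:
        raise ValueError("invalid padding")
    body = padded.rstrip(b"\x00")        # the 0x80 marker protects the message's own zeros
    if not body or body[-1] != 0x80:
        raise ValueError("invalid padding")
    return body[:-1]


def null_pad_roundtrip(msg: bytes, block_size: int = BLOCK_SIZE) -> bytes:
    """The naive scheme: pad with zero bytes, strip trailing zeros afterwards.
    Returns what the receiver recovers, which differs from msg whenever the
    message itself ended in zero bytes."""
    n = (-len(msg)) % block_size
    return (msg + b"\x00" * n).rstrip(b"\x00")
```

The unpad functions reject malformed padding, which is the right thing to do, but in a CBC decryptor the caller must make sure a padding failure is not distinguishable from any other decryption failure (in timing or in error messages); otherwise the check becomes a padding oracle that lets an attacker decrypt ciphertexts block by block.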
Electronic codebook (ECB)
The simplest of the encryption modes is the electronic codebook (ECB) mode. The message is
divided into blocks and each block is encrypted separately. Because identical plaintext blocks
encrypt to identical ciphertext blocks under the same key, ECB does not hide data patterns and
should not be used for messages longer than one block.
Cipher-block chaining (CBC)
If the first block has index 1, the mathematical formula for CBC encryption is

while the mathematical formula for CBC decryption is

CBC has been the most commonly used mode of operation. Its main drawbacks are that
encryption is sequential (i.e., it cannot be parallelized), and that the message must be padded to a
multiple of the cipher block size. One way to handle this last issue is through the method known
as ciphertext stealing. Note that a one-bit change in a plaintext or IV affects all following
ciphertext blocks.
Decrypting with the incorrect IV causes the first block of plaintext to be corrupt but subsequent
plaintext blocks will be correct. This is because a plaintext block can be recovered from two
adjacent blocks of ciphertext. As a consequence, decryption can be parallelized. Note that a one-
bit change to the ciphertext causes complete corruption of the corresponding block of plaintext,
and inverts the corresponding bit in the following block of plaintext, but the rest of the blocks
remain intact.
Propagating cipher-block chaining (PCBC)
The propagating cipher-block chaining or plaintext cipher-block chaining mode was designed to
cause small changes in the ciphertext to propagate indefinitely when decrypting, as well as when
encrypting.
Encryption and decryption algorithms are as follows:

PCBC is used in Kerberos v4 and WASTE, most notably, but otherwise is not common. On a
message encrypted in PCBC mode, if two adjacent ciphertext blocks are exchanged, this does not
affect the decryption of subsequent blocks. For this reason, PCBC is not used in Kerberos v5.
Cipher feedback (CFB)
The cipher feedback (CFB) mode, a close relative of CBC, makes a block cipher into a self-
synchronizing stream cipher. Operation is very similar; in particular, CFB decryption is almost
identical to CBC encryption performed in reverse:

This simplest way of using CFB described above is not any more self-synchronizing than other
cipher modes like CBC. If a whole blocksize of ciphertext is lost both CBC and CFB will
synchronize, but losing only a single byte or bit will permanently throw off decryption. To be
able to synchronize after the loss of only a single byte or bit, a single byte or bit must be
encrypted at a time. CFB can be used this way when combined with a shift register as the input
for the block cipher.
To use CFB to make a self-synchronizing stream cipher that will synchronize for any multiple of
x bits lost, start by initializing a shift register the size of the block size with the initialization
vector. This is encrypted with the block cipher, and the highest x bits of the result are XORed
with x bits of the plaintext to produce x bits of ciphertext. These x bits of output are shifted into
the shift register, and the process repeats with the next x bits of plaintext. Decryption is similar:
start with the initialization vector, encrypt, and XOR the high bits of the result with x bits of the
ciphertext to produce x bits of plaintext. Then shift the x bits of the ciphertext into the shift
register. This way of proceeding is known as CFB-8 or CFB-1 (according to the size of the
shifting).
In notation, where Si is the ith state of the shift register, a << x is a shifted up x bits, head(a, x) is
the x highest bits of a and n is the number of bits of the IV:

If x bits are lost from the ciphertext, the cipher will output incorrect plaintext until the shift
register once again equals a state it held while encrypting, at which point the cipher has
resynchronized. This will result in at most one blocksize of output being garbled.
Like CBC mode, changes in the plaintext propagate forever in the ciphertext, and encryption
cannot be parallelized. Also like CBC, decryption can be parallelized. When decrypting, a one-
bit change in the ciphertext affects two plaintext blocks: a one-bit change in the corresponding
plaintext block, and complete corruption of the following plaintext block. Later plaintext blocks
are decrypted normally.
CFB shares two advantages over CBC mode with the stream cipher modes OFB and CTR: the
block cipher is only ever used in the encrypting direction, and the message does not need to be
padded to a multiple of the cipher block size (though ciphertext stealing can also be used to make
padding unnecessary).
Output feedback (OFB)
The output feedback (OFB) mode makes a block cipher into a synchronous stream cipher. It
generates keystream blocks, which are then XORed with the plaintext blocks to get the
ciphertext. Just as with other stream ciphers, flipping a bit in the ciphertext produces a flipped bit
in the plaintext at the same location. This property allows many error correcting codes to
function normally even when applied before encryption.
Because of the symmetry of the XOR operation, encryption and decryption are exactly the same:

Each output feedback block cipher operation depends on all previous ones, and so cannot be
performed in parallel. However, because the plaintext or ciphertext is only used for the final
XOR, the block cipher operations may be performed in advance, allowing the final step to be
performed in parallel once the plaintext or ciphertext is available.
It is possible to obtain an OFB mode keystream by using CBC mode with a constant string of
zeroes as input. This can be useful, because it allows the usage of fast hardware implementations
of CBC mode for OFB mode encryption.
Using OFB mode with a partial block as feedback like CFB mode reduces the average cycle
length by a factor of or more. A mathematical model proposed by Davies and Parkin and
substantiated by experimental results showed that only with full feedback an average cycle
length near to the obtainable maximum can be achieved. For this reason, support for truncated
feedback was removed from the specification of OFB.
Counter (CTR)
Like OFB, counter mode turns a block cipher into a stream cipher. It generates the
next keystream block by encrypting successive values of a "counter". The counter can be any
function which produces a sequence which is guaranteed not to repeat for a long time, although
an actual increment-by-one counter is the simplest and most popular. The usage of a simple
deterministic input function used to be controversial; critics argued that "deliberately exposing a
cryptosystem to a known systematic input represents an unnecessary risk." By now, CTR mode
is widely accepted, and problems resulting from the input function are recognized as a weakness
of the underlying block cipher instead of the CTR mode. Nevertheless, there are specialized
attacks like a Hardware Fault Attack that is based on the usage of a simple counter function as
input.
CTR mode has similar characteristics to OFB, but also allows a random access property during
decryption. CTR mode is well suited to operation on a multi-processor machine where blocks
can be encrypted in parallel. Furthermore, it does not suffer from the short-cycle problem that
can affect OFB.
Note that the nonce in this graph is the same thing as the initialization vector (IV) in the other
graphs. The IV/nonce and the counter can be combined together using any lossless operation
(concatenation, addition, or XOR) to produce the actual unique counter block for encryption.
Whichever combination is used, the resulting counter blocks must be unique under a given key
across all messages: with concatenation this means a fresh nonce per message and a counter that
does not overflow its field, while with addition or XOR the nonces of different messages must
also be far enough apart that their counter ranges never overlap.
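The CBC, CFB, OFB and CTR sections above describe the chaining rules and their error-propagation and parallelism properties in prose. The following is an added example, not code from the page, that implements all four modes over a toy block cipher so the properties can be checked directly. The cipher is a 4-round Feistel network using HMAC-SHA256 as its round function (a Luby-Rackoff style construction) and exists only so the file runs offline without a crypto library; it is not a vetted cipher and is not any standard algorithm. The key, IV, nonce and message are constructed inputs, and the CBC functions expect block-aligned input (apply a padding scheme first for other lengths).

```python
# Added example, not from the page: CBC, CFB, OFB and CTR over a toy block cipher.
# The cipher is a 4-round Feistel network with HMAC-SHA256 as round function
# (a Luby-Rackoff style construction) chosen only so this runs offline; it is not
# a vetted cipher. Key, IV, nonce and message below are constructed test inputs.
import hashlib
import hmac

BLOCK = 16          # block size in bytes (assumption, AES-sized)
HALF = BLOCK // 2

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))   # result is as long as the shorter input

def _round(key: bytes, rnd: int, half: bytes) -> bytes:
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:HALF]

def encrypt_block(key: bytes, block: bytes) -> bytes:
    l, r = block[:HALF], block[HALF:]
    for rnd in range(4):
        l, r = r, xor_bytes(l, _round(key, rnd, r))
    return l + r

def decrypt_block(key: bytes, block: bytes) -> bytes:
    l, r = block[:HALF], block[HALF:]
    for rnd in reversed(range(4)):
        l, r = xor_bytes(r, _round(key, rnd, l)), l
    return l + r

def _chunks(data: bytes):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

# CBC: C_i = E_K(P_i xor C_{i-1}), C_0 = IV. Sequential, and needs whole blocks.
def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    assert len(pt) % BLOCK == 0, "pad the message first; CBC encrypts whole blocks"
    out, prev = [], iv
    for p in _chunks(pt):
        prev = encrypt_block(key, xor_bytes(p, prev))
        out.append(prev)
    return b"".join(out)

# CBC: P_i = D_K(C_i) xor C_{i-1}. Each block needs only two ciphertext blocks,
# so decryption parallelises and a wrong IV damages block 0 only.
def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for c in _chunks(ct):
        out.append(xor_bytes(decrypt_block(key, c), prev))
        prev = c
    return b"".join(out)

# CFB (full-block feedback): C_i = E_K(C_{i-1}) xor P_i, C_0 = IV. The cipher is
# used in the encrypt direction both ways; the feedback value is always ciphertext.
def cfb_crypt(key: bytes, iv: bytes, data: bytes, decrypt: bool = False) -> bytes:
    out, prev = [], iv
    for chunk in _chunks(data):
        res = xor_bytes(chunk, encrypt_block(key, prev))  # a partial last block is fine
        prev = chunk if decrypt else res
        out.append(res)
    return b"".join(out)

# OFB: O_i = E_K(O_{i-1}), O_0 = IV, C_i = P_i xor O_i. Encryption == decryption.
def ofb_crypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    out, o = [], iv
    for chunk in _chunks(data):
        o = encrypt_block(key, o)
        out.append(xor_bytes(chunk, o))
    return b"".join(out)

# CTR: C_i = P_i xor E_K(nonce || i). Counter blocks are independent, so blocks
# can be processed in parallel or in isolation (start_block gives random access).
def ctr_crypt(key: bytes, nonce: bytes, data: bytes, start_block: int = 0) -> bytes:
    assert len(nonce) == HALF, "nonce || 64-bit counter must fill one block"
    out = []
    for i, chunk in enumerate(_chunks(data), start=start_block):
        keystream = encrypt_block(key, nonce + i.to_bytes(HALF, "big"))
        out.append(xor_bytes(chunk, keystream))
    return b"".join(out)

def flip_bit(data: bytes, byte_index: int, bit: int) -> bytes:
    b = bytearray(data)
    b[byte_index] ^= 1 << bit
    return bytes(b)

def changed_blocks(a: bytes, b: bytes):
    """Per block: do the two equal-length byte strings differ there?"""
    return [x != y for x, y in zip(_chunks(a), _chunks(b))]

KEY = b"example-key-0123"   # constructed
IV = bytes(range(BLOCK))    # constructed; a real IV is fresh and, for CBC, unpredictable
NONCE = b"nonce-01"         # constructed; must never repeat under KEY
MSG = bytes(range(64))      # four whole blocks, so CBC needs no padding

if __name__ == "__main__":
    ct = cbc_encrypt(KEY, IV, MSG)
    print("CBC, one bit flipped in C_1, blocks changed:",
          changed_blocks(MSG, cbc_decrypt(KEY, IV, flip_bit(ct, BLOCK + 3, 5))))
    print("CBC, wrong IV, blocks changed:",
          changed_blocks(MSG, cbc_decrypt(KEY, bytes(BLOCK), ct)))
```

Run as a script it prints `[False, True, True, False]` for the CBC bit flip (block 1 garbled, the same bit inverted in block 2, the rest intact) and `[True, False, False, False]` for a wrong IV, matching the CBC section. The CFB, OFB and CTR functions accept a trailing partial block without padding because the last keystream block is simply truncated, CTR with `start_block` decrypts any block on its own, and nothing here authenticates the ciphertext: every one of these modes lets an attacker flip plaintext bits by flipping ciphertext bits, which is why an authenticated mode or a separate MAC is needed in practice.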