Block Cipher Modes of Operation
Alberto Grand
Politecnico di Torino – Computer Systems Security – prof. Antonio Lioy
What are modes of operation?
- Block ciphers only encrypt whole blocks (e.g. 128 bits for AES).
- What if our message is longer or shorter than the block size?
  We use modes of operation!
- Algorithms that use a block cipher to provide a service (e.g. confidentiality, authentication).
- 5 NIST-recommended modes providing confidentiality (SP 800-38A): ECB, CBC, CFB, OFB, CTR.
- CMAC (SP 800-38B) may be considered a block cipher mode of operation providing authentication.
Electronic Codebook (ECB)
- Associates each possible plaintext block with a ciphertext block, like a codebook.
[figure: one plaintext block, e.g. "Hello world!", is mapped to one ciphertext block]
- Requires padding.
- Encryption/decryption of multiple blocks in parallel.
- A 1-bit error in a ciphertext block garbles the corresponding decrypted block, and only that block.
Deficiencies of ECB
- Problems when the original message contains regular data patterns: equal plaintext blocks are always encrypted in the same way, so the pattern shows through in the ciphertext.
- Only suitable for 1-block-sized data (e.g. a key).
- "The securest thing you can do with ECB is not use it!"
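The pattern leak described above, as an added example (not part of the original slides): a message made of one repeated block is encrypted with AES in ECB and, for comparison, in CBC, using only the Go standard library. The key, IV and message are constructed for the demo; the ECB loop is written out because Go deliberately ships no ECB mode.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed demo key and IV for this example only (never hard-code keys in real code).
var demoKey = []byte("0123456789abcdef") // 16 bytes -> AES-128
var demoIV = []byte("fedcba9876543210")

// Constructed plaintext with a regular data pattern: one 16-byte block repeated four times.
var patternedMsg = bytes.Repeat([]byte("ATTACK AT DAWN!!"), 4)

// encryptECB applies the raw block cipher block by block. Go's standard library
// deliberately offers no ECB mode, so the loop is written out here. The input must
// be a multiple of the block size (this demo does not pad).
func encryptECB(key, pt []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	bs := block.BlockSize()
	if len(pt)%bs != 0 {
		panic("ECB demo: plaintext must be a multiple of the block size")
	}
	ct := make([]byte, len(pt))
	for i := 0; i < len(pt); i += bs {
		block.Encrypt(ct[i:i+bs], pt[i:i+bs])
	}
	return ct
}

// encryptCBC uses the standard-library CBC mode with an explicit IV, for comparison.
func encryptCBC(key, iv, pt []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	return ct
}

// distinctBlocks counts the distinct 16-byte blocks in ct. Under ECB, equal
// plaintext blocks give equal ciphertext blocks, so this count exposes the
// repetition structure of the plaintext without knowing the key.
func distinctBlocks(ct []byte) int {
	seen := make(map[string]bool)
	for i := 0; i+16 <= len(ct); i += 16 {
		seen[string(ct[i:i+16])] = true
	}
	return len(seen)
}

func main() {
	ecb := encryptECB(demoKey, patternedMsg)
	cbc := encryptCBC(demoKey, demoIV, patternedMsg)
	fmt.Printf("plaintext: 4 identical blocks\n")
	fmt.Printf("ECB: %d distinct ciphertext block(s) -> pattern visible\n", distinctBlocks(ecb))
	fmt.Printf("CBC: %d distinct ciphertext block(s) -> pattern hidden\n", distinctBlocks(cbc))
}
```

The same count on a CBC ciphertext is 4, because each block is chained to the previous ciphertext block; this is exactly why ECB is only acceptable for single-block data such as a key.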
Cipher Block Chaining (CBC)
- Allows equal plaintext blocks to be encrypted to different ciphertext blocks.
- Encrypted blocks are "chained" through XORing: each plaintext block is XORed with the previous ciphertext block before encryption.
- Requires an initialisation vector (IV) for the first block.
[figure: CBC encryption and decryption of the two-block message "Hello world": C_i = CIPH_K(P_i ⊕ C_{i-1}) with C_0 = IV; P_i = CIPH_K^{-1}(C_i) ⊕ C_{i-1}]
Features of CBC
- No parallel encryption (each block depends on the previous ciphertext block), while parallel decryption is possible.
- A 1-bit error in a ciphertext block affects two blocks:
  - the corresponding decrypted block is garbled
  - the corresponding bit is flipped in the next decrypted block
- Problem with the IV: a 1-bit error in the IV only flips 1 bit in the 1st plaintext block, with no garbled block. Hard to detect, and easy for an attacker to exploit if the IV is not authenticated!
- Solutions:
  - encipher the IV
  - don't transmit the IV, but compute it from a value known to both parties
  - use authentication!
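The two error-propagation cases above, as an added example (not part of the original slides): a 4-block message is CBC-encrypted with the Go standard library, one bit is flipped either in ciphertext block 1 or in the IV, and the per-block Hamming distance between the original and the tampered plaintext is measured. Key, IV, message and the flipped bit position are constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"fmt"
	"math/bits"
)

// Constructed demo key, IV and a 4-block (64-byte) plaintext.
var demoKey = []byte("0123456789abcdef")
var demoIV = []byte("fedcba9876543210")
var demoPT = []byte("block zero......block one.......block two.......block three.....")

func cbcEncrypt(key, iv, pt []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	return ct
}

func cbcDecrypt(key, iv, ct []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pt
}

// hammingPerBlock returns, for each 16-byte block, how many bits of a and b differ.
func hammingPerBlock(a, b []byte) []int {
	var out []int
	for i := 0; i+16 <= len(a); i += 16 {
		n := 0
		for j := i; j < i+16; j++ {
			n += bits.OnesCount8(a[j] ^ b[j])
		}
		out = append(out, n)
	}
	return out
}

// flipBit returns a copy of buf with bit `bit` of byte byteIdx flipped.
func flipBit(buf []byte, byteIdx int, bit uint) []byte {
	out := append([]byte(nil), buf...)
	out[byteIdx] ^= 1 << bit
	return out
}

// ciphertextBitFlip flips one bit in ciphertext block blk and reports the damage
// per decrypted block: block blk is garbled, block blk+1 has exactly that bit flipped.
func ciphertextBitFlip(blk int) []int {
	ct := cbcEncrypt(demoKey, demoIV, demoPT)
	tampered := flipBit(ct, blk*16+3, 5)
	return hammingPerBlock(demoPT, cbcDecrypt(demoKey, demoIV, tampered))
}

// ivBitFlip flips one bit in the IV instead: the only effect is one flipped bit in
// block 0 and nothing is garbled, which is why an unauthenticated IV is dangerous.
func ivBitFlip() []int {
	ct := cbcEncrypt(demoKey, demoIV, demoPT)
	badIV := flipBit(demoIV, 3, 5)
	return hammingPerBlock(demoPT, cbcDecrypt(demoKey, badIV, ct))
}

func main() {
	fmt.Println("bits changed per block, flip in ciphertext block 1:", ciphertextBitFlip(1))
	fmt.Println("bits changed per block, flip in IV:                ", ivBitFlip())
}
```

Run it and the first line shows roughly half of block 1's 128 bits changed, exactly 1 bit changed in block 2 and 0 elsewhere; the second line shows a single changed bit in block 0 and nothing else, which a receiver without a MAC has no way to notice.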
Propagating CBC (PCBC)
- A variation of CBC designed to propagate errors.
- The previous plaintext block is also involved in the XOR operation: C_i = CIPH_K(P_i ⊕ P_{i-1} ⊕ C_{i-1}), with P_0 ⊕ C_0 = IV.
- Is error propagation desirable? It depends!
  - NO for transmission errors
  - YES against intentional, malicious changes
- Used in Kerberos v4, but abandoned starting from v5 because swapping two adjacent ciphertext blocks does not affect the decryption of subsequent blocks, so such tampering is not propagated.
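The Kerberos weakness above, as an added example (not part of the original slides): PCBC is implemented on top of the Go standard library's AES block cipher, two adjacent ciphertext blocks are swapped, and the result shows that only those two blocks decrypt wrongly while every later block is intact. Key, IV and the 5-block message are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed demo key, IV and 5-block (80-byte) plaintext for this example only.
var demoKey = []byte("0123456789abcdef")
var demoIV = []byte("fedcba9876543210")
var demoPT = []byte("block zero......block one.......block two.......block three.....block four......")

// xorInto sets dst[i] = a[i] ^ b[i]; dst may alias a or b.
func xorInto(dst, a, b []byte) {
	for i := range dst {
		dst[i] = a[i] ^ b[i]
	}
}

// pcbcEncrypt: C_i = CIPH_K(P_i XOR P_{i-1} XOR C_{i-1}), with P_0 XOR C_0 := IV.
func pcbcEncrypt(block cipher.Block, iv, pt []byte) []byte {
	bs := block.BlockSize()
	ct := make([]byte, len(pt))
	feedback := append([]byte(nil), iv...) // holds P_{i-1} XOR C_{i-1}
	tmp := make([]byte, bs)
	for i := 0; i < len(pt); i += bs {
		xorInto(tmp, pt[i:i+bs], feedback)
		block.Encrypt(ct[i:i+bs], tmp)
		xorInto(feedback, pt[i:i+bs], ct[i:i+bs])
	}
	return ct
}

// pcbcDecrypt: P_i = CIPH_K^{-1}(C_i) XOR P_{i-1} XOR C_{i-1}.
func pcbcDecrypt(block cipher.Block, iv, ct []byte) []byte {
	bs := block.BlockSize()
	pt := make([]byte, len(ct))
	feedback := append([]byte(nil), iv...)
	for i := 0; i < len(ct); i += bs {
		block.Decrypt(pt[i:i+bs], ct[i:i+bs])
		xorInto(pt[i:i+bs], pt[i:i+bs], feedback)
		xorInto(feedback, pt[i:i+bs], ct[i:i+bs])
	}
	return pt
}

// swapAdjacent encrypts demoPT with PCBC, swaps ciphertext blocks i and i+1, decrypts
// and reports per block whether the decrypted block still equals the original plaintext.
// roundTrip confirms that untampered decryption works.
func swapAdjacent(i int) (roundTrip bool, blockIntact []bool) {
	block, err := aes.NewCipher(demoKey)
	if err != nil {
		panic(err)
	}
	ct := pcbcEncrypt(block, demoIV, demoPT)
	roundTrip = bytes.Equal(pcbcDecrypt(block, demoIV, ct), demoPT)

	swapped := append([]byte(nil), ct...)
	copy(swapped[i*16:(i+1)*16], ct[(i+1)*16:(i+2)*16])
	copy(swapped[(i+1)*16:(i+2)*16], ct[i*16:(i+1)*16])
	dec := pcbcDecrypt(block, demoIV, swapped)
	for b := 0; b+16 <= len(dec); b += 16 {
		blockIntact = append(blockIntact, bytes.Equal(dec[b:b+16], demoPT[b:b+16]))
	}
	return roundTrip, blockIntact
}

func main() {
	ok, intact := swapAdjacent(1)
	fmt.Println("round trip OK:", ok)
	fmt.Println("blocks intact after swapping C_1 and C_2:", intact)
}
```

Why it cancels out: P'_{i+1} ⊕ C'_{i+1} = CIPH_K^{-1}(C_i) ⊕ CIPH_K^{-1}(C_{i+1}) ⊕ P_{i-1} ⊕ C_{i-1} ⊕ C_i ⊕ C_{i+1} is symmetric in C_i and C_{i+1}, so the feedback fed into block i+2 is unchanged by the swap.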
Cipher Feedback (CFB)
- Turns a block cipher into a stream cipher: the message size need not be a multiple of the block size.
- Very similar to CBC, but ciphering and XORing are swapped: the previous ciphertext block (or segment) is encrypted and the result is XORed with the plaintext.
[figure: CFB encryption and decryption of the two-block message "Hello world": C_i = P_i ⊕ CIPH_K(C_{i-1}) with C_0 = IV; decryption uses the forward cipher as well]
Features of CFB
- No parallel encryption of multiple blocks, although some form of pipelining is possible.
- Parallel decryption is possible.
- Only the forward cipher function is used (also for decryption).
- A 1-bit error in the ciphertext:
  - flips the corresponding bit in the current segment
  - may garble the next ⌈b/s⌉ segments (b = block size, s = segment size in bits)
- This is highly noticeable, so CFB is less exposed to the risk of deliberate bit changes.
OpenPGP with CFB
- Widespread standard for exchanging encrypted e-mail messages.
- A variant of CFB is used for symmetric encryption:
  - a random block R is enciphered and used as an IV
  - the first 2 bytes of R are replicated in the 2nd block as an integrity check
- Leak of information! About 2^15 set-up attempts plus about 2^15 attempts per block, against a receiver that reveals whether the check passed, enable an attacker to discover the first 2 bytes of any block.
- And PGP stands for "Pretty Good Privacy"!
Output Feedback (OFB)
- Turns a block cipher into a stream cipher.
- The keystream is obtained by iterating the forward cipher on the IV: O_1 = CIPH_K(IV), O_i = CIPH_K(O_{i-1}), C_i = P_i ⊕ O_i.
[figure: OFB encryption and decryption of the two-block message "Hello world"; decryption regenerates the same keystream and uses the forward cipher only]
Features of OFB (i)
- Neither encryption nor decryption can be performed in parallel, since each keystream block depends on the previous one.
- If the IV is available before the ciphertext, keystream blocks can be pre-computed.
- The IV must be a nonce, otherwise a known-plaintext attack is possible (under the same key):
  - an attacker who knows the ith plaintext block can easily reconstruct the ith keystream block as C_i ⊕ P_i
  - he can then decrypt the ith block of every message encrypted with the same key and IV
Features of OFB (ii)
- A 1-bit error in a ciphertext block only flips the corresponding bit of the corresponding plaintext block:
  - good for error-correcting codes, which work even when applied before encryption
  - bad because the change is hardly noticeable!
- A 1-bit error in the IV causes all blocks to be garbled.
Counter (CTR)
- Turns a block cipher into a stream cipher.
- Keystream blocks are generated by encrypting a sequence of counter blocks: O_i = CIPH_K(T_i), C_i = P_i ⊕ O_i.
[figure: CTR encryption and decryption of the two-block message "Hello world" with counter blocks #1 and #2; decryption uses the forward cipher only]
Features of CTR (i)
- Both encryption and decryption can be performed fully in parallel on multiple blocks.
- Provides true random access to ciphertext blocks.
- If the initial counter block is available, keystream blocks may be computed before receiving the ciphertext.
- It's simple!
- No inverse cipher function is required for decryption.
- It is becoming increasingly used.
Features of CTR (ii)
- Assurance is required that:
  - counters do not repeat within a single message
  - counters do not repeat across all messages under a given key
- Done through an incrementing function.
- Usually, the first b-m bits are a message nonce and the following m bits are incremented (so each message must be shorter than 2^m blocks).
- Alternatively, the counter continues from one message to the next (so the total length of all messages must be less than 2^m blocks).
Padding: pros and cons
- Increases the amount of data to be sent with no increase in transmitted information.
- With regular data patterns, padding with random values makes cryptanalysis more difficult.
- When the padding scheme is known, it may expose the exchange of messages to padding-oracle attacks (e.g. through timing).
- OpenSSL prior to v0.9.6c, CBC encryption of a message followed by its MAC:
  - the MAC is located at the end, so padding is needed after it
  - the message is only evaluated (MAC checked) if the padding is correct, and the attacker can observe which of the two happened
  - the attacker may systematically find out the plaintext, byte by byte, starting from the second-to-last block
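The attack the slide alludes to, as an added example (not part of the original slides or of OpenSSL): a CBC record with PKCS#7-style padding is encrypted with the Go standard library, a receiver function plays the oracle by answering only "padding valid" or "padding invalid", and the attacker recovers the whole plaintext without the key by forging the block that precedes each target block. Key, IV and the message are constructed for the demo; the oracle is a direct function call standing in for an error message or timing difference.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed server key and IV; the attacker knows neither.
var serverKey = []byte("0123456789abcdef")
var serverIV = []byte("fedcba9876543210")
var secretMsg = []byte("user=alice;role=admin;exp=2030") // 30 bytes -> padded to 32

// pkcs7Pad appends n bytes of value n, 1 <= n <= bs.
func pkcs7Pad(b []byte, bs int) []byte {
	n := bs - len(b)%bs
	return append(append([]byte(nil), b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Valid reports whether b ends in well-formed padding.
func pkcs7Valid(b []byte, bs int) bool {
	if len(b) == 0 || len(b)%bs != 0 {
		return false
	}
	n := int(b[len(b)-1])
	if n == 0 || n > bs {
		return false
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return false
		}
	}
	return true
}

// encryptRecord is the sender: CBC-encrypt the padded message and return IV || ct.
func encryptRecord(pt []byte) []byte {
	block, err := aes.NewCipher(serverKey)
	if err != nil {
		panic(err)
	}
	padded := pkcs7Pad(pt, 16)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, serverIV).CryptBlocks(ct, padded)
	return append(append([]byte(nil), serverIV...), ct...)
}

// paddingOracle models the vulnerable receiver: it decrypts and reveals, through an
// error code or a timing difference, only whether the padding was correct.
func paddingOracle(ivct []byte) bool {
	block, err := aes.NewCipher(serverKey)
	if err != nil {
		panic(err)
	}
	pt := make([]byte, len(ivct)-16)
	cipher.NewCBCDecrypter(block, ivct[:16]).CryptBlocks(pt, ivct[16:])
	return pkcs7Valid(pt, 16)
}

// recoverBlock recovers the plaintext of ciphertext block target given the block that
// precedes it (prev; the IV for the first block). It learns I = CIPH_K^{-1}(target) byte by
// byte from the right by forging prev so that the decryption ends in 01, then 02 02, ...
func recoverBlock(oracle func([]byte) bool, prev, target []byte) (pt []byte, queries int) {
	inter := make([]byte, 16)
	forged := make([]byte, 16)
	for k := 15; k >= 0; k-- {
		pad := byte(16 - k)
		for j := k + 1; j < 16; j++ {
			forged[j] = inter[j] ^ pad // already-known bytes are made to decrypt to pad
		}
		found := false
		for g := 0; g < 256 && !found; g++ {
			forged[k] = byte(g)
			queries++
			if !oracle(append(append([]byte(nil), forged...), target...)) {
				continue
			}
			if k == 15 { // a hit may be a longer padding (02 02 ...); a true 01 survives changing byte 14
				forged[14] ^= 0xff
				ok := oracle(append(append([]byte(nil), forged...), target...))
				forged[14] ^= 0xff
				queries++
				if !ok {
					continue
				}
			}
			inter[k] = byte(g) ^ pad
			found = true
		}
		if !found {
			panic("oracle never accepted a forgery: not a padding oracle?")
		}
	}
	pt = make([]byte, 16)
	for i := range pt {
		pt[i] = inter[i] ^ prev[i] // P = CIPH_K^{-1}(C) XOR previous ciphertext block
	}
	return pt, queries
}

// recoverAll applies recoverBlock to every block (each needs only its predecessor as the
// block to forge) and strips the recovered padding; returns plaintext and total queries.
func recoverAll(oracle func([]byte) bool, ivct []byte) ([]byte, int) {
	var out []byte
	total := 0
	for off := 16; off < len(ivct); off += 16 {
		blk, q := recoverBlock(oracle, ivct[off-16:off], ivct[off:off+16])
		out = append(out, blk...)
		total += q
	}
	return out[:len(out)-int(out[len(out)-1])], total
}

func main() {
	rec := encryptRecord(secretMsg)
	pt, q := recoverAll(paddingOracle, rec)
	fmt.Printf("recovered %q with %d oracle queries and no key\n", pt, q)
}
```

The cost is at most 256 queries per byte (about 128 on average), so a 16-byte block falls in a few thousand requests; the defence is to make the padding check unobservable, in practice by authenticating the ciphertext (encrypt-then-MAC or an AEAD mode) and rejecting before decryption.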
Ciphertext Stealing (CTS)
- Sometimes padding is unacceptable:
  - limited bandwidth
  - exchange of many messages that would require padding
- We want to avoid extra data, but block ciphers need entire blocks!
- Solution: use CTS!
  - with some extra operations, it produces exactly as many output bytes as given in input
  - we pay in terms of complexity and execution time
  - we still cannot encrypt very short messages (< 1 block)
- Usually not worth it!
Related-mode attacks (i)
- Attacks against a given block cipher mode of operation:
  - we must know which mode is being used
  - we need an oracle for another mode with the same underlying cipher and the same key
Related-mode attacks (ii)
Using ECB against CTR
- The malicious user (MU) intercepts C_i and the initial counter block C_0.
- He chooses P'_i = C_0 + i and submits it to the ECB oracle, obtaining C'_i = CIPH_K(P'_i).
- Since C_i = CIPH_K(C_0 + i) ⊕ P_i, he can compute P_i = C_i ⊕ C'_i.
- Only one chosen-plaintext query per recovered block is required.
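The ECB-against-CTR attack above, together with the nonce || counter layout of the previous CTR slide, as one added example (not part of the original slides): the sender builds counter blocks T_i = nonce || i (96-bit nonce, 32-bit big-endian counter), checks the message-length bound and encrypts with the Go standard library's CTR mode; the attacker, who sees only the nonce and the ciphertext, recovers the plaintext with one ECB-oracle query per block. Key, nonce and message are constructed; the ECB oracle is a function standing in for any component that encrypts attacker-chosen blocks under the same key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// Constructed demo key and 96-bit message nonce (must never repeat under this key).
var demoKey = []byte("0123456789abcdef")
var demoNonce = []byte("nonce-96bit!")                     // 12 bytes = b - m with b = 128, m = 32
var demoPT = []byte("Pay 100 EUR to Alice, ref 42. ") // 30 bytes: not a block multiple, no padding

// counterBlock builds T_i = nonce || i with i a 32-bit big-endian counter. The standard
// library increments the whole 128-bit block as a big-endian integer, so as long as a
// message has fewer than 2^32 blocks the increment never carries into the nonce.
func counterBlock(nonce []byte, i uint32) []byte {
	if len(nonce) != 12 {
		panic("nonce must be 96 bits")
	}
	t := make([]byte, 16)
	copy(t, nonce)
	binary.BigEndian.PutUint32(t[12:], i)
	return t
}

// ctrEncrypt is the legitimate sender: O_i = CIPH_K(T_i), C_i = P_i XOR O_i.
func ctrEncrypt(key, nonce, pt []byte) []byte {
	if (uint64(len(pt))+15)/16 > uint64(1)<<32 {
		panic("message too long for a 32-bit counter: counters would repeat")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	ct := make([]byte, len(pt))
	cipher.NewCTR(block, counterBlock(nonce, 0)).XORKeyStream(ct, pt)
	return ct
}

// ecbOracle models the related-mode oracle: another component encrypts attacker-chosen
// single blocks in ECB under the same key. The attacker never sees the key itself.
func ecbOracle(pt []byte) []byte {
	block, err := aes.NewCipher(demoKey)
	if err != nil {
		panic(err)
	}
	out := make([]byte, 16)
	block.Encrypt(out, pt)
	return out
}

// relatedModeDecrypt is the attacker: knowing the initial counter block (the nonce travels
// in clear) he asks the oracle for C'_i = CIPH_K(C_0 + i), one query per block, and XORs.
func relatedModeDecrypt(oracle func([]byte) []byte, nonce, ct []byte) []byte {
	pt := make([]byte, len(ct))
	for i := 0; i*16 < len(ct); i++ {
		o := oracle(counterBlock(nonce, uint32(i)))
		for j := i * 16; j < len(ct) && j < (i+1)*16; j++ {
			pt[j] = ct[j] ^ o[j-i*16] // P_i = C_i XOR C'_i
		}
	}
	return pt
}

func main() {
	ct := ctrEncrypt(demoKey, demoNonce, demoPT)
	rec := relatedModeDecrypt(ecbOracle, demoNonce, ct)
	fmt.Printf("ciphertext bytes: %d (same as plaintext)\n", len(ct))
	fmt.Printf("recovered via ECB oracle: %q\n", rec)
	fmt.Println("match:", bytes.Equal(rec, demoPT))
}
```

Because the recovery succeeds, the example also confirms that the library's CTR keystream is exactly CIPH_K(T_0), CIPH_K(T_1), ... for the layout built by counterBlock. The lesson of the slide is the key-separation one: a key used for CTR must not be exposed through any other mode.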
The CMAC Mode for Authentication
What is CMAC?
- The 5 modes of operation provide confidentiality, but we also need authentication and integrity.
- We must use a mode for authentication!
  - authentication implies integrity
- A MAC algorithm provides much stronger assurance of data integrity than a checksum, because it cannot be recomputed without the key.
- CMAC exploits the CBC mode of operation to chain cipher blocks and obtain a value which depends on all the blocks of the message.
Once upon time…
- …there was an insecure mode for authentication named CBC-MAC:
  - it only provided security for messages of one fixed length (a multiple of the block size)
  - an attacker could change the whole message (except the last block) without notice when CBC was used for encryption with the same key
- Black & Rogaway made it secure for arbitrary-length messages using 2 extra keys (XCBC).
- Iwata & Kurosawa derived the extra keys from the shared secret (OMAC; OMAC1 = CMAC).
Subkey generation
- 2 subkeys K1, K2 are generated from the key K.
- They can be computed once and stored (they must be kept secret!).
- R_b is a constant related to the block size b:
  - R_b = 0^120 || 10000111 when b = 128
  - R_b = 0^59 || 11011 when b = 64

  L ← CIPH_K(0^b)
  if MSB_1(L) = 0 then K1 ← L << 1
  else K1 ← (L << 1) ⊕ R_b
  if MSB_1(K1) = 0 then K2 ← K1 << 1
  else K2 ← (K1 << 1) ⊕ R_b

- Finite-field mathematics is involved: each step is a multiplication by x in GF(2^b), with R_b the reduction polynomial.
CMAC generation
  if Mlen = 0 then n ← 1
  else n ← ⌈Mlen / b⌉
  if M*_n is complete then M_n ← M*_n ⊕ K1
  else M_n ← (M*_n ‖ 10^j) ⊕ K2
  C_0 ← 0^b
  for i ← 1 to n do
    C_i ← CIPH_K(C_{i-1} ⊕ M_i)
  T ← MSB_Tlen(C_n)

- Formatting of the message (padding and subkey XOR of the last block) does not need to complete before starting the CBC encryption of the earlier blocks.
CMAC verification
- The receiver may first decrypt the data with the appropriate algorithm (if it was also encrypted).
- He then applies the CMAC generation process to the data.
- He compares the generated MAC with the one he received (the comparison should run in constant time, so that an early exit does not reveal how many leading bytes of a forged tag were right):
  - if identical, the message is authentic
  - if not, in-transit errors or attack!
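Subkey generation, tag generation and verification from the three slides above, as one added example (not part of the original slides): the algorithm is implemented over the Go standard library's AES block cipher and checked against the public AES-128 CMAC test vectors of RFC 4493 / SP 800-38B (key 2b7e1516…, empty, 16-, 40- and 64-byte messages). Verification uses a constant-time comparison. Nothing here is constructed except the 64-bit truncation shown in main.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

func mustHex(s string) []byte {
	b, err := hex.DecodeString(s)
	if err != nil {
		panic(err)
	}
	return b
}

// dbl is the slide's "shift left by 1, XOR R_b if MSB_1 was 1": multiplication by x in GF(2^b).
func dbl(in []byte, rb byte) []byte {
	out := make([]byte, len(in))
	var carry byte
	for i := len(in) - 1; i >= 0; i-- {
		out[i] = in[i]<<1 | carry
		carry = in[i] >> 7 // after the loop this is MSB_1(in)
	}
	if carry == 1 {
		out[len(out)-1] ^= rb
	}
	return out
}

// subkeys: L = CIPH_K(0^b), K1 = dbl(L), K2 = dbl(K1). R_b = 0^120||10000111 (0x87) for
// b = 128 and 0^59||11011 (0x1b) for b = 64. The subkeys are as secret as K.
func subkeys(block cipher.Block) (k1, k2 []byte) {
	bs := block.BlockSize()
	rb := byte(0x87)
	if bs == 8 {
		rb = 0x1b
	}
	l := make([]byte, bs)
	block.Encrypt(l, l)
	k1 = dbl(l, rb)
	return k1, dbl(k1, rb)
}

// cmacTag runs the generation algorithm of the slide and returns MSB_tlen(C_n), tlen in bytes.
func cmacTag(key, msg []byte, tlen int) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	bs := block.BlockSize()
	if tlen < 1 || tlen > bs {
		panic("invalid tag length")
	}
	k1, k2 := subkeys(block)
	n := (len(msg) + bs - 1) / bs
	if n == 0 {
		n = 1 // empty message: a single padded block
	}
	last := make([]byte, bs)
	rem := len(msg) - (n-1)*bs
	if rem == bs { // M*_n complete: M_n = M*_n XOR K1
		for i := range last {
			last[i] = msg[(n-1)*bs+i] ^ k1[i]
		}
	} else { // incomplete or empty: M_n = (M*_n || 10^j) XOR K2
		copy(last, msg[(n-1)*bs:])
		last[rem] = 0x80
		for i := range last {
			last[i] ^= k2[i]
		}
	}
	c := make([]byte, bs) // C_0 = 0^b
	tmp := make([]byte, bs)
	for i := 0; i < n-1; i++ { // CBC chaining over the first n-1 blocks
		for j := range tmp {
			tmp[j] = c[j] ^ msg[i*bs+j]
		}
		block.Encrypt(c, tmp)
	}
	for j := range tmp {
		tmp[j] = c[j] ^ last[j]
	}
	block.Encrypt(c, tmp)
	return c[:tlen]
}

// cmacVerify recomputes the tag and compares in constant time.
func cmacVerify(key, msg, tag []byte) bool {
	if len(tag) < 1 || len(tag) > 16 {
		return false
	}
	return subtle.ConstantTimeCompare(cmacTag(key, msg, len(tag)), tag) == 1
}

// RFC 4493 AES-128 test vectors (public, not constructed): key, 64-byte message, tags.
var rfcKey = mustHex("2b7e151628aed2a6abf7158809cf4f3c")
var rfcMsg = mustHex("6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e51" +
	"30c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710")

func selfTest() bool {
	return cmacVerify(rfcKey, nil, mustHex("bb1d6929e95937287fa37d129b756746")) &&
		cmacVerify(rfcKey, rfcMsg[:16], mustHex("070a16b46b4d4144f79bdd9dd04a287c")) &&
		cmacVerify(rfcKey, rfcMsg[:40], mustHex("dfa66747de9ae63030ca32611497c827")) &&
		cmacVerify(rfcKey, rfcMsg, mustHex("51f0bebf7e3b9d92fc49741779363cfe"))
}

func main() {
	fmt.Println("RFC 4493 vectors pass:", selfTest())
	fmt.Printf("64-bit (Tlen = 64) tag for the 64-byte message: %x\n", cmacTag(rfcKey, rfcMsg, 8))
}
```

The truncation in main is the slide's "T ← MSB_Tlen(C_n)": the receiver recomputes the full tag and truncates to the agreed Tlen before comparing, so the length must be fixed by the protocol rather than taken from the message.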
Length of the MAC (i)
- When verification fails, we are sure the message is inauthentic.
- But when it succeeds, we are not 100% sure it is authentic!
  - the MU may simply have guessed the right MAC for a message
  - his chance of succeeding with one attempt is 1/2^Tlen
- Longer MACs provide higher assurance, but use more bandwidth/storage space.
- If the attacker can make more than one attempt, his chances increase!
Length of the MAC (ii)
- For most applications, 64 bits are enough.
- NIST (SP 800-38B) provides guidance based on two parameters:
  - MaxInvalids: maximum number of invalid messages accepted before the system halts (or changes key)
  - Risk: highest acceptable probability that an inauthentic message is mistakenly trusted
- Tlen ≥ log2(MaxInvalids / Risk)
  - e.g. MaxInvalids = 1, Risk = 0.25 ⇒ Tlen ≥ 2 bits
Message span of the key (i)
- It's the total number of messages to which CMAC is applied with the same key.
- It affects security against attacks based on detecting 2 distinct messages that lead to the same MAC (and hence the same internal CBC state, which the attacker can exploit to forge tags).
- We call this event a collision.
- It happens because there are far more possible messages than possible MACs.
- It should not occur during the lifetime of a key, so the message span should be limited!
Message span of the key (ii)
- Probability says that a collision is expected among a set of about 2^(b/2) messages (the birthday bound).
- For general-purpose applications:
  - no more than 2^48 messages when b = 128
  - no more than 2^21 messages when b = 64
- For a higher level of security:
  - no more than 2^48 message blocks when b = 128 (2^22 GB)
  - no more than 2^21 message blocks when b = 64 (16 MB)
- Sometimes the message span is time-limited.
Protection vs. replay attacks
- No protection against replay attacks is ensured by CMAC:
  - a malicious user may intercept a message with its correct MAC and send it again at a later time
  - it's perfectly valid!
- Such protection must be provided by the protocol or application that uses CMAC for authentication, by including in the authenticated data:
  - a sequence number
  - a timestamp
  - a message nonce
  - etc.
Any questions?