Block Cipher Modes of Operation
(Slide from John Dooley with thanks to Drs. Lawrie Brown & William Stallings)
CS 330 More Block Ciphers 1 Current Block Cipher Design Principles
• basic principles still like Feistel in 1970’s
• number of rounds – more is better, exhaustive search best attack
• function f: – provides “confusion”, is nonlinear, avalanche
• key schedule – complex subkey creation, key avalanche
CS 330 More Block Ciphers 2 But.....
• There are things to consider when you implement a block cipher algorithm...
CS 330 More Block Ciphers 3 Modes of Operation
• block ciphers encrypt fixed size blocks
• depending on how you implement the algorithm, you can open yourself up to guessing the plaintext or the key
• four Modes of Operation were defined for the DES in ANSI standard ANSI X3.106-1983 Modes of Use
CS 330 More Block Ciphers 4 Electronic Codebook (ECB)
• message is broken into independent blocks which are encrypted
• each block is a value which is substituted, like a codebook, hence the name
• each block is encoded independently of the other blocks
Ci = EK1(Pi)
• this mode is typically only used when a very small number of blocks of information need to be sent.
CS 330 More Block Ciphers 5 Electronic Codebook Book (ECB)
CS 330 More Block Ciphers 6 Advantages and Limitations of ECB
• repetitions in the message may show in ciphertext – if aligned with message block – particularly with data such as graphics – or with messages that change very little, which become a code-book analysis problem
• weakness due to encrypted message blocks being independent
• but, ECB is useful because the blocks can be encrypted and sent independently without affecting decryption.
CS 330 More Block Ciphers 7 Cipher Block Chaining (CBC)
• want a way to overcome the block independence of ECB
• the message is broken into blocks, and
• each previous cipher block is chained with the current plaintext block
• uses an Initial Vector (IV) to start the process
Ci = EKi(Pi XOR Ci-1) C-1 = IV
CS 330 More Block Ciphers 8 Cipher Block Chaining (CBC)
CS 330 More Block Ciphers 9 Advantages and Limitations of CBC
• each ciphertext block depends on all the previous message blocks
• thus a change in the message affects all ciphertext blocks after the change as well as the original block
• chaining provides an avalanche effect
CS 330 More Block Ciphers 10 More CBC
• need Initial Value (IV) known to sender & receiver in addition to the key
• at end of message, handle possible last short block
CS 330 More Block Ciphers 11 Cipher FeedBack (CFB) Mode
• the message is treated as a stream of bits that is added to the output of the block cipher
• the result is feedback for the next stage (hence the name)
• standard allows any number of bits (1,8 or 64 or whatever) to be fed back – denoted CFB-1, CFB-8, CFB-64 etc
• it is most efficient to use all 64 bits (CFB-64)
Ci = Pi XOR EK1(Ci-1)
C-1 = IV
CS 330 More Block Ciphers 12 Cipher FeedBack (CFB)
CS 330 More Block Ciphers 13 Advantages and Limitations of CFB
• appropriate when data arrives in bits/bytes
• it is the most common stream mode
• limitation is the need to stall while you do block encryption after every n-bits
• note that the block cipher is used in encryption mode at both ends
• errors propagate for several blocks after the error
14 CS 330 More Block Ciphers Output FeedBack (OFB) Mode
• the message is treated as a stream of bits – the output of the cipher is added to the message – the output is then fed back – the feedback is independent of the message – the output can be computed in advance
Ci = Pi XOR Oi
Oi = EK1(Oi-1)
O-1 = IV
CS 330 More Block Ciphers 15 Output FeedBack (OFB)
16 CS 330 More Block Ciphers Advantages and Limitations of OFB
• used when error feedback is a problem or where we need to do encryptions before the entire message is available • superficially similar to CFB – but the feedback is from the output of the cipher and is independent of the message • a variation of a Vernam cipher – hence must never reuse the same sequence (key+IV)
CS 330 More Block Ciphers 17 Advantages and Limitations of OFB
• the sender and receiver must remain in sync, and some recovery method is needed to ensure this occurs • originally specified with m-bit feedback in the standards • subsequent research has shown that only OFB-64 should ever be used
CS 330 More Block Ciphers 18 Counter (CTR)
• similar to OFB but encrypts a counter value rather than any feedback value
• must have a different key & counter value for every plaintext block (never reused)
Ci = Pi XOR Oi
Oi = EK1(i) • Wireless Encryption Protocol (for 802.11b) uses a form of this method - not terribly secure if you re-use the IV values.
CS 330 More Block Ciphers 19 Counter (CTR)
CS 330 More Block Ciphers 20 Advantages and Limitations of CTR
• efficiency – one can do parallel encryptions – in advance of need – good for bursty high speed links
• random access to encrypted data blocks
• provable security (good as other modes)
• but must ensure never to reuse key/counter values
CS 330 More Block Ciphers 21 Summary of modes
Electronic Code Book (ECB) Ci = EK1(Pi) (simplest - parallel)
Cipher Block Chaining (CBC) Ci = EK1(Pi XOR Ci-1) (block mode) C-1 = IV
Cipher Feedback (CFB) Ci = Pi XOR EK1(Ci-1)
(stream mode) C-1 = IV
Output Feedback (OFB) Ci = Pi XOR Oi
Oi = EK1(Oi-1)
O-1 = IV
Counter (CTR) Ci = Pi XOR Oi (simple - parallel; faster than Oi = EK1(i) CBC) CS 330 More Block Ciphers 22