Block Cipher Modes of Operation

Home , Block cipher

(Slide from John Dooley with thanks to Drs. Lawrie Brown & William Stallings)

CS 330 More Block Ciphers 1 Current Block Cipher Design Principles

• basic principles still like Feistel in 1970’s

• number of rounds – more is better, exhaustive search best attack

• function f: – provides “confusion”, is nonlinear, avalanche

• key schedule – complex subkey creation, key avalanche

CS 330 More Block Ciphers 2 But.....

• There are things to consider when you implement a block cipher algorithm...

CS 330 More Block Ciphers 3 Modes of Operation

• block ciphers encrypt fixed size blocks

• depending on how you implement the algorithm, you can open yourself up to guessing the plaintext or the key

• four Modes of Operation were defined for the DES in ANSI standard ANSI X3.106-1983 Modes of Use

CS 330 More Block Ciphers 4 Electronic Codebook (ECB)

• message is broken into independent blocks which are encrypted

• each block is a value which is substituted, like a codebook, hence the name

• each block is encoded independently of the other blocks

Ci = EK1(Pi)

• this mode is typically only used when a very small number of blocks of information need to be sent.

CS 330 More Block Ciphers 5 Electronic Codebook Book (ECB)

CS 330 More Block Ciphers 6 Advantages and Limitations of ECB

• repetitions in the message may show in ciphertext – if aligned with message block – particularly with data such as graphics – or with messages that change very little, which become a code-book analysis problem

• weakness due to encrypted message blocks being independent

• but, ECB is useful because the blocks can be encrypted and sent independently without affecting decryption.

CS 330 More Block Ciphers 7 Cipher Block Chaining (CBC)

• want a way to overcome the block independence of ECB

• the message is broken into blocks, and

• each previous cipher block is chained with the current plaintext block

• uses an Initial Vector (IV) to start the process

Ci = EKi(Pi XOR Ci-1) C-1 = IV

CS 330 More Block Ciphers 8 Cipher Block Chaining (CBC)

CS 330 More Block Ciphers 9 Advantages and Limitations of CBC

• each ciphertext block depends on all the previous message blocks

• thus a change in the message affects all ciphertext blocks after the change as well as the original block

• chaining provides an avalanche effect

CS 330 More Block Ciphers 10 More CBC

• need Initial Value (IV) known to sender & receiver in addition to the key

• at end of message, handle possible last short block

CS 330 More Block Ciphers 11 Cipher FeedBack (CFB) Mode

• the message is treated as a stream of bits that is added to the output of the block cipher

• the result is feedback for the next stage (hence the name)

• standard allows any number of bits (1,8 or 64 or whatever) to be fed back – denoted CFB-1, CFB-8, CFB-64 etc

• it is most efficient to use all 64 bits (CFB-64)

Ci = Pi XOR EK1(Ci-1)

C-1 = IV

CS 330 More Block Ciphers 12 Cipher FeedBack (CFB)

CS 330 More Block Ciphers 13 Advantages and Limitations of CFB

• appropriate when data arrives in bits/bytes

• it is the most common stream mode

• limitation is the need to stall while you do block encryption after every n-bits

• note that the block cipher is used in encryption mode at both ends

• errors propagate for several blocks after the error

14 CS 330 More Block Ciphers Output FeedBack (OFB) Mode

• the message is treated as a stream of bits – the output of the cipher is added to the message – the output is then fed back – the feedback is independent of the message – the output can be computed in advance

Ci = Pi XOR Oi

Oi = EK1(Oi-1)

O-1 = IV

CS 330 More Block Ciphers 15 Output FeedBack (OFB)

16 CS 330 More Block Ciphers Advantages and Limitations of OFB

• used when error feedback is a problem or where we need to do encryptions before the entire message is available • superficially similar to CFB – but the feedback is from the output of the cipher and is independent of the message • a variation of a Vernam cipher – hence must never reuse the same sequence (key+IV)

CS 330 More Block Ciphers 17 Advantages and Limitations of OFB

• the sender and receiver must remain in sync, and some recovery method is needed to ensure this occurs • originally specified with m-bit feedback in the standards • subsequent research has shown that only OFB-64 should ever be used

CS 330 More Block Ciphers 18 Counter (CTR)

• similar to OFB but encrypts a counter value rather than any feedback value

• must have a different key & counter value for every plaintext block (never reused)

Ci = Pi XOR Oi

Oi = EK1(i) • Wireless Encryption Protocol (for 802.11b) uses a form of this method - not terribly secure if you re-use the IV values.

CS 330 More Block Ciphers 19 Counter (CTR)

CS 330 More Block Ciphers 20 Advantages and Limitations of CTR

• efficiency – one can do parallel encryptions – in advance of need – good for bursty high speed links

• random access to encrypted data blocks

• provable security (good as other modes)

• but must ensure never to reuse key/counter values

CS 330 More Block Ciphers 21 Summary of modes

Electronic Code Book (ECB) Ci = EK1(Pi) (simplest - parallel)

Cipher Block Chaining (CBC) Ci = EK1(Pi XOR Ci-1) (block mode) C-1 = IV

Cipher Feedback (CFB) Ci = Pi XOR EK1(Ci-1)

(stream mode) C-1 = IV

Output Feedback (OFB) Ci = Pi XOR Oi

Oi = EK1(Oi-1)

O-1 = IV

Counter (CTR) Ci = Pi XOR Oi (simple - parallel; faster than Oi = EK1(i) CBC) CS 330 More Block Ciphers 22