Block Cipher Operation

ABHILASH SREERAMANENI, Department of Computer Science, Seoul National University of Science and Technology, 2013-2014

CONTENTS

● Multiple Encryption and Triple DES
● Electronic Codebook (ECB)
● Cipher Block Chaining Mode (CBC)
● Cipher Feedback Mode (CFB)
● Output Feedback Mode (OFB)
● Counter Mode (CTR)
● XTS-AES Mode

MULTIPLE ENCRYPTION AND TRIPLE DES

● Double DES
● Triple DES with Two Keys
● Triple DES with Three Keys

DOUBLE DES

● The simplest form of multiple encryption has two encryption stages and two keys. Given a plaintext P and two encryption keys K1 and K2, the ciphertext C is generated as

  C = E(K2, E(K1, P))

● Decryption requires that the keys be applied in reverse order:

  P = D(K1, D(K2, C))

● For DES, this scheme apparently involves a key length of 56 * 2 = 112 bits, resulting in a dramatic increase in cryptographic strength.

[Figure: Double encryption. Encryption: P → E(K1) → X → E(K2) → C. Decryption: C → D(K2) → X → D(K1) → P.]

[Figure: Encryption and decryption with DES.]

REDUCTION TO A SINGLE STAGE

● Suppose it were true for DES, for all 56-bit key values, that given any two keys K1 and K2 it would be possible to find a key K3 such that

  E(K2, E(K1, P)) = E(K3, P)

  Then any number of stages of multiple encryption with DES would be useless, because the result would be equivalent to a single encryption with a single 56-bit key.

● DES is a mapping of 64-bit blocks to 64-bit blocks. If we consider all 2^64 possible input blocks, DES encryption with a specific key will map each block into a unique 64-bit block. The number of such one-to-one mappings is easily seen to be

  (2^64)! = 10^347380000000000000000 > 10^(10^20)

● DES defines one mapping for each different key, for a total number of mappings of

  2^56 < 10^17

● If DES is used twice with different keys, it will produce one of the many mappings that are not defined by a single application of DES.

MEET-IN-THE-MIDDLE ATTACK

● Double DES results in a mapping that is not equivalent to a single DES encryption, but it is subject to a meet-in-the-middle attack.

  C = E(K2, E(K1, P))

  X = E(K1, P) = D(K2, C)

● Given a known (P, C) pair: first, encrypt P for all 2^56 possible values of K1 and store the results. Then decrypt C using all 2^56 possible values of K2. As each decryption is produced, check it against the stored encryptions. If a match occurs, test the two resulting keys against a new known plaintext–ciphertext pair. If the two keys produce the correct ciphertext, accept them as the correct keys.
● Double DES uses, in effect, a 112-bit key, so there are 2^112 possible keys.
● For a given plaintext P, the number of different 112-bit keys that will produce a given ciphertext C is 2^112 / 2^64 = 2^48.
● With a second 64-bit block of known plaintext and ciphertext, the false alarm rate is reduced to 2^(48 - 64) = 2^-16.
● So if the meet-in-the-middle attack is performed on two blocks of known plaintext–ciphertext, the probability that the correct keys are determined is 1 - 2^-16.
● A known-plaintext attack will succeed against double DES, which has a key size of 112 bits, with an effort on the order of 2^56.

[Figure: Double DES multiple encryption and the meet-in-the-middle attack: P → E(K1) → X = E(K1, P) (intermediate ciphertext) → E(K2) → C = E(K2, E(K1, P)).]

TRIPLE DES WITH TWO KEYS

● An obvious counter to the meet-in-the-middle attack is to use three stages of encryption with three different keys. This raises the cost of the meet-in-the-middle attack to 2^112.
● It has the drawback of requiring a key length of 56 * 3 = 168 bits.
● Tuchman proposed a triple encryption method that uses only two keys. The function follows an Encrypt-Decrypt-Encrypt (EDE) sequence:

  C = E(K1, D(K2, E(K1, P)))

  P = D(K1, E(K2, D(K1, C)))

● The use of decryption for the second stage allows users of 3DES to decrypt data encrypted by users of the older single DES, by setting K2 = K1:

  C = E(K1, D(K1, E(K1, P))) = E(K1, P)

  P = D(K1, E(K1, D(K1, C))) = D(K1, C)

● Two-key 3DES is an alternative to DES and has been adopted for use in the standards ANS X9.17 and ISO 8732.
● Coppersmith [COPP94] notes that the cost of a brute-force key search on 3DES is on the order of 2^112 ≈ 5 × 10^33, and that the cost of cryptanalysis, compared to single DES, exceeds 10^52.
● There are several proposed attacks on 3DES, although none is practical.
● The first serious proposal came from Merkle and Hellman [MERK81]. Their plan involves finding plaintext values that produce a first intermediate value of A = 0 and then using the meet-in-the-middle attack to determine the two keys.

[Figure: Two-key triple encryption. Encryption: P → E(K1) → A → D(K2) → B → E(K1) → C. Decryption: C → D(K1) → B → E(K2) → A → D(K1) → P.]

● The attack is based on the observation that if we know A and C.
● The attacker does not know A, even if P and C are known, as long as the two keys are unknown.
● However, the attacker can choose a potential value of A and then try to find a known (P, C) pair that produces A. The attack proceeds as follows:

(1) Obtain n (P, C) pairs. This is the known plaintext. Place these in a table sorted on the values of P.

(2) Pick an arbitrary value a for A. For each of the 2^56 possible keys K1 = i, calculate the plaintext value Pi that produces a:

  Pi = D(i, a)

  For each Pi that matches an entry in the table, record the K1 value i and the value of B that is produced for the (P, C) pair, assuming that value of K1:

  B = D(i, C)

(3) For each of the 2^56 possible keys K2 = j, calculate the second intermediate value for our chosen value of a:

  Bj = D(j, a)

  If there is a match between Bj and a recorded B, then the corresponding key i plus this value of j are candidate values for the unknown keys (K1, K2).

● If a pair of keys produces the desired ciphertext, the task is complete.
● The probability of selecting the unique value of a that leads to success is 1/2^64. The probability of success for a single selected value of a is n/2^64.
● A basic result from probability theory is that the expected number of draws required to draw one red ball out of a bin containing n red balls and N - n green balls is (N + 1)/(n + 1) if the balls are not replaced.
● Thus, the expected running time of the attack is on the order of

[Figure: Two-key triple encryption with candidate pair of keys (i, j): Pi → E(i) → a → D(j) → Bj → E(i) → Ci.]

TRIPLE DES WITH THREE KEYS

● Although the attacks just described appear impractical, anyone using two-key 3DES may feel some concern.
● Researchers now feel that three-key 3DES is the preferred alternative.
● Three-key 3DES has an effective key length of 168 bits and is defined as

  C = E(K3, D(K2, E(K1, P)))

ELECTRONIC CODEBOOK (ECB)

● The electronic codebook (ECB) mode is one in which plaintext is handled one block at a time and each block of plaintext is encrypted using the same key.
● The term codebook is used because, for a given key, there is a unique ciphertext for every b-bit block of plaintext.
● The procedure is simply to break the message into b-bit blocks, padding the last block if necessary.
● Decryption is performed one block at a time, always using the same key.

[Figure: ECB encryption: each plaintext block P1, P2, ..., PN is encrypted under the same key K to give C1, C2, ..., CN.]

[Figure: ECB decryption: each ciphertext block C1, C2, ..., CN is decrypted under the same key K to give P1, P2, ..., PN.]

● The plaintext consists of a sequence of b-bit blocks P1, P2, ..., PN; the corresponding sequence of ciphertext blocks is C1, C2, ..., CN.

  ECB encryption:  Cj = E(K, Pj)   j = 1, ..., N
  ECB decryption:  Pj = D(K, Cj)   j = 1, ..., N

● The ECB method is ideal for a short amount of data, such as an encryption key.
● For lengthy messages, the ECB mode may not be secure.
● If the message has repetitive elements with a period of repetition a multiple of b bits, then these elements can be identified by the analyst.

LIMITATIONS OF ECB

● Message repetitions may show in the ciphertext.
● The weakness is due to the encrypted message blocks being independent.
● Vulnerable to cut-and-paste attacks.
● Main use is sending a few blocks of data.

CIPHER BLOCK CHAINING MODE

● The input to the encryption algorithm is the XOR of the current plaintext block and the preceding ciphertext block; the same key is used for each block.
● In effect, the processing of the sequence of plaintext blocks is chained together.
● The input to the encryption function for each plaintext block bears no fixed relationship to the plaintext block.
● As with the ECB mode, the CBC mode requires that the last block be padded to a full b bits if it is a partial block.
● For decryption, each cipher block is passed through the decryption algorithm, and the result is XORed with the preceding ciphertext block to produce the plaintext block.

  Cj = E(K, [Cj-1 ⊕ Pj])

[Figure: CBC encryption: IV ⊕ P1 → E(K) → C1; C1 ⊕ P2 → E(K) → C2; ...; CN-1 ⊕ PN → E(K) → CN.]

[Figure: CBC decryption: D(K, C1) ⊕ IV → P1; D(K, C2) ⊕ C1 → P2; ...; D(K, CN) ⊕ CN-1 → PN.]

● Then

  D(K, Cj) = D(K, E(K, [Cj-1 ⊕ Pj]))
  D(K, Cj) = Cj-1 ⊕ Pj
  Cj-1 ⊕ D(K, Cj) = Cj-1 ⊕ Cj-1 ⊕ Pj = Pj

● To produce the first block of ciphertext, an initialization vector (IV) is XORed with the first block of plaintext.
● On decryption, the IV is XORed with the output of the decryption algorithm to recover the first block of plaintext.
● The IV is a data block that is the same size as the cipher block.

CBC MODE

  Encryption:  C1 = E(K, [P1 ⊕ IV])
               Cj = E(K, [Pj ⊕ Cj-1])   j = 2, ..., N

  Decryption:  P1 = D(K, C1) ⊕ IV
               Pj = D(K, Cj) ⊕ Cj-1     j = 2, ..., N

● The IV must be known to both the sender and receiver but be unpredictable by a third party.
● It must not be possible to predict the IV that will be associated with the plaintext in advance of the generation of the IV.

● For maximum security, the IV should be protected against unauthorized changes.
● One reason for protecting the IV is as follows. If an opponent is able to fool the receiver into using a different value for the IV, then the opponent is able to invert selected bits in the first block of plaintext. To see this, consider

  C1 = E(K, [IV ⊕ P1])

  P1 = IV ⊕ D(K, C1)

● Let X[i] denote the ith bit of the b-bit quantity X. Then

  P1[i] = IV[i] ⊕ D(K, C1)[i]

● Using the properties of XOR, we can state

  P1[i]' = IV[i]' ⊕ D(K, C1)[i]

  where the prime notation denotes bit complementation.
● So if an opponent can predictably change bits in the IV, the corresponding bits of the received value of P1 can be changed.
● Other possible attacks are based on prior knowledge of the IV.
● As long as it is unpredictable, the specific choice of IV is unimportant.

● There are two methods of generating an unpredictable IV. The first method is to apply the encryption function, under the same key that is used for the encryption of the plaintext, to a nonce. The second method is to generate a random data block using a random number generator.
● Because of the chaining mechanism of CBC, it is an appropriate mode for encrypting messages of length greater than b bits.
● In addition to its use to achieve confidentiality, the CBC mode can be used for authentication.

ADVANTAGES AND LIMITATIONS OF CBC

● A ciphertext block depends on all blocks before it.
● Any change to a block affects all following ciphertext blocks.
● Needs an initialization vector (IV), which must be known to sender and receiver.
● If the IV is sent in the clear, an attacker can change bits of the first block by changing the corresponding bits of the IV.
● Hence the IV must either be a fixed value or be derived in a way that is hard to manipulate.

CIPHER FEEDBACK MODE

● For AES, DES, or any block cipher, encryption is performed on a block of b bits.
● A stream-cipher mode eliminates the need to pad a message to be an integral number of blocks. It also can operate in real time: if a character stream is being transmitted, each character can be encrypted and transmitted immediately using a character-oriented stream cipher.
● One desirable property of a stream cipher is that the ciphertext be of the same length as the plaintext. If more output bits are produced than plaintext bits, transmission capacity is wasted.
● The input to the encryption function is a b-bit shift register that is initially set to some initialization vector (IV).
● The leftmost (most significant) s bits of the output of the encryption function are XORed with the first segment of plaintext P1 to produce the first unit of ciphertext C1, which is then transmitted.
● The contents of the shift register are shifted left by s bits, and C1 is placed in the rightmost (least significant) s bits of the shift register.
● For decryption, the received ciphertext unit is XORed with the output of the encryption function to produce the plaintext unit.
● Note: it is the encryption function that is used, not the decryption function.
● Let MSBs(X) be defined as the most significant s bits of X. Then

  C1 = P1 ⊕ MSBs[E(K, IV)]

● Rearranging terms:

  P1 = C1 ⊕ MSBs[E(K, IV)]

[Figure: s-bit cipher feedback (CFB) mode encryption.]

[Figure: s-bit cipher feedback (CFB) mode decryption.]

● CFB mode:

  Encryption:  I1 = IV
               Ij = LSBb-s(Ij-1) || Cj-1   j = 2, ..., N
               Oj = E(K, Ij)               j = 1, ..., N
               Cj = Pj ⊕ MSBs(Oj)          j = 1, ..., N

  Decryption:  I1 = IV
               Ij = LSBb-s(Ij-1) || Cj-1   j = 2, ..., N
               Oj = E(K, Ij)               j = 1, ..., N
               Pj = Cj ⊕ MSBs(Oj)          j = 1, ..., N

● Although CFB can be viewed as a stream cipher, it does not conform to the typical construction of a stream cipher: in CFB, the stream of bits that is XORed with the plaintext also depends on the plaintext.

OUTPUT FEEDBACK MODE

● Output feedback (OFB) mode is similar in structure to that of CFB.
● It is the output of the encryption function that is fed back to the shift register in OFB, whereas in CFB the ciphertext unit is fed back to the shift register.
● The other difference is that the OFB mode operates on full blocks of plaintext and ciphertext, not on an s-bit subset.
● Encryption:

  Cj = Pj ⊕ E(K, [Cj-1 ⊕ Pj-1])

● Decryption:

  Pj = Cj ⊕ E(K, [Cj-1 ⊕ Pj-1])

[Figure: Output feedback (OFB) mode encryption.]

[Figure: Output feedback (OFB) mode decryption.]

● OFB mode:

  Encryption:  I1 = Nonce
               Ij = Oj-1              j = 2, ..., N
               Oj = E(K, Ij)          j = 1, ..., N
               Cj = Pj ⊕ Oj           j = 1, ..., N-1
               C*N = P*N ⊕ MSBu(ON)

  Decryption:  I1 = Nonce
               Ij = Oj-1              j = 2, ..., N
               Oj = E(K, Ij)          j = 1, ..., N
               Pj = Cj ⊕ Oj           j = 1, ..., N-1
               P*N = C*N ⊕ MSBu(ON)

● The last block of plaintext contains u bits (indicated by *), with u ≤ b.
● As with CBC and CFB, the OFB mode requires an IV. In OFB, the IV must be a nonce.
● The sequence of encryption output blocks Oj depends only on the key and the IV and does not depend on the plaintext.
● For a given key and IV, the stream of output bits used to XOR with the stream of plaintext bits is fixed.
● One advantage of the OFB method is that bit errors in transmission do not propagate.
● The disadvantage of OFB is that it is more vulnerable to a message stream modification attack than is CFB.

COUNTER MODE

● Interest in counter (CTR) mode has increased recently with applications to ATM (asynchronous transfer mode) network security and IP security.
● A counter equal to the plaintext block size is used.
● The counter value must be different for each plaintext block that is encrypted.
● Typically, the counter is initialized to some value and then incremented by 1 for each subsequent block.
● For encryption, the counter is encrypted and then XORed with the plaintext block to produce the ciphertext block; there is no chaining.
● For decryption, the same sequence of counter values is used, with each encrypted counter XORed with a ciphertext block to recover the corresponding plaintext block.

[Figure: Counter (CTR) mode encryption.]

[Figure: Counter (CTR) mode decryption.]

● CTR mode, given a sequence of counters T1, T2, ..., TN:

  Encryption:  Cj = Pj ⊕ E(K, Tj)           j = 1, ..., N-1
               C*N = P*N ⊕ MSBu[E(K, TN)]

  Decryption:  Pj = Cj ⊕ E(K, Tj)           j = 1, ..., N-1
               P*N = C*N ⊕ MSBu[E(K, TN)]

● We do not need to use padding because of the structure of the CTR mode.
● If a counter value is used multiple times, then the confidentiality of all of the plaintext blocks corresponding to that counter value may be compromised.
● Knowledge of the encryption output for a counter value allows any other plaintext blocks that are encrypted using the same counter value to be recovered.
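The three properties described above (ECB exposing repeated blocks, CBC letting an altered IV flip bits of P1, and CTR counter reuse cancelling the keystream) as an added example that is not part of the original slides. It assumes a 64-bit toy Feistel cipher built from SHA-256 as a stand-in for DES, since the mode logic does not depend on which block cipher is underneath; the keys, IVs and messages are constructed sample values.

```python
import hashlib

BLOCK = 8  # 64-bit blocks, as in DES

def _feistel(key: bytes, block: bytes, rounds) -> bytes:
    # 16-round balanced Feistel network; running the rounds in reverse inverts it.
    l, r = int.from_bytes(block[:4], "big"), int.from_bytes(block[4:], "big")
    for rnd in rounds:
        # Round function: keyed hash of the right half (stand-in for DES's f).
        h = hashlib.sha256(key + bytes([rnd]) + r.to_bytes(4, "big")).digest()
        l, r = r, l ^ int.from_bytes(h[:4], "big")
    return r.to_bytes(4, "big") + l.to_bytes(4, "big")  # undo the final swap

def encrypt_block(key: bytes, block: bytes) -> bytes:
    return _feistel(key, block, range(16))
def decrypt_block(key: bytes, block: bytes) -> bytes:
    return _feistel(key, block, reversed(range(16)))
def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))  # truncates to the shorter input
def blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key: bytes, pt: bytes) -> bytes:
    # ECB: Cj = E(K, Pj); each block is encrypted independently.
    return b"".join(encrypt_block(key, p) for p in blocks(pt))

def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    # CBC: Cj = E(K, Pj xor Cj-1), with C0 = IV.
    out, prev = [], iv
    for p in blocks(pt):
        prev = encrypt_block(key, xor(prev, p))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    # CBC: Pj = D(K, Cj) xor Cj-1, so P1 = D(K, C1) xor IV.
    out, prev = [], iv
    for c in blocks(ct):
        out.append(xor(prev, decrypt_block(key, c)))
        prev = c
    return b"".join(out)

def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # CTR: Cj = Pj xor E(K, Tj), Tj = nonce + j; decryption is the same call.
    # A short final block is XORed with MSBu of the keystream, so no padding.
    out, t0 = [], int.from_bytes(nonce, "big")
    for j, d in enumerate(blocks(data)):
        t = ((t0 + j) % 2**64).to_bytes(BLOCK, "big")
        out.append(xor(d, encrypt_block(key, t)))
    return b"".join(out)

def ecb_repeats_visible(key: bytes) -> bool:
    # ECB limitation: equal plaintext blocks give equal ciphertext blocks.
    ct = blocks(ecb_encrypt(key, b"SAMEBLCK" * 3 + b"DIFFERNT"))
    return ct[0] == ct[1] == ct[2] and ct[0] != ct[3]

def cbc_decrypt_with_altered_iv(key: bytes, iv: bytes) -> bytes:
    # Why the IV must be protected: flipping IV bit i flips bit i of P1 only.
    ct = cbc_encrypt(key, iv, b"PAY $100" + b"TO ALICE")
    return cbc_decrypt(key, bytes([iv[0] ^ 0x01]) + iv[1:], ct)

def ctr_counter_reuse_leaks(key: bytes, nonce: bytes) -> bool:
    # Counter reuse: the keystream cancels, so C1 xor C2 = P1 xor P2.
    p1, p2 = b"ATTACK@1", b"RETREAT!"
    return xor(ctr_crypt(key, nonce, p1), ctr_crypt(key, nonce, p2)) == xor(p1, p2)
```

With the constructed key and an all-zero IV, cbc_decrypt_with_altered_iv returns b"QAY $100TO ALICE": only the first byte of P1 changes, which is exactly the bit-inversion the slides warn about.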

ADVANTAGES OF CTR

● Hardware and software efficiency: encryption or decryption of blocks can be done in parallel in hardware or software.
● Preprocessing: the execution of the underlying encryption algorithm does not depend on input of the plaintext or ciphertext, so the encrypted counters can be computed in advance of need. Good for bursty high-speed links.
● Random access: the ith block of plaintext or ciphertext can be processed in random-access fashion, unlike with the chaining modes. This is useful in applications in which a ciphertext is stored and it is desired to decrypt just one block.
● It can be shown that CTR is at least as secure as the other modes.
● Simplicity: unlike ECB and CBC modes, CTR mode requires only the implementation of the encryption algorithm and not the decryption algorithm.

FEEDBACK CHARACTERISTIC OF MODES OF OPERATION

● To understand the feedback mechanism, it is useful to think of the encryption function as taking input from an input register whose length equals the encryption block length and with output stored in an output register.
● The input register is updated one block at a time by the feedback mechanism.
● Both OFB and CTR produce output that is independent of both the plaintext and the ciphertext.

[Figure: Feedback characteristic of the modes of operation.]

FIVE BLOCK CIPHER MODES OF OPERATION

Mode | Description | Typical Application
Electronic Codebook (ECB) | Each block of 64 plaintext bits is encoded independently using the same key. | Secure transmission of single values (e.g., an encryption key)
Cipher Block Chaining (CBC) | The input to the encryption algorithm is the XOR of the next 64 bits of plaintext and the preceding 64 bits of ciphertext. | General-purpose block-oriented transmission; authentication
Cipher Feedback (CFB) | Input is processed s bits at a time. Preceding ciphertext is used as input to the encryption algorithm to produce pseudorandom output, which is XORed with plaintext to produce the next unit of ciphertext. | General-purpose stream-oriented transmission; authentication
Output Feedback (OFB) | Similar to CFB, except that the input to the encryption algorithm is the preceding encryption output, and full blocks are used. | Stream-oriented transmission over noisy channel (e.g., satellite communication)
Counter (CTR) | Each block of plaintext is XORed with an encrypted counter. The counter is incremented for each subsequent block. | Stream-oriented transmission over noisy channel (e.g., satellite communication)

XTS-AES MODE

● Topics: Storage Encryption Requirements; Operation on a Single Block; Operation on a Sector
● XTS-AES is a new mode for block-oriented storage devices, for use in IEEE Std 1619-2007.
● This standard describes a method of encryption for data stored in sector-based devices.
● XTS-AES mode is based on the concept of a tweakable block cipher.
● The standard has received widespread industry support.

STORAGE ENCRYPTION REQUIREMENTS

(1) The ciphertext is freely available for an attacker:
    ● In a database, other users can retrieve an encrypted record but are unable to read it without the key.
    ● An unauthorized user manages to gain access to encrypted records.
    ● A data disk or laptop is stolen, giving the adversary access to the encrypted data.
(2) The data layout is not changed on the storage medium and in transit.
(3) Data are accessed in fixed-sized blocks, independently from each other.
(4) Encryption is performed in 16-byte blocks, independently from other blocks.
(5) No other metadata is used, except the location of the data blocks within the whole data set.
(6) A standard-conformant device can be constructed for decryption of data encrypted by another standard-conformant device.

● With CTR mode, an adversary with write access to the encrypted media can flip any bit of the plaintext by flipping the corresponding ciphertext bit.
● With CBC, an adversary with read/write access to the encrypted disk can copy a ciphertext sector from one position to another.

OPERATION ON A SINGLE BLOCK

● The parameters are:
(1) j: the sequential number of the 128-bit block inside the data unit.
(2) i: the value of the 128-bit tweak. Each data unit (sector) is assigned a tweak value.
● The j parameter assures that if the same plaintext block appears at two different positions within a data unit, it will encrypt to two different ciphertext blocks.
● The i parameter assures that, if the same plaintext block appears at the same position in two different data units, it will encrypt to two different ciphertext blocks.

[Figure: XTS-AES encryption of a single block.]

[Figure: XTS-AES decryption of a single block.]

● Encryption and decryption of a single block (XTS-AES block operation):

  Encryption:  T = E(K2, i) ⊗ α^j        Decryption:  T = E(K2, i) ⊗ α^j
               PP = P ⊕ T                             CC = C ⊕ T
               CC = E(K1, PP)                         PP = D(K1, CC)
               C = CC ⊕ T                             P = PP ⊕ T

  where ⊗ denotes multiplication in GF(2^128), α is a primitive element of GF(2^128), and α^j is α raised to the jth power.

● Encryption: C = CC ⊕ T = E(K1, PP) ⊕ T = E(K1, P ⊕ T) ⊕ T
● Decryption: P = PP ⊕ T = D(K1, CC) ⊕ T = D(K1, C ⊕ T) ⊕ T
● Substituting for C: P = D(K1, E(K1, P ⊕ T) ⊕ T ⊕ T) ⊕ T = (P ⊕ T) ⊕ T = P
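The single-block operation above as an added example, not code from the slides or from IEEE 1619: it computes the per-block tweak T = E(K2, i) ⊗ α^j with the GF(2^128) multiplication the standard specifies and applies the whitening PP = P ⊕ T, C = CC ⊕ T. Assumptions: an HMAC-SHA256 keyed hash stands in for E(K2, i), and E(K1, ·) and D(K1, ·) are passed in as callables because no AES is implemented here; the sector numbers and plaintext are constructed sample values.

```python
import hashlib
import hmac

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def mul_alpha(t: bytes) -> bytes:
    # Multiply a 128-bit value by alpha in GF(2^128) as IEEE 1619 specifies:
    # byte 0 holds the least significant bits, and an overflow out of bit 127
    # is reduced by the polynomial x^128 + x^7 + x^2 + x + 1 (0x87 into byte 0).
    out, carry = bytearray(16), 0
    for k in range(16):
        out[k] = ((t[k] << 1) & 0xFF) | carry
        carry = t[k] >> 7
    if carry:
        out[0] ^= 0x87
    return bytes(out)

def sector_tweak_base(k2: bytes, i: int) -> bytes:
    # Stand-in for E(K2, i): a keyed PRF over the 128-bit sector number.
    # A real implementation encrypts i with AES under K2.
    return hmac.new(k2, i.to_bytes(16, "little"), hashlib.sha256).digest()[:16]

def tweaks(t0: bytes, nblocks: int) -> list:
    # T_j = E(K2, i) (x) alpha^j: block j's tweak is block j-1's tweak times alpha.
    ts = [t0]
    for _ in range(1, nblocks):
        ts.append(mul_alpha(ts[-1]))
    return ts

def xts_block_encrypt(enc, t: bytes, p: bytes) -> bytes:
    # PP = P xor T; CC = E(K1, PP); C = CC xor T.  `enc` is E(K1, .).
    return xor(enc(xor(p, t)), t)

def xts_block_decrypt(dec, t: bytes, c: bytes) -> bytes:
    # CC = C xor T; PP = D(K1, CC); P = PP xor T.  `dec` is D(K1, .).
    return xor(dec(xor(c, t)), t)

def whitened_inputs(k2: bytes, i: int, p: bytes, nblocks: int) -> list:
    # The value that actually enters E(K1, .) when the same plaintext block P
    # sits at positions j = 0 .. nblocks-1 of sector i: distinct for every j,
    # and distinct across sectors for the same j, which is the point of i and j.
    return [xor(p, t) for t in tweaks(sector_tweak_base(k2, i), nblocks)]
```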

OPERATION ON A SECTOR

● The plaintext of a sector or data unit is organized into blocks of 128 bits. The blocks are labelled P0, P1, ..., Pm.
● For both encryption and decryption, each block is treated independently.
● The last two blocks are encrypted/decrypted using a ciphertext-stealing technique instead of a padding scheme, so that the ciphertext length is the same as the plaintext length. This requires more than one block of plaintext.

[Figure: XTS-AES mode encryption and decryption of a sector.]

● Block encryption: XTS-AES-blockEnc(K, Pj, i, j)
● Block decryption: XTS-AES-blockDec(K, Cj, i, j)

ADVANTAGES AND LIMITATIONS OF XTS-AES

● Efficiency: can do parallel encryptions in hardware or software; random access to encrypted data blocks.
● Has both a nonce (i) and a counter (j).
● Addresses security concerns related to stored data.

END

THANK YOU