Block Cipher Modes of Operation (Slide from John Dooley with thanks to Drs. Lawrie Brown & William Stallings) CS 330 More Block Ciphers 1 Current Block Cipher Design Principles • basic principles still like Feistel in 1970’s • number of rounds – more is better, exhaustive search best attack • function f: – provides “confusion”, is nonlinear, avalanche • key schedule – complex subkey creation, key avalanche CS 330 More Block Ciphers 2 But..... • There are things to consider when you implement a block cipher algorithm... CS 330 More Block Ciphers 3 Modes of Operation • block ciphers encrypt fixed size blocks • depending on how you implement the algorithm, you can open yourself up to guessing the plaintext or the key • four Modes of Operation were defined for the DES in ANSI standard ANSI X3.106-1983 Modes of Use CS 330 More Block Ciphers 4 Electronic Codebook (ECB) • message is broken into independent blocks which are encrypted • each block is a value which is substituted, like a codebook, hence the name • each block is encoded independently of the other blocks Ci = EK1(Pi) • this mode is typically only used when a very small number of blocks of information need to be sent. CS 330 More Block Ciphers 5 Electronic Codebook Book (ECB) CS 330 More Block Ciphers 6 Advantages and Limitations of ECB • repetitions in the message may show in ciphertext – if aligned with message block – particularly with data such as graphics – or with messages that change very little, which become a code-book analysis problem • weakness due to encrypted message blocks being independent • but, ECB is useful because the blocks can be encrypted and sent independently without affecting decryption. CS 330 More Block Ciphers 7 Cipher Block Chaining (CBC) • want a way to overcome the block independence of ECB • the message is broken into blocks, and • each previous cipher block is chained with the current plaintext block • uses an Initial Vector (IV) to start the process Ci = EKi(Pi XOR Ci-1) C-1 = IV CS 330 More Block Ciphers 8 Cipher Block Chaining (CBC) CS 330 More Block Ciphers 9 Advantages and Limitations of CBC • each ciphertext block depends on all the previous message blocks • thus a change in the message affects all ciphertext blocks after the change as well as the original block • chaining provides an avalanche effect CS 330 More Block Ciphers 10 More CBC • need Initial Value (IV) known to sender & receiver in addition to the key • at end of message, handle possible last short block CS 330 More Block Ciphers 11 Cipher FeedBack (CFB) Mode • the message is treated as a stream of bits that is added to the output of the block cipher • the result is feedback for the next stage (hence the name) • standard allows any number of bits (1,8 or 64 or whatever) to be fed back – denoted CFB-1, CFB-8, CFB-64 etc • it is most efficient to use all 64 bits (CFB-64) Ci = Pi XOR EK1(Ci-1) C-1 = IV CS 330 More Block Ciphers 12 Cipher FeedBack (CFB) CS 330 More Block Ciphers 13 Advantages and Limitations of CFB • appropriate when data arrives in bits/bytes • it is the most common stream mode • limitation is the need to stall while you do block encryption after every n-bits • note that the block cipher is used in encryption mode at both ends • errors propagate for several blocks after the error 14 CS 330 More Block Ciphers Output FeedBack (OFB) Mode • the message is treated as a stream of bits – the output of the cipher is added to the message – the output is then fed back – the feedback is independent of the message – the output can be computed in advance Ci = Pi XOR Oi Oi = EK1(Oi-1) O-1 = IV CS 330 More Block Ciphers 15 Output FeedBack (OFB) 16 CS 330 More Block Ciphers Advantages and Limitations of OFB • used when error feedback is a problem or where we need to do encryptions before the entire message is available • superficially similar to CFB – but the feedback is from the output of the cipher and is independent of the message • a variation of a Vernam cipher – hence must never reuse the same sequence (key+IV) CS 330 More Block Ciphers 17 Advantages and Limitations of OFB • the sender and receiver must remain in sync, and some recovery method is needed to ensure this occurs • originally specified with m-bit feedback in the standards • subsequent research has shown that only OFB-64 should ever be used CS 330 More Block Ciphers 18 Counter (CTR) • similar to OFB but encrypts a counter value rather than any feeDback value • must have a Different key & counter value for every plaintext block (never reused) Ci = Pi XOR Oi Oi = EK1(i) • Wireless Encryption Protocol (for 802.11b) uses a form of this methoD - not terribly secure if you re-use the IV values. CS 330 More Block Ciphers 19 Counter (CTR) CS 330 More Block Ciphers 20 Advantages and Limitations of CTR • efficiency – one can do parallel encryptions – in advance of need – good for bursty high speed links • random access to encrypted data blocks • provable security (good as other modes) • but must ensure never to reuse key/counter values CS 330 More Block Ciphers 21 Summary of modes Electronic Code Book (ECB) Ci = EK1(Pi) (simplest - parallel) Cipher Block Chaining (CBC) Ci = EK1(Pi XOR Ci-1) (block mode) C-1 = IV Cipher Feedback (CFB) Ci = Pi XOR EK1(Ci-1) (stream mode) C-1 = IV Output Feedback (OFB) Ci = Pi XOR Oi Oi = EK1(Oi-1) O-1 = IV Counter (CTR) Ci = Pi XOR Oi (simple - parallel; faster than Oi = EK1(i) CBC) CS 330 More Block Ciphers 22.