Chapter 7: Block Cipher Operation

Outline
- Multiple Encryption and Triple DES
- Electronic Codebook
- Cipher Block Chaining Mode
- Cipher Feedback Mode
- Output Feedback Mode
- Counter Mode
- XTS-AES Mode for Block-Oriented Storage Devices
- Format-Preserving Encryption

Triple DES
- Needed a replacement for DES
  - theoretical attacks that can break DES
  - exhaustive key search attacks have been demonstrated
- Advanced Encryption Standard is a new cipher alternative
- Alternative: use multiple encryption with DES
- Triple-DES is the chosen form

Why not Double DES?
- $C = E(K_2, E(K_1, P))$
- $P = D(K_1, D(K_2, C))$
- Key length is $56 \times 2 = 112$ bits

Reduction to a Single Stage
- The possibility of finding a key $K_3$ such that $E(K_2, E(K_1, P)) = E(K_3, P)$
  - Then double DES would be reduced to single DES
- Encryption vs. mapping
  - If two input blocks mapped to the same output block, it would be impossible to recover the original message (decryption)
  - DES defines one mapping for each different key
  - Total number of mapping

Meet-in-the-Middle Attack
- The use of double DES results in a mapping that is not equivalent to a single DES encryption
- The meet-in-the-middle attack algorithm will attack this scheme; it does not depend on any particular property of DES but will work against any block encryption cipher

Why not Double DES: Meet-in-the-Middle Attack
- Note: $X = E(K_1, P) = D(K_2, C)$
  - Step 1: encrypt P with all keys $K_1$ and store X
  - Step 2: decrypt C with all keys $K_2$ and match X values
- Attacks take $O(2^{56})$ steps, not much better than DES with $O(2^{55})$
- Double DES uses a 112-bit key
  - For a given plaintext P, the number of different 112-bit keys to produce a given ciphertext: $2^{112}/2^{64} = 2^{48}$
  - About $2^{48}$ false alarms on the first (P, C) pair
- With an additional 64 bits of known plaintext and ciphertext
  - The false alarm rate is reduced to $2^{48-64} = 2^{-16}$

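The two steps and the false-alarm count above can be run end to end on a scaled-down cipher. This is an added example, not part of the original slides: the 16-bit-block, 12-bit-key Feistel cipher, the key values and the plaintexts are all constructed for illustration, so one (P, C) pair leaves on the order of 2^24 / 2^16 = 2^8 false alarms and further pairs filter them out.

```python
# Toy Feistel cipher, constructed for this example: 16-bit block, 12-bit key,
# keeping DES's shape of a key shorter than the block (56-bit key, 64-bit block).
KEY_BITS, ROUNDS = 12, 4

def _subkey(k, i):
    r = 3 * i                                   # rotate the key right by 3*i bits
    return ((k >> r) | (k << (KEY_BITS - r))) & 0xFF

def _f(half, sk):
    return pow((half ^ sk) + 1, 3, 257) & 0xFF  # small nonlinear round function

def E(k, block):
    l, r = block >> 8, block & 0xFF
    for i in range(ROUNDS):
        l, r = r, l ^ _f(r, _subkey(k, i))
    return (l << 8) | r

def D(k, block):
    l, r = block >> 8, block & 0xFF
    for i in reversed(range(ROUNDS)):
        l, r = r ^ _f(l, _subkey(k, i)), l
    return (l << 8) | r

def meet_in_the_middle(p, c):
    table = {}
    for k1 in range(1 << KEY_BITS):             # step 1: store X = E(K1, P)
        table.setdefault(E(k1, p), []).append(k1)
    return [(k1, k2) for k2 in range(1 << KEY_BITS)   # step 2: X = D(K2, C)
            for k1 in table.get(D(k2, c), [])]

def confirm(cands, pairs):
    # Discard false alarms: a candidate must map every extra P to its C.
    return [(k1, k2) for k1, k2 in cands
            if all(E(k2, E(k1, p)) == c for p, c in pairs)]

def demo():
    k1, k2 = 0x3A7, 0xC15                       # constructed secret key pair
    pairs = [(p, E(k2, E(k1, p))) for p in (0x1234, 0xBEEF, 0x0F0F)]
    cands = meet_in_the_middle(*pairs[0])
    return (k1, k2), cands, confirm(cands, pairs[1:])

if __name__ == "__main__":
    true_keys, cands, survivors = demo()
    # Expect on the order of 2^24 / 2^16 = 2^8 candidates from one pair.
    print(len(cands), "candidates after one pair;", len(survivors), "after three")
    print("true key pair recovered:", true_keys in survivors)
```

The work is two passes over the 2^12 single keys rather than one pass over the 2^24 key pairs, which is the same saving that brings double DES down to about 2^56 steps.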
Triple DES with Two Keys
- Use 3 encryptions with 2 keys
  - $C = E(K_1, D(K_2, E(K_1, P)))$
  - $P = D(K_1, E(K_2, D(K_1, C)))$
- If K1 = K2 then 3DES can decrypt single DES
- No current known practical attacks

Attacks on 3DES
- Brute-force: $2^{112}$
- Finding plaintext to produce first intermediate value of A = 0
  - Using meet-in-the-middle on Double DES: $2^{56}$
  - Requires $2^{56}$ chosen plaintext-ciphertext pairs: impossible
- Known-plaintext attack
  - Assume that we know a and C ⇒ attacks on Double DES
  - Hard to know a
  - Using potential a
- $K_1 = i$, $K_2 = j$

Attacks on 3DES (cont'd)
1. Obtain n (P, C) pairs
2. Pick an arbitrary value a for A, and create a second table (try $2^{56}$ possible keys)
   - $P_i = D(i, a)$
   - $B = D(i, C)$
3. With a number of candidate values of $K_1$, search for $K_2$
   - For each of the $2^{56}$ possible keys $K_2 = j$, calculate $B_j = D(j, a)$
   - If matched, key pair (i, j) is one candidate
4. Test all candidate pairs of keys (i, j) to see if all plaintext-ciphertext pairs succeed
   - If not, repeat with a new value of a

Selecting the Value of a
- The probability of selecting a correct a: $1/2^{64}$
- Given n (P, C) pairs, the probability is $n/2^{64}$
- Probability theory:
  - N balls: n red balls, N-n green balls
  - The expected number of draws to get one red ball: $(N+1)/(n+1)$
- The expected number of values of a that must be tried:
- The expected running time of the attack

First Red Ball from N Balls
- The expected number of draws to get one red ball out of a bin containing n red balls and N-n green balls: $\frac{N+1}{n+1}$
- Derived from (arithmetic mean): $\sum_{i=1}^{N-n+1} i \cdot \frac{n}{N-i+1} \prod_{j=1}^{i-1} \frac{N-n-j+1}{N-j+1} = \frac{N+1}{n+1}$
- Example: number of draws to get the first red ball out of 4 balls (2 red balls and 2 green balls): $1 \cdot \frac{2}{4} + 2 \cdot \frac{2}{4} \cdot \frac{2}{3} + 3 \cdot \frac{2}{4} \cdot \frac{1}{3} = \frac{1}{2} + \frac{2}{3} + \frac{1}{2} = \frac{5}{3}$

Triple DES with Three Keys
- Although there are no practical attacks on two-key Triple-DES
- Can use Triple-DES with three keys to avoid any doubts
  - $C = E(K_3, D(K_2, E(K_1, P)))$
- Has been adopted by some Internet applications, e.g. PGP, S/MIME

Modes of Operation
- Block ciphers encrypt fixed-size blocks
  - E.g. DES encrypts 64-bit blocks, with 56-bit key
- Need a way to use them in practice, given that there is usually an arbitrary amount of information to encrypt
- Four were defined for DES in ANSI standard ANSI X3.106-1983 Modes of Use
- Subsequently now have 5 for DES and AES
- Have block and stream modes
  - Block modes: split messages into blocks (ECB, CBC)
  - Stream modes: operate on bit-stream messages (CFB, OFB)

Modes of Operation (Mode / Description / Typical Application)

Electronic Codebook (ECB)
  Description: Each block of plaintext bits is encoded independently using the same key.
  Typical application: Secure transmission of single values (e.g., an encryption key)

Cipher Block Chaining (CBC)
  Description: The input to the encryption algorithm is the XOR of the next block of plaintext and the preceding block of ciphertext.
  Typical application: General-purpose block-oriented transmission; Authentication

Cipher Feedback (CFB)
  Description: Input is processed s bits at a time. Preceding ciphertext is used as input to the encryption algorithm to produce pseudorandom output, which is XORed with plaintext to produce next unit of ciphertext.
  Typical application: General-purpose stream-oriented transmission; Authentication

Output Feedback (OFB)
  Description: Similar to CFB, except that the input to the encryption algorithm is the preceding encryption output, and full blocks are used.
  Typical application: Stream-oriented transmission over noisy channel (e.g., satellite communication)

Counter (CTR)
  Description: Each block of plaintext is XORed with an encrypted counter. The counter is incremented for each subsequent block.
  Typical application: General-purpose block-oriented transmission; Useful for high-speed requirements

[Figure: Electronic Codebook (ECB)]

Electronic Codebook (ECB)
- Plaintext is encrypted in blocks of fixed size
  - Possibly need padding at the end of message
- Each plaintext block is substituted with a ciphertext block, like a codebook
- Blocks are encrypted independently
  - $C_i = \mathrm{DES}(K, P_i)$
- Disadvantage: structure in plaintext shows up in ciphertext
  - if aligned with message block
  - particularly with data such as graphics
  - or with messages that change very little, which become a code-book analysis problem
  - equal blocks are encrypted as equal ciphertext blocks
  - ciphertext blocks can be modified without detection
- Weakness due to encrypted message blocks being independent
- Main use: secure transmission of single values

Criteria to Compare with ECB

[Figure: Cipher Block Chaining (CBC)]

Cipher Block Chaining (CBC)
- Blocks are linked together in the encryption operation
- Use Initial Vector (IV) to start process (needs to be known to sender and receiver)
- Uses: bulk data encryption, authentication

Advantages and Limitations of CBC
- Each ciphertext block depends on all message blocks
  - Thus a change in the message affects all ciphertext blocks after the change as well as the original block
- Need Initialization Vector (IV), nonce, known to sender & receiver
  - However, if IV is sent in the clear, an attacker can change bits of the first block, and change IV to compensate
  - Hence either IV must be a fixed value or it must be sent encrypted in ECB mode before rest of message
- At end of message, handle possible last short block
  - By padding either with known non-data value (e.g. nulls)
  - Or pad last block with count of pad size
    - E.g. [ b1 b2 b3 0 0 0 0 5] <- 3 data bytes, then 5 bytes pad+count

[Figure: s-bit Cipher Feedback (CFB): Encryption]

[Figure: s-bit Cipher Feedback (CFB): Decryption]

Cipher Feedback (CFB)
- Plaintext is treated as a stream of bits
  - Appropriate when data arrives in bits/bytes
- Added to the output of the block cipher
- Result is feedback for next stage
- Standard allows any number of bits (1, 8, 64...) to be fed back; denoted CFB-1, CFB-8, CFB-64 etc.
- Is most efficient to use all 64 bits (CFB-64)
- Errors propagate for several blocks after the error
- Uses: stream data encryption, authentication

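The shift-register mechanics and the error-propagation point above, as an added example that is not part of the original slides: CFB-8 over a 64-bit register, with one ciphertext bit flipped in transit. The function `E` is a SHA-256-based stand-in for the block cipher (an assumption of this example; CFB uses only the encrypt direction), and the key, IV and plaintext in the usage are constructed.

```python
import hashlib

B, S = 8, 1   # register (block) size and segment size in bytes: CFB-8, 64-bit block

def E(key, block):
    # Stand-in for the block cipher's encryption function (assumption of this
    # example). CFB never calls the decrypt direction, so a keyed PRF is enough.
    return hashlib.sha256(key + block).digest()[:B]

def cfb(key, iv, data, decrypt=False):
    sr, out = iv, bytearray()                  # shift register starts as the IV
    for i in range(0, len(data), S):
        seg = data[i:i + S]
        ks = E(key, sr)[:len(seg)]             # leftmost s bits of E(K, register)
        res = bytes(a ^ b for a, b in zip(seg, ks))
        cseg = seg if decrypt else res         # feedback is always the ciphertext
        sr = (sr + cseg)[-B:]                  # shift left by s bits, append C
        out += res
    return bytes(out)

def corrupted_positions(key, iv, pt, flip_at):
    # Flip one ciphertext bit in transit and list the plaintext bytes that
    # come out wrong at the receiver.
    ct = bytearray(cfb(key, iv, pt))
    ct[flip_at] ^= 0x01
    got = cfb(key, iv, bytes(ct), decrypt=True)
    return [i for i, (a, b) in enumerate(zip(pt, got)) if a != b]

if __name__ == "__main__":
    key, iv = b"k" * 8, bytes(8)               # constructed key and IV
    pt = bytes(range(32))                      # constructed plaintext
    assert cfb(key, iv, cfb(key, iv, pt), decrypt=True) == pt
    # The flipped byte is wrong, then up to B/S = 8 following bytes are garbled
    # while the bad byte sits in the register; after that decryption resyncs.
    print(corrupted_positions(key, iv, pt, 5))
```

With CFB-64 the same fault damages the affected block and the one after it; the smaller the segment, the more segments pass through the register before the bad ciphertext is shifted out.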