ECE 646 Lecture 7
Modes of Operation of Block Ciphers

Required Reading:
I. W. Stallings, "Cryptography and Network Security," 5th edition, Chapter 6, Block Cipher Operation
II. A. Menezes, P. van Oorschot, and S. Vanstone, Handbook of Applied Cryptography, Section 7.2.2, Modes of Operation

Modes of Operation
Block vs. stream ciphers

Block cipher: plaintext blocks $M_1, M_2, \ldots, M_n$ are mapped to ciphertext blocks $C_1, C_2, \ldots, C_n$ by
$C_i = f(K, M_i)$.
Every block of ciphertext is a function of the key and of only the one corresponding block of plaintext.

Stream cipher: plaintext units $m_1, m_2, \ldots, m_n$ are mapped to ciphertext units $c_1, c_2, \ldots, c_n$ using an internal state $IS_i$:
$c_i = f(K, m_i, IS_i)$, $IS_{i+1} = g(K, IS_i)$.
Every unit of ciphertext is a function of the current unit of plaintext and the current internal state of the cipher.

Typical stream cipher: the sender and the receiver share a key and an initialization vector (seed). Each side feeds them into the same Pseudorandom Key Generator, which produces the keystream $k_i$. The sender computes ciphertext = plaintext XOR keystream; the receiver recovers plaintext = ciphertext XOR keystream.

Standard modes of operation of block ciphers:
- Block cipher: ECB mode
- Stream ciphers built from a block cipher: Counter mode, OFB mode, CFB mode, CBC mode

(CBC is grouped with the stream-cipher modes here because each ciphertext block depends on the internal state, namely the previous ciphertext block, even though it still processes the plaintext in full blocks and is more commonly described as a block-cipher mode.)
ECB (Electronic CodeBook) mode

Electronic Codebook Mode, ECB encryption: each plaintext block $M_1, M_2, \ldots, M_N$ is encrypted independently,
$C_i = E_K(M_i)$ for $i = 1..N$.

Electronic Codebook Mode, ECB decryption: each ciphertext block $C_1, C_2, \ldots, C_N$ is decrypted independently,
$M_i = D_K(C_i)$ for $i = 1..N$.
Criteria for Comparison of Modes of Operation
- hiding repeating message blocks
- speed
- capability for parallel processing and pipelining during encryption / decryption
- use of block cipher operations (encryption only, or both encryption and decryption)
- capability for preprocessing during encryption / decryption
- capability for random access for the purpose of reading / writing
- number of plaintext and ciphertext blocks required for exhaustive key search
- error propagation in the message after modifying / deleting one block / byte / bit of the corresponding ciphertext

The two tables "Block Cipher Modes of Operation, Basic Features (1) and (2)" score ECB, CTR, OFB, CFB and CBC against these criteria; they are filled in after the individual modes have been presented.
Counter Mode

Counter Mode, CTR encryption: the counter values $IV, IV+1, IV+2, \ldots, IV+N-1$ are encrypted to produce the keystream blocks $k_1, k_2, \ldots, k_N$, and
$c_i = m_i \oplus k_i$, where $k_i = E_K(IV + i - 1)$ for $i = 1..N$.

Counter Mode, CTR decryption: the receiver regenerates the same keystream from $IV$ and the key, and
$m_i = c_i \oplus k_i$, where $k_i = E_K(IV + i - 1)$ for $i = 1..N$.
Counter Mode, CTR, as a stream cipher: the internal state is an $L$-bit counter,
$IS_1 = IV$, $k_i = E_K(IS_i)$, $IS_{i+1} = IS_i + 1$.

J-bit Counter Mode, CTR: the plaintext and ciphertext units $m_i$, $c_i$ are $j$ bits long ($j \le L$). Only the first $j$ bits of each $L$-bit block-cipher output are used as keystream and the remaining $L - j$ bits are discarded,
$c_i = m_i \oplus k_i$, where $k_i = E_K(IV + i - 1)[1..j]$ for $i = 1..N$.
The counter itself stays $L$ bits wide and is still incremented by 1 for every unit; each $E_K$ output is split into the $j$ bits that are used and the $L - j$ bits that are dropped.
OFB (Output FeedBack) Mode

Output Feedback Mode, OFB encryption: the keystream is generated by repeatedly encrypting the previous block-cipher output,
$c_i = m_i \oplus k_i$, where $k_i = E_K(k_{i-1})$ for $i = 1..N$ and $k_0 = IV$.

Output Feedback Mode, OFB decryption:
$m_i = c_i \oplus k_i$, where $k_i = E_K(k_{i-1})$ for $i = 1..N$ and $k_0 = IV$.
Output Feedback Mode, OFB, as a stream cipher: the internal state is the previous $L$-bit keystream block,
$IS_1 = IV$, $k_i = E_K(IS_i)$, $IS_{i+1} = E_K(IS_i)$ (that is, $IS_{i+1} = k_i$).

J-bit Output Feedback Mode, OFB: the internal state is an $L$-bit shift register. In each step the register is encrypted, the leftmost $j$ bits of the output form the keystream unit $k_i$ (the remaining $L - j$ bits are discarded), and the register is shifted left by $j$ bits with $k_i$ shifted in on the right:
$IS_1 = IV$, $k_i = E_K(IS_i)[1..j]$, $c_i = m_i \oplus k_i$, $IS_{i+1} = (IS_i \ll j) \,\|\, k_i$.

CFB (Cipher FeedBack) Mode
Cipher Feedback Mode, CFB encryption: the keystream block is the encryption of the previous ciphertext block,
$c_i = m_i \oplus k_i$, where $k_i = E_K(c_{i-1})$ for $i = 1..N$ and $c_0 = IV$.

Cipher Feedback Mode, CFB decryption: the receiver regenerates each keystream block from the ciphertext it has already received,
$m_i = c_i \oplus k_i$, where $k_i = E_K(c_{i-1})$ for $i = 1..N$ and $c_0 = IV$.
Only the forward direction $E_K$ is used, in both encryption and decryption.

Cipher Feedback Mode, CFB, as a stream cipher: the internal state is the previous $L$-bit ciphertext block,
$IS_1 = IV$, $k_i = E_K(IS_i)$, $IS_{i+1} = c_i$.
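An added example, not part of the lecture, of the $j$-bit shift-register variants: the $j$-bit OFB shown above and the $j$-bit CFB presented next, with $L = 64$ and $j = 8$, so the register holds eight one-byte units. HMAC-SHA256 truncated to $L$ bits stands in for $E_K$ (only the forward direction is needed by these modes, and the stand-in is a keyed pseudorandom function rather than a permutation); the key, IV and message are constructed for the demo. The `damaged_units` check reproduces the error-propagation rows of the comparison table later in the lecture: flipping one ciphertext bit damages $j$ bits in OFB but $L + j$ bits in CFB, and deleting $j$ bits of ciphertext desynchronizes OFB for the rest of the message while CFB resynchronizes after $L$ bits.

```python
"""j-bit CFB and j-bit OFB with an L-bit shift register (only E_K is ever needed).

Stand-in for the forward block-cipher direction E_K: HMAC-SHA256 truncated to L bytes.
These modes never call D_K, so a keyed pseudorandom function is enough for the demo.
"""
import hashlib
import hmac

L = 8   # shift-register length in bytes (64 bits)
J = 1   # keystream / feedback unit in bytes (j = 8 bits); the register holds L // J = 8 units
KEY = b"demo-key-for-j-bit-modes"             # constructed demo key
IV = bytes([0xA5] * L)                        # constructed IV
MSG = bytes(range(32)) + b"end of message!!"  # constructed 48-byte message


def E(key, register):
    """Forward block-cipher call E_K(IS_i) on the L-byte register (PRF stand-in, not AES)."""
    return hmac.new(key, register, hashlib.sha256).digest()[:L]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def shift_in(register, unit):
    """IS_{i+1} = (IS_i << j) || unit: drop the oldest j bits, append the newest j bits."""
    return register[J:] + unit


def cfb_j(key, iv, data, decrypt=False):
    """j-bit CFB: k_i = E_K(IS_i)[1..j], c_i = m_i xor k_i, IS_{i+1} = (IS_i << j) || c_i.
    The ciphertext unit is what gets fed back: the unit we produced when encrypting,
    the unit we received when decrypting."""
    reg, out = iv, bytearray()
    for i in range(0, len(data), J):
        unit = data[i:i + J]
        res = xor(unit, E(key, reg)[:J])
        out += res
        reg = shift_in(reg, unit if decrypt else res)
    return bytes(out)


def ofb_j(key, iv, data):
    """j-bit OFB: k_i = E_K(IS_i)[1..j], IS_{i+1} = (IS_i << j) || k_i.
    The keystream does not depend on the data, so one function encrypts and decrypts."""
    reg, out = iv, bytearray()
    for i in range(0, len(data), J):
        k = E(key, reg)[:J]
        out += xor(data[i:i + J], k)
        reg = shift_in(reg, k)
    return bytes(out)


def wrong_positions(expected, recovered):
    return [i for i, (a, b) in enumerate(zip(expected, recovered)) if a != b]


def damaged_units(mode, fault, pos=10):
    """Corrupt ciphertext unit `pos` (fault "flip": invert one bit; "delete": drop the unit),
    decrypt, and return the indices of the recovered units that are wrong.
    After a deletion the receiver's output is compared with the message minus the lost unit,
    which is the best any receiver could recover."""
    c = cfb_j(KEY, IV, MSG) if mode == "CFB" else ofb_j(KEY, IV, MSG)
    if fault == "flip":
        bad = c[:pos] + bytes([c[pos] ^ 0x01]) + c[pos + 1:]
        expected = MSG
    else:
        bad = c[:pos] + c[pos + J:]
        expected = MSG[:pos] + MSG[pos + J:]
    recovered = cfb_j(KEY, IV, bad, decrypt=True) if mode == "CFB" else ofb_j(KEY, IV, bad)
    return wrong_positions(expected, recovered)


if __name__ == "__main__":
    for mode in ("CFB", "OFB"):
        for fault in ("flip", "delete"):
            print(mode, fault, "-> wrong units:", damaged_units(mode, fault))
```

With `pos = 10`, a flip in CFB damages unit 10 (one bit) and units 11 to 18 (the eight steps during which the corrupted unit sits in the register), while OFB damages unit 10 only; a deletion leaves CFB wrong only for units 10 to 17, after which the register again holds the last $L$ bits of genuine ciphertext, whereas OFB stays out of step to the end.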
J-bit Cipher Feedback Mode, CFB: the internal state is an $L$-bit shift register. In each step the register is encrypted, the leftmost $j$ bits of the output form the keystream unit, and the register is shifted left by $j$ bits with the $j$-bit ciphertext unit $c_i$ shifted in on the right:
$IS_1 = IV$, $k_i = E_K(IS_i)[1..j]$, $c_i = m_i \oplus k_i$, $IS_{i+1} = (IS_i \ll j) \,\|\, c_i$.

CBC (Cipher Block Chaining) Mode

Cipher Block Chaining Mode, CBC encryption: each plaintext block is XORed with the previous ciphertext block before encryption,
$c_i = E_K(m_i \oplus c_{i-1})$ for $i = 1..N$, $c_0 = IV$.
Cipher Block Chaining Mode, CBC decryption:
$m_i = D_K(c_i) \oplus c_{i-1}$ for $i = 1..N$, $c_0 = IV$.

Comparison among various modes

Block Cipher Modes of Operation, Basic Features (1)

Criterion | ECB | CTR | OFB | CFB | CBC
Hiding repeating plaintext blocks | No | Yes | Yes | Yes | Yes
Basic speed | $s_{ECB}$ | $s_{ECB}$ | $s_{ECB} \cdot j/L$ | $s_{ECB} \cdot j/L$ | $s_{ECB}$
Capability for parallel processing and pipelining | Encryption and decryption | Encryption and decryption | None | Decryption only | Decryption only
Cipher operations | Encryption and decryption | Encryption only | Encryption only | Encryption only | Encryption and decryption
Preprocessing | No | Yes | Yes | No | No
Random access | R/W | R/W | No | R only | R only

$s_{ECB}$ is the throughput of the block cipher in ECB mode. The factor $j/L$ for OFB and CFB refers to their $j$-bit variants, which spend one block-cipher call per $j$ bits of data. CFB and CBC can be decrypted in parallel, and any block read at random, because $m_i$ depends only on $c_{i-1}$ and $c_i$; writing block $i$ in those modes changes every later ciphertext block, hence "R only".
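The five modes above, as an added example that is not part of the lecture, implemented in Python over a toy 64-bit Feistel block cipher that stands in for DES/AES (the Feistel network, its SHA-256 round function, the key, the IV and the message with repeated blocks are all constructed for the demo; `E`/`D` play the roles of $E_K$/$D_K$ and the mode functions follow the lecture's formulas). It exercises the properties tabulated above and in the next table: ECB exposes repeated plaintext blocks while the other modes hide them, CBC allows a random-access read of block $i$ from $c_{i-1}$ and $c_i$ alone, and one flipped ciphertext bit damages one bit in CTR and OFB, one whole block in ECB, and one block plus one bit ($L + j$ bits) in CFB and CBC.

```python
"""ECB, CBC, CTR, OFB and CFB on top of a toy 64-bit Feistel block cipher.

The Feistel network with a SHA-256 round function is only a stand-in for AES/DES so the
modes can run stand-alone; a Feistel network is a permutation for any round function, so
D really is the inverse of E. The mode logic follows the lecture formulas.
"""
import hashlib

L = 8                              # block length in bytes (the lecture's L = 64 bits)
KEY = b"toy-demo-key"              # constructed demo key
IV = bytes(range(L))               # constructed IV: 00 01 02 ... 07
MSG = b"ATTACK AT DAWN. " * 3      # constructed 48-byte message: six blocks, only two distinct


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key, half, r):
    """Round function: keyed hash of one half block, truncated to L/2 bytes."""
    return hashlib.sha256(key + bytes([r]) + half).digest()[:L // 2]


def E(key, block):
    """E_K: 8-round Feistel permutation of one L-byte block."""
    left, right = block[:L // 2], block[L // 2:]
    for r in range(8):
        left, right = right, xor(left, _f(key, right, r))
    return right + left                 # undo the final swap so D is the same network run backwards


def D(key, block):
    """D_K: inverse of E, applying the rounds in reverse order."""
    right, left = block[:L // 2], block[L // 2:]
    for r in reversed(range(8)):
        right, left = left, xor(right, _f(key, left, r))
    return left + right


def blocks(data):
    assert len(data) % L == 0, "demo uses whole blocks; padding is out of scope"
    return [data[i:i + L] for i in range(0, len(data), L)]


# Every mode function takes (key, iv, data) so the modes can be tabulated; ECB ignores iv.
def ecb_enc(key, iv, m): return b"".join(E(key, mi) for mi in blocks(m))   # C_i = E_K(M_i)
def ecb_dec(key, iv, c): return b"".join(D(key, ci) for ci in blocks(c))   # M_i = D_K(C_i)


def cbc_enc(key, iv, m):
    out, prev = [], iv                                   # c_0 = IV
    for mi in blocks(m):
        prev = E(key, xor(mi, prev))                     # c_i = E_K(m_i xor c_{i-1})
        out.append(prev)
    return b"".join(out)


def cbc_dec(key, iv, c):
    cs = [iv] + blocks(c)                                # m_i = D_K(c_i) xor c_{i-1}
    return b"".join(xor(D(key, cs[i]), cs[i - 1]) for i in range(1, len(cs)))


def ctr_keystream(key, iv, n):
    start = int.from_bytes(iv, "big")                    # k_i = E_K(IV + i - 1), counter mod 2^L
    return [E(key, ((start + i) % (1 << (8 * L))).to_bytes(L, "big")) for i in range(n)]


def ofb_keystream(key, iv, n):
    ks, k = [], iv                                       # k_0 = IV
    for _ in range(n):
        k = E(key, k)                                    # k_i = E_K(k_{i-1})
        ks.append(k)
    return ks


def ctr_xor(key, iv, data):                              # same function encrypts and decrypts
    return b"".join(xor(k, d) for k, d in zip(ctr_keystream(key, iv, len(data) // L), blocks(data)))


def ofb_xor(key, iv, data):
    return b"".join(xor(k, d) for k, d in zip(ofb_keystream(key, iv, len(data) // L), blocks(data)))


def cfb_enc(key, iv, m):
    out, prev = [], iv                                   # c_0 = IV
    for mi in blocks(m):
        prev = xor(mi, E(key, prev))                     # c_i = m_i xor E_K(c_{i-1})
        out.append(prev)
    return b"".join(out)


def cfb_dec(key, iv, c):
    cs = [iv] + blocks(c)                                # m_i = c_i xor E_K(c_{i-1}); only E_K needed
    return b"".join(xor(cs[i], E(key, cs[i - 1])) for i in range(1, len(cs)))


MODES = {"ECB": (ecb_enc, ecb_dec), "CBC": (cbc_enc, cbc_dec), "CTR": (ctr_xor, ctr_xor),
         "OFB": (ofb_xor, ofb_xor), "CFB": (cfb_enc, cfb_dec)}


def distinct_ciphertext_blocks(mode):
    """Number of distinct ciphertext blocks produced for MSG, whose six blocks repeat in pairs."""
    enc, _ = MODES[mode]
    return len(set(blocks(enc(KEY, IV, MSG))))


def cbc_random_read(key, iv, c, i):
    """Random-access read of block i (1-based) in CBC: needs only c_{i-1} and c_i."""
    cs = [iv] + blocks(c)
    return xor(D(key, cs[i]), cs[i - 1])


def flip_bit(data, bit):
    b = bytearray(data)
    b[bit // 8] ^= 1 << (bit % 8)
    return bytes(b)


def error_propagation(mode, bit=8 * L + 3):
    """Flip one ciphertext bit (inside 0-based block 1 by default), decrypt, and report
    (0-based indices of damaged plaintext blocks, total number of damaged plaintext bits)."""
    enc, dec = MODES[mode]
    recovered = dec(KEY, IV, flip_bit(enc(KEY, IV, MSG), bit))
    damaged = [i for i, (a, b) in enumerate(zip(blocks(MSG), blocks(recovered))) if a != b]
    bits = sum(bin(a ^ b).count("1") for a, b in zip(MSG, recovered))
    return damaged, bits


if __name__ == "__main__":
    for mode in MODES:
        print(mode, "distinct blocks:", distinct_ciphertext_blocks(mode),
              "after a 1-bit flip (damaged blocks, bits):", error_propagation(mode))
```

Because `E` is a permutation, the outcomes are exact rather than probabilistic: ECB yields exactly two distinct ciphertext blocks for the six-block message, CTR and OFB pass the single flipped bit straight through to the plaintext, ECB garbles exactly the hit block, CBC garbles the hit block and flips one bit in the next, and CFB flips one bit in the hit block and garbles the next.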
Block Cipher Modes of Operation, Basic Features (2)

Criterion | ECB | CTR | OFB | CFB | CBC
Security against the exhaustive key search attack: minimum number of message and ciphertext blocks needed | 1 plaintext block, 1 ciphertext block | 1 plaintext block, 1 ciphertext block | 2 plaintext blocks, 2 ciphertext blocks (for j = L) | 1 plaintext block, 2 ciphertext blocks (for j = L) | 1 plaintext block, 2 ciphertext blocks
Error propagation in the decrypted message, modification of j bits | L bits | j bits | j bits | L + j bits | L + j bits
Error propagation in the decrypted message, deletion of j bits | Current and all subsequent | Current and all subsequent | Current and all subsequent | L bits | Current and all subsequent
Integrity | No | No | No | No | No

The block counts for exhaustive key search assume the attacker does not know the IV. In OFB the attacker derives $k_1 = m_1 \oplus c_1$ and $k_2 = m_2 \oplus c_2$ and tests each candidate key against $k_2 = E_K(k_1)$, which needs two blocks of each; in CFB and CBC the second ciphertext block is computed from the first ($k_2 = E_K(c_1)$, or $c_2 = E_K(m_2 \oplus c_1)$), so one plaintext block and two ciphertext blocks suffice. The "L bits" entry for deletion in CFB is its self-synchronizing property: as soon as the last $L$ bits of received ciphertext are again genuine, the shift register is back in step with the sender. None of the five modes provides integrity: an attacker can modify ciphertext without the receiver noticing.

New modes of operation

Evaluation Criteria for Modes of Operation: Security, Efficiency, Functionality
Evaluation criteria (1)
Security:
- resistance to attacks
- proof of security
- random properties of the ciphertext
Efficiency:
- number of calls of the block cipher
- capability for parallel processing
- memory/area requirements
- initialization time
- capability for preprocessing

Evaluation criteria (2)
Functionality:
- security services: confidentiality, integrity, authentication
- flexibility: variable lengths of blocks and keys; different amounts of precomputation; requirements on the length of the message
- vulnerability to implementation errors
- requirements on the number of keys, initialization vectors, random numbers, etc.
- error propagation and the capability for resynchronization
- patent restrictions

CBC (figure: $m_1, m_2, \ldots, m_N$ chained through $E_K$ into $c_1, c_2, \ldots, c_N$)
Problems:
- No parallel processing of blocks from the same packet
- No speed-up by preprocessing
- No integrity or authentication
Counter mode (figure: counters $IV, IV+1, IV+2, \ldots, IV+N$ encrypted into the keystream $k_0, k_1, \ldots, k_N$, which is XORed with $m_0, m_1, \ldots, m_N$ to give $c_0, c_1, \ldots, c_N$)
Features:
+ Potential for parallel processing
+ Speed-up by preprocessing
- No integrity or authentication

Properties of existing and new cipher modes (table; rows: Proof of security, Parallel processing, Preprocessing, Integrity and authentication, Resistance to implementation errors; columns: CBC, CFB, OFB, New standard; the only textual entry is "decryption only" for CFB under parallel processing)

OCB, Offset Codebook Mode (figure): message blocks $M_1, M_2, \ldots, M_{N-1}, M_N$ are combined with offsets $Z_1, Z_2, \ldots, Z_N$, where $Z_i = f(L, R, i)$, before and after $E_K$ to give $C_1, C_2, \ldots, C_N$; a length-dependent value $g(l)$ is used for the last block, and a checksum of the message blocks, offset by $Z_N$ and encrypted, is truncated to $\tau$ bits to form the authentication tag $T$.
New modes of block ciphers
1. CCM, Counter with CBC-MAC
- developed by R. Housley, D. Whiting, N. Ferguson in 2002
- assures simultaneous confidentiality and authentication
- not covered by any patent
- part of the IEEE 802.11i standard for wireless networks
2. GCM, Galois/Counter Mode
- developed by D. McGrew and J. Viega in 2005
- assures simultaneous confidentiality and authentication
- not covered by any patent
- used in the IEEE 802.1AE (MACsec) Ethernet security, ANSI (INCITS) Fibre Channel Security Protocols (FC-SP), IEEE P1619.1 tape storage, and IETF IPsec standards

Properties of new modes of operation (table; rows: Proof of security, Parallel processing, Preprocessing, Integrity and authentication, Resistance to implementation errors; columns: CBC, CFB, OFB, CTR, CCM, GCM). Textual entries: CFB, parallel processing: only decryption; CCM, parallel processing and preprocessing: half of operations, because only the CTR half of CCM can be parallelized or precomputed while its CBC-MAC half is inherently sequential.

FIPS standards: Modes of operation of block ciphers, timeline
- FIPS 81 (for DES): ECB, CBC, CFB, OFB
- Dec. 2001, SP 800-38A: ECB, CBC, CFB, OFB and CTR (counter mode), defined for an arbitrary block cipher
- May 2004, SP 800-38C: CCM
- Nov. 2007, SP 800-38D: GCM
Contests: Apr. 2001, NIST; 10 modes submitted to the contest (including CTR, OCB, IACBC, IAPM); patent issues.
Attacks: Aug. 2001, the DCM mode developed by NSA was broken several days after its publication.