Modes of Operation of Block Ciphers



Similar documents
Table of Contents. Bibliografische Informationen digitalisiert durch

How To Attack A Block Cipher With A Key Key (Dk) And A Key (K) On A 2Dns) On An Ipa (Ipa) On The Ipa 2Ds (Ipb) On Pcode)

Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu

Network Security. Modes of Operation. Steven M. Bellovin February 3,

Error oracle attacks and CBC encryption. Chris Mitchell ISG, RHUL

EXAM questions for the course TTM Information Security May Part 1

Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs

lundi 1 octobre 2012 In a set of N elements, by picking at random N elements, we have with high probability a collision two elements are equal

IT Networks & Security CERT Luncheon Series: Cryptography

WINTER SCHOOL ON COMPUTER SECURITY. Prof. Eli Biham

Message Authentication Codes. Lecture Outline

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

Common Pitfalls in Cryptography for Software Developers. OWASP AppSec Israel July The OWASP Foundation

Overview of Symmetric Encryption

Symmetric Crypto MAC. Pierre-Alain Fouque


Talk announcement please consider attending!

1 Data Encryption Algorithm

Network Security. Computer Networking Lecture 08. March 19, HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23

IronKey Data Encryption Methods

Data Encryption WHITE PAPER ON. Prepared by Mohammed Samiuddin.

CS155. Cryptography Overview

MAC. SKE in Practice. Lecture 5

Developing and Investigation of a New Technique Combining Message Authentication and Encryption

Network Security - ISA 656 Introduction to Cryptography

Authentication requirement Authentication function MAC Hash function Security of

Cryptographic mechanisms

CS 758: Cryptography / Network Security

CSci 530 Midterm Exam. Fall 2012

Message authentication

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Chapter 11 Security+ Guide to Network Security Fundamentals, Third Edition Basic Cryptography

Lecture 9 - Network Security TDTS (ht1)

SAMPLE EXAM QUESTIONS MODULE EE5552 NETWORK SECURITY AND ENCRYPTION ECE, SCHOOL OF ENGINEERING AND DESIGN BRUNEL UNIVERSITY UXBRIDGE MIDDLESEX, UK

Massachusetts Institute of Technology Handout : Network and Computer Security October 9, 2003 Professor Ronald L. Rivest.

Security for Computer Networks

Cryptography and Network Security Chapter 11. Fourth Edition by William Stallings

SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1

Chapter 8. Network Security

AES Cipher Modes with EFM32

Designing Hash functions. Reviewing... Message Authentication Codes. and message authentication codes. We have seen how to authenticate messages:

Network Security. Security Attacks. Normal flow: Interruption: 孫 宏 民 Phone: 國 立 清 華 大 學 資 訊 工 程 系 資 訊 安 全 實 驗 室

Computer Networks. Network Security 1. Professor Richard Harris School of Engineering and Advanced Technology

The Advanced Encryption Standard (AES)

Network Security Technology Network Management

Network Security. Chapter 3 Symmetric Cryptography. Symmetric Encryption. Modes of Encryption. Symmetric Block Ciphers - Modes of Encryption ECB (1)

Message authentication and. digital signatures

An Introduction to Key Management for Secure Storage. Walt Hubis, LSI Corporation

Hash Functions. Integrity checks

On the Security of Double and 2-key Triple Modes of Operation

Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1

: Network Security. Name of Staff: Anusha Linda Kostka Department : MSc SE/CT/IT

CS Computer Security Third topic: Crypto Support Sys

Cryptography Overview

Provable-Security Analysis of Authenticated Encryption in Kerberos

Fundamentals of Computer Security

Cryptography: Motivation. Data Structures and Algorithms Cryptography. Secret Writing Methods. Many areas have sensitive information, e.g.

Network Security CS 5490/6490 Fall 2015 Lecture Notes 8/26/2015

Lecture 4 Data Encryption Standard (DES)

Authentication and Encryption: How to order them? Motivation

GCM-SIV: Full Nonce Misuse-Resistant Authenticated Encryption at Under One Cycle per Byte. Yehuda Lindell Bar-Ilan University

Cryptographic Hash Functions Message Authentication Digital Signatures

CIS433/533 - Computer and Network Security Cryptography

Message Authentication Codes

Message Authentication

Part I. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; Mai Siemens AG 2001, ICN M NT

Cryptography and Network Security Chapter 12

First Semester Examinations 2011/12 INTERNET PRINCIPLES

Chapter 10. Network Security

Visualisation of potential weakness of existing cipher engine implementations in commercial on-the-fly disk encryption software

Reconsidering Generic Composition

ETSI TS V1.2.1 ( )

Network Security (2) CPSC 441 Department of Computer Science University of Calgary

Evaluation of the RC4 Algorithm for Data Encryption

SSL Firewalls

CSCE 465 Computer & Network Security

Lecture Note 8 ATTACKS ON CRYPTOSYSTEMS I. Sourav Mukhopadhyay

1 Message Authentication

SPC5-CRYP-LIB. SPC5 Software Cryptography Library. Description. Features. SHA-512 Random engine based on DRBG-AES-128

Chapter 17. Transport-Level Security

TinySec: A Link Layer Security Architecture for Wireless Sensor Networks

The Misuse of RC4 in Microsoft Word and Excel

EDA385 Embedded Systems Design. Advanced Course

How To Encrypt With A 64 Bit Block Cipher

Ky Vu DeVry University, Atlanta Georgia College of Arts & Science

Secure Network Communications FIPS Non Proprietary Security Policy

Lecture 13: Message Authentication Codes

AN3270 Application note

CIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives

Savitribai Phule Pune University

Insight Guide. Encryption: A Guide

The Encryption Technology of Automatic Teller Machine Networks

CSC474/574 - Information Systems Security: Homework1 Solutions Sketch

Lecture 10: CPA Encryption, MACs, Hash Functions. 2 Recap of last lecture - PRGs for one time pads

Message Authentication Code

Cryptographic Engine

CRYPTOGRAPHY IN NETWORK SECURITY

SubmitedBy: Name Reg No Address. Mirza Kashif Abrar T079 kasmir07 (at) student.hh.se

On the Security of CTR + CBC-MAC

Transcription:

Chapter 3 Modes of Operation of Block Ciphers A bitblock encryption function f: F n 2 Fn 2 is primarily defined on blocks of fixed length n To encrypt longer (or shorter) bit sequences the sender must 1 split the sequence into n-bit blocks, 2 pad the last block if necessary with zeroes or random values or context information Then each block is encrypted by f, but in general one uses some sort of chaining Four chaining procedures, called modes of operation were standardized together with DES: ECB, CBC, CFB, OFB These chaining procedures apply to each block cipher The standardization in the context of AES added two more modes: CTR, XTS 35

K Pommerening, Bitblock Ciphers 36 For a description of the modes a suitable general framework is a block alphabet Σ, with F n 2 as most important example, equipped with a group composition Furthermore we fix an encryption function f :Σ Σ The dependence on the key doesn t matter in this context and therefore is dropped in the notation

K Pommerening, Bitblock Ciphers 37 31 ECB = Electronic Code Book Description Let r be the number of blocks of the plaintext (a 1,,a r ) Encryption: In ECB mode each block is encrypted independently of the other blocks: a =(a 1,,a r ) c =(c 1,,c r ) Σ r with c i = f(a i ) a 1 c 1 a 2 c 2 a r c r Decryption: a i = f 1 (c i ) Properties ECB mode simply is a monoalphabetic substitution on Σ For sufficiently large #Σ this is secure from a ciphertext-only attack But there are several disadvantages: ECB encryption leaks information on identical blocks Even if the plaintext is not random, the rule of thumb from the Birthday Paradox applies in the interpretation (for Σ = F n 2 ): After 2 n/2 bits ECB encryption begins to leak information Wikipedia has a nice illustration of this effect, see http://enwikipediaorg/wiki/block cipher mode of operation The other modes significantly enlarge this bound Building a codebook from known plaintext blocks is not unrealistic For structured messages, say bank transactions, there occur many blocks of known plaintext An active attack by exchanging or inserting single blocks of ciphertext (for example with known, sympathic plaintext) is possible For example an attacker who knows which block contains the receiver of a money transfer could exchange this block with a corresponding block from another transfer for another receiver He doesn t need to know the key

K Pommerening, Bitblock Ciphers 38 If the situation allows for an attack with chosen plaintext (as in a black box analysis), trial encryption and dictionary attacks can be mounted In view of these problems generating diffusion between the plaintext blocks seems a much better approach In the following sections we look at modes of operation that achieve this effect

K Pommerening, Bitblock Ciphers 39 32 CBC = Cipher Block Chaining Description Choose a start value c 0 by random (also called IV = Initialization Vector ) Then the procedure looks like this: c 0 a 1 c 1 a 2 c 2 a r c r Encryption: In CBC mode the formula for encryption is: c i := f(a i c i 1 ) for i =1,,r = f(a i f(a i 1 f(a 1 c 0 ) )) Decryption: a i = f 1 (c i ) c 1 i 1 for i =1,,r Properties Each ciphertext block depends on all previous plaintext blocks (diffusion) An attacker is not able to replace or insert text blocks unnoticeably Identical plaintext blocks in general encrypt to different ciphertext blocks On the other side an attack with known plaintext is not more difficult, compared with ECB mode Each plaintext block depends on two ciphertext blocks As a consequence a transmission error in a single ciphertext block results in (only) two corrupted plaintext blocks ( self synchronisation of CBC mode) Question: Does it make sense to treat the initialization vector c 0 as secret and use it as an additional key component? (Then for the example of DES we had 56 proper key bits plus a 64 bit initialization vector, making a total of 120 key bits)

K Pommerening, Bitblock Ciphers 40 Answer: No! Reason: In the decryption process only a 1 depends on c 0 This means that keeping c 0 secret conceals known plaintext only for the first block If the attacker knows the second or a later plaintext block, then she may determine the key as in ECB mode (by exhaustion, or by an algebraic attack, or by any other attack with known plaintext) Remarks 1 CBC is the composition f (ciphertext autokey) In the trivial case f = 1 Σ only the (completely unsuited) ciphertext autokey cipher with key length 1 is left 2 (John Kelsey in the mailing list cryptography@c2net, 24 Nov 1999) If there occurs a collision c i = c j for i = j, thenf(a i c i 1 )= f(a j c j 1 ), hence a i c i 1 = a j c j 1 and therefore a 1 j a i = c j 1 c 1 i 1 In this way the attacker gains some information on the plaintext By the Birthday Paradox this situation is expected after about #Σ blocks The longer the text, the more such collisions will occur This effect reassures the rule of thumb for the frequency of key changes: change the key in good time before you encrypt #Σ blocks

K Pommerening, Bitblock Ciphers 41 33 Variants of CBC Plaintext Autokey Replacing the ciphertext autokey encryption for CBC mode by plaintext autokey yields the following scheme: a 0 3 a 1 f c 1 3 a 2 3 f c 2 a r f c r that sometimes is called PBC = Plaintext Block Chaining Encryption: After choosing an initialization vector a 0 the formula for encryption is: c i := f(a i a i 1 ) for i =1,,r Decription: The formula is: a i = f 1 (c i ) a 1 i 1 for i =1,,r However this method seems not to be in widely accepted use, and there seem to be no relevant results on its security PCBC = error-propagating CBC This procedure mixes CBC and PBC It follows the scheme: c 0 a 1 3 c 1 a 2 c 2 3 a r c r

K Pommerening, Bitblock Ciphers 42 Encryption: After choosing the initialization vector a 0 = e (neutral element of the group) encryption is by the formula c i := f(a i a i 1 c i 1 ) for i =1,,r In the case of a bitblock cipher we choose a 0 = 0, the null block Decryption: The formula is a i = f 1 (c i ) c 1 i 1 a 1 i 1 for i =1,,r This mode was implemented in early versions of Kerberos but then abandoned Generalization by Meyer/Matyas c i := f(a i h(a i 1,c i 1 )) for i =1,,r, where in the case Σ = F n 2 addition modulo 2n is suggested for h BCM = Block Chaining Mode This mode follows the scheme: c 0 d 1 a 1 c 1 d 2 a 2 c 2 a r c r d 3 Formula for encryption: d i := c 0 c i 1, c i := f(a i d i ) for i =1,,r

K Pommerening, Bitblock Ciphers 43 An Application of CBC CBC-MAC (= Message Authentication Code ) is a key-dependent hash function that serves for checking the integrity of messages It is standardized in ISO/IEC 9797 and used in electronic banking Sender and receiver of the message these could be the same person if the MAC used for securing the integrity of a stored file share the key k and use the encryption function f = f k The MAC of a text a =(a 1,,a r ) is the last ciphertext block where a is encrypted in CBC mode Hence MAC(a) =c r = f(a r f(a r 1 f(a 1 c 0 ) )) If MAC(a) is sent together with a, then the receiver may check the authenticity of the sender and the integrity of the content Only someone who has the key can calculate this value correctly The disadvantage of this procedure is the need of sharing a secret k In a legal dispute each of the two parties can contend a forgery by the other one

K Pommerening, Bitblock Ciphers 44 34 CFB = Cipher Feedback Description (of the simplest version) f a 1 f a 2 c 0 c 1 c 2 f a r c r Encryption in CFB mode is by the formula c i := a i f(c i 1 ) for i =1,,r = a i f(a i 1 f( a 1 f(c 0 ) )) Decryption: a i = c i f(c i 1 ) 1 for i =1,,r Properties As before the initialization vector is unsuited as additional key component As before this mode doesn t make an attack with known plaintext more difficult Note that also decryption uses f, not f 1 Therefore: CFB mode doesn t make sense for asymmetric ciphers On the other hand CFB mode may be used with a (key dependent) one-way or hash function f For the identical map f = 1 Σ CFB again reduces to ciphertext autokey (David Wagner)ECB CFB = CBC: For a proof take c 0 as initialization vector for CFB, and c 0 initialization vector for CBC Then := f(c 0) as c 1 = CFB(a 1 )=a 1 f(c 0 ), c 1 =ECB(c 1 )=f(a 1 f(c 0 )) = f(a 1 c 0)=CBC(a 1 ), c 2 = CFB(a 2 )=a 2 f(c 1 ), c 2 =ECB(c 2 )=f(a 2 f(c 1 )) = f(a 2 c 1)=CBC(a 2 ), etc

K Pommerening, Bitblock Ciphers 45 The Standardized Version uses a shift register, hence is defined only in the case of Σ = F n 2 Here 1 t n, and the encryption procedure uses blocks a i F t 2 of length t The current ciphertext block c i of length t is shifted from the right into the shift register (drawn in red): q 0 c f 0 p 1 q 1 a 1 c 1 q 1 c f 1 p 2 q 2 a 2 c 2 q r 1 c r 1 f p r q r a r c r The q i are bitblocks of length n t As it turned out later the security of this more general version decreases with t Therefore its use is not recommended

K Pommerening, Bitblock Ciphers 46 35 OFB = Output Feedback Description (of the simplest version) s 0 f a 1 s 1 = c 1 f a 2 s 2 = c 2 f a r s r = c r This mode also was originally defined as shift register version Here too using a blocklength of t<nweakens the security [Jueneman, Crypto 82] Encryption in OFB mode is by the formula Decryption by the formula Properties c i := a i s i, s i := f(s i 1 ) for i =1,,r a i = c i s 1 i, s i := f(s i 1 ) for i =1,,r There is no diffusion However identical plaintext blocks in general yield different ciphertext blocks In the case Σ = F s 2 OFB simply is a bitstream cipher where f serves as random generator If encryption or decryption is time critical, the sender or the receiver (or both) might precalculate the key stream s i Here too the decryption uses only f, not f 1 For Σ = F s 2 the cipher is an involution, that is encryption and decryption are the same function More generally this holds when the group Σ has exponent 2

K Pommerening, Bitblock Ciphers 47 Under an attack with known plaintext the pair (a 1,c 1 ) reveals the value of s 1, the next pair (a 2,c 2 ), the value of s 2 = f(s 1 ) This leads to an attack with known plaintext against the function f itself Keeping the initialization vector s 0 secret doesn t increase the security of the cipher for OFB (like for the other modes) Variant: Counter Mode CTR The simplest case is c i := a i f(i) for i =1,,r There are same slight variants, for example starting with another number than 1

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information