lecture 8.pdf
Document Details
Uploaded by StylishSpessartine
جامعة العلوم والتقانة
Full Transcript
University of Science and Technology Faculty of Computer Science and Information Technology Department of Information and Communication Technology Network Security: Lecture (8) Instructor: Prof. Noureldien A. Noureldien Cipher Block Modes of Operation A symmetric...
University of Science and Technology Faculty of Computer Science and Information Technology Department of Information and Communication Technology Network Security: Lecture (8) Instructor: Prof. Noureldien A. Noureldien Cipher Block Modes of Operation A symmetric block cipher processes one block of data at a time. In the case of DES and 3DES, the block length is b = 64 bits; for AES, the block length is b = 128 bits. For longer amounts of plaintext, it is necessary to break the plaintext into b-bit blocks (padding the last block if necessary). To apply a block cipher in a variety of applications, five modes of operation have been defined by NIST. 1. Electronic Codebook Mode The simplest way to proceed is using what is known as electronic codebook (ECB) mode, in which plaintext is handled b bits at a time and each block of plaintext is encrypted using the same key. The term codebook is used because, for a given key, there is a unique ciphertext for every b-bit block of plaintext. With ECB, Figure below, if the same b-bit block of plaintext appears more than once in the message, it always produces the same ciphertext. Because of this, for lengthy messages, the ECB mode may not be secure. 1 To overcome the security deficiencies of ECB, we would like a technique in which the same plaintext block, if repeated, produces different ciphertext blocks. 2. Cipher Block Chaining Mode In the cipher block chaining (CBC) mode (Figure 2.9), the input to the encryption algorithm is the XOR of the current plaintext block and the preceding ciphertext block; the same key is used for each block. In effect, we have chained together the processing of the sequence of plaintext blocks. The input to the encryption function for each plaintext block has no fixed relationship to the plaintext block. Therefore, if the same plaintext block is repeated, it produces different ciphertext. 2 For decryption, each cipher block is passed through the decryption algorithm.The result is XORed with the preceding ciphertext block to produce the plaintextblock. To produce the first block of ciphertext, an initialization vector (IV) is XORedwith the first block of plaintext. On decryption, the IV is XORed with the output ofthe decryption algorithm to recover the first block of plaintext. The IV must be known to both the sender and receiver. For maximum security,the IV should be protected as well as the key. This could be done by sendingthe IV using ECB encryption. FEEDBACK MODE Convert Block Cipher to Stream Cipher For AES, DES, or any block cipher, encryption is performed on a block of b bits.In the case of DES, b = 64 and in the case of AES, b = 128. However, it is possibleto convert a block cipher into a stream cipher, using one of the three modes, cipher feedback (CFB) mode,output feedback (OFB) mode, and counter (CTR) mode. 3 A stream cipher has the following properties: 1- Eliminatesthe need to pad a message to be an integral number of blocks. 2- It also canoperate in real time. Thus, if a character stream is being transmitted, each charactercan be encrypted and transmitted immediately using a character-orientedstream cipher. 3. Cipher Feedback (CFB) Mode Figure 7.5 depicts the CFB scheme. In the figure, it is assumed that the unit oftransmission is s bits; a common value is s = 8. As with CBC, the units of plaintextare chained together, so that the ciphertext of any plaintext unit is a function of allthe preceding plaintext. In this case, rather than blocks of b bits, the plaintext isdivided into segments of s bits. First, consider encryption. The input to the encryption function is a b-bit shiftregister that is initially set to some initialization vector (IV). The leftmost (mostsignificant) s bits of the output of the encryption function are XORed with the firstsegment of plaintext P1 to produce the first unit of ciphertext C1, which is thentransmitted. In addition, the contents of the shift register are shifted left by s bits,and C1 is placed in the rightmost (least significant) s bits of the shift register. Thisprocess continues until all plaintext units have been encrypted. For decryption, the same scheme is used, except that the received ciphertextunit is XORed with the output of the encryption function to produce the plaintextunit. Note that it is the encryption function that is used, not the decryption function. 4 44.5 OUTPUT FEEDBACK MODE 4. Output Feedback (OFB) Mode The output feedback (OFB) mode is similar in structure to that of CFB. For OFB,the output of the encryption function is fed back to become the input for encryptingthe next block of plaintext (Figure 7.6), where as in CFB, the output of the XOR unit is fedback to become input for encrypting the next block.The other difference is that theOFB mode operates on full blocks of plaintext and ciphertext, whereas CFB operateson an s-bit subset. 5 As with CBC and CFB, the OFB mode requires an initialization vector. Inthe case of OFB, the IV must be a nonce; that is, the IV must be unique to eachexecution of the encryption operation. The reason for this is that the sequence of encryption output blocks, Oi, depends only on the key and the IV and does not dependon the plaintext. One advantage of the OFB method is that bit errors in transmission do notpropagate. For example, if a bit error occurs in C1, only the recovered value of P1 isaffected; subsequent plaintext units are not corrupted. With CFB, C1 also serves asinput to the shift register and therefore causes additional corruption downstream. 5. Counter (CTR) Mode 6 Figure 7.7 depicts the CTR mode. A counter equal to the plaintext block sizeis used. The only requirement is that the counter value must bedifferent for each plaintext block that is encrypted. Typically, the counter is initializedto some value and then incremented by 1 for each subsequent block (modulo 2b,where b is the block size). For encryption, the counter is encrypted and then XORedwith the plaintext block to produce the ciphertext block; there is no chaining. Fordecryption, the same sequence of counter values is used, with each encrypted counterXORed with a ciphertext block to recover the corresponding plaintext block. For the last plaintext block, which may be a partial block of u bits, the mostsignificant u bits of the last output block are used for the XOR operation; the remainingb - u bits are discarded. Unlike the ECB, CBC, and CFB modes, we donot need to use padding because of the structure of the CTR mode. 7 8