lecture 8.pdf

Full Transcript

University of Science and Technology
Faculty of Computer Science and Information Technology
Department of Information and Communication Technology
Network Security: Lecture (8)

Instructor: Prof. Noureldien A. Noureldien

Cipher Block Modes of Operation
A symmetric block cipher processes one block of data at a time. In the case of DES
and 3DES, the block length is b = 64 bits; for AES, the block length is b = 128 bits.
For longer amounts of plaintext, it is necessary to break the plaintext into b-bit
blocks (padding the last block if necessary).

To apply a block cipher in a variety of applications, five modes of operation have
been defined by NIST.

1. Electronic Codebook Mode

The simplest way to proceed is using what is known as electronic codebook (ECB)
mode, in which plaintext is handled b bits at a time and each block of plaintext is
encrypted using the same key. The term codebook is used because, for a given
key, there is a unique ciphertext for every b-bit block of plaintext.

With ECB, Figure below, if the same b-bit block of plaintext appears more than
once in the message, it always produces the same ciphertext. Because of this, for
lengthy messages, the ECB mode may not be secure.

1
To overcome the security deficiencies of ECB, we would like a technique in which
the same plaintext block, if repeated, produces different ciphertext blocks.

2. Cipher Block Chaining Mode

In the cipher block chaining (CBC) mode (Figure 2.9), the input to the encryption
algorithm is the XOR of the current plaintext block and the preceding ciphertext
block; the same key is used for each block.

In effect, we have chained together the processing of the sequence of plaintext
blocks. The input to the encryption function for each plaintext block has no fixed
relationship to the plaintext block. Therefore, if the same plaintext block is
repeated, it produces different ciphertext.

2
For decryption, each cipher block is passed through the decryption algorithm.The
result is XORed with the preceding ciphertext block to produce the plaintextblock.

To produce the first block of ciphertext, an initialization vector (IV) is XORedwith
the first block of plaintext. On decryption, the IV is XORed with the output ofthe
decryption algorithm to recover the first block of plaintext.
The IV must be known to both the sender and receiver. For maximum
security,the IV should be protected as well as the key. This could be done by
sendingthe IV using ECB encryption.

FEEDBACK MODE
Convert Block Cipher to Stream Cipher

For AES, DES, or any block cipher, encryption is performed on a block of b bits.In
the case of DES, b = 64 and in the case of AES, b = 128. However, it is possibleto
convert a block cipher into a stream cipher, using one of the three modes, cipher
feedback (CFB) mode,output feedback (OFB) mode, and counter (CTR) mode.

3
A stream cipher has the following properties:
1- Eliminatesthe need to pad a message to be an integral number of blocks.
2- It also canoperate in real time.

Thus, if a character stream is being transmitted, each charactercan be encrypted and
transmitted immediately using a character-orientedstream cipher.

3. Cipher Feedback (CFB) Mode

Figure 7.5 depicts the CFB scheme. In the figure, it is assumed that the unit
oftransmission is s bits; a common value is s = 8. As with CBC, the units of
plaintextare chained together, so that the ciphertext of any plaintext unit is a
function of allthe preceding plaintext. In this case, rather than blocks of b bits,
the plaintext isdivided into segments of s bits.

First, consider encryption. The input to the encryption function is a b-bit
shiftregister that is initially set to some initialization vector (IV). The leftmost
(mostsignificant) s bits of the output of the encryption function are XORed with
the firstsegment of plaintext P1 to produce the first unit of ciphertext C1, which is
thentransmitted.
In addition, the contents of the shift register are shifted left by s bits,and C1 is
placed in the rightmost (least significant) s bits of the shift register. Thisprocess
continues until all plaintext units have been encrypted.

For decryption, the same scheme is used, except that the received ciphertextunit is
XORed with the output of the encryption function to produce the plaintextunit.
Note that it is the encryption function that is used, not the decryption function.

4
44.5 OUTPUT FEEDBACK MODE
4. Output Feedback (OFB) Mode

The output feedback (OFB) mode is similar in structure to that of CFB. For
OFB,the output of the encryption function is fed back to become the input for
encryptingthe next block of plaintext (Figure 7.6), where as in CFB, the output of
the XOR unit is fedback to become input for encrypting the next block.The other
difference is that theOFB mode operates on full blocks of plaintext and
ciphertext, whereas CFB operateson an s-bit subset.

5
As with CBC and CFB, the OFB mode requires an initialization vector. Inthe case
of OFB, the IV must be a nonce; that is, the IV must be unique to
eachexecution of the encryption operation. The reason for this is that the
sequence of encryption output blocks, Oi, depends only on the key and the IV and
does not dependon the plaintext.

One advantage of the OFB method is that bit errors in transmission do
notpropagate. For example, if a bit error occurs in C1, only the recovered value of
P1 isaffected; subsequent plaintext units are not corrupted. With CFB, C1 also
serves asinput to the shift register and therefore causes additional corruption
downstream.

5. Counter (CTR) Mode

6
Figure 7.7 depicts the CTR mode. A counter equal to the plaintext block sizeis
used.
The only requirement is that the counter value must bedifferent for each plaintext
block that is encrypted.

Typically, the counter is initializedto some value and then incremented by 1 for
each subsequent block (modulo 2b,where b is the block size).

For encryption, the counter is encrypted and then XORedwith the plaintext
block to produce the ciphertext block; there is no chaining.

Fordecryption, the same sequence of counter values is used, with each
encrypted counterXORed with a ciphertext block to recover the
corresponding plaintext block.

For the last plaintext block, which may be a partial block of u bits, the
mostsignificant u bits of the last output block are used for the XOR operation; the
remainingb - u bits are discarded. Unlike the ECB, CBC, and CFB modes, we
donot need to use padding because of the structure of the CTR mode.

7
8