1. Modern Symmetric-Key Ciphers
Chapter 8
Encipherment Using
Modern Symmetric-Key Ciphers
Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.

2. Block length is fixed (n-bit) • How to encrypt large messages?
Chapter 8 Objectives
Block length is fixed (n-bit)
• How to encrypt large messages?
– Partition into n-bit blocks
– Choose mode of operation
• Electronic Codebook (ECB),
• Cipher-Block Chaining (CBC),
• Cipher Feedback (CFB),
• Output Feedback (OFB),
• Counter (CTR)
-- Modes of operation have been devised to encipher text of any size employing either DES or AES.
Two stream ciphers used for real-time processing of data.

3. 8-1 Continued
Figure 8.1 Modes of operation

4. Evaluation criteria • Identical messages • Chaining dependencies
– under which conditions ciphertext of two identical messages are the same
• Chaining dependencies
– how adjacent plaintext blocks affect encryption of a plaintext block
• Error propagation
– resistance to channel noise
• Efficiency
– preprocessing
– parallelization: random access

5. Electronic Codebook Book (ECB)
message is broken into independent blocks which are encrypted
each block is a value which is substituted, like a codebook, hence name
each block is encoded independently of the other blocks
uses: secure transmission of single values
The simplest mode is the electronic codebook (ECB) mode, in which plaintext is handled one block at a time and each block of plaintext is encrypted using the same key. ECB is the simplest of the modes, and is used when only a single block of info needs to be sent (eg. a session key encrypted using a master key).

6. Electronic Codebook (ECB) Mode
The simplest mode of operation is called the electronic codebook (ECB) mode.
Figure 8.2 Electronic codebook (ECB) mode

7. Advantages and Limitations of ECB
message repetitions may show in ciphertext
if aligned with message block
particularly with data such graphics
or with messages that change very little, which become a code-book analysis problem
weakness is due to the encrypted message blocks being independent
main use is sending a few blocks of data
ECB is not appropriate for any quantity of data, since repetitions can be seen, esp. with graphics, and because the blocks can be shuffled/inserted without affecting the en/decryption of each block. Its main use is to send one or a very few blocks, eg a session encryption key.

8. Electronic Codebook (ECB)
• Does not hide data patterns, unsuitable for long messages
– Wiki example: pixel map using ECB
Plain text ECB mode Other modes
• Susceptible to replay attacks
– Example: a wired transfer transaction can be replayed by resending the original message)

9. Electronic Codebook (ECB)
Example
Assume that Eve works in a company a few hours per month (her monthly payment is very low). She knows that the company uses several blocks of information for each employee in which the seventh block is the amount of money to be deposited in the employee’s account. Eve can intercept the ciphertext sent to the bank at the end of the month, replace the block with the information about her payment with a copy of the block with the information about the payment of a full-time colleague. Each month Eve can receive more money than she deserves.

10. Electronic Codebook (ECB)
Error Propagation
A single bit error in transmission can create errors in several in the corresponding block. However, the error does not have any effect on the other blocks.

11. Cipher Block Chaining (CBC)
message is broken into blocks
linked together in encryption operation
each previous cipher blocks is chained with current plaintext block, hence name
use Initial Vector (IV) to start process
uses: bulk data encryption, authentication
To overcome the problems of repetitions and order independence in ECB, want some way of making the ciphertext dependent on all blocks before it. This is what CBC gives us, by combining the previous ciphertext block with the current message block before encrypting. To start the process, use an Initial Value (IV), which is usually well known (often all 0's), or otherwise is sent, ECB encrypted, just before starting CBC use. CBC mode is applicable whenever large amounts of data need to be sent securely, provided that all data is available in advance (eg , FTP, web etc).

12. 8.1.2 Cipher Block Chaining (CBC) Mode
In CBC mode, each plaintext block is exclusive-ored with the previous ciphertext block before being encrypted.
Figure 8.3 Cipher block chaining (CBC) mode

13. Continued
Figure 8.3 Cipher block chaining (CBC) mode

14. Message Padding
at end of message must handle a possible last short block
which is not as large as block size of cipher
pad either with known non-data value (e.g. nulls)
or pad last block along with count of pad size
eg. [ b1 b2 b ]
means have 3 data bytes, then 5 bytes pad+count
this may require an extra entire block over those in message
there are other, more esoteric modes, which avoid the need for an extra block
One issue that arises with block modes is how to handle the last block, which may well not be complete. In general have to pad this block (typically with 0's), and then must recognise padding at other end - may be obvious (eg in text the 0 value should usually not occur), or otherwise must explicitly have the last byte as a count of how much padding was used (including the count). Note that if this is done, if the last block IS an even multiple of 8 bytes or has exactly the same form as pad+count, then will have to add an extra block, all padding so as to have a count in the last byte. There are other, more esoteric, “ciphertext stealing” modes, which avoid the need for an extra block.

15. Advantages and Limitations of CBC
a ciphertext block depends on all blocks before it
any change to a block affects all following ciphertext blocks
need Initialization Vector (IV)
which must be known to sender & receiver
if sent in clear, attacker can change bits of first block, and change IV to compensate
hence IV must either be a fixed value (as in EFTPOS)
or must be sent encrypted in ECB mode before rest of message
CBC is the block mode generally used. The chaining provides an avalanche effect, which means the encrypted message cannot be changed or rearranged without totally destroying the subsequent data. However there is the issue of ensuring that the IV is either fixed or sent encrypted in ECB mode to stop attacks on 1st block.

16. Cipher Feedback (CFB) Mode
In some situations, we need to use DES or AES as secure ciphers, but the plaintext or ciphertext block sizes are to be smaller.
Figure 8.4 Encryption in cipher feedback (CFB) mode

17. Continued
Note
In CFB mode, encipherment and decipherment use the encryption function of the underlying block cipher.
The relation between plaintext and ciphertext blocks is shown below:

18. Continued CFB as a Stream Cipher
Figure 8.5 Cipher feedback (CFB) mode as a stream cipher

19. Cipher FeedBack (CFB) message is treated as a stream of bits
added to the output of the block cipher
result is feed back for next stage (hence name)
standard allows any number of bit (1,8, 64 or 128 etc) to be feed back
denoted CFB-1, CFB-8, CFB-64, CFB-128 etc
most efficient to use all bits in block (64 or 128)
uses: stream data encryption, authentication
If the data is only available a bit/byte at a time (eg. terminal session, sensor value etc), then must use some other approach to encrypting it, so as not to delay the info. Idea here is to use the block cipher essentially as a pseudo-random number generator (see stream cipher lecture later) and to combine these "random" bits with the message. Note as mentioned before, XOR is an easily inverted operator (just XOR with same thing again to undo). Again start with an IV to get things going, then use the ciphertext as the next input. As originally defined, idea was to "consume" as much of the "random" output as needed for each message unit (bit/byte) before "bumping" bits out of the buffer and re-encrypting. This is wasteful though, and slows the encryption down as more encryptions are needed. An alternate way to think of it is to generate a block of "random" bits, consume them as message bits/bytes arrive, and when they're used up, only then feed a full block of ciphertext back. This is CFB-64 or CFB-128 mode (depending on the block size of the cipher used eg DES or AES respectively). CFB is the usual choice for quantities of stream oriented data, and for authentication use.

20. Advantages and Limitations of CFB
appropriate when data arrives in bits/bytes
most common stream mode
limitation is need to stall while do block encryption after every n-bits
note that the block cipher is used in encryption mode at both ends
errors propagate for several blocks after the error
CFB is the usual stream mode. As long as can keep up with the input, doing encryptions every 8 bytes. A possible problem is that if its used over a "noisy" link, then any corrupted bit will destroy values in the current and next blocks (since the current block feeds as input to create the random bits for the next). So either must use over a reliable network transport layer (pretty usual) or use OFB.

21. Output Feedback (OFB) Mode
In this mode each bit in the ciphertext is independent of the previous bit or bits. This avoids error propagation.
Figure 8.6 Encryption in output feedback (OFB) mode

22. Continued OFB as a Stream Cipher
Figure 8.7 Output feedback (OFB) mode as a stream cipher

23. Output FeedBack (OFB) message is treated as a stream of bits
output of cipher is added to message
output is then feed back (hence name)
feedback is independent of message
can be computed in advance
Ci = Pi XOR Oi
Oi = DESK1(Oi-1)
O-1 = IV
uses: stream encryption on noisy channels
The alternative to CFB is OFB. Here the generation of the "random" bits is independent of the message being encrypted. The advantage is that firstly, they can be computed in advance, good for bursty traffic, and secondly, any bit error only affects a single bit. Thus this is good for noisy links (eg satellite TV transmissions etc).

24. Advantages and Limitations of OFB
bit errors do not propagate
more vulnerable to message stream modification
a variation of a Vernam cipher
hence must never reuse the same sequence (key+IV)
sender & receiver must remain in sync
originally specified with m-bit feedback
subsequent research has shown that only full block feedback (ie CFB-64 or CFB-128) should ever be used
One advantage of the OFB method is that bit errors in transmission do not propagate. The disadvantage of OFB is that it is more vulnerable to a message stream modification attack than is CFB.
Since OFB is a Vernam cipher variant, the stream should never be used more than once (otherwise the 2 ciphertexts can be combined, cancelling these bits, and leaving a "book" cipher to solve). And sender & receiver need to remain in sync, or all data is lost. Also, research has shown that you should only ever use a full block feedback ie OFB-64/128 mode.

25. Counter (CTR) Mode
In the counter (CTR) mode, there is no feedback. The pseudorandomness in the key stream is achieved using a counter.
Figure 8.8 Encryption in counter (CTR) mode

26. Continued
Figure 8.9 Counter (CTR) mode as a stream cipher

27. Counter (CTR) a “new” mode, though proposed early on
similar to OFB but encrypts counter value rather than any feedback value
must have a different key & counter value for every plaintext block (never reused)
Oi = DESK1(i)
Ci = Pi XOR Oi
uses: high-speed network encryptions
The Counter (CTR) mode is a variant of OFB, but which encrypts a counter value (hence name). Although it was proposed many years before, it has only recently been standardized for use with AES along with the other existing 4 modes. It is being used with applications in ATM (asynchronous transfer mode) network security and IPSec (IP security). A counter, equal to the plaintext block size is used. The only requirement stated in SP A is that the counter value must be different for each plaintext block that is encrypted. Typically the counter is initialized to some value and then incremented by 1 for each subsequent block.

28. Advantages and Limitations of CTR
efficiency
can do parallel encryptions in hardware or software
can preprocess in advance of need
good for burst high speed links
random access to encrypted data blocks
provable security (good as other modes)
but must ensure never reuse key/counter values, otherwise could break (cf OFB)
CTR mode has a number of advantages in parallel h/w & s/w efficiency, can preprocess the output values in advance of needing to encrypt, can get random access to encrypted data blocks, and is simple. But like OFB have issue of not reusing the same key+counter value.

29. Continued
Comparison of Different Modes
n-bit

30. Selection of Modes Choice of encryption mode affects
Encryption/decryption speed
Security against active adversaries (bit flips)
Security against passive adversaries (ECB)
Error propagation

31. Stream Ciphers process message bit by bit (as a stream)
have a pseudo random keystream
combined (XOR) with plaintext bit by bit
randomness of stream key completely destroys statistically properties in message
Ci = Mi XOR StreamKeyi
but must never reuse stream key
otherwise can recover messages (cf book cipher)
A typical stream cipher encrypts plaintext one byte (or bit) at a time, usually by XOR’ing with a pseudo-random keystream. The stream cipher is similar to the one-time pad discussed in Chapter 2. The difference is that a one-time pad uses a genuine random number stream, whereas a stream cipher uses a pseudorandom number stream. But rely on the randomness of stream key completely destroys statistically properties in message. However, you must never reuse a stream key since otherwise you can recover messages (as with a book cipher).

32. Stream Cipher Structure
Stallings Figure 6.8 illustrates the general structure of a stream cipher, where a key is input to a pseudorandom bit generator that produces an apparently random keystream of bits, and which are XOR’d with message to encrypt it, and XOR’d again to decrypt it by the receiver.

33. Stream Cipher Properties
some design considerations are:
long period with no repetitions
statistically random
depends on large enough key
large linear complexity
properly designed, can be as secure as a block cipher with same size key
but usually simpler & faster
[KUMA97] lists the following important design considerations for a stream cipher:
The encryption sequence should have a large period, the longer the period of repeat the more difficult it will be to do cryptanalysis.
The keystream should approximate the properties of a true random number stream as close as possible, the more random-appearing the keystream is, the more randomized the ciphertext is, making cryptanalysis more difficult.
To guard against brute-force attacks, the key needs to be sufficiently long. The same considerations as apply for block ciphers are valid here .Thus, with current technology, a key length of at least 128 bits is desirable.
With a properly designed pseudorandom number generator, a stream cipher can be as secure as block cipher of comparable key length. The primary advantage of a stream cipher is that stream ciphers are almost always faster and use far less code than do block ciphers.

34. RC4 a proprietary cipher owned by RSA
another Ron Rivest design, simple but effective
variable key size, byte-oriented stream cipher
widely used (web SSL/TLS, wireless WEP)
key forms random permutation of all 8-bit values
uses that permutation to scramble input info processed a byte at a time
RC4 is a stream cipher designed in 1987 by Ron Rivest for RSA Security. It is a variable key-size stream cipher with byte-oriented operations. The algorithm is based on the use of a random permutation. Analysis shows that the period of the cipher is overwhelmingly likely to be greater than 10^100. Eight to sixteen machine operations are required per output byte, and the cipher can be expected to run very quickly in software. RC4 is probably the most widely used stream cipher. It is used in the SSL/TLS secure web protocol, & in the WEP & WPA wireless LAN security protocols. RC4 was kept as a trade secret by RSA Security, but in September 1994 was anonymously posted on the Internet on the Cypherpunks anonymous r ers list. In brief, the RC4 key is ued to form a random permutation of all 8-bit values, it then uses that permutation to scramble input info processed a byte at a time.

35. RC4
RC4 is a byte-oriented stream cipher in which a byte (8 bits) of a plaintext is exclusive-ored with a byte of key to produce a byte of a ciphertext.
State
RC4 is based on the concept of a state.

36. Continued Figure 8.10 The idea of RC4 stream cipher
The RC4 key schedule initialises the state S to the numbers , and then walks through each entry in turn, using its current value plus the next byte of key to pick another entry in the array, and swaps their values over. After doing this 256 times, the result is a well and truly shuffled array. The total number of possible states is 256! - a truly enormous number, much larger even than the 2048-bit (256*8) max key allowed can select.

37. Continued Initialization Initialization is done in two steps:
Key Stream Generation
The keys in the key stream are generated, one by one.
The RC4 key schedule initialises the state S to the numbers , and then walks through each entry in turn, using its current value plus the next byte of key to pick another entry in the array, and swaps their values over. After doing this 256 times, the result is a well and truly shuffled array. The total number of possible states is 256! - a truly enormous number, much larger even than the 2048-bit (256*8) max key allowed can select.

38. Continued
Algorithm

39. Continued
Algorithm Continued

40. Continued
Example 8.5
To show the randomness of the stream key, we use a secret key with all bytes set to 0. The key stream for 20 values of k is (222, 24, 137, 65, 163, 55, 93, 58, 138, 6, 30, 103, 87, 110, 146, 109, 199, 26, 127, 163).
Example 8.6
Repeat Example 8.5, but let the secret key be five bytes of (15, 202, 33, 6, 8). The key stream is (248, 184, 102, 54, 212, 237, 186, 133, 51, 238, 108, 106, 103, 214, 39, 242, 30, 34, 144, 49). Again the randomness in the key stream is obvious.

41. RC4 Security claimed secure against known attacks
have some analyses, none practical
result is very non-linear
since RC4 is a stream cipher, must never reuse a key
have a concern with WEP, but due to key handling rather than RC4 itself
A number of papers have been published analyzing methods of attacking RC4, but none of these approaches is practical against RC4 with a reasonable key length, such as 128 bits.
A more serious problem occurs in its use in the WEP protocol, not with RC4 itself but the way in which keys are generated for use as input to RC4.
Currently RC4 its regarded as quite secure, if used correctly, with a sufficiently large key.

42. A5/1
A5/1 (a member of the A5 family of ciphers) is used in the Global System for Mobile Communication (GSM), a network for mobile telephone communication..
Figure General outline of A5/1

43. Continued Key Generator
A5/1 uses three Linear Feedback Shift Registers (LFSRs) with 19, 22, and 23 bits.
Figure Three LFSR’s in A5/1

44. Continued
Initialization
1. set all bits in three LFSRs to 0. 2. 3.

45. Continued 4.

46. Continued
Example 8.7
At a point of time the clocking bits are 1, 0, and 1. Which LFSR is clocked (shifted)?
Solution
The result of Majority (1, 0, 1) = 1. LFSR1 and LAFS3 are shifted, but LFSR2 is not.

47. Continued Encryption/Decryption
The bit streams created from the key generator are buffered to form a 228-bit key that is exclusive-ored with the plaintext frame to create the ciphertext frame. Encryption/decryption is done one frame at a time.

48. Topics discussed in this section:
8-3 OTHER ISSUES
Encipherment using symmetric-key block or stream ciphers requires discussion of other issues.
Topics discussed in this section:
8.3.1 Key Management Key Generation

49. Key management is discussed in Chapter 15.
Alice and Bob need to share a secret key between themselves to securely communicate using a symmetric-key cipher. If there are n entities in the community, n(n − 1)/2 keys are needed.
Note
Key management is discussed in Chapter 15.

50. Random number generators are discussed in Appendix K.
Key Generation
Different symmetric-key ciphers need keys of different sizes. The selection of the key must be based on a systematic approach to avoid a security leak. The keys need to be chosen randomly. This implies that there is a need for random (or pseudorandom) number generator.
Note
Random number generators are discussed in Appendix K.