2 Block length is fixed (n-bit) • How to encrypt large messages? Chapter 8 ObjectivesBlock length is fixed (n-bit)• How to encrypt large messages?– Partition into n-bit blocks– Choose mode of operation• Electronic Codebook (ECB),• Cipher-Block Chaining (CBC),• Cipher Feedback (CFB),• Output Feedback (OFB),• Counter (CTR)-- Modes of operation have been devised to encipher text of any size employing either DES or AES.Two stream ciphers used for real-time processing of data.
4 Evaluation criteria • Identical messages • Chaining dependencies – under which conditions ciphertext of two identical messages are the same• Chaining dependencies– how adjacent plaintext blocks affect encryption of a plaintext block• Error propagation– resistance to channel noise• Efficiency– preprocessing– parallelization: random access
5 Electronic Codebook Book (ECB) message is broken into independent blocks which are encryptedeach block is a value which is substituted, like a codebook, hence nameeach block is encoded independently of the other blocksuses: secure transmission of single valuesThe simplest mode is the electronic codebook (ECB) mode, in which plaintext is handled one block at a time and each block of plaintext is encrypted using the same key. ECB is the simplest of the modes, and is used when only a single block of info needs to be sent (eg. a session key encrypted using a master key).
6 Electronic Codebook (ECB) Mode The simplest mode of operation is called the electronic codebook (ECB) mode.Figure 8.2 Electronic codebook (ECB) mode
7 Advantages and Limitations of ECB message repetitions may show in ciphertextif aligned with message blockparticularly with data such graphicsor with messages that change very little, which become a code-book analysis problemweakness is due to the encrypted message blocks being independentmain use is sending a few blocks of dataECB is not appropriate for any quantity of data, since repetitions can be seen, esp. with graphics, and because the blocks can be shuffled/inserted without affecting the en/decryption of each block. Its main use is to send one or a very few blocks, eg a session encryption key.
8 Electronic Codebook (ECB) • Does not hide data patterns, unsuitable for long messages– Wiki example: pixel map using ECBPlain text ECB mode Other modes• Susceptible to replay attacks– Example: a wired transfer transaction can be replayed by resending the original message)
9 Electronic Codebook (ECB) ExampleAssume that Eve works in a company a few hours per month (her monthly payment is very low). She knows that the company uses several blocks of information for each employee in which the seventh block is the amount of money to be deposited in the employee’s account. Eve can intercept the ciphertext sent to the bank at the end of the month, replace the block with the information about her payment with a copy of the block with the information about the payment of a full-time colleague. Each month Eve can receive more money than she deserves.
10 Electronic Codebook (ECB) Error PropagationA single bit error in transmission can create errors in several in the corresponding block. However, the error does not have any effect on the other blocks.
11 Cipher Block Chaining (CBC) message is broken into blockslinked together in encryption operationeach previous cipher blocks is chained with current plaintext block, hence nameuse Initial Vector (IV) to start processuses: bulk data encryption, authenticationTo overcome the problems of repetitions and order independence in ECB, want some way of making the ciphertext dependent on all blocks before it. This is what CBC gives us, by combining the previous ciphertext block with the current message block before encrypting. To start the process, use an Initial Value (IV), which is usually well known (often all 0's), or otherwise is sent, ECB encrypted, just before starting CBC use. CBC mode is applicable whenever large amounts of data need to be sent securely, provided that all data is available in advance (eg , FTP, web etc).
12 8.1.2 Cipher Block Chaining (CBC) Mode In CBC mode, each plaintext block is exclusive-ored with the previous ciphertext block before being encrypted.Figure 8.3 Cipher block chaining (CBC) mode
14 Message Paddingat end of message must handle a possible last short blockwhich is not as large as block size of cipherpad either with known non-data value (e.g. nulls)or pad last block along with count of pad sizeeg. [ b1 b2 b ]means have 3 data bytes, then 5 bytes pad+countthis may require an extra entire block over those in messagethere are other, more esoteric modes, which avoid the need for an extra blockOne issue that arises with block modes is how to handle the last block, which may well not be complete. In general have to pad this block (typically with 0's), and then must recognise padding at other end - may be obvious (eg in text the 0 value should usually not occur), or otherwise must explicitly have the last byte as a count of how much padding was used (including the count). Note that if this is done, if the last block IS an even multiple of 8 bytes or has exactly the same form as pad+count, then will have to add an extra block, all padding so as to have a count in the last byte. There are other, more esoteric, “ciphertext stealing” modes, which avoid the need for an extra block.
15 Advantages and Limitations of CBC a ciphertext block depends on all blocks before itany change to a block affects all following ciphertext blocksneed Initialization Vector (IV)which must be known to sender & receiverif sent in clear, attacker can change bits of first block, and change IV to compensatehence IV must either be a fixed value (as in EFTPOS)or must be sent encrypted in ECB mode before rest of messageCBC is the block mode generally used. The chaining provides an avalanche effect, which means the encrypted message cannot be changed or rearranged without totally destroying the subsequent data. However there is the issue of ensuring that the IV is either fixed or sent encrypted in ECB mode to stop attacks on 1st block.
16 Cipher Feedback (CFB) Mode In some situations, we need to use DES or AES as secure ciphers, but the plaintext or ciphertext block sizes are to be smaller.Figure 8.4 Encryption in cipher feedback (CFB) mode
17 ContinuedNoteIn CFB mode, encipherment and decipherment use the encryption function of the underlying block cipher.The relation between plaintext and ciphertext blocks is shown below:
18 Continued CFB as a Stream Cipher Figure 8.5 Cipher feedback (CFB) mode as a stream cipher
19 Cipher FeedBack (CFB) message is treated as a stream of bits added to the output of the block cipherresult is feed back for next stage (hence name)standard allows any number of bit (1,8, 64 or 128 etc) to be feed backdenoted CFB-1, CFB-8, CFB-64, CFB-128 etcmost efficient to use all bits in block (64 or 128)uses: stream data encryption, authenticationIf the data is only available a bit/byte at a time (eg. terminal session, sensor value etc), then must use some other approach to encrypting it, so as not to delay the info. Idea here is to use the block cipher essentially as a pseudo-random number generator (see stream cipher lecture later) and to combine these "random" bits with the message. Note as mentioned before, XOR is an easily inverted operator (just XOR with same thing again to undo). Again start with an IV to get things going, then use the ciphertext as the next input. As originally defined, idea was to "consume" as much of the "random" output as needed for each message unit (bit/byte) before "bumping" bits out of the buffer and re-encrypting. This is wasteful though, and slows the encryption down as more encryptions are needed. An alternate way to think of it is to generate a block of "random" bits, consume them as message bits/bytes arrive, and when they're used up, only then feed a full block of ciphertext back. This is CFB-64 or CFB-128 mode (depending on the block size of the cipher used eg DES or AES respectively). CFB is the usual choice for quantities of stream oriented data, and for authentication use.
20 Advantages and Limitations of CFB appropriate when data arrives in bits/bytesmost common stream modelimitation is need to stall while do block encryption after every n-bitsnote that the block cipher is used in encryption mode at both endserrors propagate for several blocks after the errorCFB is the usual stream mode. As long as can keep up with the input, doing encryptions every 8 bytes. A possible problem is that if its used over a "noisy" link, then any corrupted bit will destroy values in the current and next blocks (since the current block feeds as input to create the random bits for the next). So either must use over a reliable network transport layer (pretty usual) or use OFB.
21 Output Feedback (OFB) Mode In this mode each bit in the ciphertext is independent of the previous bit or bits. This avoids error propagation.Figure 8.6 Encryption in output feedback (OFB) mode
22 Continued OFB as a Stream Cipher Figure 8.7 Output feedback (OFB) mode as a stream cipher
23 Output FeedBack (OFB) message is treated as a stream of bits output of cipher is added to messageoutput is then feed back (hence name)feedback is independent of messagecan be computed in advanceCi = Pi XOR OiOi = DESK1(Oi-1)O-1 = IVuses: stream encryption on noisy channelsThe alternative to CFB is OFB. Here the generation of the "random" bits is independent of the message being encrypted. The advantage is that firstly, they can be computed in advance, good for bursty traffic, and secondly, any bit error only affects a single bit. Thus this is good for noisy links (eg satellite TV transmissions etc).
24 Advantages and Limitations of OFB bit errors do not propagatemore vulnerable to message stream modificationa variation of a Vernam cipherhence must never reuse the same sequence (key+IV)sender & receiver must remain in syncoriginally specified with m-bit feedbacksubsequent research has shown that only full block feedback (ie CFB-64 or CFB-128) should ever be usedOne advantage of the OFB method is that bit errors in transmission do not propagate. The disadvantage of OFB is that it is more vulnerable to a message stream modification attack than is CFB.Since OFB is a Vernam cipher variant, the stream should never be used more than once (otherwise the 2 ciphertexts can be combined, cancelling these bits, and leaving a "book" cipher to solve). And sender & receiver need to remain in sync, or all data is lost. Also, research has shown that you should only ever use a full block feedback ie OFB-64/128 mode.
25 Counter (CTR) ModeIn the counter (CTR) mode, there is no feedback. The pseudorandomness in the key stream is achieved using a counter.Figure 8.8 Encryption in counter (CTR) mode
26 ContinuedFigure 8.9 Counter (CTR) mode as a stream cipher
27 Counter (CTR) a “new” mode, though proposed early on similar to OFB but encrypts counter value rather than any feedback valuemust have a different key & counter value for every plaintext block (never reused)Oi = DESK1(i)Ci = Pi XOR Oiuses: high-speed network encryptionsThe Counter (CTR) mode is a variant of OFB, but which encrypts a counter value (hence name). Although it was proposed many years before, it has only recently been standardized for use with AES along with the other existing 4 modes. It is being used with applications in ATM (asynchronous transfer mode) network security and IPSec (IP security). A counter, equal to the plaintext block size is used. The only requirement stated in SP A is that the counter value must be different for each plaintext block that is encrypted. Typically the counter is initialized to some value and then incremented by 1 for each subsequent block.
28 Advantages and Limitations of CTR efficiencycan do parallel encryptions in hardware or softwarecan preprocess in advance of needgood for burst high speed linksrandom access to encrypted data blocksprovable security (good as other modes)but must ensure never reuse key/counter values, otherwise could break (cf OFB)CTR mode has a number of advantages in parallel h/w & s/w efficiency, can preprocess the output values in advance of needing to encrypt, can get random access to encrypted data blocks, and is simple. But like OFB have issue of not reusing the same key+counter value.
30 Selection of Modes Choice of encryption mode affects Encryption/decryption speedSecurity against active adversaries (bit flips)Security against passive adversaries (ECB)Error propagation
31 Stream Ciphers process message bit by bit (as a stream) have a pseudo random keystreamcombined (XOR) with plaintext bit by bitrandomness of stream key completely destroys statistically properties in messageCi = Mi XOR StreamKeyibut must never reuse stream keyotherwise can recover messages (cf book cipher)A typical stream cipher encrypts plaintext one byte (or bit) at a time, usually by XOR’ing with a pseudo-random keystream. The stream cipher is similar to the one-time pad discussed in Chapter 2. The difference is that a one-time pad uses a genuine random number stream, whereas a stream cipher uses a pseudorandom number stream. But rely on the randomness of stream key completely destroys statistically properties in message. However, you must never reuse a stream key since otherwise you can recover messages (as with a book cipher).
32 Stream Cipher Structure Stallings Figure 6.8 illustrates the general structure of a stream cipher, where a key is input to a pseudorandom bit generator that produces an apparently random keystream of bits, and which are XOR’d with message to encrypt it, and XOR’d again to decrypt it by the receiver.
33 Stream Cipher Properties some design considerations are:long period with no repetitionsstatistically randomdepends on large enough keylarge linear complexityproperly designed, can be as secure as a block cipher with same size keybut usually simpler & faster[KUMA97] lists the following important design considerations for a stream cipher:The encryption sequence should have a large period, the longer the period of repeat the more difficult it will be to do cryptanalysis.The keystream should approximate the properties of a true random number stream as close as possible, the more random-appearing the keystream is, the more randomized the ciphertext is, making cryptanalysis more difficult.To guard against brute-force attacks, the key needs to be sufficiently long. The same considerations as apply for block ciphers are valid here .Thus, with current technology, a key length of at least 128 bits is desirable.With a properly designed pseudorandom number generator, a stream cipher can be as secure as block cipher of comparable key length. The primary advantage of a stream cipher is that stream ciphers are almost always faster and use far less code than do block ciphers.
34 RC4 a proprietary cipher owned by RSA another Ron Rivest design, simple but effectivevariable key size, byte-oriented stream cipherwidely used (web SSL/TLS, wireless WEP)key forms random permutation of all 8-bit valuesuses that permutation to scramble input info processed a byte at a timeRC4 is a stream cipher designed in 1987 by Ron Rivest for RSA Security. It is a variable key-size stream cipher with byte-oriented operations. The algorithm is based on the use of a random permutation. Analysis shows that the period of the cipher is overwhelmingly likely to be greater than 10^100. Eight to sixteen machine operations are required per output byte, and the cipher can be expected to run very quickly in software. RC4 is probably the most widely used stream cipher. It is used in the SSL/TLS secure web protocol, & in the WEP & WPA wireless LAN security protocols. RC4 was kept as a trade secret by RSA Security, but in September 1994 was anonymously posted on the Internet on the Cypherpunks anonymous r ers list. In brief, the RC4 key is ued to form a random permutation of all 8-bit values, it then uses that permutation to scramble input info processed a byte at a time.
35 RC4RC4 is a byte-oriented stream cipher in which a byte (8 bits) of a plaintext is exclusive-ored with a byte of key to produce a byte of a ciphertext.StateRC4 is based on the concept of a state.
36 Continued Figure 8.10 The idea of RC4 stream cipher The RC4 key schedule initialises the state S to the numbers , and then walks through each entry in turn, using its current value plus the next byte of key to pick another entry in the array, and swaps their values over. After doing this 256 times, the result is a well and truly shuffled array. The total number of possible states is 256! - a truly enormous number, much larger even than the 2048-bit (256*8) max key allowed can select.
37 Continued Initialization Initialization is done in two steps: Key Stream GenerationThe keys in the key stream are generated, one by one.The RC4 key schedule initialises the state S to the numbers , and then walks through each entry in turn, using its current value plus the next byte of key to pick another entry in the array, and swaps their values over. After doing this 256 times, the result is a well and truly shuffled array. The total number of possible states is 256! - a truly enormous number, much larger even than the 2048-bit (256*8) max key allowed can select.
40 ContinuedExample 8.5To show the randomness of the stream key, we use a secret key with all bytes set to 0. The key stream for 20 values of k is (222, 24, 137, 65, 163, 55, 93, 58, 138, 6, 30, 103, 87, 110, 146, 109, 199, 26, 127, 163).Example 8.6Repeat Example 8.5, but let the secret key be five bytes of (15, 202, 33, 6, 8). The key stream is (248, 184, 102, 54, 212, 237, 186, 133, 51, 238, 108, 106, 103, 214, 39, 242, 30, 34, 144, 49). Again the randomness in the key stream is obvious.
41 RC4 Security claimed secure against known attacks have some analyses, none practicalresult is very non-linearsince RC4 is a stream cipher, must never reuse a keyhave a concern with WEP, but due to key handling rather than RC4 itselfA number of papers have been published analyzing methods of attacking RC4, but none of these approaches is practical against RC4 with a reasonable key length, such as 128 bits.A more serious problem occurs in its use in the WEP protocol, not with RC4 itself but the way in which keys are generated for use as input to RC4.Currently RC4 its regarded as quite secure, if used correctly, with a sufficiently large key.
42 A5/1A5/1 (a member of the A5 family of ciphers) is used in the Global System for Mobile Communication (GSM), a network for mobile telephone communication..Figure General outline of A5/1
43 Continued Key Generator A5/1 uses three Linear Feedback Shift Registers (LFSRs) with 19, 22, and 23 bits.Figure Three LFSR’s in A5/1
44 ContinuedInitialization1. set all bits in three LFSRs to 0.2.3.
46 ContinuedExample 8.7At a point of time the clocking bits are 1, 0, and 1. Which LFSR is clocked (shifted)?SolutionThe result of Majority (1, 0, 1) = 1. LFSR1 and LAFS3 are shifted, but LFSR2 is not.
47 Continued Encryption/Decryption The bit streams created from the key generator are buffered to form a 228-bit key that is exclusive-ored with the plaintext frame to create the ciphertext frame. Encryption/decryption is done one frame at a time.
48 Topics discussed in this section: 8-3 OTHER ISSUESEncipherment using symmetric-key block or stream ciphers requires discussion of other issues.Topics discussed in this section:8.3.1 Key Management Key Generation
49 Key management is discussed in Chapter 15. Alice and Bob need to share a secret key between themselves to securely communicate using a symmetric-key cipher. If there are n entities in the community, n(n − 1)/2 keys are needed.NoteKey management is discussed in Chapter 15.
50 Random number generators are discussed in Appendix K. Key GenerationDifferent symmetric-key ciphers need keys of different sizes. The selection of the key must be based on a systematic approach to avoid a security leak. The keys need to be chosen randomly. This implies that there is a need for random (or pseudorandom) number generator.NoteRandom number generators are discussed in Appendix K.