MASON ECE 646 - Modes of operation of block ciphers

This preview shows page 1-2-3-4-5-6 out of 18 pages.


Modes of operation of block ciphers
RC5
ECE 646 - Lecture 8

Block vs. stream ciphers

Block cipher: key K; plaintext blocks M1, M2, …, Mn; ciphertext blocks C1, C2, …, Cn
$C_i = f_K(M_i)$
Every block of ciphertext is a function of only one corresponding block of plaintext.

Stream cipher: key K; internal state IS; plaintext m1, m2, …, mn; ciphertext c1, c2, …, cn
$c_i = f_K(m_i, IS_i)$
$IS_{i+1} = g_K(m_i, IS_i)$
Every block of ciphertext is a function of the current block of plaintext and the current internal state of the cipher.

Typical stream cipher
[Diagram, sender and receiver sides, each labelled: pseudorandom key generator; key; initialization vector (seed); k_i keystream; m_i plaintext; c_i ciphertext]

Standard modes of operation of block ciphers
[Diagram classifying the modes under "Block ciphers" and "Stream ciphers": ECB mode, Counter mode, OFB mode, CFB mode, CBC mode]

ECB (Electronic CodeBook) mode

Electronic CodeBook Mode – ECB: Encryption
$C_i = E_K(M_i)$ for $i = 1..N$
[Diagram: blocks M1 … MN each pass through E under key K to give C1 … CN]

Electronic CodeBook Mode – ECB: Decryption
$C_i = E_K(M_i)$ for $i = 1..N$
[Diagram: blocks C1 … CN each pass through D under key K to give M1 … MN]

Counter Mode

Counter Mode - CTR: Encryption
$c_i = m_i \oplus k_i$
$k_i = E_K(IV + i - 1)$ for $i = 1..N$
[Diagram: counter values IV, IV+1, IV+2, …, IV+N-1 each pass through E under key K to give k1 … kN, which are combined with m1 … mN to give c1 … cN]

Counter Mode - CTR: Decryption
$m_i = c_i \oplus k_i$
$k_i = E_K(IV + i - 1)$ for $i = 1..N$
[Diagram: as for encryption, with c1 … cN as input and m1 … mN as output]

Counter Mode - CTR (feedback form)
$IS_1 = IV$
$c_i = E_K(IS_i) \oplus m_i$
$IS_{i+1} = IS_i + 1$
[Diagram, sender and receiver: an L-bit counter initialized with IV feeds IN of E under key K; OUT is combined with m_i (or c_i)]

J-bit Counter Mode - CTR
$c_i = m_i \oplus k_i$
$k_i = E(IV + i - 1)[1..j]$ for $i = 1..N$
[Diagram: as for Counter Mode, with j-bit m_i, k_i and c_i; in the feedback form the L-bit OUT of E is split into j bits, which are used, and L-j bits]

OFB (Output FeedBack) Mode

Output Feedback Mode - OFB: Encryption
$c_i = m_i \oplus k_i$
$k_i = E_K(k_{i-1})$ for $i = 1..N$, and $k_0 = IV$

Output Feedback Mode - OFB: Decryption
$m_i = c_i \oplus k_i$
$k_i = E_K(k_{i-1})$ for $i = 1..N$, and $k_0 = IV$

Output Feedback Mode - OFB (feedback form)
$IS_1 = IV$
$c_i = E_K(IS_i) \oplus m_i$
$IS_{i+1} = E_K(IS_i)$

J-bit Output Feedback Mode - OFB
[Diagram, sender and receiver: an L-bit register initialized with IV feeds IN of E under key K; OUT is split into j bits and L-j bits; the j bits are combined with m_i (or c_i) and shifted back into the register]

CFB (Cipher FeedBack) Mode

Cipher Feedback Mode - CFB: Encryption
$c_i = m_i \oplus k_i$
$k_i = E_K(c_{i-1})$ for $i = 1..N$, and $c_0 = IV$

Cipher Feedback Mode - CFB: Decryption
$m_i = c_i \oplus k_i$
$k_i = E_K(c_{i-1})$ for $i = 1..N$, and $c_0 = IV$

Cipher Feedback Mode - CFB (feedback form)
$IS_1 = IV$
$c_i = E_K(IS_i) \oplus m_i$
$IS_{i+1} = c_i$

J-bit Cipher Feedback Mode - CFB
[Diagram, sender and receiver: an L-bit register initialized with IV feeds IN of E under key K; OUT is split into j bits and L-j bits; the j bits are combined with m_i (or c_i), and the j ciphertext bits are shifted back into the register]

CBC (Cipher Block Chaining) Mode

Cipher Block Chaining Mode - CBC: Encryption
$c_i = E_K(m_i \oplus c_{i-1})$ for $i = 1..N$, $c_0 = IV$

Cipher Block Chaining Mode - CBC: Decryption
$m_i = D_K(c_i) \oplus c_{i-1}$ for $i = 1..N$, $c_0 = IV$

Comparison among various modes

Block Cipher Modes of Operation: Basic Features (1)
• Security: ECB weak; CTR strong; OFB strong; CFB strong; CBC strong
• Basic speed: ECB $s_{ECB}$; CTR $s_{ECB}$; OFB $(j/L)\, s_{ECB}$; CFB $(j/L)\, s_{ECB}$; CBC $s_{ECB}$
• Capability for parallel processing and pipelining: ECB encryption and decryption; CTR encryption and decryption; OFB none; CFB decryption only; CBC decryption only
• Cipher operations: ECB encryption and decryption; CTR encryption only; OFB encryption only; CFB encryption only; CBC encryption and decryption
• Preprocessing: ECB no; CTR yes; OFB yes; CFB no; CBC no
• Random access: ECB R/W; CTR R/W; OFB no; CFB R only; CBC R only

Block Cipher Modes of Operation: Basic Features (2)
• Security against the exhaustive key search attack (minimum number of the message and ciphertext blocks needed): ECB 1 plaintext block, 1 ciphertext block; CTR 2 plaintext blocks, 2 ciphertext blocks; OFB 2 plaintext blocks, 2 ciphertext blocks (for j=L); CFB 1 plaintext block, 2 ciphertext blocks (for j=L); CBC 1 plaintext block, 2 ciphertext blocks
• Integrity: ECB no; CTR no; OFB no; CFB no; CBC no
• Error propagation in the decrypted message, modification of j bits: ECB L bits; CTR j bits; OFB j bits; CFB L+j bits; CBC L+j bits
• Error propagation in the decrypted message, deletion of j bits: ECB current and all subsequent; CTR current and all subsequent; OFB current and all subsequent; CFB L bits; CBC current and all subsequent

New modes of operation

Evaluation Criteria for Modes of Operation
Security, Efficiency, Functionality

Evaluation criteria (1)
Security
• resistance to attacks
• proof of security
• random properties of the ciphertext
Efficiency
• number of calls of the block cipher
• capability for parallel processing
• memory/area requirements
• initialization time
• capability for preprocessing

Evaluation criteria (2)
Functionality
• security services
  - confidentiality, integrity, authentication
• flexibility
  - variable lengths of blocks and keys
  - different amount of precomputations
  - requirements on the length of the message
• vulnerability to implementation errors
• requirements on the amount of keys, initialization vectors, random numbers, etc.
• error propagation and the capability for resynchronization
• patent restrictions

CBC
[Diagram: CBC encryption of m1 … mN with IV, giving c1 … cN]
Problems:
- No parallel processing of blocks from the same packet
- No speed-up by preprocessing
- No integrity or authentication

Counter mode
[Diagram: counter values IV, IV+1, IV+2, …, IV+N-1, IV+N pass through E to give k0 … kN, which are combined with m0 … mN to give c0 … cN]
Features:
+ Potential for parallel processing
+ Speed-up by preprocessing
- No integrity or authentication

Properties of existing and new cipher modes
[Table: columns CBC, CFB, OFB, New standard; rows Proof of security, Preprocessing, Parallel processing, Integrity and authentication, Resistance to implementation errors; the only cell text preserved is "decryption only" and "–" entries]

OCB - Offset Codebook Mode
[Diagram: blocks M1 … MN are combined with offsets Z1 … ZN around the cipher E to give C1 … CN; labelled elements include IV, L, R, length, g(L), $Z_i = f(L, R, i)$, control sum and T]

New modes of block ciphers
1. CCM - Counter with CBC-MAC
• developed by R. Housley, D. Whiting, N. Ferguson in 2002
• assures simultaneous confidentiality and authentication
• not covered by any patent
• part of the IEEE 802.11i standard for wireless networks
2. GCM – Galois/Counter Mode
• developed by D. McGrew and J. Viega in 2005
• assures simultaneous confidentiality and authentication
• not covered by any patent
• used in the IEEE 802.1AE (MACsec) Ethernet security, ANSI (INCITS) Fibre Channel Security Protocols (FC-SP), IEEE P1619.1 tape storage, and IETF IPSec standards

Properties of new modes of operation
[Table: columns CBC, CFB, OFB, CTR, CCM, GCM; rows Proof of security, Preprocessing, Parallel processing, Integrity and authentication, Resistance to; the only cell text preserved is "only decryption", "Half of operations" and "–" entries]
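An added example (not part of the lecture): the error-propagation entries for a modified ciphertext in the comparison of modes, measured by flipping one bit of the second ciphertext block under each mode with j = L. The 4-round Feistel cipher `E`/`D`, the key, the IV and the message are constructed stand-ins for a real block cipher and real data.

```python
import hashlib

L = 16  # block length in bytes; toy Feistel cipher standing in for a real E_K (assumption)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, rnd, half):  # round function: keyed hash cut to half a block
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:L // 2]

def E(key, blk):
    l, r = blk[:L // 2], blk[L // 2:]
    for rnd in range(4):
        l, r = r, xor(l, _f(key, rnd, r))
    return l + r

def D(key, blk):  # inverse of E: undo the rounds in reverse order
    l, r = blk[:L // 2], blk[L // 2:]
    for rnd in reversed(range(4)):
        l, r = xor(r, _f(key, rnd, l)), l
    return l + r

def crypt(mode, key, iv, blocks, decrypt=False):
    out, state = [], iv  # state is IS_i (or c_{i-1}) from the slides, with j = L
    for i, b in enumerate(blocks):
        if mode == "ECB":
            o = D(key, b) if decrypt else E(key, b)
        elif mode == "CBC":
            o = xor(D(key, b), state) if decrypt else E(key, xor(b, state))
            state = b if decrypt else o          # chain on the ciphertext block
        elif mode == "CTR":
            ctr = (int.from_bytes(iv, "big") + i) % (1 << 8 * L)
            o = xor(b, E(key, ctr.to_bytes(L, "big")))
        elif mode == "OFB":
            state = E(key, state)                # k_i = E_K(k_{i-1}), k_0 = IV
            o = xor(b, state)
        elif mode == "CFB":
            o = xor(b, E(key, state))            # k_i = E_K(c_{i-1}), c_0 = IV
            state = b if decrypt else o
        else:
            raise ValueError(mode)
        out.append(o)
    return out

def damaged_bits(mode, key=b"constructed key", iv=bytes(L), n=4):
    msg = [bytes([i]) * L for i in range(n)]        # constructed plaintext blocks
    ct = crypt(mode, key, iv, msg)
    ct[1] = bytes([ct[1][0] ^ 0x80]) + ct[1][1:]    # flip one bit of the second block
    pt = crypt(mode, key, iv, ct, decrypt=True)
    return [sum(bin(x ^ y).count("1") for x, y in zip(p, m)) for p, m in zip(pt, msg)]
```

`damaged_bits(mode)` returns the number of wrong plaintext bits per block: CTR and OFB damage only the flipped bit, ECB garbles one whole block, and CFB and CBC garble one block plus a single bit in its neighbour.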

