120 likes | 277 Views
Encrypting & Authenticating with Block Ciphers. CS 519 Cryptography and Network Security Instructor: Ali Aydin Selcuk. How to Encrypt with a Block Cipher?. Electronic Codebook (ECB) Mode: The naive way.
E N D
Encrypting & Authenticatingwith Block Ciphers CS 519 Cryptography and Network Security Instructor: Ali Aydin Selcuk Modes of Operation & MACs
How to Encrypt with a Block Cipher? Electronic Codebook (ECB) Mode: • The naive way. • The plaintext is divided into blocks Pi ,each block is encrypted independently:Ci = E(Pi)Pi = D(Ci) • Problem: Leaks information about identical blocks Modes of Operation & MACs
An Illustration – The Plaintext Modes of Operation & MACs
An Illustration – ECB Encrypted Modes of Operation & MACs
Cipher Block Chaining (CBC) • Add randomization to the plaintext by mixing with the previous ciphertext: Ci = E(PiCi-1) Pi = D(Ci) Ci-1 • Initialization Vector (IV): used instead of C0 when encrypting/decrypting the first block. (not a secret) • Most common mode in practice • Features: • Error propagation: 1 wrong bit corrupts 1 block + 1 bit • Allows random access to the ciphertext • Decryption is parallelizable Modes of Operation & MACs
An Illustration – CBC Encrypted Modes of Operation & MACs
Output Feedback (OFB) Mode • Block cipher is used as the PRNG in a stream cipher. • A key stream is generated from the output: Oi = E(Oi-1) Ci = Pi Oi Pi = Ci Oi • IV used for O0 • Features: • Error propagation minimal (bit for bit) • Preprocessing possible (may be good for multimedia) • Doesn’t allow random access; not parallelizable Modes of Operation & MACs
Cipher Feedback (CFB) Mode • A key stream is generated from the ciphertext: Oi = E(Ci-1) Ci = Pi Oi Pi = Ci Oi • IV used for C0 • Features: • Error propagation: 1 bit + 1 block • Allows random access • Decryption is parallelizable Modes of Operation & MACs
Counter (CTR) Mode • A key stream is generated by encrypting a counter: Ci = Pi E(IV + i) Pi = Ci E(IV + i) • Features: • Error propagation minimal (bit for bit) • Preprocessing possible • Allows random access • Both encryption and decryption are parallelizable Modes of Operation & MACs
Message Authentication Codes (MAC) • A keyed function of a message. • Sender of a message m computes MACK(m) and appends it to the message • Verification: The receiver also computes MACK(m) & compares to the received value. • Security of a MAC: An attacker shouldn’t be able to generate a valid (m, MACK(m)), even after seeing many valid message-MAC pairs, possibly of his choice. Modes of Operation & MACs
MACs (cont’d) • MAC keys are symmetric. Hence, doesn’t provide non-repudiation. (unlike digital signatures) • MAC function doesn’t need to be invertible. • A MACed message is not necessarily encrypted. How to obtain a MAC from a block cipher? Suggestion: • divide message into blocks • compute a checksum by adding (or xoring) them • encrypt the checksum Is this construction secure? Modes of Operation & MACs
CBC-MAC • Compute the CBC over the message • The last output block is the MAC • IV: fixed or random? • Bellare-Rogaway (1994): CBC-MAC is provably secure if the underlying block cipher is secure Other alternatives: • ECB? • OFB/CTR? • CFB? Modes of Operation & MACs