Block Cipher Transmission Modes CSIS 5857: Encoding and Encryption
Transmitting Encrypted Data • Encrypted data transmitted one block at a time • 64 or 128 bits Problems: • A large message (such as a database) may consist of thousands of blocks • Each encrypted with same key • Patterns vulnerable to cryptanalysis • Large blocks not efficient for network transmission • May be best if ciphertext generated/transmitted one byte at a time
Cipher Block Modes • Different ways to transmit data • Ciphertext depends on something else (besides the key) which is different each time • Some designed to generate ciphertext one byte at a time • Can be used with any block cipher (DES, AES…)
Electronic Codebook Mode (ECB) • Plaintext divided into N blocks of size n • Each block encrypted individually with same key • Recipient decrypts each block individually
Electronic Codebook Mode • Advantages: • Each block can be encrypted/decrypted in parallel • Noise in one block affects no other block • Disadvantage: vulnerable to cryptanalysis • Long messages often contain repeated blocks • Produce identical blocks of ciphertext [Figure: a sequence of ciphertext blocks in which a repeated block is spotted by an eavesdropper (“Aha!”)]
Cipher Block Chaining (CBC) • Each block of plaintext XORed with previous ciphertext block before encryption • Same plaintext block gives different ciphertext
Cipher Block Chaining • First block XORed with initialization vector (IV) • Must be known to sender, recipient • Must be different each time to avoid patterns • Usually transmitted in ECB mode as first block • Generate random IV • C0 = IV
Cipher Block Chaining Equations: • C_0 = IV; C_i = E(K, P_i ⊕ C_{i-1}) • IV = D(K, C_0); P_0 = D(K, C_1) ⊕ IV; P_i = D(K, C_i) ⊕ C_{i-1}
Stream Cipher • Generates ciphertext one bit at a time • Ciphertext transmitted in packets of any size • Can be decrypted before entire block arrives • Key stream generation • Algorithm generates “random” key bits k1k2k3…kn from cipher key K • Specific to stream cipher (RC4, etc.) or based on existing block cipher (DES, AES)
Cipher Feedback Mode (CFB) • Stream cipher designed for network transmission • Generates r-bit ciphertext from n-bit blocks • r usually = 8 bits • n is 64 (DES) or 128 (AES) • Each byte of ciphertext depends on previous blocks to avoid patterns (like CBC mode)
Cipher Feedback Mode (CFB) • Previous ciphertexts used to create shift register S • Shift register contents encrypted with key • Results placed in “temporary register” T
Cipher Feedback Mode (CFB) • First r bits of T used to create byte key ki • Byte key XORed with next r bits of plaintext to produce next r bits of ciphertext for transmission
Cipher Feedback Mode (CFB) • Previous r bits of ciphertext added to end of shift register S • All other bits in S shifted left • First r bits discarded [Figure: b-bit shift register S holding Ci-k … Ci-2, Ci-1; contents shifted left, leading bits discarded, and the transmitted r-bit Ci inserted at the end of S for the next plaintext]
Cipher Feedback Mode (CFB) • Initial contents of shift register S is initialization vector IV • Rest of ciphertext depends on previous ciphertext
Cipher Feedback Mode (CFB) Decryption: • Recipient uses previous ciphertext to create same shift register S • Encrypted with key • First r bits taken to create byte key ki • XORed with next r bits of ciphertext received to get next r bits of plaintext
Cipher Feedback Mode (CFB) • Transmissions can be corrupted by noise • In CFB one error corrupts many decrypted bytes (until the error leaves the shift register) • Generally not a problem in modern networks, which do error checking [Figure: an error in one ciphertext byte corrupts future Pi]
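Added example (not from the original slides): CFB with r = 8 and a 128-bit shift register, including the error-propagation behaviour described above. E is a keyed-hash stand-in assumed here for the block cipher's encrypt direction, and the key, IV and message are constructed.

```python
import hashlib
import hmac

N = 16  # shift register S is n = 128 bits; r = 8 bits handled per step

def E(key, block):
    # Stand-in for the block cipher's encrypt direction (assumption, not
    # AES). CFB uses only E, for decryption too, so a keyed hash suffices.
    return hmac.new(key, block, hashlib.sha256).digest()[:N]

def cfb8(key, iv, data, decrypt=False):
    s = iv                                # S starts as the IV
    out = bytearray()
    for byte in data:
        t = E(key, s)                     # temporary register T
        k = t[0]                          # first r bits of T: byte key k_i
        out.append(byte ^ k)
        c = byte if decrypt else out[-1]  # ciphertext byte C_i either way
        s = s[1:] + bytes([c])            # shift S left r bits, append C_i
    return bytes(out)

def corrupted_positions(key, iv, plaintext, flip_at):
    # Flip one ciphertext bit in transit, decrypt, list the damaged bytes.
    ct = bytearray(cfb8(key, iv, plaintext))
    ct[flip_at] ^= 0x01
    received = cfb8(key, iv, bytes(ct), decrypt=True)
    return [i for i, (p, q) in enumerate(zip(plaintext, received)) if p != q]

# Constructed inputs for the demonstration.
KEY, IV = b"constructed key!", bytes(N)
MESSAGE = bytes(range(64))

if __name__ == "__main__":
    # Damage starts at byte 10 and stops once the bad byte has left S.
    print(corrupted_positions(KEY, IV, MESSAGE, 10))
```

The damaged positions start at the flipped byte and never extend past the following 16 bytes, after which the shift register holds only correct ciphertext again.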
Cipher Feedback Mode (CFB) Problem: • CFB inherently sequential • Each block depends on previous block(s) • Cannot take advantage of parallel hardware to speed up encryption/decryption • Cannot generate key stream in advance while waiting for rest of message Solutions: • Output Feedback Mode (OFB) • Counter Mode (CTR)
Output Feedback Mode (OFB) • Contents added to shift register taken directly from T • Not dependent on the plaintext • Could theoretically generate all of key stream in advance
Counter Mode (CTR) • Use a simple counter to generate next bytes of ciphertext • Counter increments each time different ciphertext generated • Know all counter values in advance, so know all byte keys ki in advance, so can encrypt/decrypt in parallel
Counter Mode (CTR) • Counter generates next n bits used in key generator • Encrypted with key • XORed with plaintext • Can select first r bits of result for stream transmission
Counter Mode (CTR) • Sender and recipient must know initial counter value IV • Can be transmitted via ECB mode
Counter Mode (CTR) • Sender/recipient increment counter in same way for each block encrypted/decrypted
OFB and CTR Vulnerabilities • Must use different key each transmission • If opponent has single known plaintext P1 and C1, can compute other plaintext P2 from C1 using P1 ⊕ P2 = C1 ⊕ C2 • Problem for any non-chained stream cipher
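Added example (not from the original slides): the relation P1 ⊕ P2 = C1 ⊕ C2 checked for CTR and for OFB with full-block feedback (r = n), and shown to break once the second transmission uses a different key. E is a keyed-hash stand-in assumed here for the block cipher; the messages are constructed.

```python
import hashlib
import hmac

N = 16  # block size in bytes

def E(key, block):
    # Stand-in for the block cipher's encrypt direction (assumption).
    return hmac.new(key, block, hashlib.sha256).digest()[:N]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def ctr_keystream(key, iv, length):
    # Encrypt IV, IV+1, IV+2, ...; nothing depends on the plaintext.
    start, out = int.from_bytes(iv, "big"), b""
    for i in range(-(-length // N)):
        out += E(key, ((start + i) % 2**128).to_bytes(N, "big"))
    return out[:length]

def ofb_keystream(key, iv, length):
    # Feed T straight back into the register; also plaintext-independent.
    s, out = iv, b""
    while len(out) < length:
        s = E(key, s)
        out += s
    return out[:length]

def encrypt(keystream, key, iv, msg):
    return xor(msg, keystream(key, iv, len(msg)))

def recover_p2(p1, c1, c2):
    # P1 xor P2 = C1 xor C2, so P2 = P1 xor C1 xor C2
    return xor(xor(p1, c1), c2)

# Constructed messages of equal length.
P1 = b"PAY 0100 TO ACCT 1111 REF=ALPHA"
P2 = b"PAY 9900 TO ACCT 2222 REF=BRAVO"

if __name__ == "__main__":
    key, iv = b"A" * N, bytes(N)
    c1 = encrypt(ctr_keystream, key, iv, P1)
    c2 = encrypt(ctr_keystream, key, iv, P2)          # same key reused
    c2_fresh = encrypt(ctr_keystream, b"B" * N, iv, P2)
    print(recover_p2(P1, c1, c2) == P2)               # keystream cancels
    print(recover_p2(P1, c1, c2_fresh) == P2)         # fresh key: no leak
```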
XTS-AES Mode • Designed for encrypting stored data on disk • Requirements: • 128 bit plaintext blocks to 128 bit ciphertext blocks • Must be able to encrypt/decrypt each block separately (can’t use chaining) • Plaintext encrypted to same ciphertext when written to same location on disk • Plaintext encrypted to different ciphertext when written to different location on disk
XTS-AES Mode • Encryption of block j is function of: • 128 bit keys K1 and K2 • “Tweak” value i • Each sector assigned different tweak value consecutively (like counter in CTR mode) • Multiplier α^j • α = 000…00010 (that is, x in GF(2^128)) • α^j = α multiplied by itself j times mod x^128 + x^7 + x^2 + x + 1 • Different for each block j in sector i
XTS-AES Encryption • Sector-based tweak encrypted with K2 • Multiplied in GF(2^128) by α^j • XOR with plaintext before and after encryption with K1
XTS-AES Decryption • Decryption uses same sector-based tweak and α^j • XOR with ciphertext before and after decryption with K1 recovers the plaintext
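Added example (not from the original slides): the XTS tweak arithmetic, with multiplication by α in GF(2^128) and the XOR-before-and-after masking on the encrypt side. E is a one-way keyed-hash stand-in assumed here for AES, so only encryption is shown; the little-endian encoding of the sector number and tweak is also an assumption not stated on the slides.

```python
import hashlib
import hmac

N = 16                      # 128-bit blocks
MASK = (1 << 128) - 1

def E(key, block):
    # One-way stand-in for AES encryption (assumption). With real AES,
    # decryption is D(K1, C xor T) xor T using the same tweak T.
    return hmac.new(key, block, hashlib.sha256).digest()[:N]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def mul_alpha(t):
    # Multiply t by alpha = x in GF(2^128), mod x^128 + x^7 + x^2 + x + 1
    t <<= 1
    if t >> 128:                  # an x^128 term appeared: reduce it
        t = (t & MASK) ^ 0x87     # x^128 = x^7 + x^2 + x + 1
    return t

def mul_alpha_pow(t, j):
    # t times alpha^j, by j successive multiplications
    for _ in range(j):
        t = mul_alpha(t)
    return t

def block_tweak(k2, sector, j):
    # T = E(K2, i) multiplied by alpha^j, for block j of sector i
    base = int.from_bytes(E(k2, sector.to_bytes(N, "little")), "little")
    return mul_alpha_pow(base, j).to_bytes(N, "little")

def xts_encrypt_block(k1, k2, sector, j, plaintext):
    t = block_tweak(k2, sector, j)
    return xor(E(k1, xor(plaintext, t)), t)   # XOR before and after E

# Constructed keys and one constructed 16-byte plaintext block.
K1, K2 = b"1" * N, b"2" * N
BLOCK_DATA = b"same 16 B block!"

if __name__ == "__main__":
    print(hex(mul_alpha_pow(1, 128)))         # 0x87
    print(xts_encrypt_block(K1, K2, 7, 0, BLOCK_DATA).hex())
    print(xts_encrypt_block(K1, K2, 7, 1, BLOCK_DATA).hex())
```

The same block written to the same (sector, j) location always yields the same ciphertext, while moving it to another block or sector changes the tweak and therefore the ciphertext.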
XTS-AES Sector Operation • Sectors broken into 128 bit blocks • Last block may be less than 128 bits • Bits “borrowed” from next to last block for encryption of last block (“ciphertext stealing”) • Last 128 – n bits of ciphertext from previous block added to n bits of last block before encryption • Resulting ciphertext swapped with remaining n bits of ciphertext from previous block • More secure than using padding to add bits, since padding may introduce patterns
XTS-AES Ciphertext Stealing • Encryption:
XTS-AES Ciphertext Stealing • Decryption: