[slides] block cipher modes of operation and cmac for authentication


DESCRIPTION

These are the slides used for presenting the Block Cipher Modes of Operation and CMAC for Authentication document by Alberto Grand.

TRANSCRIPT

Page 1: [slides] Block Cipher Modes of Operation and CMAC for Authentication

Block Cipher Modes of Operation

Alberto Grand

Politecnico di Torino, Computer Systems Security – prof. Antonio Lioy

Page 2: [slides] Block Cipher Modes of Operation and CMAC for Authentication

What are modes of operation?

- Block ciphers only allow to encrypt entire blocks.
- What if our message is longer/shorter than the block size?

We use modes of operation!

- Algorithms that exploit a block cipher to provide a service (e.g. confidentiality, authentication)
- 5 NIST-recommended modes providing confidentiality: ECB, CBC, CFB, OFB, CTR
- CMAC may be considered a block cipher mode of operation providing authentication.

Page 3: [slides] Block Cipher Modes of Operation and CMAC for Authentication

Electronic Codebook (ECB)

- Associates each possible plaintext block to a ciphertext block, like a codebook.

[Figure: ECB enciphers the plaintext block "Hello world!" into the ciphertext block "aY1\:?§h24(r"]

- Requires padding
- Encryption/decryption of multiple blocks in parallel
- A 1-bit error in a ciphertext block garbles the corresponding decrypted block.

Page 4: [slides] Block Cipher Modes of Operation and CMAC for Authentication

Deficiencies of ECB

- Problems when the original message contains regular data patterns, because equal blocks are always encrypted in the same way.
- Only suitable for 1-block-sized data (e.g. a key)
- “The securest thing you can do with ECB is not use it!”

Page 5: [slides] Block Cipher Modes of Operation and CMAC for Authentication

Cipher Block Chaining (CBC)

- Allows the same plaintext blocks to be encrypted to different ciphertext blocks.
- Encrypted blocks are “chained” through XORing.
- Requires an initialisation vector (IV)

[Figure: CBC encryption of the blocks "Hello" and "world" using the IV and CIPHER into q%1aX and l’3z1$, and decryption with CIPHER^-1 and the IV back to "Hello world"]

Page 6: [slides] Block Cipher Modes of Operation and CMAC for Authentication

Features of CBC

- No parallel encrypting, while parallel decrypting is possible.
- A 1-bit error affects two blocks:
  - the corresponding block is garbled
  - the corresponding bit is flipped in the next block
- Problem with the IV: a 1-bit error only flips 1 bit in the 1st block, no garbled block. Hard to detect!
- Solutions:
  - encipher the IV
  - don’t transmit the IV, but compute it from a known value
  - use authentication!

Page 7: [slides] Block Cipher Modes of Operation and CMAC for Authentication

Propagating CBC (PCBC)

- It’s a variation of CBC designed to propagate errors.
- It also involves the previous plaintext block in the XOR operation.
- Is error propagation desirable? It depends!
  - NO if transmission errors
  - YES if intentional, malicious changes
- Used in Kerberos v.4, but abandoned starting from v.5 because exchanging two adjacent blocks does not affect subsequent blocks.

Page 8: [slides] Block Cipher Modes of Operation and CMAC for Authentication

Cipher Feedback (CFB)

- Turns a block cipher into a stream cipher; the message size need not be a multiple of the block size.
- Very similar to CBC (ciphering and XORing are swapped).

[Figure: CFB encryption of "Hello" and "world" with the IV and CIPHER into q%1aX and l’3z1$, and decryption (CIPHER in the forward direction only) back to "Hello world"]

Page 9: [slides] Block Cipher Modes of Operation and CMAC for Authentication

Features of CFB

- No parallel encrypting of multiple blocks, although some form of pipelining is possible.
- Parallel decryption is possible
- Only the forward function is used.
- A 1-bit error:
  - flips the corresponding bit in the current segment
  - may garble the next ⌈b/s⌉ segments
- This is highly noticeable, so CFB is less exposed to the risk of deliberate bit changes.

Page 10: [slides] Block Cipher Modes of Operation and CMAC for Authentication

OpenPGP with CFB

- Widespread standard for exchanging encrypted e-mail messages.
- A variant of CFB is used for symmetric cryptography:
  - a random block R is enciphered and used as an IV
  - the first 2 bytes of R are replicated in the 2nd block for integrity checks
- Leak of information! About 2^15 set-up attempts + about 2^15 attempts per block enable an attacker to discover the first 2 bytes of any block.
- PGP stands for “Pretty Good Privacy”!

Page 11: [slides] Block Cipher Modes of Operation and CMAC for Authentication

Output Feedback (OFB)

- Turns a block cipher into a stream cipher.
- It features the iteration of the forward cipher on an IV.

[Figure: OFB encryption of "Hello" and "world": the IV is passed repeatedly through CIPHER and each output is XORed with a plaintext block, giving q%1aX and l’3z1$; decryption XORs the same outputs with the ciphertext to recover "Hello world"]

Page 12: [slides] Block Cipher Modes of Operation and CMAC for Authentication

Features of OFB (i)

- Neither encryption nor decryption can be performed in parallel due to block chaining.
- If the IV is available prior to the ciphertext, keystream blocks can be pre-computed.
- The IV needs to be a nonce, otherwise a known-plaintext attack is possible (under the same key):
  - an attacker who knows the i-th plaintext block can easily reconstruct the i-th keystream block
  - he can then understand the i-th block of every message

Page 13: [slides] Block Cipher Modes of Operation and CMAC for Authentication

Features of OFB (ii)

- A 1-bit error in a ciphertext block only produces a bit-specific error in the corresponding block:
  - good for error correcting codes, which work even when applied before encryption
  - bad because it’s hardly noticeable!
- A 1-bit error in the IV causes all blocks to be garbled.
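As an added example that is not part of the slides, the Go code below measures the error-propagation behaviour stated for CBC on slide 6 and for OFB on this slide (CTR, a keystream mode like OFB, behaves the same way here): it introduces a 1-bit ciphertext error in block 1 of a constructed 4-block message, decrypts, and counts how many bits of each decrypted block differ from the original plaintext. The key, IV and message are constructed sample values, and the helpers transform, diffBlocks and errorProfile are mine, not the slides' notation.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"math/bits"
)

// Constructed sample values: a fixed AES-128 key, a fixed IV and a 4-block message.
var key, iv = []byte("0123456789abcdef"), []byte("fedcba9876543210")
var pt = []byte("Hello world blk0Hello world blk1Hello world blk2Hello world blk3")

// transform encrypts (dec=false) or decrypts (dec=true) src in the named mode.
func transform(mode string, c cipher.Block, src []byte, dec bool) []byte {
	dst := make([]byte, len(src))
	switch mode {
	case "CBC": // block chaining: a distinct inverse direction is needed
		if dec {
			cipher.NewCBCDecrypter(c, iv).CryptBlocks(dst, src)
		} else {
			cipher.NewCBCEncrypter(c, iv).CryptBlocks(dst, src)
		}
	case "OFB": // keystream modes: decryption is the same XOR as encryption
		cipher.NewOFB(c, iv).XORKeyStream(dst, src)
	case "CTR":
		cipher.NewCTR(c, iv).XORKeyStream(dst, src)
	}
	return dst
}

// diffBlocks counts, per 16-byte block, the bits in which a and b differ.
func diffBlocks(a, b []byte) []int {
	out := make([]int, len(a)/16)
	for i := range a {
		out[i/16] += bits.OnesCount8(a[i] ^ b[i])
	}
	return out
}

// errorProfile flips one bit in ciphertext block 1, decrypts, and reports the
// Hamming distance of every decrypted block from the original plaintext.
func errorProfile(mode string) []int {
	c, _ := aes.NewCipher(key)
	ct := transform(mode, c, pt, false)
	ct[16] ^= 0x01 // 1-bit transmission error in the second ciphertext block
	return diffBlocks(pt, transform(mode, c, ct, true))
}
```

With these inputs CBC reports a profile of the form [0, about 64, 1, 0] (block 1 garbled, one bit flipped in block 2), while OFB and CTR report [0, 1, 0, 0], the bit-specific error this slide describes.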

Page 14: [slides] Block Cipher Modes of Operation and CMAC for Authentication

Counter (CTR)

- Turns a block cipher into a stream cipher.
- Keystream blocks are generated by encrypting a set of counter blocks.

[Figure: CTR encryption of "Hello" and "world": counter block #1 and counter block #2 are each passed through CIPHER and the outputs are XORed with the plaintext blocks, giving q%1aX and l’3z1$; decryption XORs the same outputs with the ciphertext to recover "Hello world"]

Page 15: [slides] Block Cipher Modes of Operation and CMAC for Authentication

Features of CTR (i)

- Both encryption and decryption can be performed fully in parallel on multiple blocks.
- Provides true random access to ciphertext blocks.
- If the initial counter block is available, keystream blocks may be computed prior to receiving the ciphertext.
- It’s simple!
- No inverse cipher function is required for decryption.
- It is becoming increasingly used.

Page 16: [slides] Block Cipher Modes of Operation and CMAC for Authentication

Features of CTR (ii)

- Assurance is required that:
  - counters do not repeat within a single message
  - counters do not repeat across all messages under a given key
- Done through an incrementing function.
- Usually, the first b-m bits are a message nonce and the following m bits are incremented (message length < 2^m blocks).
- Alternatively, counters are concatenated (total length of all messages < 2^m blocks)

Page 17: [slides] Block Cipher Modes of Operation and CMAC for Authentication

Padding: pros and cons

- Increases the amount of data to be sent with no increase of transmitted information.
- With regular data patterns, padding with random values makes cryptanalysis more difficult.
- When the padding scheme is known, it may expose the exchange of messages to timing attacks.
- OpenSSL prior to v.0.9.6c with CBC-MAC:
  - MAC is located at the end, padding is needed
  - message only evaluated if padding is correct
  - attacker may systematically find out bits starting from the second-to-last block.

Page 18: [slides] Block Cipher Modes of Operation and CMAC for Authentication

Ciphertext Stealing (CTS)

- Sometimes padding is unacceptable:
  - limited bandwidth
  - exchange of many messages that would require padding
- We want to avoid extra data, but block ciphers need entire blocks!
- Solution: use CTS!
  - by accomplishing some extra operations, it produces as much output data as given in input
  - we pay in terms of complexity and execution time
  - we still cannot encrypt very short messages (< 1 block).
- Usually not worth it!

Page 19: [slides] Block Cipher Modes of Operation and CMAC for Authentication

Related-mode attacks (i)

- Attacks against a given block cipher mode of operation:
  - we must know which mode is being used
  - we need an oracle of another mode, but with the same underlying cipher

Page 20: [slides] Block Cipher Modes of Operation and CMAC for Authentication

Related-mode attacks (ii)

Using ECB against CTR

- MU (the malicious user) intercepted C_i and C_0
- He chooses P’_i = C_0 + i
- C’_i = CIPH_K(P’_i)
- Since C_i = CIPH_K(C_0 + i) ⊕ P_i, he can compute P_i = C_i ⊕ C’_i.
- Only one chosen plaintext query is required.

Page 21: [slides] Block Cipher Modes of Operation and CMAC for Authentication

The CMAC Mode for Authentication

Page 22: [slides] Block Cipher Modes of Operation and CMAC for Authentication

What is CMAC?

- The 5 modes of operation provide confidentiality, but we need authentication and integrity.
- We must use a mode for authentication!
  - it implies integrity
- A MAC algorithm provides stronger assurance of data integrity than a checksum.
- CMAC exploits the CBC mode of operation to chain cipher blocks and obtain a value which depends on all previous blocks.

Page 23: [slides] Block Cipher Modes of Operation and CMAC for Authentication

Once upon time…

- …there was an insecure mode for authentication named CBC-MAC:
  - only provided security for messages whose length was a multiple of the block size
  - an attacker could change the whole message (except the last block) without notice when CBC was used for encryption with the same key.
- Black & Rogaway made it secure for arbitrary-length messages using 2 extra keys (XCBC).
- Iwata & Kurosawa derived the extra keys from the shared secret (OMAC, OMAC1 = CMAC).

Page 24: [slides] Block Cipher Modes of Operation and CMAC for Authentication

Subkey generation

- 2 subkeys K1, K2 are generated from the key
- Can be computed once and stored (must be secret!)
- R_b is a value related to the block size
  - R_b = 0^120 10000111 when b = 128
  - R_b = 0^59 11011 when b = 64
- Finite-field mathematics are involved!

L ← CIPH_K(0^b)
if MSB_1(L) = 0 then K1 ← L << 1
else K1 ← (L << 1) ⊕ R_b
if MSB_1(K1) = 0 then K2 ← K1 << 1
else K2 ← (K1 << 1) ⊕ R_b

Page 25: [slides] Block Cipher Modes of Operation and CMAC for Authentication

CMAC generation

if Mlen = 0 then n ← 1
else n ← ⌈Mlen / b⌉
if M*_n is complete then M_n ← M*_n ⊕ K1
else M_n ← (M*_n ‖ 10^j) ⊕ K2
C_0 ← 0^b
for i ← 1 to n do
  C_i ← CIPH_K(C_{i-1} ⊕ M_i)
T ← MSB_Tlen(C_n)

- Formatting of the message does not need to complete before starting CBC encryption.

Page 26: [slides] Block Cipher Modes of Operation and CMAC for Authentication

CMAC verification

- The receiver may decrypt the data with the appropriate algorithm.
- He then applies the CMAC generation process to the data.
- He compares the generated MAC with the one he received:
  - if identical, the message is authentic
  - if not, in-transit errors or attack!

Page 27: [slides] Block Cipher Modes of Operation and CMAC for Authentication

Length of the MAC (i)

- When verification fails, we are sure the message is inauthentic.
- But when it succeeds, we are not 100% sure it is authentic!
  - MU may have simply guessed the right MAC for a message
  - his chances of succeeding are 1/2^Tlen
- Longer MACs provide higher assurance, but use more bandwidth/storage space.
- If the attacker can make more than one attempt, his chances increase!

Page 28: [slides] Block Cipher Modes of Operation and CMAC for Authentication

Length of the MAC (ii)

- For most applications, 64 bits are enough.
- NIST provides guidance. Two parameters:
  - MaxInvalids: maximum number of attempts before the system halts
  - Risk: highest acceptable probability that an inauthentic message is mistakenly trusted.
- Tlen ≥ log2(MaxInvalids / Risk)
  - e.g. MaxInvalids = 1, Risk = 0.25 ⇒ Tlen = 2 bits

Page 29: [slides] Block Cipher Modes of Operation and CMAC for Authentication

Message span of the key (i)

- It’s the total number of messages to which CMAC is applied with the same key.
- Affects security against attacks based on detecting 2 distinct messages that lead to the same MAC.
  - We call this event a collision.
  - This happens because the possible messages are far more numerous than the possible MACs.
  - It should not occur during the lifetime of a key.
- Message span should be limited!

Page 30: [slides] Block Cipher Modes of Operation and CMAC for Authentication

Message span of the key (ii)

- Probability says that a collision is expected among a set of 2^(b/2) messages.
- For general purpose applications:
  - no more than 2^48 messages when b = 128
  - no more than 2^21 messages when b = 64
- For a higher level of security:
  - no more than 2^48 message blocks when b = 128 (2^22 GB)
  - no more than 2^21 message blocks when b = 64 (16 MB)
- Sometimes the message span is time-limited.

Page 31: [slides] Block Cipher Modes of Operation and CMAC for Authentication

Protection vs. replay attacks

- No protection against replay attacks is ensured by CMAC:
  - a malicious user may intercept a message with its correct MAC and send it at a later time.
  - It’s perfectly valid!
- Such protection must be provided by the protocol or application that uses CMAC for authentication:
  - sequential number
  - timestamp
  - message nonce
  - etc.

Page 32: [slides] Block Cipher Modes of Operation and CMAC for Authentication

Any questions?
