Block Ciphers and Data Encryption Standard DES - PowerPoint PPT Presentation

Slides: 66
Provided by: wenpail
Transcript and Presenter's Notes

1
Block Ciphers and Data Encryption Standard (DES)
  • Chapter 3

2
Motivation
  • Problem: Alice and Bob happen to speak a language
    in which all sentences are exactly n bits long
    (n-bit blocks). They want to encrypt their
    messages so that Trudy, who also happens to know a
    lot about statistical analysis of
    plaintext/ciphertext, won't break them
  • Assume that Alice and Bob use substitution and that
    encryption is reversible (so decryption is
    possible). Determine the size of the key for each
    of the following n values.
  • (a) n = 4
  • (b) n = 64
  • What advice would you offer to Alice and Bob?

3
Motivation (cont.)
  • Answer
  • For an n-bit input, there are a total of 2^n
    possible outputs (each of these outputs is also
    n bits wide). To be reversible, we need a
    one-to-one mapping, that is, each output block
    maps to only one input block.
  • Hence the size of the key is n x 2^n.
  • (a) For n = 4 → key size = 64 bits, too small. It
    can be vulnerable to brute-force attack or
    statistical analysis
  • (b) For n = 64 (which is a more reasonable sentence
    size) → key size = 64 x 2^64 = 2^70 (about 10^21)
    bits. With such a large key, the statistical
    characteristics of the source text will be masked
    to the point that cryptanalysis is infeasible no
    matter how determined Trudy is!

4
Motivation (cont.)
  • However, a key size of 2^70 bits is not manageable
    (i.e., Alice and Bob won't be able to remember
    it, and there is no CPU memory large enough to
    store it!)
  • Alice and Bob need to consider using the solution
    provided by Shannon (1949) and later by Feistel
    (1971), which is the basis for most symmetric
    ciphers

5
Block vs. Stream Ciphers
  • Before we discuss the Shannon/Feistel solution, let's
    define block and stream ciphers
  • Block ciphers process one block at a time (a block
    consists of a fixed number of bits)
  • All of its bits have to be available before the
    block can be processed
  • Stream ciphers work on a bit or byte of the
    message at a time, hence process it as a stream
  • Most current ciphers are block ciphers

6
Block Cipher
  • A block of message is encrypted using the same
    key
  • The cryptosystem encrypts one block of data at a
    time
  • Plaintext is broken into fixed length of blocks
    (often 64 bits) and processed one block at a time
  • Last block may be padded to form a complete block
  • The same algorithm and key are applied to each
    block
  • Same key is used to encrypt each block at the
    transmitting side and decrypt each block at the
    receiving side.
  • At the receiving side, the same key and the same
    algorithm is used to decrypt the block to get the
    original plaintext
  • DES and IDEA are typical block ciphers

7
Claude Shannon Substitution-and-Permutation
Ciphers
  • Claude Shannon's 1949 paper has the key ideas
    that led to the development of modern block
    ciphers. Critically, it introduced the technique of
    layering substitution-transposition product
    ciphers: S-P networks
  • S-P networks are based on the two primitive
    cryptographic operations we have seen before:
  • Substitution (S-box)
  • Permutation (P-box)
  • The ideas of confusion and diffusion are added

8
Confusion and Diffusion
  • A cipher needs to completely obscure the statistical
    properties of the original message
  • More practically, Shannon suggested combining
    elements to obtain confusion and diffusion
  • Diffusion dissipates the statistical structure of the
    plaintext over the bulk of the ciphertext. This is
    achieved by having each plaintext digit affect
    the value of many ciphertext digits
  • The idea is to make the statistical relationship
    between the plaintext and ciphertext as complex
    as possible in order to thwart attempts to deduce
    the key
  • Example: encrypt a message M = m1, m2, m3, ... of
    characters with an averaging operation

9
Confusion and Diffusion (cont.)
  • Confusion makes the relationship between ciphertext
    and key as complex as possible, again to thwart
    attempts to discover the key.
  • It is achieved through the use of complex,
    nonlinear substitution

10
Feistel Cipher
  • Horst Feistel, working at IBM Thomas J Watson
    Research Labs, devised a suitable invertible
    cipher structure in the early 70s
  • One of Feistel's main contributions was the
    invention of a suitable structure which adapted
    Shannon's S-P network into an easily inverted
    structure
  • Essentially the same hardware or software is used
    for both encryption and decryption, with just a
    slight change in how the keys are used.
  • One layer of S-boxes followed by a P-box is used to
    form the round function

11
Feistel Cipher (cont.)
  • The Feistel cipher
  • Partitions the input block into two halves
  • Processes them through multiple rounds which
  • Perform a substitution on the left half of the data
  • Based on a round function of the right half and the subkey
  • Then have a permutation swapping the halves

12
Feistel Cipher Structure
  • Can be described functionally as (for i > 0):
  • L(i) = R(i-1)
  • R(i) = L(i-1) XOR F(K(i), R(i-1))

13
Feistel Cipher Design Principles
  • Block size
  • Increasing the size improves security, but slows the
    cipher
  • Key size
  • Increasing the size improves security and makes
    exhaustive key searching harder, but may slow the
    cipher
  • Number of rounds
  • Increasing the number of rounds improves
    security, but slows the cipher
  • Subkey generation
  • Greater complexity can make analysis harder, but
    slows the cipher
  • Round function
  • Greater complexity can make analysis harder, but
    slows the cipher
  • Fast software encryption and decryption, and ease of
    analysis
  • These are more recent concerns for practical use and
    testing

14
Feistel Cipher Decryption
  • The process of decryption with a Feistel cipher
    is essentially the same as the encryption
    process. The rule is as follows:
  • Use the ciphertext as input to the algorithm, but
    use the subkeys Ki in reverse order. That is,
    use Kn in the first round, Kn-1 in the second
    round, and so on until K1 is used in the last
    round.
  • This is a nice feature because it means we need
    not implement two different algorithms, one for
    encryption and one for decryption
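The structure of slides 12 and 14, as an added example (not code from the deck): a generic Feistel network in Python whose round function F is a truncated hash standing in for DES's mangler, with a constructed toy key schedule; both are assumptions made only so that the block runs. The only difference between encrypt and decrypt is the order of the subkeys.

```python
"""Feistel network as on slides 12 and 14 (added example; toy round function, not DES)."""
from __future__ import annotations
import hashlib

HALF = 4  # bytes per half: a 64-bit block is split into two 32-bit halves, as in DES


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def round_function(subkey: bytes, right: bytes) -> bytes:
    """F(K_i, R_{i-1}). Assumption: any function works here, even a non-invertible one,
    because the structure never inverts F; a truncated SHA-256 of subkey||R stands in
    for the DES mangler function."""
    return hashlib.sha256(subkey + right).digest()[:HALF]


def feistel(block: bytes, subkeys: list[bytes]) -> bytes:
    """One pass over the rounds with the subkeys in the order given:
    L_i = R_{i-1};  R_i = L_{i-1} XOR F(K_i, R_{i-1})   (slide 12)
    followed by the 32-bit swap of the halves at the end (slide 18)."""
    left, right = block[:HALF], block[HALF:]
    for k in subkeys:
        left, right = right, xor(left, round_function(k, right))
    return right + left  # final swap: this is what makes the routine its own inverse


def encrypt(block: bytes, subkeys: list[bytes]) -> bytes:
    return feistel(block, subkeys)


def decrypt(block: bytes, subkeys: list[bytes]) -> bytes:
    """Slide 14: identical algorithm, subkeys used in reverse order (K_n first, K_1 last)."""
    return feistel(block, subkeys[::-1])


def derive_subkeys(key: bytes, rounds: int = 16) -> list[bytes]:
    """Constructed toy key schedule: K_i = SHA-256(key || i), truncated to 48 bits.
    DES derives its subkeys with PC-1, circular shifts and PC-2 instead (slides 30-31)."""
    return [hashlib.sha256(key + bytes([i])).digest()[:6] for i in range(1, rounds + 1)]


if __name__ == "__main__":
    sk = derive_subkeys(b"secret-k")
    pt = b"8bytes!!"
    ct = encrypt(pt, sk)
    print(ct.hex(), decrypt(ct, sk) == pt)  # decrypt(encrypt(m)) == m
```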

15
Data Encryption Standard (DES)
  • Published in 1977 by the National Bureau of
    Standards for use in commercial and unclassified
    US government applications
  • Specified in Federal Information Processing
    Standard (FIPS) 42.
  • Most widely used block cipher in the world
  • Uses a 56-bit key (plus 8 bits for parity), and maps a
    64-bit input block to a 64-bit output
    block
  • Pretty fast encryption algorithm in hardware
  • A de facto standard and widely used
  • A symmetric key cryptosystem, 64-bit block cipher
  • Small key space with 56-bit key size (2^56 keys)
  • It is not considered to be secure

16
DES History
  • Designed by IBM (based on the Lucifer cipher) with
    input from NSA
  • By a team led by Feistel
  • Lucifer used 64-bit data blocks with a 128-bit key
  • Then re-developed as a commercial cipher with
    input from NSA and others
  • In 1973, NBS (today's NIST) issued a request for
    proposals for a national cipher standard
  • IBM submitted their revised Lucifer, which was
    eventually accepted as the DES
  • The American National Standards Institute (ANSI)
    adopted DES as a standard (ANSI X3.92) in 1981.
    It is called the Data Encryption Algorithm (DEA)

17
DES Design Controversy Why 56-bit key?
  • There was considerable controversy over the design
  • Over the choice of a 56-bit key (vs. the original
    version of Lucifer, 128-bit)
  • And because the design criteria were classified
  • Subsequent events and public analysis show that in
    fact the design was appropriate
  • DES has become widely used, especially in
    financial applications.

18
Basic Structure of DES
[Figure: basic structure of DES. Data path (left): 64-bit input → Initial Permutation → Round 1 ... Round 16, each round taking a 48-bit subkey K1 ... K16 → 32-bit swap of left and right halves → Final Permutation → 64-bit output. Key path (right): 56-bit key → Permuted Choice 1 → for each round, a left circular shift followed by Permuted Choice 2, producing that round's 48-bit subkey.]
19
DES Overview
  • Encryption
  • The 64-bit input block is subjected to an initial
    permutation to obtain a 64-bit result
  • The 56-bit key is used to generate sixteen 48-bit
    per-round keys
  • Each round takes the 64-bit output from the previous
    round with the 48-bit per-round key to produce a
    64-bit output
  • Each round is a complex, key-dependent round
    function involving substitution and permutation
    functions
  • After 16 rounds, the 64-bit output swaps its halves
  • Then a final permutation (which is the inverse of
    the initial permutation) produces the 64-bit
    output
  • The right side of the figure shows the handling of the
    56-bit key and consists of
  • An initial permutation of the key (PC1) which
    selects 56 bits in two 28-bit halves
  • 16 stages to generate the subkeys using a left
    circular shift and a permutation

20
Initial Permutation IP
  • The initial permutation and its inverse are
    defined by tables, as shown in Tables 3.2a and
    3.2b, respectively
  • The tables are to be interpreted as follows: the
    input to a table consists of 64 bits numbered
    from 1 to 64
  • The 64 entries in the permutation table contain a
    permutation of the numbers from 1 to 64.
  • Each entry in the permutation table indicates the
    position of the numbered input bit in the output,
    which also consists of 64 bits

21
Initial Permutation IP (cont.)
  • Note that the bit numbering for DES reflects IBM
    mainframe practice, and is the opposite of what
    we now mostly use, so be careful! Bits are numbered
    from bit 1 (leftmost, most significant) to bit
    32/48/64 etc. (rightmost, least significant)

22
DES Single Round Structure
  • DES is a Feistel cipher which can be described as
    follows
  • Use two 32-bit halves, L and R
  • Li = Ri-1
  • Ri = Li-1 XOR F(Ri-1, Ki), where F is called
    the Mangler Function
  • F takes the 32-bit R half and the 48-bit subkey and
  • Expands R to 48 bits using a permutation/expansion
  • XORs this with the 48-bit subkey
  • Then passes the result through the S-boxes to get a
    new 32-bit result
  • Finally permutes this using the 32-bit permutation P

23
Single Round of DES Algorithm
24
Expansion Function
  • Expands the right-half data input from 32 to 48 bits
  • By duplicating 16 bits
  • Specifically, split the input into 8 groups (rows in
    the table below) of 4 bits (columns in the table
    below)
  • Then duplicate bits from either side to form
    groups of 6 bits

25
Key Addition
  • The expanded 48 data bits are then XORed
    (addition modulo 2) with the 48 subkey bits
  • Subkeys are obtained from Permuted Choice 2 (PC2)
  • Example
  • E(R) = 20 00 09 1b 3e 2d 1f 36 XOR
  • SK   = 38 09 1b 26 2f 3a 27 0f
  •      = 18 09 12 3d 11 17 38 29

26
Substitution Box S
  • The substitution consists of a set of eight
    S-boxes, each of which accepts 6 bits as input
    and produces 4 bits as output (see the figure in the
    next slide)
  • These transformations are defined in Table 3.3
    (after the next slide), which is interpreted as
    follows
  • The first and last bits of the input to box Si
    form a 2-bit binary number to select one of four
    substitutions defined by the four rows in the
    table for Si.
  • The middle four bits select one of the sixteen
    columns.
  • The decimal value in the cell selected by the row
    and column is then converted to its 4-bit
    representation to produce the output

27
DES Round Structure
28
Definition of DES S-Boxes
29
Permutation P
  • It is the last transformation of the F function
  • It accepts the 32 bits of data from the S-boxes as
    input (see the DES Round Structure slide) and performs a
    permutation according to the table below

For example, the 1st output bit is the 16th input
bit, the 2nd output bit is the 7th input bit, etc.
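As an added example (not the deck's own code), the following Python builds the pieces of F described on slides 22 to 29 and combines them as F(R, K) = P(S(E(R) XOR K)). E is derived from the slide-24 description (8 groups of 4 bits, each borrowing a bit from either neighbour); S1 and P are the standard DES tables, reproduced here because the deck's S-box and P tables are figures that did not survive, and the other seven S-boxes are left as a parameter. Run on the slide-25 operands, the last 6-bit group comes out as 39 (36 XOR 0f), where the slide reads 29.

```python
"""Pieces of the DES round function F (slides 22-29): expansion E, key addition,
S-box lookup and permutation P. Added example; S1 and P are the standard DES tables."""
from __future__ import annotations


def bits_msb_first(value: int, width: int) -> list[int]:
    """DES numbers bits 1..width from the leftmost, most significant bit (slide 21)."""
    return [(value >> (width - 1 - i)) & 1 for i in range(width)]


def expand(r32: int) -> list[int]:
    """E: split R into 8 groups of 4 bits; each group borrows the last bit of its left
    neighbour and the first bit of its right neighbour (cyclically), giving 8 groups
    of 6 bits, i.e. 48 bits with 16 bits duplicated (slide 24)."""
    b = bits_msb_first(r32, 32)
    groups = []
    for g in range(8):
        six = [b[(4 * g - 1) % 32]] + b[4 * g:4 * g + 4] + [b[(4 * g + 4) % 32]]
        groups.append(int("".join(map(str, six)), 2))
    return groups


def key_addition(e48: list[int], subkey: list[int]) -> list[int]:
    """XOR (addition mod 2) of the expanded data with the subkey, group by group;
    the slide-25 example writes both operands as eight 6-bit groups in hex."""
    return [e ^ k for e, k in zip(e48, subkey)]


# Standard DES S-box 1: four rows of sixteen 4-bit outputs.
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]


def sbox_lookup(sbox: list[list[int]], six: int) -> int:
    """Slide 26: first and last input bits select the row, middle four the column."""
    row = (((six >> 5) & 1) << 1) | (six & 1)
    col = (six >> 1) & 0xF
    return sbox[row][col]


# Standard DES permutation P: output bit j is input bit P_TABLE[j-1]
# (slide 29 quotes the first two entries: 16 and 7).
P_TABLE = [16, 7, 20, 21, 29, 12, 28, 17, 1, 15, 23, 26, 5, 18, 31, 10,
           2, 8, 24, 14, 32, 27, 3, 9, 19, 13, 30, 6, 22, 11, 4, 25]


def permute(value: int, table: list[int], width: int) -> int:
    b = bits_msb_first(value, width)
    out = 0
    for pos in table:
        out = (out << 1) | b[pos - 1]
    return out


def mangler(r32: int, subkey: list[int], sboxes: list[list[list[int]]]) -> int:
    """F(R, K) = P(S(E(R) XOR K)); sboxes holds the eight tables S1..S8 in order."""
    mixed = key_addition(expand(r32), subkey)
    s_out = 0
    for box, six in zip(sboxes, mixed):
        s_out = (s_out << 4) | sbox_lookup(box, six)
    return permute(s_out, P_TABLE, 32)


if __name__ == "__main__":
    e_r = [0x20, 0x00, 0x09, 0x1b, 0x3e, 0x2d, 0x1f, 0x36]  # E(R) from slide 25
    sk = [0x38, 0x09, 0x1b, 0x26, 0x2f, 0x3a, 0x27, 0x0f]   # SK from slide 25
    print(" ".join(f"{x:02x}" for x in key_addition(e_r, sk)))
    print(sbox_lookup(S1, 0b011011))  # row 01, column 1101 -> 5
```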
30
DES Key Schedule
  • Generates the subkeys which are used in each round
    (schedules a key Ki so that it is ready at the start
    of its round, round i) (refer to Figure 3.7)
  • Start by selecting the 56-bit key from the 64-bit input
    key data.
  • Selection is as indicated in Table 3.4a, where the bits
    in the last column are ignored (in practice we
    can use these bits as parity check bits)
  • At each round do
  • Initial permutation of the key (PC1, Permuted
    Choice 1), which is governed by the permutation Table
    3.4b (there are not 64 elements in this table; why?)
  • The result is 56 bits which is treated as two
    28-bit halves (Ci-1 and Di-1 in the figure)

31
DES Key Schedule (Cont.)
  • Then perform a left shift rotation of 1 or 2 bits
    depending on the round (the key rotation schedule,
    as indicated in Table 3.4d) on each half, Ci-1
    and Di-1, separately
  • Then pass these shifted halves to the next round,
    where they will serve as Ci and Di.
  • These shifted halves also serve as the inputs for
    Permuted Choice 2, which performs contraction
    (drops 4 bits from each half, so its output is 24
    bits out of the 28 bits of each half) and permutation
    according to Table 3.4c

32
DES Key Schedule Calculation
33
DES Overview - Decryption
  • Decryption works by running DES backwards
  • Take the 64-bit output and perform the initial
    permutation to obtain a 64-bit result (the
    initial and final permutations are inverses of
    each other)
  • The 56-bit key is used to generate sixteen 48-bit
    per-round keys
  • Each round takes the 64-bit output from the previous
    round with the 48-bit per-round key to produce a
    64-bit output. This time, use the keys in the
    opposite order (i.e., use K16 first)
  • After 16 rounds, the 64-bit output swaps its halves
  • Then a final permutation (which is the inverse of
    the initial permutation) produces the 64-bit
    output

34
How Secure is DES?
  • DES is a quite simple cipher: only the S-box is
    a nonlinear transformation in the algorithm
  • So it would have been easier to break if the
    S-boxes were linear
  • The S-boxes provide the confusion of data and
    key values
  • Permutation P then spreads this as widely as
    possible, so each S-box output affects as many
    S-box inputs in the next round as possible,
    giving diffusion
  • However, one may get the impression that anyone
    could design a cipher: just take some bits,
    shuffle them, and then shuffle them some more,
    and you've got your algorithm (you need to have
    M = DK(EK(M)))

35
How Secure is DES? (cont.)
  • Since its adoption there have been some concerns
    (mystery and controversy) about some of the
    design aspects of DES
  • For instance, we do not know the details of how the
    construction of the S-boxes was chosen
    [Kaufman 2002, pg. 75]
  • Or why the key size is 56 bits although the original
    recommendation from IBM was 128 bits, which certainly
    would make a stronger cipher
  • However, Biham and Shamir (1991) have shown that
    a simple change to DES, such as swapping S-box 3
    with S-box 7, leads to a DES that is an order of
    magnitude less secure

36
DES, Avalanche Effect
  • DES exhibits a strong avalanche effect, as shown in the
    table below
  • Recall avalanche: a change of one input or
    key bit results in changing approx. half of the output
    bits
  • In table (a), with two plaintexts that differ by
    one bit,
  • 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 (hex)
  • 8 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 (hex)
  • the results show that about half of the bits in the
    ciphertext differ after just a few rounds
  • Similarly in table (b) for a single change in the
    key
  • See the figure in the next slide

37
Avalanche Effects in DES
38
Strength and Weakness of DES
  • Small key length of 56 bits, resulting in a 2^56 key
    space (7.2 x 10^16 values)
  • Brute force is hard but possible with this small
    key space
  • The 56-bit key is susceptible to exhaustive key
    search
  • DES was first cracked publicly in the RSA
    Challenge
  • Cracking DES, a book published by O'Reilly, tells you
    all you need to know, including sample code.
  • Very widely used commercially
  • Has demonstrated breaks
  • 1997: on a large network of computers, in a few
    months
  • 1998: on dedicated hardware built by the EFF
    (Electronic Frontier Foundation), in a few days
  • 1999: the above combined, in 22 hours
  • Still must be able to recognize plaintext

39
Strength of DES Timing Attacks
  • By performing careful measurements of the amount
    of time it takes to encrypt and decrypt various
    ciphertexts, one can derive some knowledge of
    some/all subkey bits and eventually break the
    cipher; this type of attack is called a timing
    attack
  • Timing attacks are particularly problematic for
    smartcards and public-key ciphers, as will be
    discussed
  • So far, and based on previous research results,
    DES appears to be fairly resistant to timing
    attacks

40
Differential Cryptanalysis
  • It starts with a pair of messages, say m and m',
    with a known XOR difference (Δm = m XOR m'), then
    compares and traces the difference between their
    ciphertexts at each round
  • Perform the attack by repeatedly encrypting plaintext
    pairs with a known input XOR until we obtain the
    desired output XOR
  • When found
  • If the intermediate rounds match the required XOR, we
    have a right pair
  • If not, we have a wrong pair
  • Differential cryptanalysis is one of the most
    significant recent (public) advances in
    cryptanalysis
  • Known by NSA in the 70s (cf. the DES design), which led
    some researchers to conclude that this is the reason
    for DES's resistance to such attacks
  • We needed to wait until 1990, when Murphy, Biham and
    Shamir made such attacks public [BIHA93]
  • Used to analyze most current block ciphers with
    varying degrees of success

41
Linear Cryptanalysis
  • This attack is based on finding linear
    approximations to model the cipher using statistical
    methods
  • Not so powerful an attack against DES; why?
  • Must be iterated over rounds, with decreasing
    probabilities
  • Developed by Matsui et al. in the early 90s
  • Based on finding linear approximations
  • Can attack DES with 2^47 known plaintexts, still
    infeasible in practice

42
Modes of Operations
  • DES (or any block cipher) forms a basic building
    block, which encrypts/decrypts a fixed-size
    block of data.
  • However, in order to use them in practice, we
    usually need to handle arbitrary amounts of data,
    which may be available in advance (in which case
    a block mode is appropriate), or may only be
    available a bit/byte at a time (in which case a
    stream mode is used)
  • To cover as many application needs as possible, 4
    modes were defined for DES in the ANSI standard
    ANSI X3.106-1983

43
Cryptography Mode of Operations
  • For larger messages
  • Described for DES as different modes of operation
  • Electronic Code Book (ECB)
  • Cipher Block Chaining (CBC)
  • k-Bit Cipher Feedback Mode (CFB)
  • k-Bit Output Feedback Mode (OFB)

44
DES Mode of Operation
45
Electronic Codebook (ECB) Mode
  • The simplest mode
  • Plaintext is handled 64 bits at a time and each
    plaintext block is encrypted using the same key
  • Each block is a value which is substituted, like
    in a codebook, hence the name
  • Each block is encoded independently of the other
    blocks
  • Ci = DESK1(Pi)
  • If the message is longer than 64 bits, the
    procedure is to break the message up into 64-bit
    blocks, padding the last block if necessary

46
Electronic Codebook (ECB) Mode
[Figure: ECB mode. Encryption: each plaintext block P1, P2, ..., Pn is encrypted independently under the same key K to give C1, C2, ..., Cn. Decryption: each Ci is decrypted under K to recover Pi.]
47
Advantages and Limitations of ECB
  • ECB has some advantages
  • Simple
  • Allows parallel implementation (hardware, speed)
  • However, ECB is not appropriate for large
    quantities of data
  • If the plaintext contains two identical 64-bit
    blocks, the corresponding two blocks of
    ciphertext will be identical.
  • Ciphertext can be changed without being detected
  • Ideal for short amounts of data, such as an
    encryption key to be securely transmitted
  • Vulnerability
  • Someone seeing the ciphertext can gain
    information from repeated blocks
  • Someone can rearrange blocks or modify a block to
    her own advantage

48
Example
  • Leslie, a close friend of Trudy, had a fight with
    her boss, Bob. As a result, Leslie is not
    expecting much of a bonus this year. Kim, in
    contrast, is the boss's favorite and everyone
    knows about that. The figure below shows a
    portion of the annual bonuses the company decided
    to award to its employees, which will be sent to
    the bank after being encrypted using ECB. Leslie
    asks Trudy if she can rectify this unfairness,
    given only the ciphertext?

49
Example
  • Answer
  • "No problem," said Trudy
  • She makes a copy of the 12th ciphertext block (which
    contains Kim's bonus) and uses it to replace the
    4th ciphertext block (which contains Leslie's
    bonus), even without knowing what the
    12th block is about
  • Leslie can expect to have a good vacation this
    year! (Copying the 8th ciphertext block is also
    possible, but Leslie is not that greedy a person
    after all!!) (TB, book)

50
Randomized Electronic Codebook (ECB) Mode
[Figure: randomized ECB mode. Encryption: each plaintext block Pi is combined with a random value ri and then encrypted under K to give Ci. Decryption: each Ci is decrypted under K and ri is removed again to recover Pi.]
51
Cipher Block Chaining (CBC) Mode
  • To overcome these problems of repetition and
    order independence in ECB, we want some way of
    making each ciphertext block depend on all the
    blocks before it, after the message is broken into blocks
  • Make each previous cipher block chained with the
    current plaintext block, hence the name CBC
  • Start with an initial random number, the
    Initialization Vector (IV); do not use the value 0
    as IV
  • The IV must be known to both the sender and receiver
  • For maximum security, the IV should be protected as
    well as the key
  • Plaintext is then XORed with the IV or the preceding
    ciphertext block
  • The result is then encrypted with the same key
  • Ci = DESK1(Pi XOR Ci-1) where C-1 is the IV
  • The input to the encryption function for each
    plaintext block bears no fixed relationship to
    the plaintext block.

52
Cipher Block Chaining (CBC) Mode
[Figure: CBC mode. Encryption: P1 is XORed with the IV and encrypted under K to give C1; each later Pi is XORed with Ci-1 before encryption under K. Decryption: each Ci is decrypted under K and XORed with Ci-1 (or with the IV for C1) to recover Pi.]
53
Advantages and Limitations of CBC
  • Each ciphertext block depends on all previous message
    blocks
  • Thus a change in the message affects all
    ciphertext blocks after the change as well as the
    original block
  • Need the IV to be known to sender and receiver
  • However, if the IV is sent in the clear, an attacker
    can change bits of the first block and change the IV
    to compensate
  • Hence either the IV must be a fixed value (as in
    EFTPOS) or it must be sent encrypted in ECB mode
    before the rest of the message
  • Not appropriate for byte-by-byte use like interactive
    applications where people type a short message
    and wait for a response
  • At the end of the message, handle a possible last short
    block
  • By padding with a known non-data value
  • CBC encryption has the same performance as ECB
    mode except for the cost of generating and
    transmitting the IV

54
Cipher Feedback (CFB) Mode
  • The message is treated as a stream of bits. So CFB
    converts DES (a block cipher) into a stream cipher
  • The unit of transmission is k bits (see the diagram
    in the next slide)
  • The result Ci of each plaintext unit Pi (k bits in
    size) is fed back for the next stage (hence the name)
  • The standard allows any number of k bits (1, 8 or 64
    ...) to be fed back
  • Denoted CFB-1, CFB-8, CFB-64, etc.
  • It uses a 64-bit shift register that is initially
    set to some IV value
  • The k MSB of the register are pushed out to the left
    and replaced by the next k bits shifted into the register
  • Only the k MSB of the encryption box output are XORed
    with the plaintext Pi (of size k bits)
  • At the end of processing Pi (of size k bits), the
    register is shifted to the left by k bits (so the k
    MSB are dropped) and the new k bits from Ci are
    placed at the right of the register

55
K-bit Cipher Feedback (CFB) Mode
[Figure: k-bit CFB mode, encryption. A 64-bit shift register initialized with the IV is encrypted under K; the leftmost k bits of the output are XORed with the k-bit plaintext unit Pi to give Ci (the remaining output bits are discarded), and Ci is shifted into the right end of the register for the next unit.]
56
K-bit Cipher Feedback (CFB) Mode
[Figure: k-bit CFB mode, decryption. The same register and the same encryption under K; the leftmost k bits of the output are XORed with Ci to recover Pi (remaining bits discarded), and Ci is shifted into the register for the next unit.]
57
Advantages and Limitation of CFB
  • Appropriate when data arrives in bits/bytes
  • Most common stream mode
  • Limitation is the need to stall while doing a block
    encryption after every k bits
  • Note that the block cipher is used in encryption
    mode at both ends
  • Errors propagate for several blocks after the
    error
  • This eliminates the padding of the last block and
    can operate in real time
  • The ciphertext is the same length as the
    plaintext
  • CFB-encrypted messages are somewhat less subject
    to tampering than either CBC or OFB

58
Output Feedback (OFB) Mode
  • Like CFB, the message is treated as a stream of bits
  • The output of the encryption box is fed back (hence
    the name), whereas in CFB we have to wait
    until we get the ciphertext itself and then feed it
    back
  • Acts like a pseudorandom generator: assuming the IV is
    b0
  • The encryption of the IV with key K produces b1
  • The result is a pseudorandom stream
    b0 b1 ...
  • The ciphertext is obtained by XOR with the plaintext.
  • This is also called a one-time pad
  • The feedback is independent of the message, so it can be
    computed in advance (see the figure in the next
    slide)
  • Ci = Pi XOR Oi
  • Oi = DESK1(Oi-1) where O-1 is the IV

59
K-bit Output Feedback (OFB) Mode
[Figure: k-bit OFB mode, encryption. The register, initialized with the IV, is encrypted under K to give b1, b2, b3, ...; the leftmost k bits of each bi are XORed with Pi to give Ci (remaining bits discarded), and bi, not Ci, is fed back into the register.]
60
K-bit Output Feedback (OFB) Mode
[Figure: k-bit OFB mode, decryption. The same keystream b1, b2, b3, ... is regenerated from the IV and K and its leftmost k bits are XORed with Ci to recover Pi.]
61
Limitation and Advantages of OFB
  • Used when error feedback is a problem or where
    encryption is needed before the message is available
  • Superficially similar to CFB
  • But the feedback is from the output of the cipher and
    is independent of the message
  • Another advantage over CFB: any bit error only
    affects a single bit. Thus this is good for
    noisy links (e.g., satellite TV transmissions,
    etc.), i.e., any errors in transmission will not
    propagate and only the recovered value of P is
    affected
  • No costly cryptographic operations are needed
    (just XOR)
  • Sender and receiver must remain in sync, and some
    recovery method is needed to ensure this occurs
  • Originally specified with m-bit feedback in the
    standards
  • Subsequent research has shown that only OFB-64
    should ever be used
  • Vulnerability: subject to message stream
    modification attacks
  • Bad guys can modify the plaintext into anything they
    want by simply XORing the ciphertext with the
    known plaintext

62
Counter (CTR)
  • A new mode, though proposed early on
  • Similar to OFB but encrypts a counter value rather
    than any feedback value
  • Must have a different key and counter value for
    every plaintext block (never reused)
  • Ci = Pi XOR Oi
  • Oi = DESK1(i)
  • Used for high-speed network encryption

63
Counter (CTR)
64
Advantages and Limitations of CTR
  • Efficiency
  • Can do encryptions in parallel
  • In advance of need
  • Good for bursty high-speed links
  • Random access to encrypted data blocks
  • Provable security (as good as other modes)
  • But must ensure key/counter values are never reused,
    otherwise could break (cf. OFB)
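The modes of slides 45 to 64, as an added example that is not from the deck: each mode is written in Python over a toy invertible 64-bit block cipher that stands in for DES (an assumption; it is not secure, it only gives the modes a permutation to drive). It goes slightly beyond the slides in that CTR mixes a per-message nonce into the counter. The demo function shows slide 47's repeated-block leak in ECB against CBC, and CFB-8, OFB and CTR all call only the forward (encryption) direction, as slide 57 notes.

```python
"""Modes of operation from slides 45-64 over a toy 64-bit block cipher (added example;
the toy cipher stands in for DES and is not secure, it only gives the modes a PRP)."""
BLOCK = 8                       # 64-bit blocks, as in DES
MASK64 = (1 << 64) - 1
MULT = 0x9E3779B97F4A7C15       # odd, so multiplication mod 2**64 is invertible
INV = pow(MULT, -1, 1 << 64)

def toy_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for DES_K: XOR with the key, then multiply by an odd constant mod 2^64."""
    x = int.from_bytes(block, "big") ^ int.from_bytes(key, "big")
    return ((x * MULT) & MASK64).to_bytes(BLOCK, "big")

def toy_decrypt(key: bytes, block: bytes) -> bytes:
    x = (int.from_bytes(block, "big") * INV) & MASK64
    return (x ^ int.from_bytes(key, "big")).to_bytes(BLOCK, "big")

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))   # truncates to the shorter input

def blocks(data: bytes):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

# ECB (slide 45): Ci = E_K(Pi); every block stands alone, so repeats show through.
def ecb_encrypt(key: bytes, pt: bytes) -> bytes:
    return b"".join(toy_encrypt(key, p) for p in blocks(pt))

def ecb_decrypt(key: bytes, ct: bytes) -> bytes:
    return b"".join(toy_decrypt(key, c) for c in blocks(ct))

# CBC (slide 51): Ci = E_K(Pi XOR Ci-1), with the IV in place of C-1.
def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    out, prev = [], iv
    for p in blocks(pt):
        prev = toy_encrypt(key, xor(p, prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for c in blocks(ct):
        out.append(xor(toy_decrypt(key, c), prev))
        prev = c
    return b"".join(out)

# CFB-8 (slide 54): a 64-bit shift register seeded with the IV is encrypted; its leftmost
# byte masks the next data byte and the ciphertext byte is shifted in from the right.
def cfb8(key: bytes, iv: bytes, data: bytes, decrypt: bool = False) -> bytes:
    reg, out = iv, bytearray()
    for b in data:
        o = toy_encrypt(key, reg)[0]          # forward direction only, both ends
        out.append(b ^ o)
        reg = reg[1:] + bytes([b if decrypt else b ^ o])   # ciphertext byte fed back
    return bytes(out)

# OFB (slide 58): Oi = E_K(Oi-1), O-1 = IV; Ci = Pi XOR Oi. The keystream never depends
# on the message, so one routine both encrypts and decrypts (and can run ahead of time).
def ofb(key: bytes, iv: bytes, data: bytes) -> bytes:
    out, o = bytearray(), iv
    for p in blocks(data):
        o = toy_encrypt(key, o)
        out += xor(p, o)
    return bytes(out)

# CTR (slide 62): Oi = E_K(i); Ci = Pi XOR Oi. Slide 64's rule that a key/counter pair is
# never reused is met here by XORing a per-message nonce into i (an addition to the slide).
def ctr(key: bytes, nonce: bytes, data: bytes) -> bytes:
    out = bytearray()
    for i, p in enumerate(blocks(data)):
        out += xor(p, toy_encrypt(key, xor(nonce, i.to_bytes(BLOCK, "big"))))
    return bytes(out)

def demo(key: bytes = bytes(range(8)), iv: bytes = bytes([7] * 8)) -> dict:
    """Slide 47 on constructed input: blocks 1 and 2 of pt are identical; ECB repeats, CBC does not."""
    pt = b"SAME-BLKSAME-BLKDIFFERNT"
    ecb, cbc = blocks(ecb_encrypt(key, pt)), blocks(cbc_encrypt(key, iv, pt))
    return {
        "ecb_repeats": ecb[0] == ecb[1],
        "cbc_repeats": cbc[0] == cbc[1],
        "ecb_ok": ecb_decrypt(key, ecb_encrypt(key, pt)) == pt,
        "cbc_ok": cbc_decrypt(key, iv, cbc_encrypt(key, iv, pt)) == pt,
        "cfb_ok": cfb8(key, iv, cfb8(key, iv, pt), decrypt=True) == pt,
        "ofb_ok": ofb(key, iv, ofb(key, iv, pt)) == pt,
        "ctr_ok": ctr(key, iv, ctr(key, iv, pt)) == pt,
    }
```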

65
Summary of Block Cipher Modes