Cryptographic Algorithms and Protocols

About This Presentation

Title:

Cryptographic Algorithms and Protocols

Description:

Lecture Notes: Adapted from that of Lawrie Brown. Lecturer: ... Re-order the bit stream; e.g. 1st bit of input stream is moved to 9th bit of output stream ... – PowerPoint PPT presentation

Number of Views:249

Avg rating:3.0/5.0

Slides: 92

Provided by: scie241

Category:

more less

Transcript and Presenter's Notes

Title: Cryptographic Algorithms and Protocols

1
Cryptographic Algorithms and Protocols

Text Book Williams Stalling
Lecture Notes Adapted from that of Lawrie Brown
Lecturer
Professor Frances Yao Professor Xiaotie Deng
Department of Computer Science
City University of Hong Kong

2
Block Ciphers

Ciphers in general
Block ciphers Stream ciphers
DES and Operating Modes for secure communication
AES
Other Block Ciphers
Applications

3
Modern Block Ciphers

Among the most widely used types of cryptographic
algorithms
Services Provided
secrecy
authentication services

4
Block vs Stream Ciphers

Block ciphers split messages in into blocks, each
block is then en/decrypted
The same block is encrypted to the same cipher
text if the same key is used.
A substitution cipher (dependent on keys) on very
big characters
64-bits or more
Stream ciphers process messages a bit at a time
when en/decrypting
NOTE many current ciphers are block ciphers

5
Stream Ciphers

To encrypt plaintext stream,
A random set of bits is generated from a seed key
It is called a keystream, which is as long as the
message
Keystream bits are added modulo 2 to plaintext to
form the ciphertext stream
To decrypt ciphertext stream
use the same seed key to generate the same
keystream used in encryption
Add the keystream modulo 2 to the ciphertext to
retrieve the plaintext
i.e. C P?K ? C?K (P?K)?K P

6
Stream Ciphers
Plaintext bits
Encryption
Ciphertext bits
Keystream bits
Key Generator
Seed key

a method of encrypting text in which a key and
algorithm are applied to each binary digit in a
data stream, one bit at a time
We want the keystream bits to be close to random
bits.
Pseudo-random number generators are good as key
generators.

7
Block Cipher
Encryption E
ciphertext block e.g. 64 bits
Plaintext block e.g. 64 bits
Key K

A method of encrypting text in which a key and
algorithm are applied to blocks of data
Message is broken into fixed sized blocks.
It is encrypted, one block at a time.

8
Choice of Block Size

Small block size may be insecure
The same plaintext block always produces the same
ciphertext block
8-bit block size has only 256 values ? use
frequency analysis to break it!
In practice, encryption algorithms are designed
to ensure that all subsequent blocks result in
ciphertext that are not the same
Use large block size
Use different keys for different blocks
Generate new keys using initial key and the
ciphertext from the previous encrypted block
using a psudo-random number generator.

9
Block Cipher Principles

Block ciphers look like an extremely large
substitution
Not convenient since it would need table of 264
entries for a 64-bit block
To improve it, it is created from smaller
building blocks
By applying the idea of a product cipher
Most symmetric block ciphers are based on a
Feistel Cipher Structure
http//home.ecn.ab.ca/jsavard/crypto/co040906.htm

10
Claude Shannon and Substitution-Permutation
Ciphers

in 1949 Claude Shannon introduced idea of
substitution-permutation (S-P) networks
modern substitution-transposition product cipher
these form the basis of modern block ciphers
S-P networks are based on the two primitive
cryptographic operations
substitution (S-box)
permutation (P-box)
provide confusion and diffusion of message

11
Example of Transposition Techniques

Key A permutation of size the same as the
plaintext
Ciphertext the permuted plaintext
Example Rail Fence of depth 2
Plaintext meet me after the toga party
mematrhtgpry
etefeteoaat
Ciphertext mematrhtgpryetefeteoaat

12
More Complex Transposition Scheme

Key a permutation of fixed size 431256
Plaintext meet me after the toga party
4 3 1 2 5 6
m e e t m e
a f t e r t
h e t o g a
p a r t y z
Ciphertext ettrteotefeamahpmrgyetaz
We may encrypt it one more time using the same
key.

13
Properties of Good CiphersConfusion and
Diffusion

In theory, cipher needs to completely obscure
statistical properties of original message
a one-time pad does this
More practically Shannon suggested combining
elements to obtain
diffusion dissipates statistical structure of
plaintext over bulk of ciphertext
confusion makes relationship between ciphertext
and key as complex as possible

14
Feistel Cipher Structure

Horst Feistel (of IBM) devised the feistel cipher
that implements Shannons substitution-permutation
network concept to obtain invertible product
cipher
http//en.wikipedia.org/wiki/Feistel_network
Ideas for each round
partition input block into two halves
process through multiple rounds which
perform a substitution on left data half
based on a round function of right half subkey
then have permutation swapping halves

15
Feistel Cipher Structure
16
Feistel Cipher Design Principles

block size
increasing size improves security, but slows
cipher
key size
increasing size improves security, makes
exhaustive key searching harder, but may slow
cipher
number of rounds
increasing number improves security, but slows
cipher
subkey generation
greater complexity can make analysis harder, but
slows cipher
round function
greater complexity can make analysis harder, but
slows cipher
fast software en/decryption ease of analysis
are more recent concerns for practical use and
testing

17
Feistel Cipher Decryption
18
DES a specific design

Overview
Encryption
Decryption
Security

19
DES Data Encryption Standard

A Block cipher
Data encrypted in 64-bit blocks using a 56-bit
key (effective key) Ciphertext is of 64-bit long
Encrypts by series of substitution and
transpositions (or permutations)

20
DES History

The first commercially available Feistel Cipher
was developed by IBM in the 1960's called
Lucifer (by Feistel and Coppersmith).
US National Bureau of Standards (NBS) issued a
call for proposals in 1972
Lucifer was refined, renamed the Data Encryption
Algorithm (DEA) in 1974
Adopted as the standard by NBS in 1976
DES is the first official U.S. government cipher
intended for commercial use
Replacement standard (AES) is in effect May 26,
2002
http//csrc.nist.gov/CryptoToolkit/aes/frn-fips197
.pdf

21
DES Design Controversy

There has been considerable controversy over
design
in choice of 56-bit key (vs Lucifer 128-bit)
and because design criteria were classified
subsequent events and public analysis show in
fact design was appropriate
DES has become widely used, esp in financial
applications
Best known and widely used symmetric algorithm in
the world
But, no longer is considered secure for highly
sensitive applications.

22
Input of DES

Data need to be broken into 64-bit blocks add
pad at the last message if necessary.
e.g. X(3 5 0 7 7 F 1 0 A B 1 2 F C 6 5)HEX
Secret key
Any string of 64 bits long including 8 parity
bits.
1 parity bit in each 8-bit byte of the key may be
utilized for error detection in key generation,
distribution, and storage
K(k1k7k8 k15k16k17k24k32 k40 k48 k56
k64)
The parity bits k8,k16,k24,k32,k40,k48,k56,k64
help ensure that each byte is of odd parity

23
DES Encryption Diagram
64-bit plaintext
Initial permutation
K1
Iteration 1
Iteration 2
K2
16 subkeys of each 48-bits
Iteration 16
K16
32-bit Swap
Inverse permutation
64-bit ciphertext
24
Description

DES operates on 64-bit blocks of plaintext. After
an initial permutation the block is broken into
right half and left half, each being 32 bits long
There are 16 rounds of identical operations, call
Function f, in which data are combined with 16
keys of 48 bits, one for each round
After the 16th round the right and left halves
are joined, and a final permutation (the inverse
of the initial permutation) finishes the
algorithm
Because DESs operation is very repetitive, it is
readily implementable in hardware, as well as
software

25
DES Round Structure

uses two 32-bit L R halves
as for any Feistel cipher can describe as
Li Ri1
Ri Li1 xor F(Ri1, Ki)
takes 32-bit R half and 48-bit subkey and
expands R to 48-bits using perm E (transposition)
adds to subkey (substitution)
passes through 8 S-boxes to get 32-bit result
(ST)
finally permutes this using 32-bit perm P
(transposition)

26
DES Round Structure
27
DES Module Operations

Permutation boxes
Specific boxes used in DES includes PC1 and PC2
for sub-key generation IP, IP-1, E-box and P-box
Substitution boxes
8 specific S-boxes are used in DES This is the
core of DES This step is non-linear
Modulo 2 addition
Addition in binary form used in function f
32 bits registers
Use only to store data. In the key generator two
shift registers are used to cyclically shift the
data used in key generation

28
Permutation
Input
0 1 0 1 1 0 0 1 1

Re-order the bit stream e.g. 1st bit of input
stream is moved to 9th bit of output stream
Permutation size of input and output are the
same used in DES Initial permutation, Inverse
permutation, etc
Expansion size of output is greater than input
stream, some input bits appear at two places in
output
Compression box size of output is smaller than
input stream, then some input stream will not
appear in the output

Output
1 0 1 0 0 1 1 0 0
P-box contents 2 6 4 8 7 5 9 3 1
Input
0 1 0 1 1 0 0
Output
1 0 1 0 0 1 0 0 0
E-box contents 2 6 4 1 7 5 7 3 1
29
Substitution

Substitution boxes provide a substitution code,
i.e. there is a code output stored for each input
Each S box stores a different set of 48
hexadecimal numbers in a matrix of 16?4
There are 8 S boxes in DES, each accepts a 6-bit
input and returns a 4-bit output
Consider a 48-bit input stream, first 6 bits
input will be input to the first S box, next 6
bits will be for the second S box, and so on.

30
DES Key Schedule
31
Form subkeys used in each round

consists of
initial permutation of the key (PC1) which
selects 56-bits in two 28-bit halves
16 stages consisting of
selecting 24-bits from each half
permuting them by PC2 for use in function f,
rotating each half separately either 1 or 2
places depending on the key rotation schedule K

32
Sub-Key generations

Now, lets first learn how to generate 16
sub-keys for each round of DES, given a secret
key K of 64 bits long (includes 8 parity bits) by
the sender
K 0101 1000 0001 1111 1011 1100 1001 0100 1101
0011 1010 0100 0101 0010 1110 1010
For each byte, the 8th bit is 1 if the number of
1s in the first 7 bits is even, 0 otherwise.

33
One sub-key
64-bit Secret key

64 bits of secret key are input to the key
generator, 8 parity bits are removed So, DES key
has only 56 bits
Objective use these 56 bits to generate a
different 48 bit sub-key for each round of DES
PC1 is a P box where 8 parity bits are removed
with input of 64 bits key
56-bit output of PC1 is split into two 28-bit
keys which is input into shift registers C and D
PC2 is also a P box which ignores certain input
bits and permutes to a 48-bit sub-key

PC1 (64?56)
C (28-bit)
D (28-bit)
PC2 (56?48)
48-bit sub-key
34
Generation of Many Sub-Keys
K
PC1
48-bit sub-keys
D1
C1
K1
PC2
C2
D2
K2
PC2
C3
D3
C16
D16
K16
PC2
35
Permuted Choice 1(PC1)

The table below specifies how the key is loaded
to memory in PC1.
If 64-bit Secret Key K 0101 1000 0001 1111
1011 1100 1001 0100 1101 0011 1010 0100 0101 0010
1110 1010, then PC1(K) L R where both L and
R are 28 bits long and
L 1011110011010001101001000101 and
R 1101001000101110100001111111

36
Shift Registers C and D

The contents of C C1, C2, C16 and D D1,
D2, D16 are circularly shifted to left by 1 or
2 bits (according to a shift table) prior to each
iteration
Total of 28 bit shifts will be done after 16
rounds
Shift tables is determined as below.
Assume we are at the first round. According to
the table, the number of shift to left 1.
C1(L) 0111100110100011010010001011 and D1(R)
1010010001011101000011111111
And C2(C1(L)) 1111001101000110100100010110 and
D2(D1(R)) 0100100010111010000111111111

37
Permuted Choice 2 (PC2)

PC2 is determined by the table below
Consider input X C1(L) D1(R) and YC2(L)
D2(R)
K1 PC2(X) 27A1 69E5 8DDAHEX (001001 111010
000101 101001 111001 011000 110111 011010)
K2 PC2(Y) DA91 DDD7 B748HEX (110110 101001
000111 011101 110101 111011 011101 001000)

38
Use Sub-keys to encrypt
64-bit plaintext

Now we have K1 and K2
Repeat the previous process 14 more times, we
will get altogether 16 sub-keys
Assume M is the 64-bit plaintext

Initial permutation
K1
Iteration 1
Iteration 2
K2
Iteration 16
K16
32-bit Swap
Inverse permutation
M 3570 E2F1 BA46 82C7HEX
64-bit ciphertext
39
Initial Permutation
40
64-bit plaintext

64 bits output of Initial permutation is split
Left hand 32 bits sent to L
Right hand 32 bits sent to R

Initial permutation
K1
Iteration 1
Iteration 2
K2
56-bit key
Iteration 16
K16
32-bit Swap
Inverse permutation
64-bit ciphertext
41
Initial Permutation (IP)

IP is determined as the following table
It occurs before round one
Bits in the plaintext are move into next
location, e.g. bit 58 to bit 1, bit 50 to bit 2
and bit 42 to bit 3, etc

42
Initial Permutation (IP)

Since M 3570 E2F1 BA46 82C7HEX (0011 0101
0111 0000 1110 0010 1111 0001 1011 1010 0100 0110
1000 0010 1100 0111), then IP(M) L0 R0 where
L0 1010 1110 0001 1011 1010 0001 1000 1001
AE1BA189HEX
R0 1101 1100 0001 1111 0001 0000 1111 0100
DC1F10F4HEX
Now we have L0 and R0 ready for iteration!

43
Operations in Each Round
44
Structure
32 bits
32 bits
Li-1
Ri-1
Li-1? f(Ri-1, Ki)
Li
Ri
32 bits
32 bits
45
f(Ri-1, Ki)
R (32 bits)
E
48 bits
K (48 bits)

S1
S2
S3
S4
S5
S6
S7
S8
P
32 bits
46
Computation of f(Ri-1, Ki)

Three types of boxes E, S, P
R (32 bits) is passed to expansion and
permutation box E-box
48 bits output of E-box is added modulo 2 to 48
bits sub-key and result sent to S boxes
S boxes (S1, S2S8) store a set of numbers input
48 (6?8) bits used to look up numbers like a
code book and 32 bits output is sent to
permutation box P
Permutation box P permutes 32 bit input producing
a 32-bit output

47
E-box used in DES

The E-box expands 32 bits to 48 bits it changes
the order of the bits as well as repeating
certain bits.

48
Substitution Boxes S

have eight S-boxes which map 6 to 4 bits
each S-box is actually 4 little 4 bit boxes
outer bits 1 6 (row bits) select one rows
inner bits 2-5 (col bits) are substituted
result is 8 lots of 4 bits, or 32 bits
row selection depends on both data key
feature known as autoclaving (autokeying)
exampleS(18 09 12 3d 11 17 38 39) 5fd25e03

49
Input of S-boxes

R0 DC1F 10F4HEX and
K K0 27A1 69E5 8DDAHEX (here K is not the
secret key but a symbol for all sub-keys)
? E(R0) 0110 1111 1000 0000 1111 1110 1000 1010
0001 0111 1010 1001 6F80 FE8A 17A9HEX
? E(R0) ? K0 0100 1000 0010 0001 1001 0111 0110
1111 1001 1010 0111 0011 4821976F9A73HEX
? Input Z 4821976F9A73HEX into S-boxes

R (32 bits)
E
48 bits
K (48 bits)

50
S-box

After the sub-key is XORed with the expanded
right blocked, 48-bit result moves to the
substitution operation, S-boxes
The S-boxes in DES swap bits around in the 48-bit
block in a reversible manner
Each S-box are differently defined.
Each input b1b2b3b4b5b6, S box will output a
hexadecimal number at
Row (b1b6)
Column (b2b3b4b5 )

Z
S1
S2
S3
S4
S5
S6
S7
S8
P
32 bits
51
S-box used in DES S1 and S2

The 48-bit input (from ) is separated into
eight 6-bit blocks (B1-8).
Each block is subjected to a unique substitution
function (S1-8) yielding a 4-bit block as output.
This is done by taking the first and last bits of
the block to represent a 2-digit binary number
(i) in the range of 0 to 3.
The middle 4 bits of the block represent a
4-digit binary number (j) in the range of 0 to
15.
The unique substitution number to use is the one
in the ith row and jth column, which is in the
range of 0 to 15 and is represented by a 4-bit
block.

52
S-box used in DES S1 and S2

Since Z 4821976F9A73HEX 010010 000010 000110
010111 011011 111001 101001 110011
? S1(010010) is the value 10 (at row 0 and column
10012 910 )
? S2(000010) 110 00012 (at row 0 and column
00012 110 )

53
S-box used in DES S3 and S4

Since Z 4821976F9A73HEX 010010 000010 000110
010111 011011 111001 101001 110011
? S3(000110) 1410 11102
? S4(010111) 1210 11002

54
S-box used in DES S5 and S6

Since Z 4821 976F 9A73HEX 010010 000010 000110
010111 011011 111001 101001 110011
? S5(011011) 910 10012
? S6(111001) 610 01102

55
S-box used in DES S7 and S8

Since Z 4821976F9A73HEX 010010 000010 000110
010111 011011 111001 101001 110011
? S7(101001) 110 00012
? S8(010011) 910 11002

56
Combine all 8 S-boxes

Now we have all outputs from 8 S-boxes
S(Z) 1010 0001 1110 1100 1001 0110 0001 1100
A1EC961CHEX
Input the result into P-box!

Z
S1
S2
S3
S4
S5
S6
S7
S8
A1EC961CHEX
P
32 bits
57
P-box used in DES

The P-box permutation is determined as below
which is a straight permutation no bits are used
twice, and no bits are ignored.
? P(A1EC961CHEX) 0010 1011 1010 0001 0101 0011
0110 1100 2BA1536CHEX

58
An example for first two rounds
59
First Round

L0 AE1BA189HEX and R0 DC1F10F4HEX
Sub-key K2 27A1 69E5 8DDAHEX
f(R1,K2) 2BA1 536CHEX
?L0? f(R0,K1)1000 0101 1011 1010 1111 0010 1110
010185BAF2E5HEX
? L1 DC1F 10F4HEX and R1 85BA F2E5HEX

L0
R0
L0? f(R0, K1)
L1
R1
60
Second Round

L1 DC1F 10F4HEX and R1 85BA F2E5HEX
Sub-key K2 DA91 DDD7 B748HEX
E(R1) 110000001011110111110101011110100
101011100001011 C0BD F57A 570BHEX
E(R1)? K2000110100010110000101000101011011110
000001000011
S1(000110)0001 S2(100010)1110S3(110000)1011
S4(101000)1100 S5(101011)1110
S6(011110)1011 S7(000001)1101 S8(000011)1111
P(8 outputs of S-boxes) 0101 1111 0011 1110
0011 1001 1111 0111 5F3E 39F7HEX f(R1,K2)
?L1? f(R1,K1) 1000 0011 0010 0001 0010 1001
0000 0011 8321 2903HEX
? L2 R1 85BA F2E5HEX R2 8321 2903HEX

L1
R1
L1? f(R1, K2)
L2
R2
61
The last step to get Ciphertext
62
DES Ciphertext
32 bits
32 bits

Express DES encryption algebraically (in binary
number)
RjLj-1? f(Rj-1,Kj)
LjRj-1
After 16 rounds of iterations, the contents of L
and R are swapped and input to Inverse
permutation
Finally, a 64-bit ciphertext is done!

Li-1
Ri-1
Li-1? f(Ri-1, Ki)
For i16
Li
Ri
32 bits
32 bits
32-bit Swap
Inverse permutation
64-bit ciphertext
63
Inverse Initial Permutation (IP-1)

IP-1 is determined as the following table
Since DES consists of 16 rounds, too many for our
lecture!
Consider DES algorithm of two rounds.
Ciphertext IP-1(R1L1) 1101 0111 0110 1001
1000 0010 0010 0100 0010 1000 0011 1110 0000 1010
1110 1010 D7698224283E0AEAHEX

64
DES Decryption
65

DES decryption is straightforward
e.g. to permute n bits with inverse permutation
and then initial permutation will do nothing on
the n bits
Decryption processes are almost the same except
that
16 sub-keys are entered in reverse order
Decryption sub-keys are formed using a different
shift table with C and D shifts to the right in
stead of the left

x
Inverse permutation
Initial permutation
yx
66
DES Encryption Decryption
64-bit plaintext
64-bit ciphertext
Initial permutation
Initial permutation
K1
K16
Iteration 1
Iteration 1
Iteration 2
Iteration 2
K2
K15
56-bit key
56-bit key
Iteration 16
Iteration 16
K16
K1
32-bit Swap
32-bit Swap
Decryption
Inverse permutation
Inverse permutation
Encryption
64-bit ciphertext
64-bit plaintext
67
Detailed Description

decrypt must unwind steps of data computation
with Feistel design, do encryption steps again
using subkeys in reverse order (SK16 SK1)
note that IP undoes final FP step of encryption
1st round with SK16 undoes 16th encrypt round
.
16th round with SK1 undoes 1st encrypt round
then final FP undoes initial encryption IP
thus recovering original data value

68
Algebraic Expressions

Encryption (M)
Input plaintext to Initial permutation box to get
L0 and R0
Repeat 15 times with
RjLj-1? f(Rj-1,Kj)
LjRj-1
to get L16 and R16
Swap them to get R16L16
Put R16L16 to Inverse permutation box to get
ciphertext

Decryption (C)
Input ciphertext to Initial permutation box to
get A16 and B16
Repeat 15 times with
Bj-1Aj ? f(Bj,Kj)
Aj-1Bj
to get A0 and B0
Swap them to get B0A0
Put B0A0 to Inverse permutation box to get back
the plaintext

69
A Simple Example

Consider there are only 2 rounds in DES
Given ciphertext C D7698224283E0AEAHEX
Lets decipher it to get back our plaintext M.
Normally, in deciphering operation, sub-key must
be used in reversed order i.e. K16, K15,
In our case, we will use K2 and then K1 only
Also, those shift registers C C1, C2 and D
D1,D2 will be altered to right shift
?IP(C) 8321 2903 85BA F2E5HEX
?Let A2 8321 2903HEX and B2 85BA F2E5HEX

70
Decryption

A2 8321 2903HEX and B2 85BA F2E5HEX
First Round
E(B2)110000 001011 110111 110101 011110 100101
011100 001011
E(B2)?K2000110 100010 110000 101000 101011
011110 000001 000011
S1(000110)0001 S2(100010)1110
S3(110000)1011 S4(101000)1100
S5(101011)1110 S6(011110)1011
S7(000001)1101 S8(000011)1111
Let S0001 1110 1011 1100 1110 1011 1101 1111
P(S)0101 1111 0011 1110 0011 1001 1111 0111
P(S)?A2 1101 1100 0001 1111 0001 0000 1111 0100
DC1F10F4HEX

71
Decryption

B1 DC1F10F4HEX and A1 B2 85BA F2E5HEX
Second Round
E(B1)011011 111000 000011 111110 100010 100001
011110 101001
E(B1)?K1010010 000010 000110 010111 011011
111001 101001 110011
S1(010010)1010 S2(000010)0001
S3(000110)1110 S4(010111)1100
S5(011011)1001 S6(111001)0110
S7(101001)0001 S8(110011)1100
Let S 1010 0001 1110 1100 1001 0110 0001 1100
P(S) 0010 1011 1010 0001 0101 0011 0110 1100
P(S)?A1 1010 1110 0001 1011 1010 0001 1000 1001
AE1BA189HEX
B0 AE1B A189HEX and A0 B1 DC1F 10F4HEX
IP-1(B0A0) 0011 0101 0111 0000 1110 0010 1111
0001 1011 1010 0100 0110 1000 0010 1100 0111
3570 E2F1 BA46 82C7HEX

M
72
Modes of Operation
73
How to use DES?

Four modes of operations were defined for DES in
ANSI standard ANSI X3.106-1983 Modes of Use
subsequently now have 5 for DES and AES
have block and stream modes
http//www.itl.nist.gov/fipspubs/fip81.htm

74
Handle long messages

Block ciphers encrypt fixed size blocks
eg. DES encrypts 64-bit blocks, with 56-bit key
How to encrypt arbitrary amount of information ?
Message is broken into blocks of 64 bits
At end of message, handle possible last short
block
by padding either with known non-data value (eg
nulls)
or pad last block with count of pad size
eg. b1 b2 b3 0 0 0 0 5 lt- 3 data bytes, then 5
bytes padcount
Then they are encrypted and decrypted in various
combinations of keys and texts.

75
Electronic Codebook Book (ECB)

Use it as a substitution cipher for letters of 64
bits long.
message is broken into independent blocks which
are encrypted
each block is a value which is substituted, like
a codebook
each block is encoded independently of the other
blocks
Ci DESK (Pi)

76
Electronic Codebook Book (ECB)
77
Advantages and Limitations of ECB

Repetitions in message may show in ciphertext
if aligned with message block
particularly with data such as graphics
or with messages that change very little, which
become a code-book analysis problem
Good for a small amount of data
Typical application secure transmission of a
single value such as a session key for
transmission.
Weakness output the same ciphertext for the same
block of 64 bits.

78
Cipher Block Chaining (CBC)

Message is broken into blocks
which are linked together in the encryption
operation
each previous cipher blocks is chained with
current plaintext block
An Initial Vector (IV) is used to start process
Ci DESK1(Pi XOR Ci-1)
C0 IV

79
Cipher Block Chaining (CBC)
80
Advantages and Limitations of CBC

Each ciphertext block depends on all message
blocks proceeding it
A change in the message affects all ciphertext
blocks after the change as well as the original
block
Initial Value (IV) need to be known to sender
receiver
If IV is sent in the clear, an attacker can
change bits of the first block, and change IV to
compensate
Either IV must be a fixed value (as in EFTPOS) or
it must be sent encrypted in ECB mode before rest
of message
Applications bulk data encryption, authentication

81
Cipher FeedBack (CFB)

Message is treated as a stream of bits
Bitwise-added to the output of the block cipher
Result is feed back for next stage (hence name)
Standard allows any number of bit (1,8 or 64 or
whatever) to be feed back
denoted CFB-1, CFB-8, CFB-64 etc
Ci Pi XOR SsDESK(Ri-1)
R0 IV , Ri LeftShifts (Ri-1, Ci-1)
Where SsX stands for the most significant s
bits.
LeftShifts(X,Y) shifts X to the left by s bits
and put Y in place of the rightmost s bits.
Exercise How to do decryptions? (there is some
error in the next page).

82
Cipher FeedBack (CFB)
83
Advantages and Limitations of CFB

Appropriate when data arrives in a fixed size
Most commonly used stream mode
Limitation need to stall while do block
encryption after every n-bits
note that the block cipher (DES) is used in
encryption mode at both ends (of encryption and
decryption)
Applications stream data encryption,
authentication

84
Output FeedBack (OFB)

Again, message is treated as a stream of bits
Output of cipher is added to message and used as
feedback
feedback is independent of message
can be computed in advance
Ci Pi XOR Oi
Oi DESK1(Oi-1)
O0 IV
Advantage bit error in transmission does not
propagate

85
Output FeedBack (OFB)
86
Advantages and Limitations of OFB

Used when error feedback is a problem or where
need to encryptions before message is available
Superficially similar to CFB
but feedback is from the output of cipher and is
independent of message
a variation of a Vernam cipher
hence must never reuse the same sequence (keyIV)
Sender and receiver must remain in
synchronization, and some recovery method is
needed to ensure it
Originally specified with m-bit feedback in the
standards
Subsequent research has shown that only OFB-64
should ever be used
Applications stream encryption over noisy
channels

87
Counter (CTR)

a new mode, though proposed early
similar to OFB but encrypts counter value rather
than any feedback value
must have a different key counter value for
every plaintext block (never reused)
Ci Pi XOR Oi
Oi DESK(i)
uses high-speed network encryptions

88
Counter (CTR)
89
Advantages and Limitations of CTR

efficiency
can do parallel encryptions
in advance of need
good for bursty high speed links
random access to encrypted data blocks
provable security (good as other modes)
but must ensure never reuse key/counter values,
otherwise could break (similar to OFB)

90
Summary