Chapter 8: Encipherment Using Modern Symmetric-Key Ciphers
Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
Objectives
❏ To show how modern standard ciphers, such as DES or AES, can be used to encipher long messages.
❏ To discuss five modes of operation designed to be used with modern block ciphers.
❏ To define which mode of operation creates stream ciphers out of the underlying block ciphers.
❏ To discuss the security issues and the error propagation of different modes of operation.
❏ To discuss two stream ciphers used for real-time processing of data.
8.1 USE OF MODERN BLOCK CIPHERS
Symmetric-key encipherment can be done using modern block ciphers. DES encrypts and decrypts a block of 64 bits; AES encrypts and decrypts a block of 128 bits. In real-life applications, the text to be enciphered is of variable size and normally much larger than 64 or 128 bits. Modes of operation have been devised to encipher text of any size employing either DES or AES.
Figure 8.1 Modes of operation
8.1.1 Electronic Codebook (ECB) Mode
The simplest mode of operation is called the electronic codebook (ECB) mode. The same key is used to encrypt and decrypt each block.
Figure 8.2 Electronic codebook (ECB) mode
Example 8.1
Because encryption and decryption are inverses of each other, it can be proved that each plaintext block at Alice's site is exactly recovered at Bob's site.
Example 8.2
This mode is called electronic codebook because one can precompile 2^K codebooks (one for each key) in which each codebook has 2^n entries in two columns. Each entry can list the plaintext and the corresponding ciphertext blocks. However, if K and n are large, the codebook would be far too large to precompile and maintain.
Security Issues
Following are security issues in ECB mode:
1. Patterns at the block level are preserved. For example, equal blocks in the plaintext become equal blocks in the ciphertext.
2. The block independency creates opportunities for Eve to exchange some ciphertext blocks without knowing the key. For example, if Eve knows that block 8 always conveys some specific information, she can replace this block with the corresponding block in the previously intercepted
Example 8.3
Assume that Eve works in a company a few hours per month (her monthly payment is very low). She knows that the company uses several blocks of information for each employee, in which the seventh block is the amount of money to be deposited in the employee's account. Eve can intercept the ciphertext sent to the bank at the end of the month and replace the block with the information about her payment with a copy of the block with the information about the payment of a full-time colleague. Each month Eve can receive more money than she deserves.
Error Propagation
A single bit error in transmission can create errors in several bits (normally about half, or all, of the bits) of the corresponding block. However, the error does not have any effect on the other blocks.
Ciphertext Stealing
A technique called ciphertext stealing (CTS) makes it possible to use ECB mode without padding. In this technique the last two plaintext blocks, P_{N−1} and P_N, are encrypted differently and out of order, as shown below, assuming that P_{N−1} has n bits and P_N has m bits, where m ≤ n. The head_m function selects the leftmost m bits; the tail_{n−m} function selects the rightmost n − m bits.
Application
The ECB mode of operation is not recommended for encryption of messages of more than one block to be transferred through an insecure channel. The independence of the ciphertext blocks is nonetheless useful in two cases:
1. Records that need to be encrypted before they are stored in a database or decrypted before they are retrieved, because the order of encryption and decryption of blocks is not important in this mode.
2. We can use parallel processing if we need to create, for example, a very huge encrypted
8.1.2 Cipher Block Chaining (CBC) Mode
In CBC mode, each plaintext block is exclusive-ored with the previous ciphertext block before being encrypted.
Figure 8.3 Cipher block chaining (CBC) mode
The relation between plaintext and ciphertext blocks is shown below:
Example 8.4
Because encryption and decryption are inverses of each other, it can be proved that each plaintext block at Alice's site is recovered exactly at Bob's site.
Initialization Vector (IV)
The initialization vector (IV) should be known by the sender and the receiver. Although keeping the IV secret is not necessary, the integrity of the vector plays an important role in the security of CBC mode; the IV should be kept safe from change. Several methods have been recommended for using the IV:
A pseudorandom number can be selected by the sender and transmitted through a secure channel (e.g., using ECB mode).
A fixed IV value can be agreed upon by Alice and Bob when the secret key is established.
Security Issues
Following are two of the security issues in CBC mode:
1. Equal plaintext blocks belonging to the same message are enciphered into different ciphertext blocks. However, if two messages are equal, their encipherment is the same if they use the same IV. For this reason, some people recommend the use of a timestamp as an IV.
2. Eve can add some ciphertext blocks to the end of the ciphertext stream.
Error Propagation
In CBC mode, a single bit error in ciphertext block C_j during transmission may create errors in most bits of plaintext block P_j during decryption. However, this single error toggles only one bit in the plaintext block P_{j+1} (the bit in the same location). Plaintext blocks P_{j+2} to P_N are not affected by this single bit error. A single bit error in the ciphertext is therefore self-recovering.
Algorithm
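As an added example (not from the book), the following Python code implements ECB and CBC over a hypothetical toy 64-bit Feistel block cipher standing in for DES, to show two properties discussed above: ECB maps the two equal payment blocks of a constructed record to equal ciphertext blocks, while in CBC a single flipped ciphertext bit garbles P_j, toggles one bit of P_{j+1}, and leaves the later blocks untouched. The cipher, key, IV and plaintext are all constructed for illustration.

```python
import hashlib
BLOCK = 8  # toy 64-bit block size, like DES

def _feistel(key: bytes, block: bytes, rounds) -> bytes:
    """Hypothetical toy 64-bit block cipher (stand-in for DES/AES, NOT secure):
    a 4-round Feistel network whose round function is SHA-256 keyed by `key`."""
    left, right = block[:4], block[4:]
    for rnd in rounds:
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:4]
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return right + left  # final swap lets the same loop, run backwards, decrypt
def encrypt_block(key, block): return _feistel(key, block, range(4))
def decrypt_block(key, block): return _feistel(key, block, reversed(range(4)))
def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))
def blocks(data): return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, pt):  # C_i = E_K(P_i): every block stands alone
    return b"".join(encrypt_block(key, p) for p in blocks(pt))

def cbc_encrypt(key, iv, pt):  # C_i = E_K(P_i XOR C_{i-1}), with C_0 = IV
    out, prev = [], iv
    for p in blocks(pt):
        prev = encrypt_block(key, xor(p, prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):  # P_i = D_K(C_i) XOR C_{i-1}
    out, prev = [], iv
    for c in blocks(ct):
        out.append(xor(decrypt_block(key, c), prev))
        prev = c
    return b"".join(out)

# Constructed sample: blocks 1 and 3 are identical "payment" records.
KEY = b"constructed-key!"
IV = bytes(range(BLOCK))
PT = b"EMP=0001" + b"PAY=0100" + b"EMP=0002" + b"PAY=0100" + b"TRAILER."

def repeated_blocks(mode: str) -> bool:
    """Do the two equal plaintext blocks also give equal ciphertext blocks?"""
    ct = ecb_encrypt(KEY, PT) if mode == "ECB" else cbc_encrypt(KEY, IV, PT)
    return blocks(ct)[1] == blocks(ct)[3]

def cbc_bit_error(j: int = 1, bit: int = 5) -> list:
    """Flip one bit of C_j in transit; return the differing-bit count per block."""
    ct = bytearray(cbc_encrypt(KEY, IV, PT))
    ct[j * BLOCK] ^= 1 << bit
    rec = cbc_decrypt(KEY, IV, bytes(ct))
    return [bin(int.from_bytes(xor(p, q), "big")).count("1")
            for p, q in zip(blocks(PT), blocks(rec))]
```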
Ciphertext Stealing
The ciphertext stealing technique described for ECB mode can also be applied to CBC mode, as shown below. The head function is the same as described in ECB mode; the pad function inserts 0's.
Application
The CBC mode of operation can be used to encipher messages. However, because of the chaining mechanism, parallel processing is not possible. CBC mode is not used to encrypt and decrypt the records of random-access files, because encryption and decryption require access to the previous records. CBC mode is also used for authentication (Chapter 11).
8.1.3 Cipher Feedback (CFB) Mode
In some situations, we need to use DES or AES as secure ciphers, but the plaintext or ciphertext block size needs to be smaller. In this mode the size of the block used in DES or AES is n, but the size of the plaintext or ciphertext block is r, where r ≤ n. The idea is to use DES or AES not for encrypting the plaintext or decrypting the ciphertext, but for encrypting or decrypting the contents of a shift register, S, of size n.
Encryption is done by XORing an r-bit plaintext block with r bits of S. Decryption is done by XORing an r-bit ciphertext block with r bits of S. For each block, the shift register S_i is made by shifting S_{i−1} r bits to the left and filling the rightmost r bits with C_{i−1}. S_i is then encrypted to T_i. Only the rightmost r bits of T_i are XORed with P_i to make C_i.
Figure 8.4 Encryption in cipher feedback (CFB) mode
In CFB mode, encipherment and decipherment both use the encryption function of the underlying block cipher. The relation between plaintext and ciphertext blocks is shown below:
CFB as a Stream Cipher
Figure 8.5 Cipher feedback (CFB) mode as a stream cipher
Security Issues
There are three security issues in CFB mode:
1. Just like CBC, patterns at the block level are not preserved.
2. More than one message can be encrypted with the same key, but the value of the IV should be changed for each message.
3. Eve can add some ciphertext blocks to the end of the ciphertext stream.
Error Propagation
In CFB mode, a single bit error in ciphertext block C_j during transmission creates a single bit error (at the same position) in plaintext block P_j. However, most of the bits in the following plaintext blocks are in error (each with 50 percent probability) as long as some bits of C_j are still in the register. After the shift register is totally refreshed, the system recovers from the error.
Application
The CFB mode of operation can be used to encipher blocks of small size such as one character or one bit at a time. There is no need for padding because the size of the plaintext block is normally fixed (8 for a character or 1 for a bit).
Special Case
If the blocks in the text and in the underlying cipher are the same size (n = r), the encryption/decryption becomes simpler.
8.1.4 Output Feedback (OFB) Mode
Output feedback mode (OFB) is very similar to CFB mode, with one difference: each bit in the ciphertext is independent of the previous bit or bits. This avoids error propagation. If an error occurs in transmission, it does not affect the bits that follow.
Figure 8.6 Encryption in output feedback (OFB) mode
OFB as a Stream Cipher
Figure 8.7 Output feedback (OFB) mode as a stream cipher
Security Issues
There are two security issues in OFB mode:
1. Just like CFB, patterns at the block level are not preserved.
2. Any change in the ciphertext affects the corresponding plaintext recovered at the receiver side.
Error Propagation
A single bit error in the ciphertext affects only the corresponding bit in the plaintext.
Special Case
If the blocks in the text and in the underlying cipher are the same size (n = r), the encryption/decryption becomes simpler.
8.1.5 Counter (CTR) Mode
In the counter (CTR) mode, there is no feedback. The pseudorandomness in the key stream is achieved using a counter. To provide better randomness, the increment value can depend on the block number to be incremented.
Figure 8.8 Encryption in counter (CTR) mode
The relation between plaintext and ciphertext blocks is shown below. Like OFB, CTR creates a key stream that is independent of the previous ciphertext block, but CTR does not use feedback. Like ECB, CTR creates n-bit ciphertext blocks that are independent of each other; they depend only on the value of the counter.
Like ECB, CTR cannot be used for real-time processing, since it needs to wait to get a complete n-bit block of data. CTR can be used to encrypt and decrypt random-access files as long as the value of the counter can be related to the record number in the file.
CTR as a Stream Cipher
Figure 8.9 Counter (CTR) mode as a stream cipher
Security Issues
The security issues for the CTR mode are the same as those for OFB mode.
Error Propagation
A single bit error in the ciphertext affects only the corresponding bit in the plaintext.
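Added example, not from the book: CTR mode written in Python with a keyed SHA-256 standing in for E_K(counter), since only the forward direction of the block cipher is ever needed. It shows random access to record k of a constructed file, the single-bit error locality stated above, and why the starting counter value must not be reused under the same key; the key, counter and records are constructed.

```python
import hashlib
BLOCK = 8  # toy block size in bytes; one record per block in this example

def keystream_block(key: bytes, counter: int) -> bytes:
    """Stand-in for E_K(counter). CTR needs only the forward direction of the
    block cipher, so a keyed SHA-256 truncated to one block is assumed here
    for illustration; a real system would use AES or DES."""
    return hashlib.sha256(key + counter.to_bytes(8, "big")).digest()[:BLOCK]

def xor(a: bytes, b: bytes) -> bytes: return bytes(x ^ y for x, y in zip(a, b))

def ctr_block(key: bytes, ctr0: int, i: int, data: bytes) -> bytes:
    """Encrypt or decrypt block i on its own: C_i = P_i XOR E_K(ctr0 + i).
    No other block is needed, which is what makes random access possible."""
    return xor(data, keystream_block(key, ctr0 + i))

def ctr_crypt(key: bytes, ctr0: int, data: bytes) -> bytes:
    return b"".join(ctr_block(key, ctr0, i, data[o:o + BLOCK])
                    for i, o in enumerate(range(0, len(data), BLOCK)))

# Constructed sample: a "file" of four fixed-size records under one key.
KEY = b"constructed-key!"
CTR0 = 0x1000  # starting counter value shared by sender and receiver
RECORDS = [b"REC-0000", b"REC-0001", b"REC-0002", b"REC-0003"]
FILE_CT = ctr_crypt(KEY, CTR0, b"".join(RECORDS))

def read_record(k: int) -> bytes:
    """Decrypt record k straight from its ciphertext block, touching no other."""
    return ctr_block(KEY, CTR0, k, FILE_CT[k * BLOCK:(k + 1) * BLOCK])

def bit_error_effect(j: int, bit: int) -> list:
    """Flip one bit of C_j; return how many bits differ in each recovered record."""
    ct = bytearray(FILE_CT)
    ct[j * BLOCK] ^= 1 << bit
    rec = ctr_crypt(KEY, CTR0, bytes(ct))
    return [bin(int.from_bytes(xor(r, rec[i * BLOCK:(i + 1) * BLOCK]), "big")).count("1")
            for i, r in enumerate(RECORDS)]

def counter_reuse_leak(p1: bytes, p2: bytes) -> bool:
    """Why the starting counter must change per message: under the same key and
    ctr0 the key stream cancels out, so C1 XOR C2 equals P1 XOR P2."""
    c1, c2 = ctr_crypt(KEY, CTR0, p1), ctr_crypt(KEY, CTR0, p2)
    return xor(c1, c2) == xor(p1, p2)
```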
Comparison of Different Modes
8.2 USE OF STREAM CIPHERS
Although the five modes of operation enable the use of block ciphers for encipherment of messages or files in large units and small units, sometimes pure stream ciphers are needed for enciphering small units of data such as characters or bits. Stream ciphers are more efficient for real-time processing. Several stream ciphers have been used in different protocols during the last few decades. We will discuss here only two: RC4 and A5/1.
8.2.1 RC4
RC4 is a stream cipher that was designed in 1984 by Ronald Rivest and used in many data communication and networking protocols, including SSL/TLS and the IEEE 802.11 wireless LAN standard. RC4 is a byte-oriented stream cipher in which a byte of plaintext is exclusive-ored with a byte of key to produce a byte of ciphertext.
State
RC4 is based on the concept of a state. At each moment, a state of 256 bytes is active, from which one of the bytes is randomly selected to serve as the key for encryption. The idea can be shown as an array of bytes:
The Idea
Figure 8.10 The idea of RC4 stream cipher
Initialization
Initialization is done in two steps:
The first step
The second step
Key Stream Generation
The keys in the key stream are generated one by one. i and j are initialized to 0.
Encryption or Decryption
After k has been created, the plaintext byte is encrypted with k to create the ciphertext byte. Decryption is the reverse process.
Algorithm
Example 8.5
To show the randomness of the key stream, we use a secret key with all bytes set to 0. The key stream for 20 values of k is (222, 24, 137, 65, 163, 55, 93, 58, 138, 6, 30, 103, 87, 110, 146, 109, 199, 26, 127, 163).
Example 8.6
Repeat Example 8.5, but let the secret key be five bytes of (15, 202, 33, 6, 8). The key stream is (248, 184, 102, 54, 212, 237, 186, 133, 51, 238, 108, 106, 103, 214, 39, 242, 30, 34, 144, 49). Again the randomness in the key stream is obvious.
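The following Python implementation of RC4's two initialization steps and its key-stream loop is added here (it is not the book's algorithm listing) and reproduces the 20 key-stream bytes of Example 8.5; the five-byte zero key and the sample message are constructed inputs.

```python
# RC4 key-scheduling algorithm (KSA) and key-stream generator (PRGA), written
# here to reproduce Example 8.5. RC4 is obsolete: RFC 7465 prohibits it in TLS.

def rc4_ksa(key: bytes) -> list:
    """First step: fill the 256-byte state S with 0..255 and an array K by
    repeating the key; second step: permute S with j = (j + S[i] + K[i]) mod 256
    and a swap of S[i] and S[j] for i = 0..255."""
    if not key:
        raise ValueError("key must not be empty")
    S = list(range(256))
    K = [key[i % len(key)] for i in range(256)]
    j = 0
    for i in range(256):
        j = (j + S[i] + K[i]) % 256
        S[i], S[j] = S[j], S[i]
    return S

def rc4_keystream(key: bytes, n: int) -> list:
    """Generate n key bytes k, one per step, from the state S (i and j start at 0)."""
    S = rc4_ksa(key)
    i = j = 0
    out = []
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % 256])  # the selected byte is the key k
    return out

def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt: each byte is XORed with one key-stream byte."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key, len(data))))

# Example 8.5 from the text: a secret key with all bytes set to 0 (its length
# does not matter, because K repeats the key). The message is a constructed sample.
ZERO_KEY = bytes(5)
SAMPLE = b"constructed sample message"
```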
Security Issues
It is believed that the cipher is secure if the key size is at least 128 bits (16 bytes). There are some reported attacks for very small key sizes (less than 5 bytes), but the protocols that use RC4 today all use key sizes that make RC4 secure. However, to protect against differential cryptanalysis, it is recommended that different keys be used for different sessions.
8.2.2 A5/1
A5/1 (a member of the A5 family of ciphers) is used in the Global System for Mobile Communication (GSM), a network for mobile telephone communication. Phone communication in GSM is done as a sequence of 228-bit frames in which each frame lasts 4.6 milliseconds.
Figure 8.11 General outline of A5/1
Key Generator
A5/1 uses three LFSRs with 19, 22, and 23 bits. Their 1-bit output is fed to a 228-bit buffer to be used for encryption (or decryption).
Figure 8.12 Three LFSRs in A5/1
Initialization
Initialization is done for each frame of encryption (or decryption). The initialization uses a 64-bit secret key and the 22 bits of the corresponding frame number.
1. First, set all bits in the three LFSRs to 0.
2.
3.
4.
Majority Function
The majority function, Majority(b1, b2, b3), is evaluated before each clock tick; the three input bits are called clocking bits: LFSR1[10], LFSR2[11], and LFSR3[11]. (Bit positions are counted from the right, with the rightmost bit numbered 0.)
Key Stream Bits
The key generator creates the key stream one bit at each clock tick. Before the key bit is created, the majority function is calculated. Then each LFSR is clocked if its clocking bit matches the result of the majority function; otherwise, it is not clocked.
Example 8.7
At a point of time the clocking bits are 1, 0, and 1. Which LFSR is clocked (shifted)?
Solution
The result of Majority(1, 0, 1) = 1. LFSR1 and LFSR3 are shifted, but LFSR2 is not.
Encryption/Decryption
The bit streams created from the key generator are buffered to form a 228-bit key that is exclusive-ored with the plaintext frame to create the ciphertext frame. Encryption/decryption is done one frame at a time.
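An added Python model of the A5/1 key generator (not the book's code) that applies the majority clocking rule of Example 8.7 to three LFSRs of 19, 22 and 23 bits and XORs a 228-bit key stream with a frame. The clocking-bit positions follow the text; the feedback tap positions, the shift direction and the output bit are assumptions made for illustration only.

```python
# A5/1 key generator with majority ("stop/go") clocking, written to work through
# Example 8.7. Register lengths and clocking-bit positions follow the text
# (bits counted from the right, rightmost = 0); the feedback taps, the leftward
# shift and the output bit are ASSUMED for illustration, not taken from the text.
LENGTHS = (19, 22, 23)
CLOCK_BITS = (10, 11, 11)
TAPS = ((18, 17, 16, 13), (21, 20), (22, 21, 20, 7))  # hypothetical taps

def majority(b1: int, b2: int, b3: int) -> int:
    """Majority(b1, b2, b3) is 1 if at least two of the bits are 1, else 0."""
    return 1 if b1 + b2 + b3 >= 2 else 0

def registers_to_clock(clock_bits) -> list:
    """1-based numbers of the LFSRs whose clocking bit matches the majority;
    at least two of the three always clock."""
    m = majority(*clock_bits)
    return [n + 1 for n, b in enumerate(clock_bits) if b == m]

def lfsr_step(reg: int, length: int, taps) -> int:
    """Shift the register one bit to the left, feeding in the XOR of the taps."""
    fb = 0
    for t in taps:
        fb ^= (reg >> t) & 1
    return ((reg << 1) | fb) & ((1 << length) - 1)

def a5_keystream(regs, nbits: int) -> list:
    """Each tick: read the clocking bits, clock only the registers that agree
    with the majority, then output the XOR of the three leftmost bits."""
    regs = list(regs)
    out = []
    for _ in range(nbits):
        bits = [(regs[n] >> CLOCK_BITS[n]) & 1 for n in range(3)]
        for n in registers_to_clock(bits):
            regs[n - 1] = lfsr_step(regs[n - 1], LENGTHS[n - 1], TAPS[n - 1])
        out.append(((regs[0] >> 18) ^ (regs[1] >> 21) ^ (regs[2] >> 22)) & 1)
    return out

def crypt_frame(frame: list, key_bits: list) -> list:
    """Encrypt or decrypt one 228-bit frame by XORing it with 228 key-stream bits."""
    return [f ^ k for f, k in zip(frame, key_bits)]
```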
Security Issues
Although GSM continues to use A5/1, several attacks on GSM have been recorded. Two are mentioned here. In 2000, Alex Biryukov, Adi Shamir, and David Wagner showed a real-time attack that finds the key in minutes from small amounts of known plaintext, but it needs a preprocessing stage with 2^48 steps. In 2003, Ekdahl and Johansson published an attack that broke A5/1 in a few minutes using 2 to 5 minutes of plaintext. With some new attack on the horizon, GSM may need to replace or fortify A5/1 in the future.
8.3 OTHER ISSUES
Encipherment using symmetric-key block or stream ciphers requires discussion of other issues.
8.3.1 Key Management
Alice and Bob need to share a secret key between themselves to securely communicate using a symmetric-key cipher. If there are n entities in the community, n(n − 1)/2 keys are needed. Key management is discussed in Chapter 15.
8.3.2 Key Generation
Different symmetric-key ciphers need keys of different sizes. The selection of the key must be based on a systematic approach to avoid a security leak. The keys need to be chosen randomly. This implies that there is a need for a random (or pseudorandom) number generator. Random number generators are discussed in Appendix K.