Chapter 6 – Block Cipher

Cryptography and Operation

Network Security Many savages at the present day regard
Chapter 6 their names as vital parts of themselves,
and therefore take great pains to conceal
their real names, lest these should give to
Fifth Edition evil-disposed persons a handle by which
by William Stallings to injure their owners.
Lecture slides by Lawrie Brown — The Golden Bough, Sir James George
(with edits by RHB) Frazer

Outline Multiple Encryption & DES

• Multiple Encryption & Triple-DES • clear a replacement for DES was needed
• Modes of Operation – theoretical attacks that can break it
– ECB, CBC, CFB, OFB, CTR, XTS-AES – demonstrated exhaustive key search attacks
• AES is a new cipher alternative
• prior to this alternative was to use multiple
encryption with DES implementations
• Triple-DES is the chosen form
 Double-DES? Triple-DES with Two-Keys
• could use 2 DES encrypts on each block • hence must use 3 encryptions
– C = EK2(EK1(P)) – would seem to need 3 distinct keys
• issue of reduction to single stage • but can use 2 keys with E-D-E sequence
– C = EK1(DK2(EK1(P)))
• and have “meet-in-the-middle” attack
– nb encrypt & decrypt equivalent in security
– works whenever use a cipher twice – if K1 = K2 then can work with single DES
– since X = EK1(P) = DK2(C)
• standardized in ANSI X9.17 & ISO8732
– attack by encrypting P with all keys and store
• no current known practical attacks
– then decrypt C with keys and match X value
– several proposed impractical attacks might
– can show takes O(256) steps become basis of future attacks

Triple-DES with Three-Keys Modes of Operation

• although are no practical attacks on two- • block ciphers encrypt fixed size blocks
key Triple-DES, have some doubts – eg. DES encrypts 64-bit blocks with 56-bit key
• can use Triple-DES with Three-Keys to • need some way to en/decrypt arbitrary
avoid even these amounts of data in practise
– C = EK3(DK2(EK1(P)))
• NIST SP 800-38A defines 5 modes
• has been adopted by some Internet • have block and stream modes
applications, eg PGP, S/MIME
• to cover a wide variety of applications
• can be used with any block cipher
 Electronic Codebook Book (ECB)
• message is broken into independent
blocks which are encrypted Electronic
• each block is a value which is substituted, Codebook
like a codebook, hence name Book
• each block is encoded independently of (ECB)
the other blocks
Ci = EK(Pi)
• uses: secure transmission of single values

Advantages and Limitations of ECB Cipher Block Chaining (CBC)

• message repetitions may show in ciphertext • message is broken into blocks
– if aligned with message block • linked together in encryption operation
– particularly with data such graphics
• each previous cipher blocks is chained
– or with messages that change very little, which
become a code-book analysis problem with current plaintext block, hence name
• weakness is due to the encrypted message • use Initial Vector (IV) to start process
blocks being independent Ci = EK(Pi XOR Ci-1)
• main use is sending a few blocks of data C-1 = IV
• uses: bulk data encryption, authentication
 Message Padding

• at end of message must handle a possible

Cipher last short block
Block – which is not as large as blocksize of cipher
– pad either with known non-data value (eg nulls)
Chaining – or pad last block along with count of pad size
(CBC) • eg. [ b1 b2 b3 0 0 0 0 5]
• means have 3 data bytes, then 5 bytes pad+count
– this may require an extra entire block over
those in message
• there are other, more esoteric modes,
which avoid the need for an extra block

Advantages and Limitations of CBC Stream Modes of Operation

• a ciphertext block depends on all blocks • block modes encrypt entire block
before it • may need to operate on smaller units
• any change to a block affects all following – real time data
ciphertext blocks • convert block cipher into stream cipher
• need Initialization Vector (IV) – cipher feedback (CFB) mode
– which must be known to sender & receiver
– output feedback (OFB) mode
– if sent in clear, attacker can change bits of first block,
and change IV to compensate – counter (CTR) mode
– hence IV must either be a fixed value (as in EFTPOS) • use block cipher as some form of pseudo-
– or must be sent encrypted in ECB mode before rest of
message random number generator
 Cipher FeedBack (CFB)
• message is treated as a stream of bits
• added to the output of the block cipher s-bit
• result is fed back for next stage (hence name)
• standard allows any number of bit (1,8, 64 or
Cipher
128 etc) to be feed back FeedBack
– denoted CFB-
CFB-1, CFB-
CFB-8, CFB-
CFB-64, CFB-
CFB-128 etc
• most efficient to use all bits in block (64 or 128) (CFB-s)
Ci = Pi XOR EK(Ci-1) (with suitable shifts)
C-1 = IV
• uses: stream data encryption, authentication

Advantages and Limitations of CFB Output FeedBack (OFB)

• appropriate when data arrives in bits/bytes • message is treated as a stream of bits
• most common stream mode • output of cipher is added to message
• limitation is need to stall while do block • output is then fed back (hence name)
encryption after every n-bits • feedback is independent of message
• block cipher is used in encryption mode • can be computed in advance
at both ends to yield ps-random bitstream Oi = EK(Oi-1)
Ci = Pi XOR Oi
• errors propagate for several blocks after
O-1 = IV (Nonce)
the error (but not indefinitely)
• uses: stream encryption on noisy channels
 Advantages and Limitations of OFB
• needs an IV which is unique for each use
– if ever reuse attacker can recover outputs
Output • bit errors do not propagate
FeedBack • more vulnerable to message stream modification
• sender & receiver must remain in sync
(OFB) • only use with full block feedback
– subsequent research has shown that only full block
feedback (ie CFB-
CFB-64 or CFB-
CFB-128) should ever be
used

Counter (CTR)
• a “new” mode, though proposed early on
• similar to OFB but encrypts counter value
rather than any feedback value Counter
• must have a different key & counter value (CTR)
for every plaintext block (never reused)
Oi = EK(i)
Ci = Pi XOR Oi
• uses: high-speed network encryptions
Advantages and Limitations of CTR
• efficiency
– can do parallel encryptions in h/w or s/w Feedback
– can preprocess in advance of need
– good for bursty high speed links
Character-
• random access to encrypted data blocks istics
• provable security (good as other modes)
• but must ensure never reuse key/counter
values, otherwise could break (cf OFB)

XTS-AES Mode
• new mode, for block oriented storage use
– in IEEE Std 1619-2007
• concept of tweakable block cipher
XTS-AES
• different requirements to transmitted data Mode
• uses AES twice for each block per block
Tj = EK2(i) × αj (× and exp. in GF(2128))
Cj = EK1(Pj XOR Tj) XOR Tj
where i is tweak and j is sector no
• each sector may have multiple blocks
 Advantages and Limitations of
XTS-AES
• efficiency
– can do parallel encryptions in h/w or s/w
XTS-AES
– random access to encrypted data blocks
Mode • has both nonce & counter
Overview • addresses security concerned related to
stored data