Block Cipher Modes of Operation
1. Properties of new NIST block cipher modes of operation
Roman Oliynykov
Professor at
Information Technologies Security Department
Kharkov National University of Radioelectronics
Head of Scientific Research Department
JSC “Institute of Information Technologies”
Ukraine
Visiting professor at
Samsung Advanced Technology Training Institute
Korea
ROliynykov@gmail.com
December 2014
2. Outline
A few words about myself
Need for block cipher modes of operation and well-known standard modes
Newly developed and NIST-adopted modes and their properties
Conclusions
3. About myself (I)
I'm from Ukraine (Eastern part of Europe), host country of the Euro2012 football championship
I live in Kharkov (the second biggest city in the country, population is 1.5 million people), Eastern Ukraine (near Russia), former capital of the Soviet Ukraine (1918-1934)
three Nobel prize winners worked at Kharkov University
4. About myself (II)
Professor at the Information Technologies Security Department at Kharkov National University of Radioelectronics
courses on computer networks and operating system security, special mathematics for cryptographic applications
Head of Scientific Research Department at JSC “Institute of Information Technologies”
Scientific interests: synthesis and cryptanalysis of symmetric cryptographic primitives
Visiting professor at Samsung Advanced Technology Training Institute
courses on computer networks and operating system security, software security, effective application and implementation of symmetric cryptography
5. Need for modes of operation
stream cipher:
encryption of arbitrary-length messages
no error propagation during decryption (an adversary can selectively change plaintext bits by modifying the ciphertext)
no integrity check
the same procedure for encryption and decryption
block cipher (ECB mode):
encryption of a fixed-size block
error propagation during decryption (avalanche effect)
no integrity check
the same plaintext blocks give the same ciphertext (until the key is changed)
different procedures for encryption and decryption
6. Main block cipher modes of operation: confidentiality only
Electronic Codebook Mode (ECB)
Cipher Block Chaining (CBC)
Cipher Feedback (CFB)
Output Feedback (OFB)
Counter (CTR)
US National Institute of Standards and Technology Special Publication (NIST SP) 800-38
ISO/IEC 10116:2006
ANSI X9.52
8. ECB advantages
any part of an encrypted message can be easily decrypted (or re-encrypted after modification)
error multiplication properties:
if the ciphertext is modified by an attacker, the modifications in the plaintext will be random, unpredictable and confined to one block
errors in the plaintext cannot be controlled by the attacker (without knowledge of the secret key)
NB: error multiplication may look like a disadvantage on noisy physical channels with error correction codes applied before encryption
NB: error correction codes should be applied after encryption; there should be no such huge redundancy in the plaintext
9. ECB disadvantages: equal plaintext blocks lead to equal ciphertext blocks: ECB IS NOT RECOMMENDED FOR STANDALONE USE
NB: message length must be aligned to the cipher block size
NB: both the encryption and the decryption function must be implemented
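As an added illustration of this slide's point (example code written for this page, not from the original deck), the following Go program encrypts four identical AES blocks in ECB and in CBC with a random IV and counts repeated ciphertext blocks, the check a reviewer can run over captured ciphertext to spot ECB use. The key and plaintext are constructed demo values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// ecbEncrypt applies the cipher to each block independently: Go's standard library has no ECB helper, this loop is all ECB is.
func ecbEncrypt(block cipher.Block, pt []byte) []byte {
	bs, ct := block.BlockSize(), make([]byte, len(pt))
	for i := 0; i < len(pt); i += bs {
		block.Encrypt(ct[i:i+bs], pt[i:i+bs])
	}
	return ct
}

// cbcEncrypt chains blocks under a fresh random IV and returns iv || ciphertext.
func cbcEncrypt(block cipher.Block, pt []byte) []byte {
	iv := make([]byte, block.BlockSize())
	if _, err := rand.Read(iv); err != nil {
		panic(err)
	}
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	return append(iv, ct...)
}

// duplicateBlocks counts ciphertext blocks that repeat an earlier block. Any
// count above zero is a strong sign of ECB (or of IV reuse in a chained mode).
func duplicateBlocks(ct []byte, bs int) int {
	seen, dups := map[string]bool{}, 0
	for i := 0; i+bs <= len(ct); i += bs {
		if k := string(ct[i : i+bs]); seen[k] {
			dups++
		} else {
			seen[k] = true
		}
	}
	return dups
}
// demo encrypts four identical plaintext blocks in each mode and returns the repeated-block counts.
func demo() (ecbDups, cbcDups int) {
	block, _ := aes.NewCipher(bytes.Repeat([]byte{0x11}, 16)) // constructed demo key
	pt := bytes.Repeat([]byte("SAME 16B BLOCK! "), 4)       // four equal blocks
	return duplicateBlocks(ecbEncrypt(block, pt), 16),
		duplicateBlocks(cbcEncrypt(block, pt)[16:], 16)
}
func main() { fmt.Println(demo()) } // 3 0
```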
10. Cipher Block Chaining (CBC)
A unique and random (unpredictable) IV must be provided for each message
11. CBC advantages and disadvantages
advantages
equal messages encrypted under the same key produce different cryptograms (ciphertexts)
the message can be decrypted from any position (but only decrypted)
error multiplication properties (single bit + the next block)
disadvantages
message length must be aligned to the cipher block size
message blocks cannot be re-encrypted after modification (the rest of the message must be re-encrypted)
decryption implementation is needed
if an attacker can insert some parts into the message and obtain the ciphertext, part of the user's message can be compromised (a cookie-stealing attack over an SSL connection was demonstrated, with the attacker sniffing traffic and installing a malicious plug-in in Firefox)
not recommended for the future (CTR is the better variant)
13. CFB advantages and disadvantages
advantages
equal messages encrypted under the same key produce different cryptograms (ciphertexts)
message length can be arbitrary
randomness of the IV is not needed
error multiplication properties (single bit + several blocks)
decryption implementation (ECB) is not needed
disadvantages
message blocks cannot be decrypted from an arbitrary position or re-encrypted after modification
encryption speed is significantly slower
not recommended for the future (CTR is the better variant)
15. OFB advantages and disadvantages
advantages
equal messages encrypted under the same key produce different cryptograms (ciphertexts)
message length can be arbitrary
randomness of the IV is not needed
decryption implementation (ECB) is not needed
disadvantages
no error multiplication properties
message blocks cannot be decrypted from an arbitrary position or re-encrypted after modification
the expected key-stream period is about 2^(n/2), where n is the block size in bits (but with some probability it could be much shorter, which is a security threat)
not recommended for the future (CTR is the better variant)
17. CTR advantages and disadvantages
advantages
equal messages encrypted under the same key produce different cryptograms (ciphertexts)
message length can be arbitrary
randomness of the IV is not needed (the IV is encrypted and used as the starting counter value); a simple counter can be used (e.g., arithmetic addition)
message blocks can be decrypted from any position or re-encrypted after modification
decryption implementation (ECB) is not needed
disadvantages
no error multiplication properties
main recommended mode of operation for confidentiality
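The error-propagation difference between CBC and CTR described on these slides, shown as an added Go example (not from the original deck): one ciphertext bit is flipped and the per-block plaintext damage after decryption is measured. Key, IV and message are constructed demo values; in CTR the flip reaches exactly one plaintext bit, which is why CTR needs a separate integrity mechanism.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
	"math/bits"
)

// Constructed demo key and IV: CBC needs a fresh unpredictable IV per message, CTR a counter never reused under a key.
var key, iv = bytes.Repeat([]byte{0x22}, 16), bytes.Repeat([]byte{0x33}, 16)

func newAES() cipher.Block { b, _ := aes.NewCipher(key); return b }

// cbc runs CBC in either direction; decryption needs the inverse cipher.
func cbc(in []byte, decrypt bool) []byte {
	out := make([]byte, len(in))
	if decrypt {
		cipher.NewCBCDecrypter(newAES(), iv).CryptBlocks(out, in)
	} else {
		cipher.NewCBCEncrypter(newAES(), iv).CryptBlocks(out, in)
	}
	return out
}

// ctr is the same operation both ways (keystream XOR data): only the forward cipher is needed.
func ctr(in []byte, _ bool) []byte {
	out := make([]byte, len(in))
	cipher.NewCTR(newAES(), iv).XORKeyStream(out, in)
	return out
}

// propagation flips one ciphertext bit in block 1 of a 4-block message and
// returns how many plaintext bits differ in each block after decryption.
func propagation(mode func([]byte, bool) []byte) []int {
	pt := bytes.Repeat([]byte("plaintext block "), 4)
	ct := mode(pt, false)
	ct[16] ^= 0x01 // single-bit corruption in the second ciphertext block
	rec, diff := mode(ct, true), make([]int, 4)
	for i := range pt {
		diff[i/16] += bits.OnesCount8(pt[i] ^ rec[i])
	}
	return diff
}

func main() {
	fmt.Println("CBC:", propagation(cbc)) // [0 N 1 0]: block 1 garbled, block 2 has the same bit flipped
	fmt.Println("CTR:", propagation(ctr)) // [0 1 0 0]: only the flipped bit changes, nothing else
}
```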
20. CMAC (Cipher-based Message Authentication Code)
integrity check (not an encryption mode)
protected against length-extension attacks
no attack published (as of September 2013) that is more effective than about 2^(Tlen/2) encryptions, where Tlen is the integrity check value (ICV) size in bits
21. Galois/Counter Mode (GCM) and GMAC (Galois MAC):
encryption with GCTR
NB: equal to CTR mode with a specific, given incrementing function
25. Galois/Counter Mode (GCM) and GMAC (Galois MAC)
used for confidentiality and integrity
an optional unencrypted part of the message (A) may be present: e.g., network packet headers
the integrity check value (ICV) is computed over the ciphertext (not the plaintext): effective for network traffic protection with denial-of-service (DoS) attack countermeasures
the fastest mode for confidentiality and integrity
Intel and AMD processors provide a dedicated assembler instruction (PCLMULQDQ) that supports this mode
protected against length-extension attacks
a small number of weak keys may exist for the integrity check
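An added Go example (not from the original deck) of the GCM properties above: the clear header A is authenticated but not encrypted, and the tag is checked over the ciphertext before any plaintext is released, so a tampered body or header is rejected without decryption work. Key and packet contents are constructed demo values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// seal encrypts payload and authenticates both the clear header (A) and the
// ciphertext; returns nonce || ciphertext || 16-byte tag. The 96-bit nonce is
// random and fresh per message: reusing one under a key breaks GCM outright.
func seal(key, header, payload []byte) []byte {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return gcm.Seal(nonce, nonce, payload, header)
}

// open checks the tag over header and ciphertext before releasing plaintext,
// so forged or corrupted packets are dropped without any decryption work.
func open(key, header, sealed []byte) ([]byte, bool) {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	ns := gcm.NonceSize()
	if len(sealed) < ns+gcm.Overhead() {
		return nil, false
	}
	pt, err := gcm.Open(nil, sealed[:ns], sealed[ns:], header)
	return pt, err == nil
}

// demo reports whether the intact packet verifies and whether a packet with a
// flipped ciphertext bit or a modified clear header is rejected.
func demo() (okGood, rejectBody, rejectHeader bool) {
	key := bytes.Repeat([]byte{0x44}, 16)           // constructed demo key
	hdr := []byte("src=10.0.0.1 dst=10.0.0.2 seq=7") // constructed packet header (A)
	pkt := seal(key, hdr, []byte("application payload"))
	_, okGood = open(key, hdr, pkt)
	tampered := append([]byte(nil), pkt...)
	tampered[12] ^= 0x80 // first ciphertext byte, right after the 12-byte nonce
	_, okBody := open(key, hdr, tampered)
	_, okHdr := open(key, []byte("src=10.0.0.1 dst=10.0.0.9 seq=7"), pkt)
	return okGood, !okBody, !okHdr
}
func main() { fmt.Println(demo()) } // true true true
```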
26. CCM (Counter (CTR) mode and the Cipher Block Chaining-Message Authentication Code (CBC-MAC))
advanced mode combining CMAC and CTR (with improvements)
an optional unencrypted part of the message (A) may be present: e.g., network packet headers
developed for, and well suited to, hardware implementation
implemented in hardware (communication chips) in IEEE 802.11 (WiFi) networks
29. XTS (Xor encrypt xor Tweakable block Cipher)
mode intended for on-the-fly encryption of storage with block access (hard drives, etc.)
blocks have equal size
no room to store an integrity check value
advantages (over ECB and CTR):
the same data in different blocks will give different ciphertext
ciphertext modification will give a random plaintext modification (no predictable data changes for the attacker)
highly efficient (almost like CTR, but gives an additional basic and simple integrity service)
may be used with padding if the data block length is not aligned to the cipher block size (but less efficient here)
disadvantage:
decryption implementation is needed
32. Key Wrapping mode
intended to protect the confidentiality of key data
advantages
may be used with padding if the data block length is not aligned to the cipher block size (but less efficient here)
ciphertext modification will give a random plaintext modification (no predictable data changes for the attacker)
no IV required
disadvantages
much slower compared to other modes
equal messages will have equal cryptograms (no IV in this mode)
33. FF (Format-Preserving Encryption) mode
intended to protect specific data (such as credit card numbers) in existing IT systems with strict limitations on ciphertext length and representation
advantage
preserves the original message alphabet (any alphabet, e.g., decimal, not only binary, hexadecimal, etc.) and the length of the message
disadvantage
much slower compared to other modes
35. Conclusions
Block ciphers may provide excellent cryptographic properties, but for practical application they need modes of operation
Such modes of operation may be used both for confidentiality and integrity
There are many different modes of operation for specific purposes, including network traffic protection, hard drive encryption, etc.
Careful selection of the mode is needed; otherwise even the protection of a strong block cipher (e.g., AES-256) might be broken in some circumstances