
Chapter 4

Secret Key Cryptography (II)


Modes of Operation

Encrypting a Large Message


ECB (Electronic Code Book)
CBC (Cipher Block Chaining Mode)
OFB (Output Feedback Mode)
CFB (Cipher Feedback Mode)
Triple DES
Stream Cipher

Electronic Code Book (ECB)

[Diagram: plaintext blocks M1, M2, M3 (64 bits each) and M4 (46 bits plus padding) each go through ENC independently, producing C1, C2, C3, C4.]

ECB Problem #1

[Diagram: the same ECB encryption of M1..M4 (M4 is 46 bits plus padding) into C1..C4.]

(M1 == M3) => (C1 == C3)

ECB Problem #2
Lacks the basic protection against integrity attacks on the ciphertext at message level (i.e., across multiple cipher blocks).
Without additional integrity protection:
cipher block substitution and rearrangement attacks
fabrication of specific information

Cipher Block Chaining (CBC)

[Diagram: an Initialization Vector (IV) is XORed with M1 (64 bits) before ENC to give C1; each following block M2, M3 (64 bits) and M4 (46 bits plus padding) is XORed with the previous ciphertext block before ENC to give C2, C3, C4.]

(M1 == M3) is very unlikely to lead to (C1 == C3)

CBC Decryption

[Diagram: each ciphertext block C1..C4 goes through DEC, and the result is XORed with the previous ciphertext block (the IV for C1) to recover M1..M4.]

CBC Vulnerabilities
Loss of sync of the block boundary garbles the rest of the stream.
Create a desired change in decrypted block Pn by sacrificing block Pn-1.

[Diagram: Cn-1 and Cn each go through DEC; Pn is the DEC output of Cn XORed with Cn-1, so a change to Cn-1 garbles Pn-1 and XORs the same change into Pn.]

General k-bit Cipher Feedback Mode (CFB)

[Diagram: an n-bit shift register starts with the IV; each step runs ENC on the register, takes the k highest bits of the output and XORs them with the next k plaintext bits (M1, M2, M3) to give C1, C2, C3; the k ciphertext bits are shifted into the register for the next step.]

CFB General

Si : the i-th state of the shift register
a << x : a shifted up x bits
head(a, x) : the x highest bits of a
n : number of bits of the IV

CFB Properties

Advantage compared with CBC: with k=8, errors in one byte of ciphertext only affect 8 more bytes beyond it.

Disadvantage compared with OFB: the random stream can no longer be computed in advance.

Output Feedback Mode (OFB)

Like a Random Number Generator...

[Diagram: the IV goes through ENC, and each ENC output is fed back as the next ENC input; the successive outputs are XORed with M1, M2, M3, M4 to give C1, C2, C3, C4.]

OFB Properties

Advantages
Allows pre-computing of the pseudo-random stream (One-Time Pad); XOR can be implemented very efficiently
No error propagation problem as in CBC
Allows in-time encrypt/decrypt due to bit-wise computation (versus the fixed blocks)

Counter Mode (CTR)

[Diagram: IV, IV+1, IV+2, IV+3 each go through ENC; the outputs are XORed with M1, M2, M3, M4 to give C1, C2, C3, C4.]

Random number encryptions

RC4, OFB, CTR, etc.
Parallel processing
Weakness: the random sequence must not be used more than once.

If m1 and C1 are known, then (with m1' and C1' denoting a second message and its ciphertext under the same R1):

R1 = m1 XOR C1, m1' = R1 XOR C1'

Even if m1 and m1' are not known:

C1 XOR C1' = m1 XOR m1'
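
The keystream-reuse relation on this slide, as an added Python example that is not part of the original slides. The SHA-256 counter keystream is an assumption standing in for RC4/OFB/CTR, and the NonceLedger class and all other names are this example's own. It shows the leak the slide states (C1 XOR C1' = m1 XOR m1', and m1' recovered from a known m1) next to the deployment check that prevents it: never encrypt twice under the same (key, nonce).

```python
import hashlib


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy "random number" generator (assumption): SHA-256 over key, nonce and a
    # counter stands in for the RC4/OFB/CTR stream R of the slides
    out, i = bytearray(), 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        i += 1
    return bytes(out[:n])


def stream_encrypt(key: bytes, nonce: bytes, m: bytes) -> bytes:
    # C = m XOR R; decryption is the same operation
    return xor(keystream(key, nonce, len(m)), m)


def plaintext_xor_from_ciphertexts(c1: bytes, c1p: bytes) -> bytes:
    # Slide relation: C1 XOR C1' = m1 XOR m1' whenever the same R1 was used twice
    return xor(c1, c1p)


def recover_stream(m1: bytes, c1: bytes) -> bytes:
    # R1 = m1 XOR C1; once R1 is known, m1' = R1 XOR C1' for any other message under R1
    return xor(m1, c1)


class NonceLedger:
    """Defensive check: refuse to use a (key, nonce) pair a second time."""

    def __init__(self) -> None:
        self._seen = set()

    def encrypt(self, key: bytes, nonce: bytes, m: bytes) -> bytes:
        tag = (hashlib.sha256(key).digest(), nonce)  # never store the raw key
        if tag in self._seen:
            raise ValueError("keystream reuse: nonce already used under this key")
        self._seen.add(tag)
        return stream_encrypt(key, nonce, m)
```

The ledger only prevents reuse within one process; in a real system the same guarantee comes from a counter or random nonce that is never repeated per key, which is the property the slide's weakness depends on.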

Generating MICs
Stream ciphers don't work
CBC: only send the last block of CBC (the CBC residue)
Send plaintext
Any modification in the plaintext modifies the CBC residue
Ensures integrity

Encryption + Integrity ?

CBC Plus Residue

[Diagram: the CBC encryption of M1..M4 (IV XORed into M1; M4 is 46 bits plus padding) producing C1..C4; the final block C4 is the residue.]

Ensuring Both Confidentiality and Integrity

Replicating the last CBC block doesn't work: no immediate indication of tampering
Append the last cipher block to the plaintext: No
CBC (message | hash, e.g. CRC): Almost
P+I: use separate (but maybe related) secret keys for encryption and MIC (two encryption passes)
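
The modes drawn in the earlier slides (ECB, CBC, CFB with k=64, OFB, CTR), the CBC weakness of changing Pn by sacrificing Cn-1, the CBC-residue MIC and the P+I two-key construction on this slide, as one added Python example that is not part of the original slides. The ENC/DEC box is a toy 8-round Feistel network built on SHA-256 that stands in for DES; the padding scheme (PKCS#7-style), the 64-bit CFB width and all key, IV and function names are assumptions of this example.

```python
import hashlib

BLOCK = 8  # 64-bit blocks, matching the DES-sized blocks in the slides

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key: bytes, half: bytes, rnd: int) -> bytes:
    # Toy Feistel round function: keyed SHA-256 truncated to 32 bits (assumption; not DES)
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]

def enc_block(key: bytes, block: bytes) -> bytes:
    # ENC box: 8-round Feistel network on a 64-bit block (toy stand-in for DES)
    l, r = block[:4], block[4:]
    for i in range(8):
        l, r = r, xor(l, _f(key, r, i))
    return r + l

def dec_block(key: bytes, block: bytes) -> bytes:
    # DEC box: the same rounds in reverse order
    r, l = block[:4], block[4:]
    for i in reversed(range(8)):
        l, r = xor(r, _f(key, l, i)), l
    return l + r

def pad(m: bytes) -> bytes:
    # Fill the final partial block (the slides' "46 pad"); PKCS#7-style is an assumption
    n = BLOCK - len(m) % BLOCK
    return m + bytes([n]) * n

def unpad(m: bytes) -> bytes:
    return m[:-m[-1]]

def blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key: bytes, m: bytes) -> bytes:
    # ECB: each block is encrypted independently, so M1 == M3 gives C1 == C3
    return b"".join(enc_block(key, b) for b in blocks(pad(m)))

def cbc_encrypt(key: bytes, iv: bytes, m: bytes) -> bytes:
    # CBC: XOR each block with the previous ciphertext block (the IV for M1) before ENC
    out, prev = [], iv
    for b in blocks(pad(m)):
        prev = enc_block(key, xor(b, prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, iv: bytes, c: bytes) -> bytes:
    # CBC decryption: DEC each block, then XOR with the previous ciphertext block
    out, prev = [], iv
    for b in blocks(c):
        out.append(xor(dec_block(key, b), prev))
        prev = b
    return unpad(b"".join(out))

def cfb_crypt(key: bytes, iv: bytes, data: bytes, decrypt: bool = False) -> bytes:
    # CFB with k = 64: ENC the previous ciphertext block and XOR with the data; no padding
    out, prev = bytearray(), iv
    for b in blocks(data):
        c = xor(b, enc_block(key, prev)[:len(b)])
        out += c
        prev = b if decrypt else c  # the ciphertext block is what is fed back
    return bytes(out)

def ofb_crypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    # OFB: each ENC output is fed back as the next ENC input; the keystream never sees the data
    out, s = bytearray(), iv
    while len(out) < len(data):
        s = enc_block(key, s)
        out += s
    return xor(bytes(out), data)

def ctr_crypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    # CTR: ENC(IV), ENC(IV+1), ENC(IV+2), ... form the keystream and can be computed in parallel
    ctr = int.from_bytes(iv, "big")
    ks = b"".join(enc_block(key, ((ctr + i) % 2**64).to_bytes(BLOCK, "big"))
                  for i in range((len(data) + BLOCK - 1) // BLOCK))
    return xor(ks, data)

def tamper_cbc(c: bytes, n: int, delta: bytes) -> bytes:
    # The CBC weakness from the slides: XORing delta into Cn-1 XORs delta into the decrypted
    # Pn and garbles Pn-1; plain CBC gives no indication, which is why a MIC is needed
    cb = blocks(c)
    cb[n - 1] = xor(cb[n - 1], delta)
    return b"".join(cb)

def cbc_residue(key: bytes, m: bytes, iv: bytes = bytes(BLOCK)) -> bytes:
    # MIC as in the slides: the last CBC block; any change to the plaintext alters it
    return cbc_encrypt(key, iv, m)[-BLOCK:]

def encrypt_and_mic(enc_key: bytes, mic_key: bytes, iv: bytes, m: bytes) -> tuple:
    # P+I: two CBC passes under separate keys, one for confidentiality, one for the residue
    return cbc_encrypt(enc_key, iv, m), cbc_residue(mic_key, m)

def decrypt_and_verify(enc_key: bytes, mic_key: bytes, iv: bytes, c: bytes, mic: bytes):
    # Recompute the residue over the recovered plaintext and reject the message if it differs
    m = cbc_decrypt(enc_key, iv, c)
    return m if cbc_residue(mic_key, m) == mic else None
```

Running cbc_residue with the encryption key and IV returns exactly the last ciphertext block, which is the slide's point that replicating that block adds nothing; the residue only helps when it is computed under a key the sender of a forged ciphertext does not hold, as encrypt_and_mic does.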

Triple DES
DES brute force: 2^56 search space
3DES, or EDE
Two keys: m -> E with K1 -> D with K2 -> E with K1 -> c
3DES brute force: 2^112 search space

Alternatives
3 keys: even stronger
2DES with one key:
m -> E with K1 -> E with K1 -> c
Brute force: 2^56 search space
2DES with two keys:
m -> E with K1 -> E with K2 -> c
Brute force: 2^56 search space if there are known <m, c> pair(s)
