Applied Cryptography Spring 2015 Chaining Modes

Chaining ciphers - ECB [From Mårten Trolin]
What happens when the clear text is longer than the block length k? The simplest solution is to encrypt each block separately with the same key. This mode is called ECB, Electronic Code Book.
[Figure: clear text blocks, each passed through Enc under Key, giving the cipher text blocks]

Chaining ciphers - ECB
Problems with ECB:
- two transmissions of the same plaintext produce identical ciphertexts, and equal plaintext blocks produce equal ciphertext blocks, so an observer who knows (or can guess) the content of one transmission learns the content of every identical one. This can be dealt with by including timestamps or other varying data in the plaintext.
- block replay: an attacker can cut, reorder or re-send individual ciphertext blocks without this being detected. A potential cure is the use of a MAC; even so, this remains an unpleasant feature.
ECB can still be used in some cases for the transmission of short messages, e.g. cipher keys (and even then an authenticated mode is preferable).

Chaining ciphers - ECB: padding
k - block length, n - message length. If n is a multiple of k, there are no problems. What to do with the last block if n is not a multiple of k? Extra bytes can be added at the end of the last block; however, it would be useful to know where the actual message ends...

Some padding schemes add padding in all cases (i.e., also when n is a multiple of k), so that the receiver can always strip it unambiguously:
- if m bytes are added, fill each of them with the value m (used in e.g. RC5-CBC-PAD; the same rule is known as PKCS#5/PKCS#7 padding)
- if m bytes are added, fill them with the values 1, 2, ..., m (used in e.g. ESP in IPsec)

ECB - Example
[Figure: the original image, the image encrypted in ECB mode, and the same image encrypted in an "other" (chained) mode]

Cipher Block Chaining [From Mårten Trolin]
A feedback is introduced to link the blocks together: each plaintext block is XORed with the previous ciphertext block before encryption, and the first block is XORed with an initialization vector (IV).
[Figure: clear text blocks, XOR with the previous cipher text block (IV for the first), Enc under Key, cipher text blocks]

Cipher Block Chaining

CBC - issues
Errors:
- error in plaintext: a bit error in P_i changes C_i and, through the chaining, every following ciphertext block
- bit error in ciphertext: a bit error in C_i garbles the whole decrypted block P_i and flips the same bit in P_{i+1}; later blocks are unaffected
- synchronisation error in ciphertext? a lost or inserted whole block garbles two decrypted blocks, after which decryption recovers; a lost or inserted bit shifts the block boundaries and nothing after it decrypts correctly
What should be done with the IV?
- no need to be secret
- should be transmitted
- can the IV be reused? Reusing an IV under the same key reveals whether two messages share a common prefix (their ciphertexts agree up to the first differing block), so a fresh, unpredictable IV should be used for every message

CBC - padding
Can be done similarly as in ECB: add padding in all cases (i.e., also when n is a multiple of k).
- if m bytes are added, fill each of them with the value m (used in e.g. RC5-CBC-PAD)
- if m bytes are added, fill them with the values 1, 2, ..., m (used in e.g. ESP in IPsec)

CBC - padding
Some problems with padding.... Assume that the same IV is used for all transmissions, as well as one of the two padding schemes described above. Also assume that there is an oracle that answers whether a given ciphertext decrypts to a message ending with correct padding (available e.g. in a server using SSL/TLS that returns a distinguishable error on bad padding). Is this secure? Try sending to the oracle the two blocks r, C_i for chosen values of r: the oracle reveals whether D_K(C_i) XOR r ends in valid padding, and by varying the last byte of r (then the last two, and so on) the attacker recovers D_K(C_i) one byte at a time, hence P_i = D_K(C_i) XOR C_{i-1}, without ever learning the key.
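The attack sketched above, worked out end to end as an added example (this code is not part of the original slides). It assumes a toy 16-byte block cipher (an 8-round Feistel network with an HMAC-SHA256 round function, standing in for AES; the attack never looks inside it), the "fill each of the m added bytes with the value m" padding rule, CBC with a transmitted IV, and a padding oracle that only reports whether decryption ended in valid padding. The key and IV below are constructed for the demo.

```python
import hashlib
import hmac

BLOCK = 16


def _f(key, half, rnd):
    # Round function of the toy cipher: HMAC-SHA256 truncated to half a block.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:BLOCK // 2]


def block_encrypt(key, block):
    # 8-round balanced Feistel network on 16-byte blocks, a stand-in for a real
    # block cipher such as AES (assumption of this example).
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(8):
        l, r = r, bytes(a ^ b for a, b in zip(l, _f(key, r, rnd)))
    return l + r


def block_decrypt(key, block):
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in reversed(range(8)):
        l, r = bytes(a ^ b for a, b in zip(r, _f(key, l, rnd))), l
    return l + r


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def pad(data):
    # "fill each of the m added bytes with the value m" (RC5-CBC-PAD / PKCS#7);
    # always adds at least one byte so the receiver can strip it unambiguously.
    m = BLOCK - len(data) % BLOCK
    return data + bytes([m]) * m


def unpad(data):
    m = data[-1] if data else 0
    if not 1 <= m <= BLOCK or data[-m:] != bytes([m]) * m:
        raise ValueError("bad padding")
    return data[:-m]


def cbc_encrypt(key, iv, plaintext):
    out, prev = b"", iv
    data = pad(plaintext)
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, xor(data[i:i + BLOCK], prev))
        out += prev
    return out


def cbc_decrypt(key, iv, ciphertext):
    out, prev = b"", iv
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        out += xor(block_decrypt(key, c), prev)
        prev = c
    return unpad(out)


def make_padding_oracle(key):
    # The oracle of the slide: the attacker learns only whether decryption ended
    # with valid padding (a TLS server with a distinguishable "bad padding" error).
    def oracle(iv, ciphertext):
        try:
            cbc_decrypt(key, iv, ciphertext)
            return True
        except ValueError:
            return False
    return oracle


def recover_block(oracle, prev, target):
    # Recover D_K(target) byte by byte by sending (r, target) to the oracle;
    # then P = D_K(target) xor prev, where prev is C_{i-1} (or the IV).
    inter = bytearray(BLOCK)
    for pos in range(BLOCK - 1, -1, -1):
        padval = BLOCK - pos
        r = bytearray(BLOCK)
        for j in range(pos + 1, BLOCK):
            r[j] = inter[j] ^ padval  # already-known bytes forced to the padding value
        for guess in range(256):
            r[pos] = guess
            if not oracle(bytes(r), target):
                continue
            if pos == BLOCK - 1:
                # Rule out an accidental "02 02" (or longer) padding: the result
                # must stay valid when the preceding byte is changed.
                r2 = bytearray(r)
                r2[pos - 1] ^= 0xFF
                if not oracle(bytes(r2), target):
                    continue
            inter[pos] = guess ^ padval
            break
        else:
            raise RuntimeError("oracle never accepted a padding")
    return xor(bytes(inter), prev)


def recover_message(oracle, iv, ciphertext):
    # Walk the ciphertext block by block; the IV is public, so block 0 falls too.
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    plain = b"".join(recover_block(oracle, p, c) for p, c in zip([iv] + blocks, blocks))
    return unpad(plain)
```

Each block costs at most 256 oracle queries per byte (about 4096 per block), independent of the cipher. The fix is not a better padding rule but removing the oracle: authenticate the ciphertext (encrypt-then-MAC or an AEAD mode) and reject before decrypting, so that bad padding is never observable.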

CBC - alternative encryption of the last block

CBC - ciphertext stealing

Stream and block ciphers - Definition ?

Stream ciphers

Keystream generator

Self synchronizing stream cipher: Ciphertext Auto-Key (CTAK)
Another possibility: Key Auto-Key (KAK)

Stream ciphers - Insertion attack

Key generators - CFB (cipher_feedback) mode

Key generators - LFSR (linear feedback shift registers)

Key generators - A5/1
A5/1 is used in GSM. Three LFSRs of different lengths are combined with irregular (majority) clocking: a register is clocked if its clocking bit (orange in the figure) agrees with the majority of the clocking bits of all three registers. Known attacks need "less than one minute of computations, and a few seconds of known conversation".

Key generators - RC4
Ron Rivest (RSA Security), 1987. Widely used in SSL, WEP etc. The 104-bit RC4 key used in WEP can be cracked in less than a minute (the WEP attacks exploit how WEP prepends a public IV to the key, not brute force).

The slide's pseudocode, written out in Python (N = 256, l = key length in bytes):

    def rc4_ksa(key, N=256):
        # key scheduling: initialise S and permute it under the key
        S = list(range(N))
        j = 0
        for i in range(N):
            j = (j + S[i] + key[i % len(key)]) % N
            S[i], S[j] = S[j], S[i]
        return S

    def rc4_prga(S, N=256):
        # keystream generation, one byte per step (i = j = 0 initially)
        i = j = 0
        while True:
            i = (i + 1) % N
            j = (j + S[i]) % N
            S[i], S[j] = S[j], S[i]
            yield S[(S[i] + S[j]) % N]   # output z = S[S[i] + S[j]]

Key generators - RC4
Advantages:
- easy computation, fast
- keys of variable length (up to 256 bytes)
- stream based encryption; the application can change the key at regular intervals
- implementations in popular languages (C, Perl) are well documented
Drawbacks:
- vulnerable to brute force attacks when short keys are used
- requires a 256-byte state array
- proven breakable in practice by researchers at AT&T and Rice University (August 2001), who recovered standard WEP keys; their attack (Stubblefield, Ioannidis and Rubin, implementing the Fluhrer-Mantin-Shamir weak-key attack) exploits RC4's key scheduling as used in WEP rather than brute force
- once the key is broken all messages are easily readable
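Added example (not from the original slides): a self-contained RC4 and the insertion attack named earlier in the outline, which works against any synchronous stream cipher whose keystream is reused. The attacker holds the ciphertext of an unknown message and obtains the ciphertext of the same message with one known byte inserted at a known position, encrypted under the same key (WEP-style keystream reuse); from the pair, every plaintext and keystream byte from the insertion point onward follows without the key. The key and message are constructed for the demo; RC4 is shown only as the target of the attack.

```python
def rc4_keystream(key, length):
    # RC4 as on the slides: key scheduling (KSA) followed by the output loop (PRGA).
    n = 256
    s = list(range(n))
    j = 0
    for i in range(n):
        j = (j + s[i] + key[i % len(key)]) % n
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) % n
        j = (j + s[i]) % n
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % n])
    return bytes(out)


def rc4_crypt(key, data):
    # Stream ciphers: ciphertext = plaintext xor keystream (same call decrypts).
    return bytes(a ^ b for a, b in zip(data, rc4_keystream(key, len(data))))


def insertion_attack(c_orig, c_mod, pos, inserted):
    """Insertion attack on a synchronous stream cipher.

    c_orig   : ciphertext of the unknown message P under keystream K
    c_mod    : ciphertext of P with the byte `inserted` placed at index `pos`,
               encrypted under the SAME keystream K (key reuse)
    inserted : the inserted byte, known to the attacker
    Returns (P[pos:], K[pos:]).  Because of the insertion, the modified
    message P' satisfies P'[pos] = inserted and P'[k] = P[k-1] for k > pos,
    so each recovered plaintext byte exposes the next keystream byte.
    """
    plain, stream = bytearray(), bytearray()
    known = inserted                 # P'[pos]
    for k in range(pos, len(c_orig)):
        key_byte = c_mod[k] ^ known  # K[k] = C'[k] xor P'[k]
        p = c_orig[k] ^ key_byte     # P[k] = C[k] xor K[k]
        stream.append(key_byte)
        plain.append(p)
        known = p                    # P'[k+1] == P[k]
    return bytes(plain), bytes(stream)
```

The defence is the same as for every stream cipher: never encrypt two messages under the same key and IV, and authenticate the ciphertext so an attacker cannot get a modified message re-encrypted.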

Quadratic residues and Blum integers
If p and q are two distinct primes, both congruent to 3 modulo 4, then n = pq is called a Blum integer. If n is a Blum integer, each quadratic residue modulo n has exactly four square roots in $\mathbb{Z}_n^*$. Exactly one of them is itself a quadratic residue: the principal square root. The function $f: QR_n \to QR_n$ defined by $f(x) = x^2 \bmod n$ is a permutation of the quadratic residues (on all of $\mathbb{Z}_n^*$ squaring is four-to-one, not a permutation). Its inverse is
$f^{-1}(x) = x^{((p-1)(q-1)+4)/8} \bmod n$.

Quadratic residues and Blum integers
p, q - primes, n = pq. Guessing the least significant bit of the principal square root of a quadratic residue x mod n with any non-negligible advantage is as hard as factoring n.

Blum, Blum and Shub (BBS) key generator
Let n be a Blum integer. Choose a random quadratic residue $x_0$ (modulo n). For $i \ge 0$ let $x_{i+1} = x_i^2 \bmod n$ and $b_i$ = the least significant bit of $x_i$. For each integer i, let $BBS_{n,i}(x_0) = b_0 \ldots b_{i-1}$ be the first i bits of the pseudo-random sequence generated from the seed $x_0$ by the BBS pseudo-random generator. Note that $b_i$ is the least significant bit of $x_i = x_0^{2^i \bmod (p-1)(q-1)} \bmod n$, so whoever knows p and q can jump directly to any position of the sequence.

BBS pseudo-random generator - analysis
Construction: choose a random x relatively prime to n and compute $x_0 = x^2 \bmod n$; $x_{i+1} = x_i^2 \bmod n$; $b_i$ = the least significant bit of $x_i$; $BBS_{n,i}(x_0) = b_0 \ldots b_{i-1}$.
Assume that the BBS pseudo-random generator with a Blum integer n is not unpredictable to the left, i.e. from $b_1 \ldots b_{i-1}$ one can guess $b_0$ with non-negligible advantage. Let y be a quadratic residue from $\mathbb{Z}_n^*$ and compute $BBS_{n,i-1}(y)$ for some i > 1. Note that the last i-1 bits of $BBS_{n,i}(x)$ are exactly the bits of $BBS_{n,i-1}(y)$, where x is the principal square root of y (since $x^2 = y$, the sequence seeded by x is the sequence seeded by y shifted by one position). Hence, if the generator is not unpredictable to the left, there exists a method better than coin-tossing to determine the least significant bit of x, the principal square root of y, which, as mentioned above, is as hard as factoring n.
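The Blum-integer facts and the BBS construction of the last three slides, made concrete as an added example (not from the original slides). It uses the small Blum integer n = 11 * 19 = 209 so that all four square roots can be enumerated by brute force and compared with the slide's closed-form inverse of squaring; the prime pair and seed are chosen for the demo only, and the brute-force helpers are for illustration, not for real moduli.

```python
from math import gcd


def _is_prime(x):
    # trial division; only meant for the small demo primes
    return x > 1 and all(x % d for d in range(2, int(x ** 0.5) + 1))


def is_blum_integer(p, q):
    # n = pq is a Blum integer when p and q are distinct primes, both = 3 (mod 4)
    return p != q and _is_prime(p) and _is_prime(q) and p % 4 == 3 and q % 4 == 3


def square_roots(y, n):
    # all square roots of y in Z_n^* (brute force, demo moduli only)
    return sorted(x for x in range(1, n) if gcd(x, n) == 1 and x * x % n == y)


def is_qr(y, p, q):
    # y is a quadratic residue mod pq iff it is one mod p and mod q (Euler's criterion)
    return pow(y, (p - 1) // 2, p) == 1 and pow(y, (q - 1) // 2, q) == 1


def principal_sqrt(y, p, q):
    # the slide's inverse of squaring on QR_n: f^{-1}(y) = y^{((p-1)(q-1)+4)/8} mod n;
    # computing it requires the factors p and q
    n = p * q
    return pow(y, ((p - 1) * (q - 1) + 4) // 8, n)


def bbs_bits(x0, n, count):
    # BBS_{n,count}(x0) = b_0 ... b_{count-1} with b_i = lsb(x_i), x_{i+1} = x_i^2 mod n
    bits, x = [], x0
    for _ in range(count):
        bits.append(x & 1)
        x = x * x % n
    return bits


def bbs_bit_direct(x0, i, p, q):
    # b_i without iterating: x_i = x0^(2^i mod (p-1)(q-1)) mod n (needs p and q)
    n = p * q
    return pow(x0, pow(2, i, (p - 1) * (q - 1)), n) & 1


def predict_left(y, p, q):
    # "predicting to the left": the bit that precedes the sequence seeded by y is
    # lsb of the principal square root of y; with p, q it is easy, without them
    # it is as hard as factoring n
    return principal_sqrt(y, p, q) & 1
```

With p = 11 and q = 19 the residue 25 has the four roots {5, ...}, of which only 5 is itself a residue, and the exponent formula returns exactly that root; the sequence seeded by x_1 = x_0^2 mod n is the sequence seeded by x_0 with its first bit removed, which is the shift the reduction on the slide relies on.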

Key generators - OFB (output feedback) mode

Keystream generator in OFB mode

CFB (cipher_feedback) mode

Chaining in CFB mode

CFB - issues
Errors:
- error in plaintext: a bit error in P_i changes C_i, which is fed back, so all following ciphertext blocks change too (they still decrypt correctly)
- bit error in ciphertext: flips the same bit in P_i and garbles the next block (for s-bit CFB, the next k/s segments), after which decryption recovers
- synchronisation error in ciphertext? CFB is self-synchronising: after a lost or inserted segment, decryption recovers once the shift register has been refilled with correct ciphertext
What should be done with the IV?
- no need to be secret
- should be transmitted
- should be unique! A repeated IV under the same key produces the same keystream for the first block, so the XOR of the two first ciphertext blocks leaks the XOR of the plaintexts

OFB (output feedback) mode

Chaining in OFB mode

Just as with other stream ciphers, flipping a bit in the ciphertext produces a flipped bit in the plaintext at the same location. This property allows many error correcting codes to function normally even when applied before encryption. The same property makes OFB ciphertext malleable: an attacker can flip chosen plaintext bits without knowing the key, so OFB (like CTR) must be combined with a MAC when integrity matters.

Chaining in counter (CTR) mode

Data integrity and MAC

CBC-MAC
Issues:
- not secure for variable length messages: from the tags of two messages one can forge the tag of a third (prepending the message length as the first block fixes this, but the length must then be known before the data is processed; CMAC avoids the problem)
- different keys should be used for chaining (encryption) and for the MAC (ok, this should always be the case!)
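The variable-length forgery stated above, as an added example (not from the original slides). CBC-MAC only needs a pseudorandom function as its block primitive, so this example uses a truncated HMAC-SHA256 as a stand-in for E_K (assumption of this example; with AES the forgery is the same, since it never depends on what the primitive is). The key and messages are constructed for the demo.

```python
import hashlib
import hmac

BLOCK = 16


def prf(key, block):
    # Stand-in for the block cipher E_K (assumption of this example).
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def cbc_mac(key, msg):
    # Raw CBC-MAC: zero IV, no length prefix, no final transformation, the tag is
    # the last chaining value. Messages must be a whole number of blocks.
    if len(msg) % BLOCK:
        raise ValueError("message must be a multiple of the block size")
    t = bytes(BLOCK)
    for i in range(0, len(msg), BLOCK):
        t = prf(key, xor(t, msg[i:i + BLOCK]))
    return t


def forge(m1, t1, m2, t2):
    # Given tag t1 of m1 and tag t2 of m2, the message m1 || (m2[0:16] xor t1) || m2[16:]
    # has tag t2: after m1 the chaining value is t1, and xoring it into the next block
    # cancels out, so the computation continues exactly as it did for m2 from a zero IV.
    return m1 + xor(m2[:BLOCK], t1) + m2[BLOCK:], t2


def cbc_mac_len_prefixed(key, msg):
    # The classic fix: prepend the message length as the first block, so messages of
    # different lengths never share a chaining prefix.
    return cbc_mac(key, len(msg).to_bytes(BLOCK, "big") + msg)


def cmac_style_check(key, msg, tag):
    # Constant-time comparison for verification (compare tags, never decrypt first).
    return hmac.compare_digest(cbc_mac(key, msg), tag)
```

The forged message is one the attacker never saw authenticated, yet it verifies under raw CBC-MAC; under the length-prefixed variant the same splice fails because the prefix block of the longer message is different. This is why CBC-MAC is only specified for fixed-length messages and why CMAC (with its derived final-block keys) replaced it.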

CMAC

Length of MAC?
Birthday paradox: what should be the size k of a group of people, such that with probability 1/2 at least two persons from the group have their birthday on the same day?

Length of MAC?
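The calculation the slide asks for, worked out here as an added note (not part of the original slides):

$$\Pr[\text{no two of } k \text{ people share a birthday}] = \prod_{i=0}^{k-1}\left(1 - \frac{i}{365}\right) \approx \exp\left(-\frac{k(k-1)}{2 \cdot 365}\right).$$

Setting this to $1/2$ gives $k(k-1) \approx 2 \cdot 365 \ln 2 \approx 506$, hence $k \approx 23$. The same computation with $N = 2^m$ equally likely values in place of 365 gives a collision with probability about $1/2$ after

$$k \approx \sqrt{2 \ln 2 \cdot N} \approx 1.18 \cdot 2^{m/2}$$

samples. For a MAC this means that an m-bit tag produced by an iterated construction such as CBC-MAC is exposed to internal-collision forgeries after roughly $2^{m/2}$ known message/tag pairs, so the tag length must be about twice the intended security level: a 64-bit tag gives only about $2^{32}$ work for this kind of attack.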

Combining chaining and data integrity
- CCM: Counter with CBC-MAC
- EAX: Authenticated Encryption with Associated Data
- GCM: Galois/Counter Mode
- OCB: Offset Codebook Mode
OCB mode

GCM mode (Galois/Counter Mode)
Combines privacy and data integrity protection. Defined for 128-bit blocks. mult_H - multiplication by the hash key H = E_K(0^128) in GF(2^128), using the polynomial x^128 + x^7 + x^2 + x + 1.
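The mult_H step and the GHASH function built on it, as an added example (not from the original slides). It implements GF(2^128) multiplication exactly as the GCM specification describes it (bits of the first operand consumed most significant first, the reduction constant R = 0xE1 || 0^120 in GCM's bit-reflected representation) and GHASH over associated data and ciphertext with the trailing length block. The hash key H and sample blocks below are constructed for the demo; in real GCM, H = E_K(0^128) comes from AES and the tag is GHASH XOR E_K(J_0).

```python
# Reduction polynomial x^128 + x^7 + x^2 + x + 1 in GCM's bit-reflected representation
R = 0xE1 << 120


def gf128_mul(x, y):
    # Multiplication in GF(2^128) as in the GCM specification (Algorithm 1):
    # z accumulates y * x^i for every set bit of x, scanning x from its most
    # significant bit; "v * x" is a right shift with conditional reduction by R.
    z, v = 0, y
    for i in range(128):
        if (x >> (127 - i)) & 1:
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z


def _blocks(data):
    # zero-pad to whole 16-byte blocks and return them as integers
    data = data + b"\x00" * (-len(data) % 16)
    return [int.from_bytes(data[i:i + 16], "big") for i in range(0, len(data), 16)]


def ghash(h, aad, ciphertext):
    # GHASH_H(A, C) = polynomial (Horner) evaluation over the blocks
    # A_1..A_m || C_1..C_n || [len(A)]_64 || [len(C)]_64 at the point H.
    hk = int.from_bytes(h, "big")
    length_block = ((len(aad) * 8) << 64) | (len(ciphertext) * 8)
    y = 0
    for blk in _blocks(aad) + _blocks(ciphertext) + [length_block]:
        y = gf128_mul(y ^ blk, hk)
    return y.to_bytes(16, "big")


def field_identity():
    # In the bit-reflected representation the element "1" is the byte string 80 00 .. 00
    return 1 << 127
```

Two observations worth checking against the code: the element written as a single 1 in the lowest bit is the polynomial x^127, so multiplying it by x (the second most significant bit) must wrap around to x^128 = x^7 + x^2 + x + 1, i.e. to R; and because GHASH is linear in the data for a fixed H, the tag of a one-block ciphertext is just (C * H XOR L) * H, which is why nonce reuse in GCM leaks H and with it the ability to forge.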

Disk encryption
Some additional constraints:
- limited-length chaining (e.g. at sector level, around 512 bytes)
- the implementation shall efficiently encrypt and decrypt data in any sector (random access)
- the implementation shall use only a constant amount of additional storage for a device of arbitrary size (no room for per-sector IVs or tags)
- the integrity problem is important, and plain encryption modes do not solve it
CBC: IV for each sector derived from the sector number etc. (with a predictable IV such as the plain sector number, an attacker who can choose plaintext can produce equal ciphertext blocks across sectors)
LRW (Tweakable Narrow-Block Encryption): K - key, F - additional key, I - block index (tweak); $C = E_K(P \oplus X) \oplus X$ with $X = F \otimes I$, the multiplication taken in GF(2^128)

ECB - overview

CBC - overview Probably the most useful. Best for encrypting files (usually no synchronization errors).

CFB - overview Recoverable synchronization errors. Mainly used in stream mode.

OFB - overview Recommended for error-prone environments.

Some other chaining modes
- Counter Mode (CTR). Characteristics similar to OFB. Useful when instant access to a random part of the message is desirable (any block can be decrypted on its own).
- Block Chaining Mode (BC). Similar to CBC, but the XOR of all previous ciphertext blocks is applied to the next one. No error tolerance.
- Propagating Cipher Block Chaining Mode (PCBC). Similar to CBC, but both the previous ciphertext and the previous plaintext block are XORed into the next one. Used in Kerberos (before version 5). Swapping two adjacent ciphertext blocks leaves the rest of the decrypted message unchanged, so it does not affect the integrity check!
- Output feedback with a non-linear function (OFBNLF). Variant of OFB/ECB with $K_i = E_K(K_{i-1})$: each block is encrypted in ECB mode under a block key that is itself generated in OFB fashion.

Interleaving