Overview Review of AES block cipher Block cipher modes of operation:

Overview Review of AES block cipher Block cipher modes of operation:
ECB mode CBC mode CFB mode OFB mode Counter mode Summary Semester 1, 2018 IFN642

Advanced Encryption Standard
Encryption/Decryption process is combination of simple operations, performed in rounds: Number of rounds depends on key size Round operations include: Substitute, Shift, Mix and Binary addition (of Round Key) Starts and ends with AddRoundKey Invertible stages: Inverse Substitute, Inverse Shift, Inverse Mix Semester 1, 2018 IFN642

AES Encryption / Decryption
Semester 1, 2018 IFN642

AES Data Structures 128-bit block as 4x4 matrix – each cell holds one byte

Advanced Encryption Standard
AES Round function: Each round uses 4 separate functions: SubBytes: Byte substitution ShiftRows: Permutation MixColumns: Arithmetic operations AddRoundKey: XOR with key Number of rounds performed depends on key size 128-bit key: bit key: bit key: 14 Semester 1, 2018 IFN642

AES Round function Semester 1, 2018 IFN642

1. SubBytes use AES S-BOX Split byte into two 4-bit strings, use for table lookup

Inverse AES S-BOX 8 7 Semester 1, 2018 IFN642

2. ShiftRows: AES Shift, Inverse Shift Bytes shifted within row

3. MixColumns: AES Mix, Inverse Mix Matrix mult
3. MixColumns: AES Mix, Inverse Mix Matrix mult. with cell entries as polynomial coeff. Inverse Mix Matrix Mix Matrix Semester 1, 2018 IFN642

3. MixColumns: AES Mix, Inverse Mix Matrix mult. with cell entries as polynomial coeff. Cell entry (byte) shown in hex convert to bitstrings Consider bits as coefficients of polynomial of degree 8: f(x) = b7x7+b6x6+...+b1x+b0 For AES, MixColumns multiplication is polynomial arithmetic in finite field GF(28) defined by irreducible polynomial of degree 8 Semester 1, 2018 IFN642

3. MixColumns: AES Mix, Inverse Mix Matrix mult. with cell entries as polynomial coeff. Example: Steps to follow: D As polynomial of form: f(x) = b7x7+b6x6+...+b1x+b0 = 1x7+1x6+0x5+1x4+0x3+1x2+0x+0 = x7+ x6+ x4 + x2 Multiply by other polys: x.f(x) = b7x8+b6x7+...+b1x2+b0x x (x7+ x6+ x4 + x2) = x8+ x7+ x5 + x3 Reduce as required: x8 + x7+ x5 + x3 = (x4+ x3+ x + 1) + x7+ x5 + x3 = x7 + x5 + x4+ x3 + x3 + x + 1 = x7 + x5 + x4+ x + 1 Cell entry (byte) shown in hex: convert to bitstrings Consider bits as coeff’s (mod 2) of polynomial of degree 8: f(x) = b7x7+b6x6+...+b1x+b0 MixColumns multiplication polynomial arith, defined by f(x) = x8+x4+x3+x+1 Reduce higher order terms using x8 = x4+x3+x+1 Semester 1, 2018 IFN642

Example: AES MixColumns (partial example)
State 3 02 03 01 d4 e0 b8 1e bf b4 41 27 5d 52 11 98 30 ae f1 e5 x 0010 0011 0001 x (x)(x7+x5+x4+x3)+(x+1)(x6+1)+(1)(x4+1)+(1)(x7+x6+x5+x4+1)=48 (1)(x7+x5+x4+x3)+(x)(x6+1)+(x+1)(x4+1)+(1)(x7+x6+x5+x4+1)=f8 (1)(x7+x5+x4+x3)+(1)(x6+1)+(x)(x4+1)+(x+1)(x7+x6+x5+x4+1)=d3 (x+1)(x7+x5+x4+x3)+(1)(x6+1)+(1)(x4+1)+(x)(x7+x6+x5+x4+1)=7a Semester 1, 2018 IFN642

4. Add Round Key: AES Key Expansion
View column of matrix as 4-byte word Use current 4 words to form next 4 words Every 4th word requires g function: g Function Rotate word: b0,b1,b2,b3 becomes b1,b2,b3,b0 Substitute Word: Byte by byte substitution using AES Substitution Box XOR with RCON[i] in GF(28): RCON[1] = 1 mod x8+x4+x3+x+1 RCON[2] = x mod x8+x4+x3+x+1 RCON[3] = x2 mod x8+x4+x3+x+1 … RCON[j] = x×RCON[j-1] mod x8+x4+x3+x+1 Semester 1, 2018 IFN642

Overview Review of AES Block cipher modes of operation: Summary
ECB mode CBC mode OFB mode CFB mode CTR mode Summary Semester 1, 2018 IFN642

Modes of Operation Block ciphers use p/text & c/text in fixed size blocks: Examples: DES - 64-bit blocks, AES -128-bit blocks Different modes are defined in order to provide different security services Common modes of operation include: Electronic Codebook Book (ECB) Cipher Block Chaining (CBC) Cipher Feed Back (CFB) Output Feed Back (OFB) Counter (CTR) There are more – see NIST special publications These 5 included in SP A (5 modes for confidentiality) SP800-B-G contain other modes Semester 1, 2018 IFN642

ECB mode CBC mode CFB mode OFB mode CTR mode Summary Semester 1, 2018 IFN642

Block Ciphers: ECB mode
Electronic Code Book (ECB) encryption Plaintext data is divided into blocks P1, P2, …, Pn last block is padded to length as required Each block processed separately/independently Two inputs to encryption algorithm: plaintext block Pi and key K Called Code Book style Encrypt K P1 C1 P2 C2 Pn Cn Semester 1, 2018 IFN642

ECB mode decryption: Ciphertext data is divided into blocks C1, C2, …, Cn Each block is then processed separately Two inputs to decryption algorithm: ciphertext block Ci and key Need to use same key as used for encryption (symmetric cipher) Recovered plaintext assembled by concatenating blocks, removing padding from last block if required Decrypt K C1 P1 C2 P2 Cn Pn Semester 1, 2018 IFN642

ECB mode security service: Intended to provide confidentiality for plaintext Useful for short (1 block) messages (perhaps a session key) Problem: For a given key, same plaintext encrypts to same ciphertext For longer messages, this may: leak information about underlying plaintext allow an attacker to construct a code book of known plaintext/ciphertext blocks. Attacker could use this codebook to alter the data stream: Insert blocks, Delete blocks, Reorder blocks, or Replay data blocks Semester 1, 2018 IFN642

Repetitive plaintext: bitmap images and ECB mode From And Semester 1, 2018 IFN642

Other ECB Mode Issues What happens when there is an error? If there is a bitflip error (0 to 1 or vice versa) That block will be decrypted incorrectly – other blocks will be OK If a ciphertext bit (or even a character) is inserted or deleted This will be detected because of the incorrect ciphertext length Inserting or deleting one or more blocks Will not detect insertion/deletion of multiples of block size by length alone However, the plaintext blocks corresponding to the deleted ciphertext will be deleted, which may be noticed after decryption Semester 1, 2018 IFN642

ECB mode CBC mode OFB mode CFB mode CTR mode Summary Semester 1, 2018 IFN642

Block Ciphers: CBC mode
Cipher Block Chaining (CBC) mode To hide repetition and prevent codebook construction, need to ensure that: if the same plaintext block is encrypted multiple times, then the ciphertext formed may be different each time. Do this by using three inputs to encryption: the key, the plaintext, and the previous ciphertext For the first plaintext block (no previous ciphertext), an initialisation vector (IV) is used Forms a ‘chain’ of blocks Chain useful in preventing other alterations to data May assist in detecting integrity breaches such as insertion, deletion or reordering of data blocks in the ciphertext Semester 1, 2018 IFN642

CBC mode encryption: Plaintext data is divided into blocks P1, P2, …, Pn (last block is padded as necessary) The encryption algorithm now takes three inputs: For the first plaintext block, an initialisation vector (IV) is used (XORed with plaintext before block encryption): C1 = E(P1  IV, K) For subsequent plaintext blocks, the previous ciphertext block is used (XORed with plaintext before block encryption): Ci = E(Pi  Ci-1 ,K) Semester 1, 2018 IFN642

CBC mode decryption Ciphertext is divided into blocks C1, C2, …, Cn Decryption: P1 = D(C1, K)  IV Pi = D(Ci, K)  Ci-1 where K is the same key used during encryption, and IV is the same initialisation vector used during encryption. Remove padding from last plaintext block Semester 1, 2018 IFN642

Block Ciphers: CBC Mode Encryption and Decryption

Block Ciphers: CBC mode Data leakage comparison with ECB mode
Images from: Images from: Semester 1, 2018 IFN642

CBC Mode Issues What happens when there is an error? If there is a bitflip error (0 to 1 or vice versa) That block and the following block will be decrypted incorrectly If a ciphertext bit (or even a character) is inserted or deleted This will be detected because of the incorrect ciphertext length Will not detect insertion or deletion of multiples of block size this way Inserting or deleting one or more blocks Will cause incorrect decryption Each ciphertext block depends on all previous message blocks Changes in the message will affect all of the subsequent blocks (so provide an avalanche effect) Semester 1, 2018 IFN642

Other CBC mode issues: Need Initial Value (IV) known to sender & receiver If IV is sent in the clear, an attacker can change bits of the first block, and change IV to compensate IV may be a fixed value IV may be sent encrypted using ECB mode before rest of message is sent encrypted using CBC mode Last short block Padding with known non-data value (eg nulls) Pad last block with count of pad size eg. [ b1 b2 b ] , 3 data bytes, then 5 bytes (pad+count) Semester 1, 2018 IFN642

Block Ciphers: CBC mode and Integrity assurance
Can use a block cipher in CBC mode to provide integrity assurance, rather than confidentiality For a given message or data file: The file is encrypted using the block cipher in CBC mode The last ciphertext block is used as a Message Authentication Code (MAC) value Both the message and the MAC are sent to the receiver Usually referred to as CBC-MAC Described in ISO/IEC :1999 Considered secure for messages of a pre-selected fixed length Bellare, M., J. Kilian and P. Rogaway, "The Security of the Cipher Block Chaining Message Authentication Code," Journal of Computer and System Sciences (JCSS), Vol. 61, No. 3, December 2000, pp ISO/IEC 9797, Data cryptographic techniques { Data integrity mechanism using a cryptographic check function employing a block cipher algorithm, 1989. See AS —2001 for example application Semester 1, 2018 IFN642

Diagram Block Ciphers: CBC mode and Integrity assurance same key Sender Receiver MAC MAC=MAC’? Ciphertext blocks Encrypt with Block Cipher in CBC Mode Message M MAC = last block of E(M,K) IV=0 MAC’ Message M’ MAC’= last block of E(M’,K) possible modifications in transit MAC Encryption key and decryption key are the same. So need a secure channel for key distribution. MAC=MAC’? Semester 1, 2018 IFN642 2

To use a block cipher in CBC mode for integrity assurance: Sender: Generates message M Encrypts message M using block cipher in CBC mode, using shared secret key K MAC = last ciphertext block (discard the other c/text blocks!) Sends both M and MAC to Receiver Receiver: Receives {M’, MAC} Generates MAC’ from M’ Compares MAC’ and MAC If MAC’ = MAC assume M’ = M, i.e. message is unaltered Semester 1, 2018 IFN642

Block Ciphers: CBC mode Integrity assurance and Message authentication
CBC-MAC requires use of a shared secret key For message transmission scenarios, the MAC provides an additional security service of Message Authentication: A correct MAC value confirms the sender of the message is in possession of the shared secret key This provides the receiver with some assurance of the authenticity of the message sender. NOTE: An assurance of message integrity is meaningless without knowing who sent the message. Semester 1, 2018 IFN642

Block Ciphers: CFB mode
In Cipher Feed Back (CFB) mode plaintext is not input directly to the block encryption algorithm Instead (for block cipher with block size N): A shift register (length N) used to hold input block values Initial value of shift register is IV Contents of register input to block encryption algorithm Output of the block encryption procedure used to produce keystream Possible to use only part of the block: say s bits, for 1 ≤ s ≤ L Encryption of plaintext block is by XORing output with the keystream block: Ci = Pi XOR Oi NOTE: keystream block size should be same size as plaintext block size The ciphertext block is also used to feed back into the shift register, Effectively using the block cipher as a keystream generator for a stream cipher Semester 1, 2018 IFN642

Block Ciphers: CFB mode Encryption using CFB Mode
Diagram Block Ciphers: CFB mode Encryption using CFB Mode K Ci AES block encryption procedure shift register (128 bits) 128-L bits L bits Pi  Oi As with CBC mode, the blocks are chained together, because the ciphertext blocks Ci are used in the generation of the key blocks Oi . Semester 1, 2018 IFN642

CFB mode decryption: The block cipher is used as a keystream generator for a stream cipher Encryption operation is XOR: Ci = Pi XOR Oi Need to produce exactly the same keystream for decryption Decryption operation is XOR: Pi = Ci XOR Oi Note 1: Only use block cipher encryption procedure Note 2: Even though the block cipher is acting as a keystream generator; keystream is not independent of plaintext, since ciphertext feeds back Semester 1, 2018 IFN642

Block Ciphers: CFB mode Example: DES in CFB mode

CFB Mode Issues What happens when there is an error? If there is a bitflip error (0 to 1 or vice versa) Just like stream ciphers, that bit will be decrypted incorrectly So less error propagation than ECB or CBC modes If a ciphertext bit (or even a character) is inserted or deleted This will cause a loss of synchronisation: so at the point of insertion/deletion, decryption stops recovering message Inserting or deleting one or more blocks Causes a loss of synchronisation; as above Semester 1, 2018 IFN642

Block Ciphers: OFB mode
Output Feed Back (OFB) mode: Similar to CFB mode: plaintext is not input to block encryption algorithm, instead (for block cipher with block size N): Shift register (length = N) used to hold input block values Initial value of shift register is IV Contents of register are input to block encryption algorithm Output of block encryption used in two ways: Providing keystream NOTE: keystream block size can be any length from 1 to L bits Feedback to register: same block as used for keystream Encryption of plaintext block is by XORing with the keystream block: Ci = Pi XOR Oi Effectively using the block cipher as a keystream generator for a synchronous stream cipher – keystream independent of p/text The alternative to CFB is OFB. Here the generation of the pseudorandom bits is independent of the message being encrypted. Semester 1, 2018 IFN642

Block Ciphers: OFB Mode Encryption operation
Diagram Block Ciphers: OFB Mode Encryption operation K Ci Block encryption Procedure Example: AES shift register (128 bits) 128-L bits L bits Pi  Oi Note: A block cipher used in OFB mode is, in effect, a stream cipher. Note also that the keystream blocks are generated distinctly from the data blocks. Semester 1, 2018 IFN642

Block Ciphers: OFB mode Example: DES in OFB mode

Block Ciphers: OFB mode
OFB Mode Issues What happens when there is an error? If there is a bitflip error (0 to 1 or vice versa) Just like stream ciphers and CFB, that bit will be decrypted incorrectly So less error propagation than ECB or CBC modes If a ciphertext bit (or even a character) is inserted or deleted This will cause a loss of synchronisation: so at the point of insertion/deletion, decryption stops recovering message correctly Inserting or deleting one or more blocks Causes a loss of synchronisation; as above Semester 1, 2018 IFN642

Block Ciphers: CTR mode
Counter mode (CTR) Similar to CFB and OFB: output of block encryption combined with plaintext block using XOR: Ci = Pi XOR Oi Different to CFB and OFB: no feedback to register Uses three inputs to encryption: the key, the plaintext, and a counter value Initial counter value is a random integer Generally, just increment the counter value by 1 (modulo 2L) to obtain next counter value Block cipher output is encrypted counter value: Oi = EK(i) Semester 1, 2018 IFN642

Counter mode (CTR) CTR Encryption: Ciphertext block obtained by XORing block cipher output with plaintext block: Ci = Pi XOR Oi CTR Decryption: Same sequence of counters must be used Plaintext block obtained by XORing block cipher output with ciphertext block: Pi = Ci XOR Oi Only need to use block cipher encryption function For both CTR encryption and CTR decryption Semester 1, 2018 IFN642

Block Ciphers: Counter mode (CTR)

Counter mode issues: Same sequence of counters must be used for encryption and decryption: If obtained by incrementing by 1, need initial value to commence decryption Really important not to reuse counters: Use a different counter value for all message blocks encrypted using that key Otherwise confidentiality compromised (recall OTP) Semester 1, 2018 IFN642

CTR Mode Issues What happens when there is an error? If there is a bitflip error (0 to 1 or vice versa) Just like stream ciphers, CFB, and OFB, that bit will be decrypted incorrectly So less error propagation than ECB or CBC modes If a ciphertext bit (or even a character) is inserted or deleted This will cause a loss of synchronisation with the keystream: so at the point of insertion/deletion, decryption stops recovering message correctly Inserting or deleting one or more blocks Still causes a loss of synchronisation; as above Semester 1, 2018 IFN642

Summary Block ciphers can be used in different modes
Different properties associated with these: ECB mode – confidentiality for short messages CBC mode – better than ECB mode at hiding repetition in longer messages, can be used for integrity assurance CFB mode, OFB mode, CTR mode: all use XOR - like stream ciphers Implementation: ECB and CTR mode can parallelise computations CBC, CFB and OFB chaining: serial CFB, OFB and CTR only require block encryption These are all symmetric ciphers: security provided depends on the security of a shared secret key Semester 1, 2018 IFN642

Overview Review of AES block cipher Block cipher modes of operation:

Similar presentations

Presentation on theme: "Overview Review of AES block cipher Block cipher modes of operation:"— Presentation transcript:

Similar presentations

About project

Feedback

Log in

Auth with social network:

Overview Review of AES block cipher Block cipher modes of operation:

Similar presentations

Presentation on theme: "Overview Review of AES block cipher Block cipher modes of operation:"— Presentation transcript:

Similar presentations

About project

Feedback