Presentation is loading. Please wait.

Presentation is loading. Please wait.

Applied Cryptography Spring 2015 Chaining Modes. What happens when the clear text is longer than the block length k? Most simple solution — encrypt each.

Published byBasil Stanley Modified over 9 years ago

Similar presentations

Presentation on theme: "Applied Cryptography Spring 2015 Chaining Modes. What happens when the clear text is longer than the block length k? Most simple solution — encrypt each."— Presentation transcript:

1 Applied Cryptography Spring 2015 Chaining Modes

2 What happens when the clear text is longer than the block length k? Most simple solution — encrypt each block separately. This mode is called ECB, Electronic Code Book Clear text Cipher text Enc Key Chaining ciphers - ECB [From Mårten Trolin]

3 Problems with ECB: two transmissions of the same plaintext will be identical (i.e. if, you know, that there were 2 identical transmissions, you can guess the ciphertext of these). This could be dealt with timestamps. block replay. A poptential cure is the use of MAC, however this still remains an unpleasant feature. ECB still can be used in some cases for transmission of short messages e.g. cipher keys Chaining ciphers - ECB

4 Padding k - block length, n - message length if n is a multiple of k, there are no problems what to do with the last block, if n is not a multiple of k? extra bytes can be added at the end of the last block, however, it ould be useful to know, where the actual message ends... Chaining ciphers - ECB

5 Some padding schemes add padding in all cases (i.e., also when n is a multiple of k) if m bytes are added, fill each of them with value m (used in e.g. RC5-CBC-PAD) if m bytes are added, fill each of them with values 1,2,..., m (used in e.g. ESP and IPSec) Chaining ciphers - ECB

6 ECB - Example Original ECB mode "other" mode

7 A feedback is introduced to link the blocks together Clear textCipher text Enc Key IV Cipher Block Chaining [From Mårten Trolin]

8 Cipher Block Chaining

9 Errors error in plaintext bit error in ciphertext syncronisation error in ciphertext? What should be done with IV? no need to be secret should be transmitted can IV be reused? CBC - issues

10 Can be done similarly as in ECB add padding in all cases (i.e., also when n is a multiple of k) if m bytes are added, fill each of them with value m (used in e.g. RC5-CBC-PAD) if m bytes are added, fill each of them with values 1,2,..., m (used in e.g. ESP and IPSec) CBC - padding

11 Some problems with padding.... assume that the same IV is used for all transmissions, as well as one of the 2 padding schemes described above. Also, assume that there is an oracle, that gives an answer, whether a given message ends with a correct padding (available e.g. in e-mail server using SSL/TLS). Is this secure? try to send to oracle blocks r,C i... CBC - padding

12 CBC - alternative encryption of the last block

13 CBC - ciphertext stealingg

14 Stream and block ciphers - Definition ?

15 Stream ciphers

16 Keystream generator

17 Self synchronizing stream cipher Ciphertext Auto-Key (CTAK) Another possibility:Key Auto-Key (KAK)

18 Stream ciphers - Insertion attack

19 Key generators - CFB (cipher_feedback) mode

20 Key generators - LFSR (linear feedback shift registers)

21 Key generators - A5/1 A5/1 - used in GSM "less than one minute of computations, and a few seconds of known conversation". A register is clocked if its clocking bit (orange) agrees with the majority of the clocking bits of all three registers.

22 Key generators - RC4 Ron Rivest (RSA Security) 1987 Widely used in SSL, WEP etc 104-bit RC4 used in WEP can be cracked in less than a minute for i=0,…,N-1 S[i]=i j=0 for i=0…N-1 j=j+S[i]+Key[i mod l] Swap[S[i], S[j]] i=i+1 j=j+S[i] Swap(S[i],S[j]) Output z =S[S[i]+S[j]]

23 Key generators - RC4 Easy computation –Fast –Can use large bit blocks and keys Stream based encryption Key can be made to change at regular intervals using fancy programming Implementation in Popular languages (C, perl) well documented. Vulnerable to brute force attacks Require a large data structure Proven Breakable by researchers at ATT and Rice Univ. (August, 2001) –“One hour of brute force computation to break standard WEP” Once Key is broken all messages are easily readable.

24 Quadratic residues and Blum Integers If p and q are two primes, and both are congruent to 3 modulo 4, then n = p*q is sometimes called a Blum integer. If n is a Blum integer, each quadratic residue has exactly four square roots. One of them is also a square - the principal square root. The function f: Z n * → Z n * defined by f(x) = x 2 mod n is a permutation. The inverse function of f is: f -1 (x) = x ((p-1)(q-1)+4)/8 mod n.

25 Quadratic residues and Blum Integers The function f: Z n * → Z n * defined by f(x) = x 2 mod n is a permutation. The inverse function of f is: f -1 (x) = x ((p-1)(q-1)+4)/8 mod n. p,q - primes, n = pq Guessing the last significant bit of square root of x mod n with any non-negligible advantage is as hard as factoring n.

26 Blum, Blum and Shub (BBS) key generator Let n be a Blum integer. Choose a random quadratic residue x 0 (modulo n). For i  0 let x i+1 = x i 2 mod n, b i = the least significant bit of x i For each integer i, let BBS n, i (x 0 ) = b 0 …b i-1 be the first i bits of the pseudo-random sequence generated from the seed x 0 by the BBS pseudo-random generator. Note that b i is the least significant bit of x i = x 0 (2 i )mod(p-1)(q-1)

27 BBS pseudo-random generator - analysis Assume that the BBS pseudo-randomize generator with a Blum integer is not unpredictable to the left. Let y be a quadratic residue from Z n *. Compute BBS n, i -1 (y) for some i > 1. Note that the last (i -1) of BBS n, i (x) are also the first (i -1) bits of BBS n, i -1 (y), where x is the principal square root of y. Hence, if the BBS pseudo-random generator is not unpredictable to the left, then there exists a better method than coin-tossing to determine the least significant bit of x, what is, as mentioned above, impossible. Choose random x, relatively prime to n, compute x 0 = x 2 mod n x i +1 = x i 2 mod n, b i = the least significant bit of x i BBS n, i (x 0 ) = b 0 …b i-1

28 Key generators - OFB (output feedback) mode

29 Keystream generator in OFB mode

30 CFB (cipher_feedback) mode

31 Chaining in CFB mode

32 Errors error in plaintext bit error in ciphertext syncronisation error in ciphertext? What should be done with IV? no need to be secret should be transmitted should be unique! CFB - issues

33 OFB (output feedback) mode

34 Chaining in OFB mode

35

36 Just as with other stream ciphers, flipping a bit in the ciphertext produces a flipped bit in the plaintext at the same location. This property allows many error correcting codes to function normally even when applied before encryption.

37 Chaining in counter (CTR) mode

38 Data integrity and MAC

39 CBC-MAC Issues: - not secure for variable length messages (we can inludemessage length in computation, still it doesn’t help too much...) - different keys should be used for chaining and MAC (ok, this should always be the case !)

40 CMAC

41 Length of MAC? Birthday paradox: What should be the size k of a group of people, such that with probablity 1/2 at least two persons from the group will have birthday on the same day?

42 Length of MAC?

43

44 Combining chaining and data integrity CCMCounter with CBC-MAC EAX Authenticated Encryption with Associated Data GCM Galois/Counter Mode OCBOffset Codebook Mode OCB mode

45 GCM mode (Galois/Counter Mode) Combines privacy and data integrity protection Defined for 128 bit blocks mult H - multiplication in GF(2 7 )

46 Disk encryption Some additional constraints: limited length chaining (e.g. at sector level, around 512 bytes) implementation shall efficiently encrypt and decrypt data in any sector implementation shall use only constant amount of additional storage for a device of arbitrary size integrity problem is important CBC : IV for each sector derived from the sector number etc LRW (Tweakable Narrow-Block Encryption): K - key, F - additional key, I - block index (tweak)

47 ECB - overview

48 CBC - overview Probably most useful. Best for encrypting files (usually no synchronization errors).

49 CFB - overview Recoverable synchronization errors. Mainly used in stream mode.

50 OFB - overview Recommended for error-prone environments.

51 Some other chaining modes Counter Mode. Characteristics similar to OFB. Useful, when an instant access to a random part of message is desirable. Block Chaining Mode (BC). Similar to CBC, but XOR all previous ciphertext block to the next one. No error tolerance. Propagating Cipher Block Chaining Mode (PCBC). Similar to CBC, but both, previous ciphetext and plaintext blocks are XORed to the next one. Used in Kerberos (before version 5). Swapping of two ciphertext blocks does not affect integrity check! Output feedback with a non-linear function (OFBNLF). Variant of OFB/ECB with K i =E K (K i–1 )

52 Interleaving

Download ppt "Applied Cryptography Spring 2015 Chaining Modes. What happens when the clear text is longer than the block length k? Most simple solution — encrypt each."

Similar presentations

Block Cipher Modes of Operation and Stream Ciphers

Block Cipher Modes of Operation and Stream Ciphers
ECE454/CS594 Computer and Network Security

ECE454/CS594 Computer and Network Security
“Advanced Encryption Standard” & “Modes of Operation”

“Advanced Encryption Standard” & “Modes of Operation”
CS470, A.SelcukStream Ciphers1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukStream Ciphers1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Encipherment Using Modern Symmetric-Key Ciphers. 8.2 Objectives ❏ To show how modern standard ciphers, such as DES or AES, can be used to encipher long.

Encipherment Using Modern Symmetric-Key Ciphers. 8.2 Objectives ❏ To show how modern standard ciphers, such as DES or AES, can be used to encipher long.
Modern Symmetric-Key Ciphers

Modern Symmetric-Key Ciphers
Modern Symmetric-Key Ciphers

Modern Symmetric-Key Ciphers
Modern Symmetric-Key Ciphers

Modern Symmetric-Key Ciphers
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.
Mar 19, 2002Mårten Trolin1 This lecture On the assignment Certificates and key management SSL/TLS –Introduction –Phases –Commands.

Mar 19, 2002Mårten Trolin1 This lecture On the assignment Certificates and key management SSL/TLS –Introduction –Phases –Commands.
Cryptography and Network Security Chapter 6. Chapter 6 – Block Cipher Operation Many savages at the present day regard their names as vital parts of themselves,

Cryptography and Network Security Chapter 6. Chapter 6 – Block Cipher Operation Many savages at the present day regard their names as vital parts of themselves,
Cryptography1 CPSC 3730 Cryptography Chapter 6 Triple DES, Block Cipher Modes of Operation.

Cryptography1 CPSC 3730 Cryptography Chapter 6 Triple DES, Block Cipher Modes of Operation.
Stream cipher diagram + + Recall: One-time pad in Chap. 2.

Stream cipher diagram + + Recall: One-time pad in Chap. 2.
Kemal AkkayaWireless & Network Security 1 Department of Computer Science Southern Illinois University Carbondale Wireless and Network Security Lecture.

Kemal AkkayaWireless & Network Security 1 Department of Computer Science Southern Illinois University Carbondale Wireless and Network Security Lecture.
Modes of Operation CS 795. Electronic Code Book (ECB) Each block of the message is encrypted with the same secret key Problems: If two identical blocks.

Modes of Operation CS 795. Electronic Code Book (ECB) Each block of the message is encrypted with the same secret key Problems: If two identical blocks.
RC4 1 RC4 RC4 2 RC4  Invented by Ron Rivest o “RC” is “Ron’s Code” or “Rivest Cipher”  A stream cipher  Generate keystream byte at a step o Efficient.

RC4 1 RC4 RC4 2 RC4  Invented by Ron Rivest o “RC” is “Ron’s Code” or “Rivest Cipher”  A stream cipher  Generate keystream byte at a step o Efficient.
Introduction to Modern Cryptography Lecture 2 Symmetric Encryption: Stream & Block Ciphers.

Introduction to Modern Cryptography Lecture 2 Symmetric Encryption: Stream & Block Ciphers.
McGraw-Hill©The McGraw-Hill Companies, Inc., 2004 1 Security PART VII.

McGraw-Hill©The McGraw-Hill Companies, Inc., Security PART VII.
15-441 Computer Networking Lecture 21: Security and Cryptography Thanks to various folks from 15-441, semester’s past and others.

Computer Networking Lecture 21: Security and Cryptography Thanks to various folks from , semester’s past and others.
Lecture 23 Symmetric Encryption

Lecture 23 Symmetric Encryption

Similar presentations

Ads by Google