# Block Cipher Modes of Operation

Alberto Grand

Politecnico di Torino Computer Systems Security – prof. Antonio Lioy

What are modes of operation?
Block ciphers only allow to encrypt entire blocks. What if our message is longer/shorter than the block size? We use modes of operation!
Algorithms that exploit a block cipher to provide a service (e.g. confidentiality, authentication) 5 NIST-recommended modes providing confidentiality: ECB, CBC, CFB, OFB, CTR CMAC may be considered a block cipher mode of operation providing authentication.

2

Electronic Codebook (ECB)
Associates each possible plaintext block to a ciphertext block, like a codebook.

Hello world!

aY1\:?§h24(r

Requires padding Encryption/decryption of multiple blocks in parallel A 1-bit error in a ciphertext block garbles the corresponding decrypted block.

3

Deficiencies of ECB
Problems when the original message contains regular data patterns, because always encrypted in the same way.

Only suitable for 1-block-sized data (e.g. a key) “The securest thing you can do with ECB is not use it!”
4

Cipher Block Chaining (CBC)
Allows the same plaintext blocks to be encrypted to different ciphertext blocks. Encrypted blocks are “chained” through XORing. Requires an initialisation vector (IV)
Hello IV CIPHER CIPHER IV world q%1aX CIPHER-1 l’3z1\$ CIPHER-1

q%1aX

l’3z1\$

Hello

world
5

Features of CBC
No parallel encrypting , while parallel decrypting is possible. A 1-bit error affects two blocks:
the corresponding block is garbled the corresponding bit is flipped in the next block

Problem with the IV: 1-bit error only flips 1 bit in the 1st block, no garbled block. Hard to detect! Solutions:
encipher the IV don’t transmit the IV, but compute it from a known value use authentication!
6

Propagating CBC (PCBC)
It’s a variation of CBC designed to propagate errors. It also involves the previous plaintext block in the XOR operation. Is error propagation desirable? It depends!
NO if transmission errors YES if intentional, malicious changes

Used in Kerberos v.4, but abandoned starting from v.5 because inversion of two adjacent blocks does not affect subsequent blocks.

7

Cipher Feedback (CFB)
Turns a block cipher into a stream cipher, message size need not be multiple of block size. Very similar to CBC (ciphering and XORing are swapped).
IV CIPHER Hello q%1aX world l’3z1\$ Hello CIPHER IV CIPHER q%1aX world
8

CIPHER l’3z1\$

Features of CFB
No parallel encrypting of multiple blocks – although some form of pipelining is possible. Parallel decryption is possible Only the forward function is used. A 1-bit error :
flips corresponding bit in current segment may garble the next ⌈b/s⌉ segments

This is highly noticeable, so CFB is less exposed to the risk of deliberate bit changes.

9

OpenPGP with CFB
Widespread standard for exchanging encrypted email messages. A variant of CFB is used for symmetric cryptography:
a random block R is enciphered and used as an IV the first 2 bytes of R are replicated in the 2nd block for integrity checks

Leak of information! About 215 set-up attempts + about 215 attempts per block enable an attacker to discover the first 2 bytes of any block. PGP stands for “Pretty Good Privacy”!
10

Output Feedback (OFB)
Turns a block cipher into a stream cipher. It features the iteration of the forward cipher on an IV.
IV CIPHER Hello q%1aX world l’3z1\$ CIPHER q%1aX Hello IV CIPHER l’3z1\$ world
11

CIPHER

Features of OFB (i)
Neither encryption nor decryption can be performed in parallel due to block chaining. If IV available prior to ciphertext, keystream blocks can be pre-computed. IV needs to be a nonce, otherwise know-plaintext attack is possible (under same key):
an attacker who knows the ith plaintext block can easily reconstruct the ith keystream block he can then understand the ith block of every message
12

Features of OFB (ii)
A 1-bit error in a ciphertext block only produces a bit-specific error in the corresponding block:
good for error correcting codes, which work even when applied before encryption bad because it’s hardly noticeable!

A 1-bit error in the IV causes all blocks to be garbled.

13

Counter (CTR)
Turns a block cipher into a stream cipher. Keystreams blocks are generated by encrypting a set of counter blocks.
CTR block #1 CIPHER Hello q%1aX world l’3z1\$ CTR block #2 CIPHER q%1aX Hello CTR block #1 CIPHER l’3z1\$ world
14

CTR block #2 CIPHER

Features of CTR (i)
Both encryption and decryption can be performed fully in parallel on multiple blocks. Provides true random access to ciphertext blocks. If the initial counter block is available, keystream blocks may be computed prior to receiving the ciphertext . It’s simple!
No inverse cipher function is required for decryption.

It is becoming increasingly used.

15

Features of CTR (ii)
Assurance is required that:
counters do not repeat within a single message counters do not repeat across all messages under a given key

Done through an incrementing function. Usually, first b-m bits are a message nonce, following m bits are incremented (message length < 2m blocks). Alternatively, counters are concatenated (total length of all messages < 2m blocks)
16

Increases amount of data to be sent with no increase of transmitted information. With regular data pattern, padding with random values makes cryptanalysis more difficult. When padding scheme in known, it may expose exchange of messages to timing attacks.
OpenSSL prior to v.0.9.6c with CBC-MAC MAC is located at the end, padding is needed Message only evaluated if padding is correct Attacker may systematically find out bits starting from second-to-last block.
17

Ciphertext Stealing (CTS)
limited bandwidth exchange of many messages that would require padding

We want to avoid extra data, but cipher blocks need entire blocks! Solution: use CTS!
by accomplishing some extra operations, enables to produce as many output data as given in input we pay in terms of complexity and execution time we still cannot encyrpt very short messages (< 1 block).

Usually not worth it!
18

Related-mode attacks (i)

Attacks against a given block cipher mode of operation:
we must know which mode is being used we need an oracle of another mode, but with the same underlying cipher

19

Related-mode attacks (ii)
Using ECB against CTR MU intercepted Ci and C0 He chooses P’i = C0 + i C’i = CIPHk(P’i) Since Ci = CIPHk(C0 + i) ⊕ Pi he can compute Pi = Ci ⊕ C’i. Only one chosen plaintext query is required.

20

The CMAC Mode for Authentication

What is CMAC?
The 5 modes of operation provide confidentiality, but we need authentication and integrity. We must use a mode for authentication!
it implies integrity

A MAC algorithm provides stronger assurance of data integrity than a checksum. CMAC exploits the CBC mode of operation to chain cipherblocks and obtain a value which depends on all previous blocks.

22

Once upon time…
…there was an insecure mode for authentication named CBC-MAC:
only provided security for messages whose length was a multiple of the block size attacker could change the whole message (except last block) without notice when CBC was used for encryption with the same key.

Black & Rogaway made it secure for arbitrary-length messages using 2 extra keys (XCBC). Iwata & Kurosawa derived the extra keys from the shared secret (OMAC, OMAC1 = CMAC).
23

Subkey generation
2 subkeys K1, K2 are generated from the key Can be computed once and stored (must be secret!) Rb is a value related to the block size
Rb = 012010000111 when b = 128 Rb = 05911011 when b = 64
L ⃪ CIPHk (0b) if MSB1(L) = 0 then K1 ⃪ L << 1 else K1 ⃪ (L << 1) ⊕ Rb if MSB1(K1) = 0 then K2 ⃪ K1 << 1 else K2 ⃪ (K1 << 1) ⊕ Rb

Finite-field mathematics are involved!
24

CMAC generation
if Mlen = 0 then n ⃪ 1 else n ⃪ ⌈ len / b⌉ ⌈M ⌉ if M*n complete then Mn ⃪ M*n ⊕ K1 else Mn ⃪ (M*n ‖10j) ⊕ K1 C0 ⃪ 0b for i ⃪ 1 to n do Ci ⃪ CIPHk (Ci-1 ⊕ Mi) T ⃪ MSBTlen(Cn)

Formatting of the message does not need to complete before starting CBC encryption.

25

CMAC verification
Receiver may decrypt data with the appropriate algorithm. He then applies CMAC generation process to the data. He compares the generated MAC with the one he received:
if identical, message is authentic if not, in-transit errors or attack!

26

Length of the MAC (i)
When verification fails, we are sure the message is inauthentic. But when it succeeds, we are not 100% sure it is authentic!
MU may have simply guessed the right MAC for a message His chances of succeeding are 1/2Tlen

Longer MACs provide higher assurance, but use more bandwidth/storage space. If attacker can make more than one attempt his chances increase!
27

Length of the MAC (ii)
For most applications, 64 bits are enough. NIST provides guidance. Two parameters:
MaxInvalids : maximum number of attempts before system halts Risk : highest acceptable probability that an inauthentic message is mistakenly trusted. Tlen ≥ log2 (MaxInvalids / Risk) e.g. MaxInvalids = 1 Risk = 0.25 ⇒ Tlen = 2 bits

28

Message span of the key (i)
It’s the total number of messages to which CMAC is applied with the same key. Affects security against attacks based on detecting 2 distinct messages that lead to the same MAC.
We call this event a collision. This happens because possible messages are much more than possible MACs. It should not occur during the lifetime of a key.

Message span should be limited!

29

Message span of the key (ii)
Probability says that a collision is expected among a set of 2b/2 messages. For general purpose applications:
no more than 248 messages when b = 128 no more than 221 messages when b = 64

For higher level of security:
no more than 248 message blocks when b = 128 (222 GB) no more than 221 message blocks when b = 64 (16 MB)

Sometimes message span is time-limited.

30

Protection vs. replay attacks
No protection against replay attacks is ensured by CMAC:
Malicious user may intercept a message with its correct MAC and send it at a later time. It’s perfectly valid!

Such protection must be provided by protocol or application that uses CMAC for authentication:
sequential number timestamp message nonce etc.
31

Any questions?

32