Block Cipher Modes of Operation

and Stream Ciphers

CSE 651: Introduction to Network
Security
 Abstract
• We will discuss
– How to use block ciphers?

– RC4: a widely used stream cipher

– Problems with WEP’s use of RC4

2
Modes of Operations
 How to use a block cipher?
• Block ciphers encrypt fixed-size blocks
– e.g. DES encrypts 64-bit blocks
• We need some way to encrypt a message of
arbitrary length
– e.g. a message of 1000 bytes
• NIST defines several ways to do it
– called modes of operation

4
 Five Modes of Operation
– Electronic codebook mode (ECB)

– Cipher block chaining mode (CBC) – most

popular

– Output feedback mode (OFB)

– Cipher feedback mode (CFB)

– Counter mode (CTR)

5
 Message Padding
• The plaintext message is broken into
blocks, P1, P2, P3, ...
• The last block may be short of a whole
block and needs padding.
• Possible padding:
– Known non-data values (e.g. nulls)
– Or a number indicating the size of the pad
– Or a number indicating the size of the plaintext
– The last two schemes may require an extra block.

6
 Electronic Code Book (ECB)
• The plaintext is broken into blocks, P1, P2, P3, ...
• Each block is encrypted independently:
Ci = EK(Pi)
• For a given key, this mode behaves like we have a
gigantic codebook, in which each plaintext block has
an entry, hence the name Electronic Code Book

7
 Remarks on ECB

• Strength: it’s simple.

• Weakness:
– Repetitive information contained in the
plaintext may show in the ciphertext, if aligned
with blocks.
– If the same message (e.g., an SSN) is
encrypted (with the same key) and sent twice,
their ciphertexts are the same.
• Typical application: secure transmission of short
pieces of information (e.g. a temporary
encryption key)
8
 Cipher Block Chaining (CBC)
 The plaintext is broken into blocks: P1 , P2 , P3 , ...
 Each plaintext block is XORed  chained  with the previous
ciphertext block before encryption (hence the name):

Ci  E K  Ci 1  Pi 

C0  IV

 Use an Initial Vector  IV  to start the process.

 Decryption : Pi  Ci 1  D K (Ci )
 Application : general block-oriented transmission.
9
Cipher Block Chaining (CBC)

10
 Remarks on CBC

• The encryption of a block depends on the current

and all blocks before it.
• So, repeated plaintext blocks are encrypted
differently.
• Initialization Vector (IV)
– Must be known to both the sender & receiver
– Typically, IV is either a fixed value or is sent
encrypted in ECB mode before the rest of ciphertext.

11
 Without knowing the key k , for any data block x,
Ek ( x ) is unknown to the adversary.

 To encrypt P1 , P2 , P3 ,..., we may use Ek to generate

a key stream (a sequence of "masks")
K1 , K 2 , K3 ,..., and encrypt Pi as Ci  Pi  Ki .

 Three different ways to generate K1, K 2 , K 3 ,...

12
 Cipher feedback mode (basic version)
• Plaintext blocks: p1, p2, …
• Key: k
• Basic idea: construct key stream k1, k2, k3, …
• Encryption:

c0  IV

ki  Ek (ci 1 ), for i  1

ci  pi  ki , for i  1

13
Cipher Feedback (CFB) Mode
 The plaintext is a sequence of segments of s bits
(where s  block-size): P1 , P2 , P3 , P4 , 
 Encryption is used to generate a sequence of keys,
each of s bits: K1 , K 2 , K3 , K 4 , 
 The ciphertext is C1 , C2 , C3 , C4 , , where
Ci  Pi  Ki
 How to generate the key stream?

14
Generating Key Stream for CFB
 The input to the block cipher is a shift register x;
its value at stage i is denoted as xi .

 Initially, x1  an initial vector (IV).

For i  1, xi  shift-left-s -bits(xi 1 ) Ci 1.

 Then, Ki  s-most-significant-bits(E K ( xi )).

15
Encryption in CFB Mode

16
 Decryption in CFB Mode
 Generate key stream K1 , K 2 , K3 , K 4 , 
the same way as for encryption.
 Then decrypt each ciphertext segment as:
Pi  Ci  Ki

17
 Remark on CFB
• The block cipher is used as a stream cipher.
• Appropriate when data arrives in bits/bytes.
• s can be any value; a common value is s = 8.
• A ciphertext segment depends on the current and
all preceding plaintext segments.
• A corrupted ciphertext segment during
transmission will affect the current and next
several plaintext segments.
– How many plaintext segments will be affected?

18
 Output feedback mode (basic version)
• Plaintext blocks: p1, p2, …
• Key: k
• Basic idea: construct key stream k1, k2, k3, …
• Encryption:

k0  IV

ki  Ek (ki 1 ), for i  1

ci  pi  ki , for i  1

19
 Output Feedback (OFB) Mode
 Very similar to Cipher Feedback in structure.
 But K i 1 rather than Ci 1 is fed back to the next stage.

 As in CFB, the input to the block cipher is a shift

register x; its value at stage i is denoted as xi .

 Initially, x1  an initial vector (IV).

For i  1, xi  shift-left-s -bits(xi 1 ) K i 1.

 Then, K i  s -most-significant-bits(E K ( xi )).

20
Cipher Feedback

Output Feedback

21
 Remark on OFB
• The block cipher is used as a stream cipher.
• Appropriate when data arrives in bits/bytes.
• Advantage:
– more resistant to transmission errors; a bit error in a ciphertext
segment affects only the decryption of that segment.
• Disadvantage:
– Cannot recover from lost ciphertext segments; if a ciphertext
segment is lost, all following segments will be decrypted
incorrectly (if the receiver is not aware of the segment loss).
• IV should be generated randomly each time and sent with
the ciphertext.

22
 Counter Mode (CTR)
• Plaintext blocks: p1, p2, p3, …
• Key: k
• Basic idea: construct key stream k1, k2, k3, …
• Encryption:

T1 = IV (random)
Ti = IV + i - 1
Ci = Pi ♁ EK(Ti)
C = (IV, C1, C2, C3, ...)
23
 Remark on CTR
• Strengthes:
– Needs only the encryption algorithm
– Fast encryption/decryption; blocks can be processed
(encrypted or decrypted) in parallel; good for high
speed links
– Random access to encrypted data blocks
• IV should not be reused.

24
Stream Ciphers
Vernam’s one-time pad cipher
 Key = k1k2k3k4 (random, used one-time only)

 Plaintext = m1m2m3m4

 Ciphertext = c1c2c3c4
where ci  mi  ki

 Can be proved to be unconditionally secure.

26
Stream Cipher Diagram

27
 Stream Ciphers
 Typically, process the plaintext byte by byte.
 So, the plaintext is a stream of bytes: P1 , P2 , P3 , 
 Use a key K as the seed to generate a sequence of
pseudorandom bytes (keystream): K1 , K 2 , K 3 , 
 The ciphertext is C1 , C2 , C3 , C4 , , where
Ci  Pi  K i
 Various stream ciphers differ in the way they
generate keystreams.
28
 Stream Ciphers

 For a stream cipher to be secure, the keystream

should have a large period, and
should be as random as possible, each of the 256
values appearing about equally often.
 The same keystream must not be reused. That is,
the input key K must be different for each plaintext
(if the pseudorandom generator is deterministic).

29
 The RC4 Stream Cipher
• Designed by Ron Rivest in 1987 for RSA
Security.
• Kept as a trade secret until leaked out in 1994.
• The most popular stream cipher.
• Simple and fast.
• With a 128 bits key, the period is > 10100 .
• Used in the SSL/TLS standards (for secure Web
communication), IEEE 802.11 wireless LAN
standard, Microsoft Point-to-Point Encryption,
and many others.

30
 RC4
 Two vectors of bytes:
 S [0], S [1], S[2], , S[255]
 T [0], T [1], T [2], , T [255]
 Key: variable length, from 1 to 256 bytes
 Initialization:
1. S [i ]  i, for 0  i  255
2. T [i ]  K [i mod key-length], for 0  i  255
(i.e., fill up T [0..255] with the key K repeatedly.)

31
 RC4: Initial Permutation
 Initial Permutation of S:
j0
for i  0 to 255 do
j  ( j  S [i ]  T [i ] ) mod 256
Swap S [i ], S [ j ]

 This part of RC4 is generally known as the

Key Scheduling Algorithm (KSA).
 After KSA, the input key and the temporary
vector T will no longer be used.
32
RC4: Key Stream Generation
 Key stream generation:
i, j  0
while (true)
i  ( i  1 ) mod 256
j  ( j  S[i] ) mod 256
Swap S[i], S[ j ]
t  ( S[i]  S[ j ] ) mod 256
k  S [t ]
output k
33
 Security of RC4
• The keystream generated by RC4 is biased.
– The second byte is biased toward zero with high
probability.
– The first few bytes are strongly non-random and leak
information about the input key.
• Defense: discard the initial n bytes of the keystream.
– Called “RC4-drop[n-bytes]”.
– Recommended values for n = 256, 768, or 3072 bytes.
• Efforts are underway (e.g. the eSTREAM project) to
develop more secure stream ciphers.

34
 RC4 and WEP
• WEP is a protocol using RC4 to encrypt packets for
transmission over IEEE 802.11 wireless LAN.
• WEP requires each packet to be encrypted with a
separate RC4 key.
• The RC4 key for each packet is a concatenation of a
24-bit IV (initialization vector) and a 40 or 104-bit long-
term key.

RC4 key: IV (24) Long-term lkey (40 or 104 bits)

35
 802.11 frames using WEP

Header IV l
Packet ICV FCS

encrypted

• ICV: integrity check value (for data integrity)

• FCS: frame check sequence (for error detection)
• Both use CRC32

36
• WEP has been shown to be insecure.
• There is an article, “Breaking 104 bit WEP
in less than 60 seconds,” discussing how
to discover the RC4 key by analyzing
encrypted ARP packets.

37