Professional Documents
Culture Documents
4 Modes Operations RC4
4 Modes Operations RC4
2
Modes of Operations
How to use a block cipher?
• Block ciphers encrypt fixed-size blocks
– e.g. DES encrypts 64-bit blocks
• We need some way to encrypt a message of
arbitrary length
– e.g. a message of 1000 bytes
• NIST defines several ways to do it
– called modes of operation
4
Five Modes of Operation
– Electronic codebook mode (ECB)
5
Message Padding
• The plaintext message is broken into
blocks, P1, P2, P3, ...
• The last block may be short of a whole
block and needs padding.
• Possible padding:
– Known non-data values (e.g. nulls)
– Or a number indicating the size of the pad
– Or a number indicating the size of the plaintext
– The last two schemes may require an extra block.
6
Electronic Code Book (ECB)
• The plaintext is broken into blocks, P1, P2, P3, ...
• Each block is encrypted independently:
Ci = EK(Pi)
• For a given key, this mode behaves like we have a
gigantic codebook, in which each plaintext block has
an entry, hence the name Electronic Code Book
7
Remarks on ECB
Ci E K Ci 1 Pi
C0 IV
10
Remarks on CBC
11
Without knowing the key k , for any data block x,
Ek ( x ) is unknown to the adversary.
12
Cipher feedback mode (basic version)
• Plaintext blocks: p1, p2, …
• Key: k
• Basic idea: construct key stream k1, k2, k3, …
• Encryption:
c0 IV
ki Ek (ci 1 ), for i 1
ci pi ki , for i 1
13
Cipher Feedback (CFB) Mode
The plaintext is a sequence of segments of s bits
(where s block-size): P1 , P2 , P3 , P4 ,
Encryption is used to generate a sequence of keys,
each of s bits: K1 , K 2 , K3 , K 4 ,
The ciphertext is C1 , C2 , C3 , C4 , , where
Ci Pi Ki
How to generate the key stream?
14
Generating Key Stream for CFB
The input to the block cipher is a shift register x;
its value at stage i is denoted as xi .
15
Encryption in CFB Mode
16
Decryption in CFB Mode
Generate key stream K1 , K 2 , K3 , K 4 ,
the same way as for encryption.
Then decrypt each ciphertext segment as:
Pi Ci Ki
17
Remark on CFB
• The block cipher is used as a stream cipher.
• Appropriate when data arrives in bits/bytes.
• s can be any value; a common value is s = 8.
• A ciphertext segment depends on the current and
all preceding plaintext segments.
• A corrupted ciphertext segment during
transmission will affect the current and next
several plaintext segments.
– How many plaintext segments will be affected?
18
Output feedback mode (basic version)
• Plaintext blocks: p1, p2, …
• Key: k
• Basic idea: construct key stream k1, k2, k3, …
• Encryption:
k0 IV
ki Ek (ki 1 ), for i 1
ci pi ki , for i 1
19
Output Feedback (OFB) Mode
Very similar to Cipher Feedback in structure.
But K i 1 rather than Ci 1 is fed back to the next stage.
Output Feedback
21
Remark on OFB
• The block cipher is used as a stream cipher.
• Appropriate when data arrives in bits/bytes.
• Advantage:
– more resistant to transmission errors; a bit error in a ciphertext
segment affects only the decryption of that segment.
• Disadvantage:
– Cannot recover from lost ciphertext segments; if a ciphertext
segment is lost, all following segments will be decrypted
incorrectly (if the receiver is not aware of the segment loss).
• IV should be generated randomly each time and sent with
the ciphertext.
22
Counter Mode (CTR)
• Plaintext blocks: p1, p2, p3, …
• Key: k
• Basic idea: construct key stream k1, k2, k3, …
• Encryption:
T1 = IV (random)
Ti = IV + i - 1
Ci = Pi ♁ EK(Ti)
C = (IV, C1, C2, C3, ...)
23
Remark on CTR
• Strengthes:
– Needs only the encryption algorithm
– Fast encryption/decryption; blocks can be processed
(encrypted or decrypted) in parallel; good for high
speed links
– Random access to encrypted data blocks
• IV should not be reused.
24
Stream Ciphers
Vernam’s one-time pad cipher
Key = k1k2k3k4 (random, used one-time only)
Plaintext = m1m2m3m4
Ciphertext = c1c2c3c4
where ci mi ki
26
Stream Cipher Diagram
27
Stream Ciphers
Typically, process the plaintext byte by byte.
So, the plaintext is a stream of bytes: P1 , P2 , P3 ,
Use a key K as the seed to generate a sequence of
pseudorandom bytes (keystream): K1 , K 2 , K 3 ,
The ciphertext is C1 , C2 , C3 , C4 , , where
Ci Pi K i
Various stream ciphers differ in the way they
generate keystreams.
28
Stream Ciphers
29
The RC4 Stream Cipher
• Designed by Ron Rivest in 1987 for RSA
Security.
• Kept as a trade secret until leaked out in 1994.
• The most popular stream cipher.
• Simple and fast.
• With a 128 bits key, the period is > 10100 .
• Used in the SSL/TLS standards (for secure Web
communication), IEEE 802.11 wireless LAN
standard, Microsoft Point-to-Point Encryption,
and many others.
30
RC4
Two vectors of bytes:
S [0], S [1], S[2], , S[255]
T [0], T [1], T [2], , T [255]
Key: variable length, from 1 to 256 bytes
Initialization:
1. S [i ] i, for 0 i 255
2. T [i ] K [i mod key-length], for 0 i 255
(i.e., fill up T [0..255] with the key K repeatedly.)
31
RC4: Initial Permutation
Initial Permutation of S:
j0
for i 0 to 255 do
j ( j S [i ] T [i ] ) mod 256
Swap S [i ], S [ j ]
34
RC4 and WEP
• WEP is a protocol using RC4 to encrypt packets for
transmission over IEEE 802.11 wireless LAN.
• WEP requires each packet to be encrypted with a
separate RC4 key.
• The RC4 key for each packet is a concatenation of a
24-bit IV (initialization vector) and a 40 or 104-bit long-
term key.
35
802.11 frames using WEP
Header IV l
Packet ICV FCS
encrypted
36
• WEP has been shown to be insecure.
• There is an article, “Breaking 104 bit WEP
in less than 60 seconds,” discussing how
to discover the RC4 key by analyzing
encrypted ARP packets.
37