
Modes of Operation

The document discusses five modes of operation for block ciphers: electronic codebook (ECB), cipher block chaining (CBC), output feedback (OFB), cipher feedback (CFB), and counter (CTR) mode. It provides details on how each mode works including how plaintext is broken into blocks and encrypted, use of initialization vectors, generation of key streams, and strengths and weaknesses of each mode. CBC mode is described as the most popular mode. The document also covers stream ciphers, how they generate a keystream to encrypt plaintext bytes, and provides details on the RC4 stream cipher algorithm.

Uploaded by

Ali Express

Modes of Operations

How to use a block cipher?


• Block ciphers encrypt fixed size blocks
– E.g. DES encrypts 64-bit blocks
• We need some way to encrypt arbitrary
amounts of data
– E.g. a message of 1000 bytes
• NIST defines five ways to do it
– Called modes of operations
– Including block and stream modes
Five Modes of Operation

– Electronic codebook mode (ECB)
– Cipher block chaining mode (CBC) – most popular
– Output feedback mode (OFB)
– Cipher feedback mode (CFB)
– Counter mode (CTR)

Electronic Code Book (ECB)
• The plaintext is broken into blocks, $P_1, P_2, P_3, \ldots$
• Each block is encrypted independently of the other blocks:
$C_i = E_K(P_i)$
• For a given key, this mode behaves like we have a gigantic codebook, in which each plaintext block has an entry, hence the name Electronic Code Book

[Figure: Electronic Code Book (ECB)]

Remarks on ECB

• Strength: it’s simple.


• Weakness:
– Repetitive information contained in the
plaintext may show in the ciphertext, if aligned
with blocks.
– If the same message (e.g., your SSN) is
encrypted (with the same key) and sent twice,
their ciphertexts are the same.
• Typical application: secure transmission of short
pieces of information (e.g. an encryption key)

Cipher Block Chaining (CBC)
• The plaintext is broken into blocks: $P_1, P_2, P_3, \ldots$
• Each plaintext block is XORed (chained) with the previous ciphertext block before encryption (hence the name):

$C_i = E_K(C_{i-1} \oplus P_i)$

$C_0 = IV$

• Use an Initial Vector (IV) to start the process.
• Decryption: $P_i = C_{i-1} \oplus D_K(C_i)$
• Application: general block-oriented transmission.

[Figure: Cipher Block Chaining (CBC)]

Remarks on CBC
• The same key is used for all blocks.
• A ciphertext block depends on all blocks before it.
• So, repeated plaintext blocks are encrypted
differently.
• Initialization Vector (IV)
– Must be known to both the sender & receiver
– Typically, IV is either a fixed value
– Or is sent encrypted in ECB mode before the rest of the message.

Message Padding
• The last plaintext block may be short of a
whole block and needs padding:
• Possible padding:
– Known non-data values (e.g. nulls)
– Or a number indicating the size of the pad
– Or a number indicating the size of the plaintext
– The last two schemes may require an extra block.
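
The ECB and CBC equations and the pad-size scheme from the slides above, as an added example that is not part of the original slides. The 4-round Feistel pair `E`/`D` is a toy stand-in for a real block cipher, and the key, message and helper names are constructed for illustration.

```python
import hashlib, hmac

BLOCK = 8  # bytes: 64-bit blocks, the DES block size the slides mention

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def f(key, rnd, half):
    # Feistel round function: keyed hash of one 4-byte half.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:4]

def E(key, blk):
    # Toy 4-round Feistel network standing in for E_K (not a real cipher).
    l, r = blk[:4], blk[4:]
    for rnd in range(4):
        l, r = r, xor(l, f(key, rnd, r))
    return l + r

def D(key, blk):
    # D_K: undo the rounds of E in reverse order.
    l, r = blk[:4], blk[4:]
    for rnd in reversed(range(4)):
        l, r = xor(r, f(key, rnd, l)), l
    return l + r

def pad(m):
    n = BLOCK - len(m) % BLOCK  # pad size 1..BLOCK: aligned input gains a block
    return m + bytes([n]) * n   # each pad byte holds the size of the pad

def blocks(m):
    return [m[i:i + BLOCK] for i in range(0, len(m), BLOCK)]

def ecb_encrypt(key, m):
    return b"".join(E(key, p) for p in blocks(pad(m)))  # C_i = E_K(P_i)

def cbc_encrypt(key, iv, m):
    out = [iv]                                  # C_0 = IV
    for p in blocks(pad(m)):
        out.append(E(key, xor(out[-1], p)))     # C_i = E_K(C_{i-1} XOR P_i)
    return b"".join(out[1:])

def cbc_decrypt(key, iv, c):
    cs = [iv] + blocks(c)
    m = b"".join(xor(cs[i - 1], D(key, cs[i])) for i in range(1, len(cs)))
    return m[:-m[-1]]                           # strip the pad

KEY = b"constructed demo key"
MSG = b"SSN=1234" * 3  # constructed: three identical 8-byte plaintext blocks
```

Under ECB the three identical plaintext blocks give three identical ciphertext blocks, and the 24-byte message grows to 32 bytes because block-aligned input needs a whole pad block. Under CBC the blocks all differ, but with a fixed IV the same message still encrypts to the same ciphertext every time; a fresh random IV per message removes that.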

Cipher feedback mode (basic version)
• Plaintext blocks: $p_1, p_2, \ldots$
• Key: $k$
• Basic idea: construct key stream $k_1, k_2, k_3, \ldots$
• Encryption:
$c_0 = IV$

$k_i = E_k(c_{i-1})$, for $i \ge 1$

$c_i = p_i \oplus k_i$, for $i \ge 1$

Cipher Feedback (CFB) Mode
• The plaintext is divided into segments of $s$ bits (where $s \le$ block-size): $P_1, P_2, P_3, P_4, \ldots$
• Encryption is used to generate a sequence of keys, each of $s$ bits: $K_1, K_2, K_3, K_4, \ldots$
• The ciphertext is $C_1, C_2, C_3, C_4, \ldots$, where
$C_i = P_i \oplus K_i$
• How to generate the key stream?

Generating Key Stream for CFB
• The input to the block cipher is a shift register $x$; its value at stage $i$ is denoted as $x_i$.
• Initially, $x_1 =$ an initial vector (IV).
  For $i > 1$, $x_i = \text{shift-left-}s\text{-bits}(x_{i-1}) \parallel C_{i-1}$.
• Then, $K_i = s\text{-most-significant-bits}(E_K(x_i))$.

[Figure: Encryption in CFB Mode]

Decryption in CFB Mode
• Generate key stream $K_1, K_2, K_3, K_4, \ldots$ the same way as for encryption.
• Then decrypt each ciphertext segment as:
$P_i = C_i \oplus K_i$

Remark on CFB
• The block cipher is used as a stream cipher.
• Appropriate when data arrives in bits/bytes.
• s can be any value; a common value is s = 8.
• A ciphertext segment depends on the current and
all preceding plaintext segments.
• A corrupted ciphertext segment during
transmission will affect the current and next
several plaintext segments.
– How many plaintext segments will be affected?

Output Feedback (OFB) Mode
• Very similar to Cipher Feedback in structure.
• But $K_{i-1}$ rather than $C_{i-1}$ is fed back to the next stage.
• As in CFB, the input to the block cipher is a shift register $x$; its value at stage $i$ is denoted as $x_i$.
• Initially, $x_1 =$ an initial vector (IV).
  For $i > 1$, $x_i = \text{shift-left-}s\text{-bits}(x_{i-1}) \parallel K_{i-1}$.
• Then, $K_i = s\text{-most-significant-bits}(E_K(x_i))$.

[Figure: Cipher Feedback; Output Feedback]

Remark on OFB
• The block cipher is used as a stream cipher.
• Appropriate when data arrives in bits/bytes.
• Advantage:
– more resistant to transmission errors; a bit error in a ciphertext
segment affects only the decryption of that segment.
• Disadvantage:
– Cannot recover from lost ciphertext segments; if a ciphertext
segment is lost, all following segments will be decrypted
incorrectly.
• IV should be generated randomly each time and sent with
the ciphertext.
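
An added example (not from the original slides) that works through the error-propagation question asked in the CFB remarks and contrasts it with OFB, following the shift-register definitions above with s = 8 bits and a 64-bit block. `E` is a keyed-hash stand-in for the block cipher, and all names and values are constructed.

```python
import hashlib, hmac

B, S = 8, 1  # block size and segment size in bytes (b = 64 bits, s = 8 bits)

def E(key, x):
    # Stand-in for E_K: a keyed PRF truncated to one block. CFB and OFB only
    # ever run the cipher forward, so no inverse is needed. Not a real cipher.
    return hmac.new(key, x, hashlib.sha256).digest()[:B]

def xor(a, b):
    return bytes(p ^ q for p, q in zip(a, b))

def segments(m):
    return [m[i:i + S] for i in range(0, len(m), S)]

def run(mode, key, iv, data, decrypt=False):
    x, out = iv, []                      # x_1 = IV
    for seg in segments(data):
        k = E(key, x)[:S]                # K_i = s most significant bits of E_K(x_i)
        res = xor(seg, k)                # C_i = P_i XOR K_i (or P_i = C_i XOR K_i)
        c = seg if decrypt else res      # the ciphertext segment at this stage
        fb = c if mode == "CFB" else k   # CFB feeds back C_i, OFB feeds back K_i
        x = x[S:] + fb                   # shift left s bits, append the feedback
        out.append(res)
    return b"".join(out)

def damaged_segments(mode, key, iv, msg, hit):
    # Encrypt, flip one bit of ciphertext segment `hit`, decrypt, and list the
    # indices of the plaintext segments that no longer match.
    c = bytearray(run(mode, key, iv, msg))
    c[hit * S] ^= 0x01
    got = run(mode, key, iv, bytes(c), decrypt=True)
    pairs = zip(segments(msg), segments(got))
    return [i for i, (want, have) in enumerate(pairs) if want != have]

KEY, IV = b"constructed demo key", bytes(range(B))  # constructed values
MSG = b"forty bytes of constructed plaintext...."
```

`damaged_segments("CFB", KEY, IV, MSG, 5)` reports segment 5 plus at most the next b/s = 8 segments, the stages during which the corrupted segment sits in the shift register; the OFB call reports only `[5]`.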

Counter Mode (CTR)
• A counter T is initialized to some IV and then
incremented by 1 for each subsequent plaintext
block.

• Encryption:
$T_1 = IV$
$T_i = T_{i-1} + 1$
$C_i = P_i \oplus E_K(T_i)$

Remark on CTR
• Strengths:
– Needs only the encryption algorithm (so do CFB and
OFB)
– Fast encryption/decryption; blocks can be processed
(encrypted or decrypted) in parallel; good for high
speed links
– Random access to encrypted data blocks
• As in OFB, IV should not be reused.
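
An added example (not from the original slides) of the CTR equations above, showing random access to a single block and what an observer learns when the same key and IV are used for two messages. `E` is a keyed-hash stand-in for the block cipher; the key, IV, messages and function names are constructed.

```python
import hashlib, hmac

B = 8  # block size in bytes (64-bit blocks)

def E(key, x):
    # Stand-in for E_K: keyed PRF truncated to one block. CTR never needs
    # the inverse of the cipher. Not a real cipher.
    return hmac.new(key, x, hashlib.sha256).digest()[:B]

def xor(a, b):
    return bytes(p ^ q for p, q in zip(a, b))

def ctr_block(key, iv, i, blk):
    # Process block i (1-based) alone: T_i = IV + (i - 1), C_i = P_i XOR E_K(T_i).
    # The same call decrypts, and no other block is needed (random access).
    t = (int.from_bytes(iv, "big") + i - 1) % (1 << (8 * B))
    return xor(blk, E(key, t.to_bytes(B, "big")))

def ctr(key, iv, data):
    # Whole-message CTR; each block is independent, so this loop could run
    # in parallel. A short final block needs no padding.
    n = -(-len(data) // B)  # number of blocks, rounding up
    return b"".join(ctr_block(key, iv, i, data[(i - 1) * B:i * B])
                    for i in range(1, n + 1))

def reuse_leak(key, iv, p1, p2):
    # Encrypt two messages under the same key AND the same IV, then XOR the
    # ciphertexts: the keystream cancels and P1 XOR P2 is exposed.
    return xor(ctr(key, iv, p1), ctr(key, iv, p2))

KEY = b"constructed demo key"
IV = bytes.fromhex("00000000fffffffe")   # constructed starting counter
P1 = b"pay alice 100 dollars now"        # constructed messages
P2 = b"pay bobby 999 dollars now"
```

`reuse_leak(KEY, IV, P1, P2)` equals `xor(P1, P2)` without any use of the key, which is why the IV must be unique per message under a given key.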

Stream Ciphers
[Figure: Stream Cipher Diagram]

Stream Ciphers
• Typically, process the plaintext byte by byte.
• So, the plaintext is a stream of bytes: $P_1, P_2, P_3, \ldots$
• Use a key $K$ as the seed to generate a sequence of pseudorandom bytes (keystream): $K_1, K_2, K_3, \ldots$
• The ciphertext is $C_1, C_2, C_3, C_4, \ldots$, where
$C_i = P_i \oplus K_i$
• Various stream ciphers differ in the way they generate keystreams.

Stream Ciphers

• For a stream cipher to be secure, the keystream
  – should have a large period, and
  – should be as random as possible, each of the 256 values appearing about equally often.
• The same keystream must not be reused. That is, the input key $K$ must be different for each plaintext.

The RC4 Stream Cipher
• Designed by Ron Rivest in 1987 for RSA
Security.
• Kept as a trade secret until leaked out in 1994.
• The most popular stream cipher.
• Simple and fast.
• With a 128-bit key, the period is $> 10^{100}$.
• Used in the SSL/TLS standards (for secure Web
communication), IEEE 802.11 wireless LAN
standard, Microsoft Point-to-Point Encryption,
and many others.

RC4
• Two vectors of bytes:
  – $S[0], S[1], S[2], \ldots, S[255]$
  – $T[0], T[1], T[2], \ldots, T[255]$
• Key: variable length, from 1 to 256 bytes
• Initialization:
  1. $S[i] \leftarrow i$, for $0 \le i \le 255$
  2. $T[i] \leftarrow K[i \bmod \text{key-length}]$, for $0 \le i \le 255$
     (i.e., fill up $T[0..255]$ with the key $K$ repeatedly.)

RC4: Initial Permutation
• Initial Permutation of S:
    j ← 0
    for i ← 0 to 255 do
        j ← (j + S[i] + T[i]) mod 256
        Swap S[i], S[j]
• This part of RC4 is generally known as the Key Scheduling Algorithm (KSA).
• After KSA, the input key and the temporary vector T will no longer be used.

RC4: Key Stream Generation
• Key stream generation:
    i, j ← 0
    while (true)
        i ← (i + 1) mod 256
        j ← (j + S[i]) mod 256
        Swap S[i], S[j]
        t ← (S[i] + S[j]) mod 256
        k ← S[t]
        output k

Security of RC4
• The keystream generated by RC4 is biased.
– The second byte is biased toward zero with high
probability.
– The first few bytes are strongly non-random and leak
information about the input key.
• Defense: discard the initial n bytes of the keystream.
– Called “RC4-drop[n-bytes]”.
– Recommended values for n = 256, 768, or 3072 bytes.
• Efforts are underway (e.g. the eSTREAM project) to
develop more secure stream ciphers.
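
An added example (not from the original slides) that implements the KSA and key stream generation exactly as written above, then measures the second-byte bias and the effect of RC4-drop[n]. The function names and the way test keys are derived are constructed for illustration; the KSA indexes the key as `key[i % len(key)]` instead of building the vector T, which is equivalent.

```python
import hashlib

def ksa(key):
    # Key Scheduling Algorithm: S starts as the identity permutation and is
    # shuffled under control of T[i] = K[i mod key-length].
    S, j = list(range(256)), 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    return S

def keystream(key, n, drop=0):
    # Return n keystream bytes after discarding the first `drop` bytes
    # (drop > 0 is the RC4-drop[n] defense from the slides).
    S, i, j, out = ksa(key), 0, 0, bytearray()
    for step in range(drop + n):
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        if step >= drop:
            out.append(S[(S[i] + S[j]) % 256])
    return bytes(out)

def rc4(key, data, drop=0):
    # Encryption and decryption are the same XOR with the keystream.
    return bytes(d ^ k for d, k in zip(data, keystream(key, len(data), drop)))

def second_byte_zero_rate(trials, drop=0):
    # Fraction of keys whose second output byte is 0. Keys are constructed:
    # SHA-256 of a counter, truncated to 128 bits, so the run is repeatable.
    hits = 0
    for t in range(trials):
        key = hashlib.sha256(t.to_bytes(4, "big")).digest()[:16]
        hits += keystream(key, 2, drop)[1] == 0
    return hits / trials
```

Over a few thousand keys, `second_byte_zero_rate(n)` comes out near 2/256, about twice the 1/256 expected of a uniform byte, and `second_byte_zero_rate(n, drop=256)` returns to about 1/256.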