Electronic Code Book (ECB)
• The plaintext is broken into blocks: P_1, P_2, P_3, ...
• Each block is encrypted independently of the other blocks:
C_i = E_K(P_i)
• For a given key, this mode behaves like we have a gigantic codebook, in which each plaintext block has an entry, hence the name Electronic Code Book.
Remarks on ECB
Cipher Block Chaining (CBC)
The plaintext is broken into blocks: P_1, P_2, P_3, ...
Each plaintext block is XORed (chained) with the previous ciphertext block before encryption (hence the name):
C_i = E_K(C_{i-1} XOR P_i)
C_0 = IV
Remarks on CBC
• The same key is used for all blocks.
• A ciphertext block depends on all blocks before it.
• So, repeated plaintext blocks are encrypted differently.
• Initialization Vector (IV)
– Must be known to both the sender & receiver
– Typically, IV is either a fixed value
– Or is sent encrypted in ECB mode before the rest of the message.
Message Padding
• The last plaintext block may be short of a whole block and needs padding:
• Possible padding:
– Known non-data values (e.g. nulls)
– Or a number indicating the size of the pad
– Or a number indicating the size of the plaintext
– The last two schemes may require an extra block.
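The two "number" schemes from the list above, as an added example (not code from the slides): each pads a 16-byte block, and each shows the case where a plaintext that already ends on a block boundary forces an extra block. The 4-byte length field in the second scheme is an assumption made here, not something the slides specify.

```python
BLOCK = 16   # block size in bytes

def pad_count(plaintext: bytes, block: int = BLOCK) -> bytes:
    # Scheme "number indicating the size of the pad": append n bytes each equal to n,
    # 1 <= n <= block. A plaintext that already ends on a block boundary still gets
    # n = block, i.e. one extra block of padding (the case noted on the slide).
    n = block - len(plaintext) % block
    return plaintext + bytes([n]) * n

def unpad_count(padded: bytes, block: int = BLOCK) -> bytes:
    # Reject anything that is not a whole number of blocks or has an inconsistent pad,
    # rather than trusting the last byte blindly.
    if not padded or len(padded) % block:
        raise ValueError("input is not a whole number of blocks")
    n = padded[-1]
    if not 1 <= n <= block or padded[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return padded[:-n]

def pad_length(plaintext: bytes, block: int = BLOCK) -> bytes:
    # Scheme "number indicating the size of the plaintext": zero-fill, then store the
    # plaintext length in the last 4 bytes (4 bytes is an assumption of this example).
    # If fewer than 4 bytes are free in the last block, this too spills into an extra block.
    fill = (-(len(plaintext) + 4)) % block
    return plaintext + b"\x00" * fill + len(plaintext).to_bytes(4, "big")

def unpad_length(padded: bytes, block: int = BLOCK) -> bytes:
    # The stored length must fit inside the data and the filler must really be zeros.
    if len(padded) < 4 or len(padded) % block:
        raise ValueError("input is not a whole number of blocks")
    n = int.from_bytes(padded[-4:], "big")
    if n > len(padded) - 4 or any(padded[n:-4]):
        raise ValueError("bad padding")
    return padded[:n]

def blocks_after_padding(plaintext: bytes, scheme=pad_count, block: int = BLOCK) -> int:
    # How many cipher blocks the padded message occupies under a given scheme.
    return len(scheme(plaintext, block)) // block
```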
Cipher feedback mode (basic version)
• Plaintext blocks: p_1, p_2, ...
• Key: k
• Basic idea: construct key stream k_1, k_2, k_3, ...
• Encryption:
c_0 = IV
k_i = E_k(c_{i-1}), for i ≥ 1
c_i = p_i XOR k_i, for i ≥ 1
Cipher Feedback (CFB) Mode
The plaintext is divided into segments of s bits (where s ≤ block size): P_1, P_2, P_3, P_4, ...
Encryption is used to generate a sequence of keys, each of s bits: K_1, K_2, K_3, K_4, ...
The ciphertext is C_1, C_2, C_3, C_4, ..., where
C_i = P_i XOR K_i
How to generate the key stream?
Generating Key Stream for CFB
The input to the block cipher is a shift register x; its value at stage i is denoted as x_i.
Encryption in CFB Mode
Decryption in CFB Mode
Generate key stream K_1, K_2, K_3, K_4, ... the same way as for encryption.
Then decrypt each ciphertext segment as:
P_i = C_i XOR K_i
Remark on CFB
• The block cipher is used as a stream cipher.
• Appropriate when data arrives in bits/bytes.
• s can be any value; a common value is s = 8.
• A ciphertext segment depends on the current and all preceding plaintext segments.
• A corrupted ciphertext segment during transmission will affect the current and next several plaintext segments.
– How many plaintext segments will be affected?
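An added example (not code from the slides) that answers the question above by simulation: CFB with the s-bit shift register x, one bit flipped in a ciphertext segment in transit, and a count of the plaintext segments that decrypt wrongly. It assumes a keyed hash truncated to one block as a stand-in for E_K, which is enough because CFB only ever calls the encryption direction; the key, IV and message are constructed sample values.

```python
import hashlib

BLOCK = 16   # block-cipher block size in bytes

def E(key: bytes, x: bytes) -> bytes:
    # Stand-in for the block cipher's E_K (assumption: a keyed hash truncated to one
    # block, not a real cipher). CFB only ever uses the encryption direction, so any
    # keyed pseudorandom function shows the mode's structure.
    return hashlib.sha256(key + x).digest()[:BLOCK]

def cfb_crypt(key: bytes, iv: bytes, data: bytes, seg: int = 1, decrypt: bool = False) -> bytes:
    # Shift register x starts as the IV; K_i is the leftmost s bits of E_K(x_i);
    # C_i = P_i XOR K_i; then x_{i+1} = (x_i << s) | C_i, i.e. drop the oldest s bits
    # and append the new ciphertext segment. Decryption feeds back the received C_i.
    # seg is the segment size in bytes (seg = 1 is the common s = 8).
    x = iv
    out = bytearray()
    for pos in range(0, len(data), seg):
        chunk = data[pos:pos + seg]
        k = E(key, x)[:len(chunk)]
        res = bytes(a ^ b for a, b in zip(chunk, k))
        fed_back = chunk if decrypt else res
        x = (x + fed_back)[-BLOCK:]
        out += res
    return bytes(out)

def corrupted_segments(key: bytes, iv: bytes, plaintext: bytes, seg: int, bad: int) -> list:
    # Flip one bit in ciphertext segment number `bad` (0-based) and list the plaintext
    # segments that then decrypt wrongly. Expected: segment `bad` itself plus the next
    # BLOCK/seg segments; after that the register has been refilled with good
    # ciphertext and decryption resynchronises on its own.
    ct = bytearray(cfb_crypt(key, iv, plaintext, seg))
    ct[bad * seg] ^= 0x01
    recovered = cfb_crypt(key, iv, bytes(ct), seg, decrypt=True)
    n = (len(plaintext) + seg - 1) // seg
    return [i for i in range(n)
            if recovered[i * seg:(i + 1) * seg] != plaintext[i * seg:(i + 1) * seg]]

if __name__ == "__main__":
    # Constructed sample values.
    key, iv = b"sixteen byte key", b"initial vector!!"
    msg = bytes(range(64))
    print("s = 8 bits, segment 5 corrupted :", corrupted_segments(key, iv, msg, 1, 5))
    print("s = 16 bits, segment 5 corrupted:", corrupted_segments(key, iv, msg, 2, 5))
```

With a 16-byte block and s = 8 the answer is 1 + 16/1 = 17 segments (5 through 21); with s = 16 it is 1 + 16/2 = 9.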
Output Feedback (OFB) Mode
Very similar to Cipher Feedback in structure.
But K_{i-1} rather than C_{i-1} is fed back to the next stage.
Output Feedback
Remark on OFB
• The block cipher is used as a stream cipher.
• Appropriate when data arrives in bits/bytes.
• Advantage:
– More resistant to transmission errors; a bit error in a ciphertext segment affects only the decryption of that segment.
• Disadvantage:
– Cannot recover from lost ciphertext segments; if a ciphertext segment is lost, all following segments will be decrypted incorrectly.
• IV should be generated randomly each time and sent with the ciphertext.
Counter Mode (CTR)
• A counter T is initialized to some IV and then incremented by 1 for each subsequent plaintext block.
• Encryption:
T_1 = IV
T_i = T_{i-1} + 1
C_i = P_i XOR E_K(T_i)
Remark on CTR
• Strengths:
– Needs only the encryption algorithm (so do CFB and OFB)
– Fast encryption/decryption; blocks can be processed (encrypted or decrypted) in parallel; good for high-speed links
– Random access to encrypted data blocks
• As in OFB, IV should not be reused.
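An added example (not code from the slides) of the two CTR properties just listed: each block is a function of (key, IV, block number) only, so a single block can be decrypted without the others, and reusing an IV under the same key makes the two ciphertexts' XOR equal the two plaintexts' XOR, which is why the rule exists. E_K is again a keyed hash stand-in, and the key, IV and messages are constructed sample values.

```python
import hashlib

BLOCK = 16   # block size in bytes

def E(key: bytes, block: bytes) -> bytes:
    # Stand-in for E_K (assumption: keyed hash truncated to one block, not a real cipher);
    # CTR, like OFB and CFB, never needs the decryption direction.
    return hashlib.sha256(key + block).digest()[:BLOCK]

def counter_block(iv: int, i: int) -> bytes:
    # T_1 = IV, T_i = T_{i-1} + 1, encoded as a 128-bit big-endian counter (wraps mod 2^128).
    return ((iv + i - 1) % (1 << (BLOCK * 8))).to_bytes(BLOCK, "big")

def ctr_block(key: bytes, iv: int, i: int, block: bytes) -> bytes:
    # C_i = P_i XOR E_K(T_i); the same call decrypts, since XOR is its own inverse.
    # Block i depends only on (key, IV, i): this is what allows parallel processing
    # and random access.
    return bytes(a ^ b for a, b in zip(block, E(key, counter_block(iv, i))))

def ctr_crypt(key: bytes, iv: int, data: bytes) -> bytes:
    # Whole-message version; every block could equally be computed on its own core.
    chunks = [data[p:p + BLOCK] for p in range(0, len(data), BLOCK)]
    return b"".join(ctr_block(key, iv, i + 1, c) for i, c in enumerate(chunks))

def decrypt_block_only(key: bytes, iv: int, ciphertext: bytes, i: int) -> bytes:
    # Random access: recover plaintext block i (1-based) from ciphertext block i alone.
    return ctr_block(key, iv, i, ciphertext[(i - 1) * BLOCK:i * BLOCK])

def iv_reuse_exposes_xor(key: bytes, iv: int, p1: bytes, p2: bytes) -> bool:
    # Why the IV must never repeat under one key: both messages get the same keystream
    # E_K(T_1), E_K(T_2), ..., so C_1 XOR C_2 equals P_1 XOR P_2 and the keystream
    # cancels out for anyone holding both ciphertexts.
    c1, c2 = ctr_crypt(key, iv, p1), ctr_crypt(key, iv, p2)
    xor = lambda a, b: bytes(x ^ y for x, y in zip(a, b))
    return xor(c1, c2) == xor(p1, p2)
```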
Stream Ciphers
Stream Cipher Diagram
Stream Ciphers
Typically, process the plaintext byte by byte.
So, the plaintext is a stream of bytes: P_1, P_2, P_3, ...
Use a key K as the seed to generate a sequence of pseudorandom bytes (keystream): K_1, K_2, K_3, ...
The ciphertext is C_1, C_2, C_3, C_4, ..., where
C_i = P_i XOR K_i
Various stream ciphers differ in the way they generate keystreams.
The RC4 Stream Cipher
• Designed by Ron Rivest in 1987 for RSA Security.
• Kept as a trade secret until leaked out in 1994.
• The most popular stream cipher.
• Simple and fast.
• With a 128-bit key, the period is > 10^100.
• Used in the SSL/TLS standards (for secure Web communication), the IEEE 802.11 wireless LAN standard, Microsoft Point-to-Point Encryption, and many others.
RC4
Two vectors of bytes:
S[0], S[1], S[2], ..., S[255]
T[0], T[1], T[2], ..., T[255]
Key: variable length, from 1 to 256 bytes
Initialization:
1. S[i] = i, for 0 ≤ i ≤ 255
2. T[i] = K[i mod key-length], for 0 ≤ i ≤ 255
(i.e., fill up T[0..255] with the key K repeatedly.)
RC4: Initial Permutation
Initial Permutation of S:
j = 0
for i = 0 to 255 do
    j = (j + S[i] + T[i]) mod 256
    Swap S[i], S[j]
This part of RC4 is generally known as the Key Scheduling Algorithm (KSA).
After KSA, the input key and the temporary vector T will no longer be used.
RC4: Key Stream Generation
Key stream generation:
i, j = 0
while (true)
    i = (i + 1) mod 256
    j = (j + S[i]) mod 256
    Swap S[i], S[j]
    t = (S[i] + S[j]) mod 256
    k = S[t]
    output k
Security of RC4
• The keystream generated by RC4 is biased.
– The second byte is biased toward zero with high probability.
– The first few bytes are strongly non-random and leak information about the input key.
• Defense: discard the initial n bytes of the keystream.
– Called “RC4-drop[n-bytes]”.
– Recommended values for n = 256, 768, or 3072 bytes.
• Efforts are underway (e.g. the eSTREAM project) to develop more secure stream ciphers.
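The KSA and key stream generation from the RC4 slides, together with the RC4-drop[n] defense and a measurement of the second-byte bias discussed in this section, as an added example (not code from the slides). The bias figure of about 2/256 for the second byte is the published estimate; the 16-byte random keys used to measure it are generated here only for the experiment.

```python
import os

def rc4_ksa(key: bytes) -> list:
    # Key Scheduling Algorithm as on the slides: S[i] = i, T[i] = K[i mod key-length],
    # then one pass of key-dependent swaps. The key and T are not used after this.
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1 to 256 bytes")
    S = list(range(256))
    T = [key[i % len(key)] for i in range(256)]
    j = 0
    for i in range(256):
        j = (j + S[i] + T[i]) % 256
        S[i], S[j] = S[j], S[i]
    return S

def rc4_keystream(key: bytes, drop: int = 0):
    # Key stream generation (PRGA). With drop = n this is RC4-drop[n]: the first n
    # keystream bytes are generated and thrown away before any are output.
    S = rc4_ksa(key)
    i = j = 0
    produced = 0
    while True:
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        k = S[(S[i] + S[j]) % 256]
        if produced >= drop:
            yield k
        produced += 1

def rc4_crypt(key: bytes, data: bytes, drop: int = 0) -> bytes:
    # Encryption and decryption are the same operation: XOR with the keystream.
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key, drop)))

def second_byte_zero_rate(trials: int) -> float:
    # Measure the bias named above: the fraction of random 16-byte keys whose second
    # keystream byte is 0. An ideal stream gives 1/256 (about 0.0039); RC4 gives
    # about 2/256, which is what discarding the initial bytes is meant to hide.
    zeros = 0
    for _ in range(trials):
        ks = rc4_keystream(os.urandom(16))
        next(ks)
        zeros += next(ks) == 0
    return zeros / trials
```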