Block Cipher Modes of Operation and Stream Ciphers

CSE 651: Introduction to Network Security

Abstract
• We will discuss
– How to use block ciphers? – RC4: a widely used stream cipher – Problems with WEP’s use of RC4

2

Modes of Operations

a message of 1000 bytes • NIST defines several ways to do it – called modes of operation 4 .g. DES encrypts 64-bit blocks • We need some way to encrypt a message of arbitrary length – e.g.How to use a block cipher? • Block ciphers encrypt fixed-size blocks – e.

Five Modes of Operation – Electronic codebook mode (ECB) – Cipher block chaining mode (CBC) – most popular – Output feedback mode (OFB) – Cipher feedback mode (CFB) – Counter mode (CTR) 5 .

• Possible padding: – – – – Known non-data values (e. 6 .. nulls) Or a number indicating the size of the pad Or a number indicating the size of the plaintext The last two schemes may require an extra block. P1. .g. P3. • The last block may be short of a whole block and needs padding.Message Padding • The plaintext message is broken into blocks.. P2.

P3.Electronic Code Book (ECB) • The plaintext is broken into blocks... this mode behaves like we have a gigantic codebook. hence the name Electronic Code Book 7 . . • Each block is encrypted independently: Ci = EK(Pi) • For a given key. P1. P2. in which each plaintext block has an entry.

g.Remarks on ECB • Strength: it’s simple. a temporary encryption key) 8 . if aligned with blocks. • Weakness: – Repetitive information contained in the plaintext may show in the ciphertext. an SSN) is encrypted (with the same key) and sent twice. • Typical application: secure transmission of short pieces of information (e. – If the same message (e.g. their ciphertexts are the same..

P2 .Cipher Block Chaining (CBC) • The plaintext is broken into blocks: P . 9 . • Decryption : Pi = Ci −1 ⊕ D K (Ci ) • Application : general block-oriented transmission.. P3 . .. 1 • Each plaintext block is XORed ( chained ) with the previous ciphertext block before encryption (hence the name): Ci = E K ( Ci −1 ⊕ Pi ) C0 = IV • Use an Initial Vector ( IV ) to start the process.

Cipher Block Chaining (CBC) 10 .

• So. • Initialization Vector (IV) – Must be known to both the sender & receiver – Typically.Remarks on CBC • The encryption of a block depends on the current and all blocks before it. repeated plaintext blocks are encrypted differently. 11 . IV is either a fixed value or is sent encrypted in ECB mode before the rest of ciphertext.

.. and encrypt Pi as Ci = Pi ⊕ Ki .. 12 . K 2 .. K 2 .. K3 .... Ek ( x ) is unknown to the adversary. K3 . we may use Ek to generate 1 a key stream (a sequence of "masks") K1 . • Three different ways to generate K1 . P2 ..• Without knowing the key k .. P3 . for any data block x. • To encrypt P ..

… • Key: k • Basic idea: construct key stream k1. for i ≥ 1  ci = pi ⊕ ki . for i ≥ 1  13 . k2. k3.Cipher feedback mode (basic version) • Plaintext blocks: p1. … • Encryption: c0 = IV   ki = Ek (ci −1 ). p2.

K 3 . …. K 4 . where Ci = Pi ⊕ K i • How to generate the key stream? 14 . P4 .Cipher Feedback (CFB) Mode • The plaintext is a sequence of segments of s bits (where s ≤ block-size): P . … 1 • Encryption is used to generate a sequence of keys. C2 . C3 . … • The ciphertext is C1 . P3 . K 2 . each of s bits: K1 . P2 . C4 .

• Then. its value at stage i is denoted as xi . • Initially. x1 = an initial vector (IV). xi = shift-left-s -bits(xi −1 ) PCi −1 . For i > 1. 15 . K i = s -most-significant-bits(E K ( xi )).Generating Key Stream for CFB • The input to the block cipher is a shift register x.

Encryption in CFB Mode 16 .

K 2 . K 3 .Decryption in CFB Mode • Generate key stream K1 . • Then decrypt each ciphertext segment as: Pi = Ci ⊕ K i 17 . K 4 . … the same way as for encryption.

a common value is s = 8. • A corrupted ciphertext segment during transmission will affect the current and next several plaintext segments.Remark on CFB • • • • The block cipher is used as a stream cipher. – How many plaintext segments will be affected? 18 . A ciphertext segment depends on the current and all preceding plaintext segments. s can be any value. Appropriate when data arrives in bits/bytes.

… • Key: k • Basic idea: construct key stream k1. … • Encryption:  k0 = IV    ki = Ek (ki −1 ). k2. for i ≥ 1   ci = pi ⊕ ki . for i ≥ 1  19 . p2.Output feedback mode (basic version) • Plaintext blocks: p1. k3.

Output Feedback (OFB) Mode • Very similar to Cipher Feedback in structure. its value at stage i is denoted as xi . K i = s -most-significant-bits(E K ( xi )). • But K i −1 rather than Ci −1 is fed back to the next stage. • As in CFB. For i > 1. 20 . • Initially. the input to the block cipher is a shift register x. x1 = an initial vector (IV). xi = shift-left-s -bits(xi −1 ) P Ki −1. • Then.

Cipher Feedback Output Feedback 21 .

• IV should be generated randomly each time and sent with the ciphertext. all following segments will be decrypted incorrectly (if the receiver is not aware of the segment loss). • Advantage: – more resistant to transmission errors. 22 . if a ciphertext segment is lost.Remark on OFB • The block cipher is used as a stream cipher. • Appropriate when data arrives in bits/bytes. • Disadvantage: – Cannot recover from lost ciphertext segments. a bit error in a ciphertext segment affects only the decryption of that segment.

. . C2.. k3. C1. … • Encryption: T1 = IV (random) Ti = IV + i . k2.1 Ci = Pi ♁ EK(Ti) C = (IV. p2. C3. p3. … • Key: k • Basic idea: construct key stream k1.) 23 .Counter Mode (CTR) • Plaintext blocks: p1.

Remark on CTR • Strengthes: – Needs only the encryption algorithm – Fast encryption/decryption. good for high speed links – Random access to encrypted data blocks • IV should not be reused. blocks can be processed (encrypted or decrypted) in parallel. 24 .

Stream Ciphers .

Vernam’s one-time pad cipher • Key = k1k2k3k4 K (random. used one-time only) • Plaintext = m1m2 m3m4 K • Ciphertext = c1c2c3c4 K where ci = mi ⊕ ki • Can be proved to be unconditionally secure. 26 .

Stream Cipher Diagram 27 .

• So. process the plaintext byte by byte. C2 . … • The ciphertext is C1 .Stream Ciphers • Typically. C4 . P3 . K 2 . 28 . the plaintext is a stream of bytes: P . where Ci = Pi ⊕ Ki • Various stream ciphers differ in the way they generate keystreams. P2 . K 3 . C3 . …. … 1 • Use a key K as the seed to generate a sequence of pseudorandom bytes (keystream): K1 .

the keystream g should have a large period.Stream Ciphers • For a stream cipher to be secure. and g should be as random as possible. the input key K must be different for each plaintext (if the pseudorandom generator is deterministic). • The same keystream must not be reused. each of the 256 values appearing about equally often. 29 . That is.

11 wireless LAN standard. • Kept as a trade secret until leaked out in 1994. • Used in the SSL/TLS standards (for secure Web communication). • The most popular stream cipher. • With a 128 bits key.The RC4 Stream Cipher • Designed by Ron Rivest in 1987 for RSA Security. IEEE 802. Microsoft Point-to-Point Encryption. the period is > 10100 . and many others. • Simple and fast. 30 .

) 31 . K . S [2]. T [255] • Key: variable length. K . T [2]..RC4 • Two vectors of bytes: − S [0]. for 0 ≤ i ≤ 255 (i.. S [255] − T [0]. fill up T [0. from 1 to 256 bytes • Initialization: 1. S [i ] ← i. T [i ] ← K [i mod key-length]. T [1].255] with the key K repeatedly.e. for 0 ≤ i ≤ 255 2. S [1].

the input key and the temporary vector T will no longer be used. • After KSA. S [ j ] • This part of RC4 is generally known as the Key Scheduling Algorithm (KSA).RC4: Initial Permutation • Initial Permutation of S : j←0 for i ← 0 to 255 do j ← ( j + S [i ] + T [i ] ) mod 256 Swap S [i ]. 32 .

RC4: Key Stream Generation • Key stream generation: i. S [ j ] t ← ( S [i ] + S [ j ] ) mod 256 k ← S [t ] output k 33 . j ← 0 while (true) i ← ( i + 1 ) mod 256 j ← ( j + S [i ] ) mod 256 Swap S [i ].

the eSTREAM project) to develop more secure stream ciphers. – The first few bytes are strongly non-random and leak information about the input key. 34 . – Recommended values for n = 256. • Defense: discard the initial n bytes of the keystream. or 3072 bytes. • Efforts are underway (e. – Called “RC4-drop[n-bytes]”.g. – The second byte is biased toward zero with high probability. 768.Security of RC4 • The keystream generated by RC4 is biased.

RC4 and WEP • WEP is a protocol using RC4 to encrypt packets for transmission over IEEE 802. • WEP requires each packet to be encrypted with a separate RC4 key. l RC4 key: IV (24) Long-term key (40 or 104 bits) 35 .11 wireless LAN. • The RC4 key for each packet is a concatenation of a 24-bit IV (initialization vector) and a 40 or 104-bit longterm key.

11 frames using WEP Header IV l Packet ICV FCS encrypted • ICV: integrity check value (for data integrity) • FCS: frame check sequence (for error detection) • Both use CRC32 36 .802.

• There is an article.• WEP has been shown to be insecure.” discussing how to discover the RC4 key by analyzing encrypted ARP packets. 37 . “Breaking 104 bit WEP in less than 60 seconds.

Sign up to vote on this title
UsefulNot useful