Block Cipher Modes of Operation and Stream Ciphers CSE 651: Introduction to Network Security

Mar 29, 2015


Ezekiel Legan

Block Cipher Modes of Operation and Stream Ciphers

CSE 651: Introduction to Network Security


Abstract

• We will discuss

– How to use block ciphers?

– RC4: a widely used stream cipher

– Problems with WEP’s use of RC4


Modes of Operations


How to use a block cipher?

• Block ciphers encrypt fixed-size blocks

– e.g. DES encrypts 64-bit blocks

• We need some way to encrypt a message of arbitrary length

– e.g. a message of 1000 bytes

• NIST defines several ways to do it

– called modes of operation


Five Modes of Operation

– Electronic codebook mode (ECB)

– Cipher block chaining mode (CBC) – most popular

– Output feedback mode (OFB)

– Cipher feedback mode (CFB)

– Counter mode (CTR)


Message Padding

• The plaintext message is broken into blocks, P1, P2, P3, ...

• The last block may be short of a whole block and needs padding.

• Possible padding:

– Known non-data values (e.g. nulls)

– Or a number indicating the size of the pad

– Or a number indicating the size of the plaintext

– The last two schemes may require an extra block.


Electronic Code Book (ECB)

• The plaintext is broken into blocks, P1, P2, P3, ...

• Each block is encrypted independently:

$C_i = E_K(P_i)$

• For a given key, this mode behaves like we have a gigantic codebook, in which each plaintext block has an entry, hence the name Electronic Code Book


Remarks on ECB

• Strength: it’s simple.

• Weakness:

– Repetitive information contained in the plaintext may show in the ciphertext, if aligned with blocks.

– If the same message (e.g., an SSN) is encrypted (with the same key) and sent twice, their ciphertexts are the same.

• Typical application: secure transmission of short pieces of information (e.g. a temporary encryption key)


Cipher Block Chaining (CBC)

The plaintext is broken into blocks: $P_1, P_2, P_3, \ldots$

Each plaintext block is XORed (chained) with the previous ciphertext block before encryption (hence the name):

$C_i = E_K(C_{i-1} \oplus P_i)$, with $C_0 = \mathrm{IV}$

Use an Initial Vector (IV) to start the process.

Decryption: $P_i = C_{i-1} \oplus D_K(C_i)$

Application: general block-oriented transmission.


Cipher Block Chaining (CBC)


Remarks on CBC

• The encryption of a block depends on the current and all blocks before it.

• So, repeated plaintext blocks are encrypted differently.

• Initialization Vector (IV)

– Must be known to both the sender & receiver

– Typically, IV is either a fixed value or is sent encrypted in ECB mode before the rest of ciphertext.


Without knowing the key $k$, for any data block $x$, $E_k(x)$ is unknown to the adversary.

To encrypt $P_1, P_2, P_3, \ldots$, we may use $E_k$ to generate a key stream (a sequence of "masks") $K_1, K_2, K_3, \ldots$, and encrypt $P_i$ as $C_i = P_i \oplus K_i$.

Three different ways to generate $K_1, K_2, K_3, \ldots$


Cipher feedback mode (basic version)

• Plaintext blocks: p1, p2, …

• Key: k

• Basic idea: construct key stream k1, k2, k3, …

• Encryption:

$c_0 = \mathrm{IV}$

$k_i = E_k(c_{i-1})$, for $i \ge 1$

$c_i = p_i \oplus k_i$, for $i \ge 1$


Cipher Feedback (CFB) Mode

The plaintext is a sequence of segments of $s$ bits (where $s \le$ block-size): $P_1, P_2, P_3, P_4, \ldots$

Encryption is used to generate a sequence of keys, each of $s$ bits: $K_1, K_2, K_3, K_4, \ldots$

The ciphertext is $C_1, C_2, C_3, C_4, \ldots$, where $C_i = P_i \oplus K_i$.

How to generate the key stream?


Generating Key Stream for CFB

The input to the block cipher is a shift register $x$; its value at stage $i$ is denoted as $x_i$.

Initially, $x_1 =$ an initial vector (IV).

For $i > 1$, $x_i = \text{shift-left-}s\text{-bits}(x_{i-1}) \,\|\, C_{i-1}$.

Then, $K_i = s\text{-most-significant-bits}(E_K(x_i))$.


Encryption in CFB Mode


Decryption in CFB Mode

Generate key stream $K_1, K_2, K_3, K_4, \ldots$ the same way as for encryption.

Then decrypt each ciphertext segment as:

$P_i = C_i \oplus K_i$


Remark on CFB

• The block cipher is used as a stream cipher.

• Appropriate when data arrives in bits/bytes.

• s can be any value; a common value is s = 8.

• A ciphertext segment depends on the current and all preceding plaintext segments.

• A corrupted ciphertext segment during transmission will affect the current and next several plaintext segments.

– How many plaintext segments will be affected?


Output feedback mode (basic version)

• Plaintext blocks: p1, p2, …

• Key: k

• Basic idea: construct key stream k1, k2, k3, …

• Encryption:

$k_0 = \mathrm{IV}$

$k_i = E_k(k_{i-1})$, for $i \ge 1$

$c_i = p_i \oplus k_i$, for $i \ge 1$


Output Feedback (OFB) Mode

Very similar to Cipher Feedback in structure.

But $K_{i-1}$ rather than $C_{i-1}$ is fed back to the next stage.

As in CFB, the input to the block cipher is a shift register $x$; its value at stage $i$ is denoted as $x_i$.

Initially, $x_1 =$ an initial vector (IV).

For $i > 1$, $x_i = \text{shift-left-}s\text{-bits}(x_{i-1}) \,\|\, K_{i-1}$.

Then, $K_i = s\text{-most-significant-bits}(E_K(x_i))$.


[Figure: Cipher Feedback and Output Feedback]


Remark on OFB

• The block cipher is used as a stream cipher.

• Appropriate when data arrives in bits/bytes.

• Advantage:

– more resistant to transmission errors; a bit error in a ciphertext segment affects only the decryption of that segment.

• Disadvantage:

– Cannot recover from lost ciphertext segments; if a ciphertext segment is lost, all following segments will be decrypted incorrectly (if the receiver is not aware of the segment loss).

• IV should be generated randomly each time and sent with the ciphertext.
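The error-propagation remarks on CFB and OFB, as an added example that is not part of the original slides: it runs both shift-register modes with b = 64 and s = 8, flips one bit of one ciphertext segment, and lists which plaintext segments decrypt wrongly. OFB confines the damage to that one segment; CFB damages it plus the segments decrypted while the bad segment is still in the register, at most 1 + b/s = 9 here. The function `E` is a keyed-hash stand-in for the block cipher and all sample values are constructed.

```python
import hashlib

B = 8  # block size b = 64 bits; segment size s = 8 bits (one byte)

def E(key, x):
    # Stand-in for E_K (assumption of this example): CFB and OFB only use the
    # encryption direction, so a keyed hash truncated to b bits is enough to
    # study the feedback structure. It is not a real block cipher.
    return hashlib.sha256(key + x).digest()[:B]

def cfb(key, iv, data, decrypt=False):
    x, out = iv, bytearray()                # x_1 = IV
    for seg in data:
        k = E(key, x)[0]                    # K_i = s most significant bits of E_K(x_i)
        res = seg ^ k
        c = seg if decrypt else res         # the ciphertext segment C_i ...
        x = x[1:] + bytes([c])              # ... is shifted into the register
        out.append(res)
    return bytes(out)

def ofb(key, iv, data):
    # Same register, but K_i is fed back instead of C_i, so the key stream does
    # not depend on the data and decryption is the same call as encryption.
    x, out = iv, bytearray()
    for seg in data:
        k = E(key, x)[0]
        x = x[1:] + bytes([k])
        out.append(seg ^ k)
    return bytes(out)

def flip_bit(ct, i):
    # Simulate a transmission error in ciphertext segment i.
    return ct[:i] + bytes([ct[i] ^ 0x01]) + ct[i + 1:]

def damaged(plain, recovered):
    return [i for i, (a, b) in enumerate(zip(plain, recovered)) if a != b]

KEY, IV = b"demo-key", bytes(B)             # constructed sample values
PLAIN = bytes(range(32))                    # 32 one-byte plaintext segments

def cfb_damage(i=5):
    ct = flip_bit(cfb(KEY, IV, PLAIN), i)
    return damaged(PLAIN, cfb(KEY, IV, ct, decrypt=True))

def ofb_damage(i=5):
    ct = flip_bit(ofb(KEY, IV, PLAIN), i)
    return damaged(PLAIN, ofb(KEY, IV, ct))
```

A segment inside the CFB damage window can still decrypt correctly by a 1-in-256 coincidence, so the window is an upper bound rather than an exact count.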


Counter Mode (CTR)

• Plaintext blocks: p1, p2, p3, …

• Key: k

• Basic idea: construct key stream k1, k2, k3, …

• Encryption:

$T_1 = \mathrm{IV}$ (random)

$T_i = \mathrm{IV} + i - 1$

$C_i = P_i \oplus E_K(T_i)$

$C = (\mathrm{IV}, C_1, C_2, C_3, \ldots)$


Remark on CTR

• Strengths:

– Needs only the encryption algorithm

– Fast encryption/decryption; blocks can be processed (encrypted or decrypted) in parallel; good for high-speed links

– Random access to encrypted data blocks

• IV should not be reused.


Stream Ciphers


Vernam’s one-time pad cipher

Key = $k_1 k_2 k_3 k_4 \ldots$ (random, used one-time only)

Plaintext = $m_1 m_2 m_3 m_4 \ldots$

Ciphertext = $c_1 c_2 c_3 c_4 \ldots$

where $c_i = m_i \oplus k_i$

Can be proved to be unconditionally secure.


Stream Cipher Diagram


Stream Ciphers

Typically, process the plaintext byte by byte.

So, the plaintext is a stream of bytes: $P_1, P_2, P_3, \ldots$

Use a key $K$ as the seed to generate a sequence of pseudorandom bytes (keystream): $K_1, K_2, K_3, \ldots$

The ciphertext is $C_1, C_2, C_3, C_4, \ldots$, where $C_i = P_i \oplus K_i$.

Various stream ciphers differ in the way they generate keystreams.


Stream Ciphers

For a stream cipher to be secure, the keystream should have a large period, and should be as random as possible, each of the 256 values appearing about equally often.

The same keystream must not be reused. That is, the input key $K$ must be different for each plaintext (if the pseudorandom generator is deterministic).


The RC4 Stream Cipher

• Designed by Ron Rivest in 1987 for RSA Security.

• Kept as a trade secret until leaked out in 1994.

• The most popular stream cipher.

• Simple and fast.

• With a 128-bit key, the period is > $10^{100}$.

• Used in the SSL/TLS standards (for secure Web communication), IEEE 802.11 wireless LAN standard, Microsoft Point-to-Point Encryption, and many others.


RC4

Two vectors of bytes:

    S[0], S[1], S[2], …, S[255]
    T[0], T[1], T[2], …, T[255]

Key: variable length, from 1 to 256 bytes

Initialization:

    1. S[i] ← i, for 0 ≤ i ≤ 255
    2. T[i] ← K[i mod key-length], for 0 ≤ i ≤ 255

(i.e., fill up T[0..255] with the key K repeatedly.)


RC4: Initial Permutation

Initial Permutation of S:

    j ← 0
    for i ← 0 to 255 do
        j ← (j + S[i] + T[i]) mod 256
        Swap S[i], S[j]

This part of RC4 is generally known as the Key Scheduling Algorithm (KSA).

After KSA, the input key and the temporary vector T will no longer be used.


RC4: Key Stream Generation

Key stream generation:

    i, j ← 0
    while (true)
        i ← (i + 1) mod 256
        j ← (j + S[i]) mod 256
        Swap S[i], S[j]
        t ← (S[i] + S[j]) mod 256
        k ← S[t]
        output k


Security of RC4

• The keystream generated by RC4 is biased.

– The second byte is biased toward zero with high probability.

– The first few bytes are strongly non-random and leak information about the input key.

• Defense: discard the initial n bytes of the keystream.

– Called “RC4-drop[n-bytes]”.

– Recommended values for n = 256, 768, or 3072 bytes.

• Efforts are underway (e.g. the eSTREAM project) to develop more secure stream ciphers.


RC4 and WEP

• WEP is a protocol using RC4 to encrypt packets for transmission over IEEE 802.11 wireless LAN.

• WEP requires each packet to be encrypted with a separate RC4 key.

• The RC4 key for each packet is a concatenation of a 24-bit IV (initialization vector) and a 40 or 104-bit long-term key.

RC4 key: IV (24 bits) | Long-term key (40 or 104 bits)
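An added example, not part of the original slides, that implements the RC4 initialization, KSA and key stream generation described above, the RC4-drop[n-bytes] defense, and the WEP per-packet key. Because the long-term key stays fixed, two packets sent with the same 24-bit IV get the same key stream, which the stream cipher slides say must not be reused. The names `wep_encrypt` and `LONG_TERM` and the sample packets are constructed for illustration.

```python
def ksa(key):
    # Initialization and initial permutation (KSA), as on the slides.
    S = list(range(256))
    T = [key[i % len(key)] for i in range(256)]
    j = 0
    for i in range(256):
        j = (j + S[i] + T[i]) % 256
        S[i], S[j] = S[j], S[i]
    return S

def keystream(key, n, drop=0):
    # Key stream generation; drop > 0 discards the first bytes (RC4-drop).
    S, i, j, out = ksa(key), 0, 0, bytearray()
    for _ in range(drop + n):
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % 256])
    return bytes(out[drop:])

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def rc4(key, data, drop=0):
    # C_i = P_i xor K_i; the same call decrypts.
    return xor(data, keystream(key, len(data), drop))

def wep_encrypt(iv, long_term_key, packet):
    # Per-packet RC4 key = 24-bit IV || long-term key. The ICV is left out.
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    return rc4(iv + long_term_key, packet)

LONG_TERM = bytes.fromhex("0102030405")     # constructed 40-bit long-term key
P1 = b"constructed packet #1"               # constructed sample packets
P2 = b"constructed packet #2"

def keystream_cancels(iv1, iv2):
    # True when C1 xor C2 equals P1 xor P2, i.e. both packets were masked
    # with the same key stream and it drops out of the XOR.
    c1 = wep_encrypt(iv1, LONG_TERM, P1)
    c2 = wep_encrypt(iv2, LONG_TERM, P2)
    return xor(c1, c2) == xor(P1, P2)
```

A 24-bit IV allows only 2^24 = 16,777,216 distinct per-packet keys under one long-term key, so the per-packet keys cannot stay distinct on a busy link.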


802.11 frames using WEP

Frame layout: Header | IV | Packet | ICV | FCS (part of the frame is marked “encrypted” in the original figure)

• ICV: integrity check value (for data integrity)

• FCS: frame check sequence (for error detection)

• Both use CRC32


• WEP has been shown to be insecure.

• There is an article, “Breaking 104 bit WEP in less than 60 seconds,” discussing how to discover the RC4 key by analyzing encrypted ARP packets.