Block Cipher Modes of Operation and Stream Ciphers CSE 651: Introduction to Network Security
Feb 03, 2016
Abstract
• We will discuss
– How to use block ciphers?
– RC4: a widely used stream cipher
– Problems with WEP’s use of RC4
Modes of Operations
How to use a block cipher?
• Block ciphers encrypt fixed-size blocks
– e.g. DES encrypts 64-bit blocks
• We need some way to encrypt a message of arbitrary length
– e.g. a message of 1000 bytes
• NIST defines several ways to do it
– called modes of operation
Five Modes of Operation
– Electronic codebook mode (ECB)
– Cipher block chaining mode (CBC) – most popular
– Output feedback mode (OFB)
– Cipher feedback mode (CFB)
– Counter mode (CTR)
Message Padding
• The plaintext message is broken into blocks, P1, P2, P3, ...
• The last block may be short of a whole block and needs padding.
• Possible padding:
– Known non-data values (e.g. nulls)
– Or a number indicating the size of the pad
– Or a number indicating the size of the plaintext
– The last two schemes may require an extra block.
Electronic Code Book (ECB)
• The plaintext is broken into blocks, P1, P2, P3, ...
• Each block is encrypted independently:
Ci = EK(Pi)
• For a given key, this mode behaves like we have a gigantic codebook, in which each plaintext block has an entry, hence the name Electronic Code Book
Remarks on ECB
• Strength: it’s simple.
• Weakness:
– Repetitive information contained in the plaintext may show in the ciphertext, if aligned with blocks.
– If the same message (e.g., an SSN) is encrypted (with the same key) and sent twice, their ciphertexts are the same.
• Typical application: secure transmission of short pieces of information (e.g. a temporary encryption key)
Cipher Block Chaining (CBC)
The plaintext is broken into blocks: $P_1, P_2, P_3, \ldots$
Each plaintext block is XORed (chained) with the previous ciphertext block before encryption (hence the name):
$C_i = E_K(C_{i-1} \oplus P_i)$, with $C_0 = \mathrm{IV}$
Use an Initial Vector IV to start the process.
Decryption: $P_i = C_{i-1} \oplus D_K(C_i)$
Application: general block-oriented transmission.
[Figure: Cipher Block Chaining (CBC)]
Remarks on CBC
• The encryption of a block depends on the current and all blocks before it.
• So, repeated plaintext blocks are encrypted differently.
• Initialization Vector (IV)
– Must be known to both the sender & receiver
– Typically, IV is either a fixed value or is sent encrypted in ECB mode before the rest of ciphertext.
Without knowing the key $k$, for any data block $x$, $E_k(x)$ is unknown to the adversary.
To encrypt $P_1, P_2, P_3, \ldots$, we may use $E_k$ to generate a key stream (a sequence of "masks") $K_1, K_2, K_3, \ldots$, and encrypt $P_i$ as $C_i = P_i \oplus K_i$.
Three different ways to generate $K_1, K_2, K_3, \ldots$
Cipher feedback mode (basic version)
• Plaintext blocks: p1, p2, …
• Key: k
• Basic idea: construct key stream k1, k2, k3, …
• Encryption:
$c_0 = \mathrm{IV}$
$k_i = E_k(c_{i-1})$, for $i \ge 1$
$c_i = p_i \oplus k_i$, for $i \ge 1$
Cipher Feedback (CFB) Mode
The plaintext is a sequence of segments of $s$ bits (where $s \le$ block-size): $P_1, P_2, P_3, P_4, \ldots$
Encryption is used to generate a sequence of keys, each of $s$ bits: $K_1, K_2, K_3, K_4, \ldots$
The ciphertext is $C_1, C_2, C_3, C_4, \ldots$, where $C_i = P_i \oplus K_i$.
How to generate the key stream?
Generating Key Stream for CFB
The input to the block cipher is a shift register $x$; its value at stage $i$ is denoted as $x_i$.
Initially, $x_1 =$ an initial vector (IV).
For $i > 1$, $x_i = \text{shift-left-}s\text{-bits}(x_{i-1}) \,\|\, C_{i-1}$.
Then, $K_i = s\text{-most-significant-bits}(E_K(x_i))$.
[Figure: Encryption in CFB Mode]
Decryption in CFB Mode
Generate key stream $K_1, K_2, K_3, K_4, \ldots$ the same way as for encryption.
Then decrypt each ciphertext segment as: $P_i = C_i \oplus K_i$
Remark on CFB
• The block cipher is used as a stream cipher.
• Appropriate when data arrives in bits/bytes.
• s can be any value; a common value is s = 8.
• A ciphertext segment depends on the current and all preceding plaintext segments.
• A corrupted ciphertext segment during transmission will affect the current and next several plaintext segments.
– How many plaintext segments will be affected?
Output feedback mode (basic version)
• Plaintext blocks: p1, p2, …
• Key: k
• Basic idea: construct key stream k1, k2, k3, …
• Encryption:
$k_0 = \mathrm{IV}$
$k_i = E_k(k_{i-1})$, for $i \ge 1$
$c_i = p_i \oplus k_i$, for $i \ge 1$
Output Feedback (OFB) Mode
Very similar to Cipher Feedback in structure.
But $K_{i-1}$ rather than $C_{i-1}$ is fed back to the next stage.
As in CFB, the input to the block cipher is a shift register $x$; its value at stage $i$ is denoted as $x_i$.
Initially, $x_1 =$ an initial vector (IV).
For $i > 1$, $x_i = \text{shift-left-}s\text{-bits}(x_{i-1}) \,\|\, K_{i-1}$.
Then, $K_i = s\text{-most-significant-bits}(E_K(x_i))$.
[Figure: Cipher Feedback and Output Feedback]
Remark on OFB
• The block cipher is used as a stream cipher.
• Appropriate when data arrives in bits/bytes.
• Advantage:
– more resistant to transmission errors; a bit error in a ciphertext segment affects only the decryption of that segment.
• Disadvantage:
– Cannot recover from lost ciphertext segments; if a ciphertext segment is lost, all following segments will be decrypted incorrectly (if the receiver is not aware of the segment loss).
• IV should be generated randomly each time and sent with the ciphertext.
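The CFB and OFB shift-register constructions above, with the effect of one flipped ciphertext bit on decryption, as an added Python example (not code from the original slides). Assumptions: truncated HMAC-SHA256 stands in for E_K, the block is 64 bits, segments are s bytes (default 2), and all names, keys and data are constructed for illustration.

```python
import hashlib
import hmac

BLOCK = 8  # block size in bytes (64 bits, as with DES)

def E(key: bytes, x: bytes) -> bytes:
    # Assumption: HMAC-SHA256 truncated to one block stands in for E_K.
    # CFB and OFB only ever call the cipher in the encryption direction.
    return hmac.new(key, x, hashlib.sha256).digest()[:BLOCK]

def feedback_mode(key, iv, data, s, mode, decrypt=False):
    """CFB or OFB over s-byte segments, using the shift register x."""
    x, out = iv, bytearray()                     # x_1 = IV
    for off in range(0, len(data), s):
        seg = data[off:off + s]
        k = E(key, x)[:s]                        # K_i = s most significant bytes
        res = bytes(a ^ b for a, b in zip(seg, k))
        out += res
        if mode == "cfb":
            fb = seg if decrypt else res         # feed back ciphertext C_i
        else:
            fb = k                               # OFB feeds back K_i
        x = (x + fb)[-BLOCK:]                    # shift left s bytes, append
    return bytes(out)

def damaged_segments(mode, s=2, n=32, hit=5):
    """Indices of plaintext segments that decrypt wrongly after one bit
    of ciphertext segment `hit` is flipped in transit."""
    key, iv = b"constructed key", bytes(BLOCK)   # constructed sample values
    pt = bytes(range(n))                         # constructed plaintext
    ct = bytearray(feedback_mode(key, iv, pt, s, mode))
    ct[hit * s] ^= 0x01
    got = feedback_mode(key, iv, bytes(ct), s, mode, decrypt=True)
    return [i for i in range(n // s)
            if got[i * s:(i + 1) * s] != pt[i * s:(i + 1) * s]]

if __name__ == "__main__":
    print("CFB:", damaged_segments("cfb"))   # the hit segment plus BLOCK/s more
    print("OFB:", damaged_segments("ofb"))   # only the hit segment
```

In CFB the corrupted segment stays in the shift register for block-size/s further stages, so those segments are garbled as well; in OFB the key stream never depends on the ciphertext.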
Counter Mode (CTR)
• Plaintext blocks: p1, p2, p3, …
• Key: k
• Basic idea: construct key stream k1, k2, k3, …
• Encryption:
T1 = IV (random)
Ti = IV + i - 1
Ci = Pi ⊕ EK(Ti)
C = (IV, C1, C2, C3, ...)
Remark on CTR
• Strengths:
– Needs only the encryption algorithm
– Fast encryption/decryption; blocks can be processed (encrypted or decrypted) in parallel; good for high speed links
– Random access to encrypted data blocks
• IV should not be reused.
Stream Ciphers
Vernam’s one-time pad cipher
Key = $k_1 k_2 k_3 k_4 \ldots$ (random, used one-time only)
Plaintext = $m_1 m_2 m_3 m_4 \ldots$
Ciphertext = $c_1 c_2 c_3 c_4 \ldots$, where $c_i = m_i \oplus k_i$
Can be proved to be unconditionally secure.
[Figure: Stream Cipher Diagram]
Stream Ciphers
Typically, process the plaintext byte by byte.
So, the plaintext is a stream of bytes: $P_1, P_2, P_3, \ldots$
Use a key $K$ as the seed to generate a sequence of pseudorandom bytes (keystream): $K_1, K_2, K_3, \ldots$
The ciphertext is $C_1, C_2, C_3, C_4, \ldots$, where $C_i = P_i \oplus K_i$.
Various stream ciphers differ in the way they generate keystreams.
Stream Ciphers
For a stream cipher to be secure, the keystream
– should have a large period, and
– should be as random as possible, each of the 256 values appearing about equally often.
The same keystream must not be reused. That is, the input key $K$ must be different for each plaintext (if the pseudorandom generator is deterministic).
The RC4 Stream Cipher
• Designed by Ron Rivest in 1987 for RSA Security.
• Kept as a trade secret until leaked out in 1994.
• The most popular stream cipher.
• Simple and fast.
• With a 128-bit key, the period is > 10^100.
• Used in the SSL/TLS standards (for secure Web communication), IEEE 802.11 wireless LAN standard, Microsoft Point-to-Point Encryption, and many others.
RC4
Two vectors of bytes:
    S[0], S[1], S[2], ..., S[255]
    T[0], T[1], T[2], ..., T[255]
Key: variable length, from 1 to 256 bytes
Initialization:
    1. S[i] = i, for 0 ≤ i ≤ 255
    2. T[i] = K[i mod key-length], for 0 ≤ i ≤ 255
    (i.e., fill up T[0..255] with the key K repeatedly.)
RC4: Initial Permutation
Initial Permutation of S:
    j = 0
    for i = 0 to 255 do
        j = (j + S[i] + T[i]) mod 256
        Swap S[i], S[j]
This part of RC4 is generally known as the Key Scheduling Algorithm (KSA).
After KSA, the input key and the temporary vector T will no longer be used.
RC4: Key Stream Generation
Key stream generation:
    i, j = 0
    while (true)
        i = (i + 1) mod 256
        j = (j + S[i]) mod 256
        Swap S[i], S[j]
        t = (S[i] + S[j]) mod 256
        k = S[t]
        output k
Security of RC4
• The keystream generated by RC4 is biased.
– The second byte is biased toward zero with high probability.
– The first few bytes are strongly non-random and leak information about the input key.
• Defense: discard the initial n bytes of the keystream.
– Called “RC4-drop[n-bytes]”.
– Recommended values for n = 256, 768, or 3072 bytes.
• Efforts are underway (e.g. the eSTREAM project) to develop more secure stream ciphers.
RC4 and WEP
• WEP is a protocol using RC4 to encrypt packets for transmission over IEEE 802.11 wireless LAN.
• WEP requires each packet to be encrypted with a separate RC4 key.
• The RC4 key for each packet is a concatenation of a 24-bit IV (initialization vector) and a 40 or 104-bit long-term key.
RC4 key: IV (24 bits) | Long-term key (40 or 104 bits)
802.11 frames using WEP
[Frame layout: Header | IV | Packet | ICV | FCS, with a bracket labelled "encrypted"]
• ICV: integrity check value (for data integrity)
• FCS: frame check sequence (for error detection)
• Both use CRC32
• WEP has been shown to be insecure.
• There is an article, “Breaking 104 bit WEP
in less than 60 seconds,” discussing how
to discover the RC4 key by analyzing
encrypted ARP packets.
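The RC4 slides (KSA, key stream generation, RC4-drop[n]) and the WEP per-packet key, as one added Python example (not code from the original slides). Function names and the sample key, IVs and packets are constructed, and the ICV is left out; the demo shows why the rule "the same keystream must not be reused" matters when a 24-bit IV repeats.

```python
def rc4_keystream(key: bytes, n: int, drop: int = 0) -> bytes:
    """Return n keystream bytes after discarding the first `drop` bytes
    (drop > 0 gives RC4-drop[n])."""
    # KSA: S starts as the identity; T[i] is key[i mod key-length].
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    # Key stream generation
    i = j = 0
    out = bytearray()
    for _ in range(drop + n):
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % 256])
    return bytes(out[drop:])

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(iv: bytes, long_term_key: bytes, packet: bytes) -> bytes:
    """Per-packet RC4 key = 24-bit IV || long-term key (ICV omitted)."""
    assert len(iv) == 3 and len(long_term_key) in (5, 13)
    return xor(packet, rc4_keystream(iv + long_term_key, len(packet)))

def iv_reuse_demo():
    """Return (leak with repeated IV, leak with fresh IV)."""
    key = bytes.fromhex("0102030405")            # constructed 40-bit key
    p1, p2 = b"constructed pkt one", b"constructed pkt two"
    iv = b"\x00\x00\x01"                         # constructed IV
    c1 = wep_encrypt(iv, key, p1)
    c2 = wep_encrypt(iv, key, p2)                # same IV: same keystream
    c3 = wep_encrypt(b"\x00\x00\x02", key, p2)   # different IV
    # With a repeated IV the keystream cancels: c1 XOR c2 == p1 XOR p2.
    return xor(c1, c2) == xor(p1, p2), xor(c1, c3) == xor(p1, p2)

if __name__ == "__main__":
    print(xor(b"Plaintext", rc4_keystream(b"Key", 9)).hex())
    print(iv_reuse_demo())
```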