Properties of new NIST block cipher modes of operation
Roman Oliynykov
Professor at Information Technologies Security Department, Kharkov National University of Radioelectronics
Head of Scientific Research Department, JSC “Institute of Information Technologies”, Ukraine
Visiting professor at Samsung Advanced Technology Training Institute, Korea
December 2014
- A few words about myself
- Need of block cipher modes of operation and well-known standard modes
- Newly developed and NIST adopted modes and their properties
- Conclusions
About myself (I)
- I’m from Ukraine (Eastern part of Europe), host country of the Euro 2012 football championship
- I live in Kharkov (the second biggest city in the country, population 1.5 million), Eastern Ukraine (near Russia), former capital of Soviet Ukraine (1918-1934); three Nobel prize winners worked at Kharkov University
About myself (II)
- Professor at Information Technologies Security Department, Kharkov National University of Radioelectronics: courses on computer networks and operating system security, special mathematics for cryptographic applications
- Head of Scientific Research Department at JSC “Institute of Information Technologies”; scientific interests: synthesis and cryptanalysis of symmetric cryptographic primitives
- Visiting professor at Samsung Advanced Technology Training Institute: courses on computer networks and operating system security, software security, effective application and implementation of symmetric cryptography
Need for modes of operation
stream cipher:
- encryption of a message of arbitrary length
- no error propagation during decryption (an adversary can selectively change plaintext bits by modifying the ciphertext)
- no integrity check
- the same procedure for encryption and decryption
block cipher (ECB mode):
- encryption of a fixed-size block
- error propagation during decryption (avalanche effect)
- no integrity check
- the same plaintext blocks give the same ciphertext blocks (until the key is changed)
- different procedures for encryption and decryption
Main block cipher modes of operation: confidentiality only
Standardised in: US National Institute of Standards and Technology Special Publications (NIST SP) 800-38; ISO/IEC 10116:2006; ANSI X9.52
Electronic Codebook Mode (ECB)
ECB advantages
- any part of the encrypted message can be decrypted independently (or re-encrypted after modification)
- error multiplication properties: if the ciphertext is modified by an attacker, the resulting changes in the plaintext are random, unpredictable and confined to one block
- errors in the plaintext cannot be controlled by the attacker (without knowledge of the secret key)
NB: error multiplication may look like a disadvantage on noisy physical channels where error correction codes are applied before encryption
NB: error correction codes should be applied after encryption; the plaintext should not carry such huge redundancy
ECB disadvantages
- equal plaintext blocks lead to equal ciphertext blocks: ECB IS NOT RECOMMENDED FOR STANDALONE USE
NB: message length must be aligned to the cipher block size
NB: both the encryption and the decryption function must be implemented
Cipher Block Chaining (CBC)
A unique and random (unpredictable) IV must be provided for each message
CBC advantages
- equal messages encrypted under the same key give different cryptograms (ciphertexts)
- the message can be decrypted starting from any block (decrypted only, not re-encrypted)
- error multiplication properties (one whole block + a single bit in the next block)
CBC disadvantages
- message length must be aligned to the cipher block size
- message blocks cannot be re-encrypted after modification (the rest of the message must be re-encrypted)
- a decryption implementation is needed
- if the attacker can insert some parts into the message and obtain the ciphertext, part of the user's message can be compromised (a cookie stealing attack over an SSL connection, where the attacker sniffs traffic and installs a malicious Firefox plug-in, was demonstrated)
- not recommended for the future (CTR is the better variant)
Cipher Feedback (CFB)
A unique IV must be provided for each message
CFB advantages
- equal messages encrypted under the same key give different cryptograms (ciphertexts)
- message length can be arbitrary
- randomness of the IV is not needed
- error multiplication properties (single bit + several blocks)
- decryption implementation (ECB) is not needed
CFB disadvantages
- message blocks cannot be decrypted from any part or re-encrypted after modification
- encryption speed is significantly slower
- not recommended for the future (CTR is the better variant)
Output Feedback (OFB)
A unique IV must be provided for each message
OFB advantages
- equal messages encrypted under the same key give different cryptograms (ciphertexts)
- message length can be arbitrary
- randomness of the IV is not needed
- decryption implementation (ECB) is not needed
OFB disadvantages
- no error multiplication properties
- message blocks cannot be decrypted from any part or re-encrypted after modification
- the key sequence period is expected to be about 2^(n/2), where n is the block size in bits (but with some probability it could be much shorter, which is a security threat)
- not recommended for the future (CTR is the better variant)
Counter (CTR)
A unique IV must be provided for each message
CTR advantages
- equal messages encrypted under the same key give different cryptograms (ciphertexts)
- message length can be arbitrary
- randomness of the IV is not needed (the IV is encrypted and used as the start counter value); a simple counter can be used (e.g., arithmetic addition)
- message blocks can be decrypted from any part or re-encrypted after modification
- decryption implementation (ECB) is not needed
CTR disadvantages
- no error multiplication properties
Main recommended mode of operation for confidentiality
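The error multiplication properties listed for ECB, CBC, CFB, OFB and CTR above can be checked directly. The Python below is an added example, not code from the slides: it models the five confidentiality modes over a toy 4-round Feistel block cipher built from HMAC-SHA256 (a constructed stand-in for a real cipher, not secure), flips one bit in a ciphertext block, decrypts, and counts how many plaintext bits changed in each block. The key, IV, plaintext and all function names are constructed for the example; CFB is the full-block variant, so the damage is one bit in the modified block plus one garbled block after it.

```python
import hmac, hashlib
BLOCK = 16  # block size in bytes (n = 128 bits)
def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))
def _f(key, half, rnd):  # Feistel round function: keyed hash of (round, half), 8 bytes
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]
def E(key, block):  # toy 4-round Feistel cipher standing in for E_K (not a real cipher)
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, xor(l, _f(key, r, i))
    return r + l
def D(key, block):  # inverse of E (needed only by ECB and CBC decryption)
    r, l = block[:8], block[8:]
    for i in reversed(range(4)):
        r, l = l, xor(r, _f(key, l, i))
    return l + r

def _ctr(iv, i):  # CTR counter block i = IV + i (plain integer addition mod 2^128)
    return ((int.from_bytes(iv, "big") + i) % (1 << 128)).to_bytes(BLOCK, "big")

def crypt(mode, key, iv, data, decrypt=False):
    """Encrypt (or decrypt) whole blocks in ECB/CBC/CFB/OFB/CTR mode."""
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    out, prev = [], iv  # prev: last ciphertext block (CBC/CFB) or keystream block (OFB)
    for i, x in enumerate(blocks):
        if mode == "ECB":
            y = D(key, x) if decrypt else E(key, x)
        elif mode == "CBC":
            y = xor(D(key, x), prev) if decrypt else E(key, xor(x, prev))
        elif mode == "CFB":
            y = xor(x, E(key, prev))  # same formula both ways: no D needed
        elif mode == "OFB":
            prev = E(key, prev); y = xor(x, prev)
        else:  # CTR
            y = xor(x, E(key, _ctr(iv, i)))
        out.append(y)
        if mode in ("CBC", "CFB"):
            prev = x if decrypt else y  # whichever of x, y is the ciphertext block
    return b"".join(out)

def bit_errors_per_block(mode, key, iv, pt, idx=1):
    """Flip one bit in ciphertext block idx, decrypt, count changed plaintext bits per block."""
    ct = bytearray(crypt(mode, key, iv, pt))
    ct[idx * BLOCK] ^= 0x01
    rec = crypt(mode, key, iv, bytes(ct), decrypt=True)
    per_byte = [bin(a ^ b).count("1") for a, b in zip(pt, rec)]
    return [sum(per_byte[i:i + BLOCK]) for i in range(0, len(per_byte), BLOCK)]

KEY, IV = bytes(range(16)), bytes(16)  # constructed demo key and IV, fixed for reproducibility
PT = b"block zero......block one.......block two.......block three....."  # 4 x 16 bytes
```

Calling bit_errors_per_block for each mode gives a garbled block only for ECB, a garbled block plus one bit in the next block for CBC, one bit plus a garbled next block for CFB, and a single flipped bit for OFB and CTR, which is exactly why the attacker-controlled single-bit changes of the stream-like modes call for a separate integrity check.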
Additional block cipher modes of operation (NIST SP 800-38)
- CMAC (Cipher-based Message Authentication Code)
- Galois/Counter Mode (GCM) and GMAC (Galois MAC)
- CCM (Counter (CTR) mode with Cipher Block Chaining-Message Authentication Code (CBC-MAC))