Properties of new NIST block cipher modes of operation

Roman Oliynykov
Professor at Information Technologies Security Department, Kharkov National University of Radioelectronics
Head of Scientific Research Department, JSC “Institute of Information Technologies”, Ukraine
Visiting professor at Samsung Advanced Technology Training Institute, Korea
[email protected]

December 2014
Page 1: Block Ciphers Modes of Operation


Page 2: Block Ciphers Modes of Operation

Outline

- A few words about myself
- Need of block cipher modes of operation and well-known standard modes
- Newly developed and NIST adopted modes and their properties
- Conclusions

Page 3: Block Ciphers Modes of Operation

About myself (I)

- I’m from Ukraine (Eastern part of Europe), host country of the Euro2012 football championship
- I live in Kharkov (the second biggest city in the country, population is 1.5 million people), Eastern Ukraine (near Russia), former capital of the Soviet Ukraine (1918-1934)
- three Nobel prize winners worked at Kharkov University

Page 4: Block Ciphers Modes of Operation

About myself (II)

- Professor at Information Technologies Security Department at Kharkov National University of Radioelectronics: courses on computer networks and operating system security, special mathematics for cryptographic applications
- Head of Scientific Research Department at JSC “Institute of Information Technologies”; scientific interests: symmetric cryptographic primitives synthesis and cryptanalysis
- Visiting professor at Samsung Advanced Technology Training Institute: courses on computer networks and operating system security, software security, effective application and implementation of symmetric cryptography

Page 5: Block Ciphers Modes of Operation

Need for modes of operation

stream cipher:
- encryption of a message of arbitrary length
- no error propagation during decryption (an adversary can selectively change plaintext bits by modifying the ciphertext)
- no integrity check
- the same procedure for encryption and decryption

block cipher (ECB mode):
- encryption of a fixed-size block
- error propagation during decryption (avalanche effect)
- no integrity check
- the same plaintext blocks have the same ciphertext (until the key is changed)
- different procedures for encryption and decryption

Page 6: Block Ciphers Modes of Operation

Main block cipher modes of operation: confidentiality only

- Electronic Codebook Mode (ECB)
- Cipher Block Chaining (CBC)
- Cipher Feedback (CFB)
- Output Feedback (OFB)
- Counter (CTR)

- US National Institute of Standards and Technology Special Publications (NIST SP) 800-38
- ISO/IEC 10116:2006
- ANSI X9.52

Page 7: Block Ciphers Modes of Operation

Electronic Codebook Mode (ECB)

Page 8: Block Ciphers Modes of Operation

ECB advantages

- any part of the encrypted message can be easily decrypted (or re-encrypted after modification)
- error multiplication properties: if the ciphertext is modified by an attacker, the modifications in the plaintext will be random, unpredictable and confined to one block
- errors in the plaintext cannot be controlled by the attacker (without knowledge of the secret key)

NB: error multiplication may seem a disadvantage on noisy physical channels where error correction codes are applied before encryption

NB: error correction codes should be applied after encryption; there should be no such huge redundancy in the plaintext

Page 9: Block Ciphers Modes of Operation

ECB disadvantages

- equal plaintext blocks lead to equal ciphertext blocks: ECB IS NOT RECOMMENDED FOR SEPARATE USE

NB: message length must be aligned to the cipher block size

NB: both the encryption and the decryption function must be implemented

Page 10: Block Ciphers Modes of Operation

Cipher Block Chaining (CBC)

Unique and random (unpredictable) IV must be provided for each message

Page 11: Block Ciphers Modes of Operation

CBC advantages and disadvantages

advantages
- equal messages encrypted under the same key give different cryptograms (ciphertexts)
- the message can be decrypted from any part (but decrypted only)
- error multiplication properties (a single bit + the next block)

disadvantages
- message length must be aligned to the cipher block size
- message blocks cannot be re-encrypted after modification (the rest of the message must be re-encrypted)
- a decryption implementation is needed
- if the attacker can insert some parts into the message and obtain the ciphertext, part of the user's message can be compromised (a cookie-stealing attack over an SSL connection, where the hacker can sniff traffic and install a malicious plug-in into Firefox, was demonstrated)

not recommended for the future (CTR is the better variant)

Page 12: Block Ciphers Modes of Operation

Cipher Feedback (CFB)

Unique IV must be provided for each message

Page 13: Block Ciphers Modes of Operation

CFB advantages and disadvantages

advantages
- equal messages encrypted under the same key give different cryptograms (ciphertexts)
- message length can be arbitrary
- randomness of the IV is not needed
- error multiplication properties (a single bit + several blocks)
- a decryption implementation (ECB) is not needed

disadvantages
- message blocks cannot be decrypted from any part or re-encrypted after modification
- encryption speed is significantly slower

not recommended for the future (CTR is the better variant)

Page 14: Block Ciphers Modes of Operation

Output Feedback (OFB)

Unique IV must be provided for each message

Page 15: Block Ciphers Modes of Operation

OFB advantages and disadvantages

advantages
- equal messages encrypted under the same key give different cryptograms (ciphertexts)
- message length can be arbitrary
- randomness of the IV is not needed
- a decryption implementation (ECB) is not needed

disadvantages
- no error multiplication properties
- message blocks cannot be decrypted from any part or re-encrypted after modification
- the key stream period is expected to be 2^(n/2), where n is the block size in bits (but with some probability it could be much shorter, so there is a security threat)

not recommended for the future (CTR is the better variant)

Page 16: Block Ciphers Modes of Operation

Counter (CTR)

Unique IV must be provided for each message

Page 17: Block Ciphers Modes of Operation

CTR advantages and disadvantages

advantages
- equal messages encrypted under the same key give different cryptograms (ciphertexts)
- message length can be arbitrary
- randomness of the IV is not needed (the IV is encrypted and used as the starting counter value); a simple counter can be used (e.g., arithmetic addition)
- message blocks can be decrypted from any part or re-encrypted after modification
- a decryption implementation (ECB) is not needed

disadvantages
- no error multiplication properties

main recommended mode of operation for confidentiality
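The three properties the slides contrast (equal ECB blocks leak, CBC corrupts one block plus one bit of the next, CTR has no error multiplication so a ciphertext edit lands on the plaintext 1:1) can be observed directly with the Go standard library. This is an added example, not code from the slides; the all-zero key and IV and the repeated-block message are constructed demo values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"math/bits"
)

// Constructed demo inputs: all-zero key and IV (never reuse an IV in practice); four identical 16-byte blocks.
var key, iv = make([]byte, 16), make([]byte, 16)
var msg = bytes.Repeat([]byte("0123456789abcdef"), 4)

// ecbEqualBlocks reports whether ECB maps identical plaintext blocks to identical ciphertext blocks.
func ecbEqualBlocks() bool {
	b, _ := aes.NewCipher(key)
	ct := make([]byte, len(msg))
	for i := 0; i < len(msg); i += 16 {
		b.Encrypt(ct[i:i+16], msg[i:i+16])
	}
	return bytes.Equal(ct[:16], ct[16:32])
}

// flipEffect encrypts msg, flips one bit of ciphertext block 1, decrypts, and returns
// how many bits changed in each of the four plaintext blocks ("error multiplication").
func flipEffect(enc, dec func([]byte) []byte) []int {
	ct := enc(msg)
	ct[16] ^= 0x01 // single-bit ciphertext corruption in block 1
	pt := dec(ct)
	diffs := make([]int, 4)
	for j := range msg {
		diffs[j/16] += bits.OnesCount8(pt[j] ^ msg[j])
	}
	return diffs
}

// cbcFlipEffect: block 1 is garbled, block 2 gets exactly the same one-bit flip ("single bit + the next block").
func cbcFlipEffect() []int {
	b, _ := aes.NewCipher(key)
	enc := func(p []byte) []byte { c := make([]byte, len(p)); cipher.NewCBCEncrypter(b, iv).CryptBlocks(c, p); return c }
	dec := func(c []byte) []byte { p := make([]byte, len(c)); cipher.NewCBCDecrypter(b, iv).CryptBlocks(p, c); return p }
	return flipEffect(enc, dec)
}

// ctrFlipEffect: only the flipped bit changes, so a ciphertext edit maps 1:1 onto plaintext (no error multiplication).
func ctrFlipEffect() []int {
	b, _ := aes.NewCipher(key)
	xor := func(in []byte) []byte { out := make([]byte, len(in)); cipher.NewCTR(b, iv).XORKeyStream(out, in); return out }
	return flipEffect(xor, xor)
}
```

The CTR result is the reason the deck pairs CTR with a separate integrity check: confidentiality-only modes do not detect modification.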

Page 18: Block Ciphers Modes of Operation

Additional block cipher modes of operation (NIST SP 800-38)

- CMAC (Cipher-based Message Authentication Code)
- Galois/Counter Mode (GCM) and GMAC (Galois MAC)
- CCM (Counter (CTR) mode and the Cipher Block Chaining-Message Authentication Code (CBC-MAC))
- XTS (Xor encrypt xor Tweakable block Cipher)
- Key Wrapping
- FF (Format-Preserving Encryption)

Page 19: Block Ciphers Modes of Operation

CMAC (Cipher-based Message Authentication Code)

Page 20: Block Ciphers Modes of Operation

CMAC (Cipher-based Message Authentication Code)

- integrity check (not an encryption mode)
- protected against length extension attacks
- no attack published (September 2013)
- security holds for up to about 2^(Tlen/2) encryptions, where Tlen is the integrity check value (ICV) size in bits

Page 21: Block Ciphers Modes of Operation

Galois/Counter Mode (GCM) and GMAC (Galois MAC): encryption with GCTR

NB: equal to CTR mode with a specific given incrementing function

Page 22: Block Ciphers Modes of Operation

Galois/Counter Mode (GCM) and GMAC (Galois MAC): MAC with GMAC

Page 23: Block Ciphers Modes of Operation

Galois/Counter Mode (GCM) and GMAC (Galois MAC): encryption and ICV generation

Page 24: Block Ciphers Modes of Operation

Galois/Counter Mode (GCM) and GMAC (Galois MAC): decryption and ICV verification

Page 25: Block Ciphers Modes of Operation

Galois/Counter Mode (GCM) and GMAC (Galois MAC)

- used for confidentiality and integrity
- there may be an optional unencrypted part of the message (A): e.g., network packet headers
- computation of the integrity check value (ICV) is made over the ciphertext (not the plaintext): effective for network traffic protection with denial-of-service (DoS) attack countermeasures
- the fastest mode for confidentiality and integrity; a special Intel and AMD processor instruction (PCLMULQDQ) supports this mode
- protected against length extension attacks
- a small number of weak keys may exist for the integrity check
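The two GCM properties above, an unencrypted but authenticated part A and an ICV that is checked before any plaintext is released, can be shown with Go's crypto/cipher AEAD interface. This is an added example, not code from the slides; the all-zero key and nonce and the "packet" contents are constructed demo values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
)

// Constructed demo values: all-zero key and nonce (a nonce must never repeat under one key in practice).
var key, nonce = make([]byte, 16), make([]byte, 12)

// seal encrypts body with AES-GCM and authenticates header as the unencrypted part A.
// The result is ciphertext followed by the 16-byte ICV (tag).
func seal(header, body []byte) []byte {
	b, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(b)
	return g.Seal(nil, nonce, body, header)
}

// open checks the ICV over header and ciphertext before returning any plaintext, so a
// tampered packet is rejected without decrypting it (the DoS countermeasure of the slides).
func open(header, sealed []byte) ([]byte, bool) {
	b, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(b)
	pt, err := g.Open(nil, nonce, sealed, header)
	return pt, err == nil
}

// demo seals a constructed packet and reports whether the intact packet opens, and whether
// a flipped ciphertext bit and a flipped header bit are each detected.
func demo() (okClean, bodyTamperDetected, headerTamperDetected bool) {
	header := []byte("src=10.0.0.1 dst=10.0.0.2") // constructed header sent in clear
	body := []byte("payload that must stay confidential")
	sealed := seal(header, body)
	pt, ok := open(header, sealed)
	okClean = ok && string(pt) == string(body)

	tampered := append([]byte(nil), sealed...)
	tampered[0] ^= 0x01 // flip one ciphertext bit
	_, ok = open(header, tampered)
	bodyTamperDetected = !ok

	badHeader := append([]byte(nil), header...)
	badHeader[0] ^= 0x01 // flip one bit of the unencrypted part A
	_, ok = open(badHeader, sealed)
	headerTamperDetected = !ok
	return
}
```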

Page 26: Block Ciphers Modes of Operation

CCM (Counter (CTR) mode and the Cipher Block Chaining-Message Authentication Code (CBC-MAC))

- advanced mode combining CMAC and CTR (with improvement)
- there may be an optional unencrypted part of the message (A): e.g., network packet headers
- developed for and well suited to hardware implementation
- implemented in IEEE 802.11 (WiFi) networks in hardware (communication chips)

Page 27: Block Ciphers Modes of Operation

XTS (Xor encrypt xor Tweakable block Cipher): encryption

Page 28: Block Ciphers Modes of Operation

XTS (Xor encrypt xor Tweakable block Cipher): decryption

Page 29: Block Ciphers Modes of Operation

XTS (Xor encrypt xor Tweakable block Cipher)

- mode intended for on-the-fly encryption of storage with block access (hard drives, etc.): blocks have equal size, and there is no room to store an integrity check value

advantages (over ECB and CTR):
- the same data in different blocks will give different ciphertext
- ciphertext modification will give random plaintext modification (no predictable data change for the attacker)
- highly effective (almost like CTR, but gives an additional basic and simple integrity service)
- may be used with padding if the data block length is not aligned to the cipher block size (but less effective here)

disadvantage:
- a decryption implementation is needed

Page 30: Block Ciphers Modes of Operation

Key Wrapping mode: encryption

Page 31: Block Ciphers Modes of Operation

Key Wrapping mode: decryption

Page 32: Block Ciphers Modes of Operation

Key Wrapping mode

intended to protect the confidentiality of key data

advantages
- may be used with padding if the data block length is not aligned to the cipher block size (but less effective here)
- ciphertext modification will give random plaintext modification (no predictable data change for the attacker)
- no IV required

disadvantages
- much slower compared to other modes
- equal messages will have equal cryptograms (no IV in this mode)

Page 33: Block Ciphers Modes of Operation

FF (Format-Preserving Encryption) mode

intended to protect specific data (like credit card numbers) in existing IT systems with strong limitations on ciphertext length and presentation

advantage
- preserves the original message alphabet (any, may be decimal or else, not only binary, hexadecimal, etc.) and the length of the message

disadvantage
- much slower compared to other modes

Page 34: Block Ciphers Modes of Operation

FF (Format-Preserving Encryption) mode

Page 35: Block Ciphers Modes of Operation

Conclusions

- Block ciphers may provide excellent cryptographic properties, but for practical application they need modes of operation
- Such modes of operation may be used both for confidentiality and integrity
- There are many different modes of operation for specific purposes, including network traffic protection, hard drive encryption, etc.
- Careful selection of the mode is needed; otherwise even the protection of a strong block cipher (e.g., AES-256) might be broken in some circumstances
- Security is a process, not a state