“advanced encryption standard” & “modes of operation”
TRANSCRIPT
““Advanced Encryption Advanced Encryption StandardStandard””
&&“Modes of Operation”“Modes of Operation”
The AES Cipher - Rijndael The AES Cipher - Rijndael
designed by Rijmen-Daemen in Belgium designed by Rijmen-Daemen in Belgium has 128/192/256 bit keys, 128 bit data has 128/192/256 bit keys, 128 bit data an an iterativeiterative rather than rather than feistelfeistel cipher cipher
processes processes data as block of 4 columns of 4 bytesdata as block of 4 columns of 4 bytes operates on entire data block in every roundoperates on entire data block in every round
AES does not use a Feistel structure. Instead, AES does not use a Feistel structure. Instead, each full round consists of four separate each full round consists of four separate functions: byte substitution, permutation, functions: byte substitution, permutation, arithmetic operations over a finite field, and XOR arithmetic operations over a finite field, and XOR with a key.with a key.
AES AES Encryption Encryption
ProcessProcess
How to use a block cipher?How to use a block cipher?
Block ciphers encrypt fixed-size blocksBlock ciphers encrypt fixed-size blocks
e.g. DES encrypts 64-bit & AES 128 bit blockse.g. DES encrypts 64-bit & AES 128 bit blocks We need some way to encrypt a message We need some way to encrypt a message
of arbitrary length of arbitrary length
e.g. a message of 1000 bytese.g. a message of 1000 bytes NIST defines several ways to do it NIST defines several ways to do it have have
blockblock and and streamstream modes modes
called called modes of operationmodes of operation
Five Modes of OperationFive Modes of Operation
Electronic codebook mode (ECB)Electronic codebook mode (ECB) Cipher block chaining mode (CBC) Cipher block chaining mode (CBC)
– – most popularmost popular Output feedback mode (OFB)Output feedback mode (OFB) Cipher feedback mode (CFB)Cipher feedback mode (CFB) Counter mode (CTR)Counter mode (CTR)
55
Message PaddingMessage Padding
The plaintext message is broken into The plaintext message is broken into blocks, Pblocks, P11, P, P22, P, P33, ..., ...
The last block may be short of a whole The last block may be short of a whole block and needs padding.block and needs padding.
Possible padding:Possible padding: Known non-data values (e.g. nulls)Known non-data values (e.g. nulls) Or pad last block along with count of pad sizeOr pad last block along with count of pad size
• eg. [ b1 b2 b3 0 0 0 0 5] eg. [ b1 b2 b3 0 0 0 0 5] • means have 3 data bytes, then 5 bytes pad+countmeans have 3 data bytes, then 5 bytes pad+count
66
Electronic Code Book (ECB)Electronic Code Book (ECB)
The plaintext is broken into blocks, PThe plaintext is broken into blocks, P11, P, P22, P, P33, ..., ...
Each block is encrypted independently with the Each block is encrypted independently with the same key: same key:
CCii = E = EKK(P(Pii))
The term The term codebook is used because, for a given key, codebook is used because, for a given key, there is there is a unique ciphertext for every 64-bit block of a unique ciphertext for every 64-bit block of plaintext.plaintext.
We can imagine a gigantic codebook in which there We can imagine a gigantic codebook in which there is an entry for every possible B-bit plaintext pattern is an entry for every possible B-bit plaintext pattern showing its corresponding ciphertext.showing its corresponding ciphertext.
77
Advantages & Limitation of ECBAdvantages & Limitation of ECB
Strength: it’s simple.Strength: it’s simple. Weakness:Weakness:
Repetitive information contained in the plaintextRepetitive information contained in the plaintext may show in the ciphertext, if aligned with may show in the ciphertext, if aligned with blocks. blocks.
If the same message (e.g., an SSN) is If the same message (e.g., an SSN) is encrypted (with the same key) and sent twice, encrypted (with the same key) and sent twice, their ciphertexts are the same.their ciphertexts are the same.
Can be used for very few blocksCan be used for very few blocks Typical application: secure transmission of short Typical application: secure transmission of short
pieces of information (e.g. Session encryption key)pieces of information (e.g. Session encryption key)88
Cipher Block Chaining (CBC) Cipher Block Chaining (CBC)
99
The plaintext is broken into blocks, P1, P2, The plaintext is broken into blocks, P1, P2, P3, ...P3, ...
Each Plain text is XOR (Chained) with the Each Plain text is XOR (Chained) with the previous cipher block before encryption.previous cipher block before encryption.
CCii = E = EKK(P(Pii XOR C XOR Ci-1i-1)) First block of ciphertext, an initialization vector First block of ciphertext, an initialization vector
(IV)/ nonce is XOR with the first block of (IV)/ nonce is XOR with the first block of plaintext.plaintext.
CC11 = E = EKK(IV(IV XOR PXOR P11)) Decryption: Decryption: PPii = C = Ci-1 i-1 XOR DXOR Dkk(C(Cii)) Uses: bulk data encryption, authentication.Uses: bulk data encryption, authentication.
Cipher Block Chaining (CBC) Cipher Block Chaining (CBC)
1010
Advantages and Limitations of Advantages and Limitations of CBCCBC
A ciphertext block depends on A ciphertext block depends on allall blocks. blocks. Any change to a block affects all following Any change to a block affects all following
ciphertext blocks.ciphertext blocks. Need Need Initialization VectorInitialization Vector (IV) (IV)
Which must be known to sender & receiver Which must be known to sender & receiver If sent in clear, attacker can change bits of first If sent in clear, attacker can change bits of first
block, and change IV to compensate block, and change IV to compensate Hence IV must either be a fixed value or must be Hence IV must either be a fixed value or must be
sent encrypted in ECB mode before rest of sent encrypted in ECB mode before rest of messagemessage
Stream Modes of OperationStream Modes of Operation block modes encrypt entire blockblock modes encrypt entire block may need to operate on smaller unitsmay need to operate on smaller units
real time datareal time data convert block cipher into stream cipherconvert block cipher into stream cipher
cipher feedback (CFB) modecipher feedback (CFB) mode output feedback (OFB) modeoutput feedback (OFB) mode counter (CTR) modecounter (CTR) mode
Use Use pseudo-random number pseudo-random number generatorgenerator
Cipher FeedBack (CFB)Cipher FeedBack (CFB)
message is treated as a stream of bits message is treated as a stream of bits added to the output of the block cipher added to the output of the block cipher result is feed back for next stage (hence name) result is feed back for next stage (hence name) standard allows any number of bit (1,8, 64 or standard allows any number of bit (1,8, 64 or
128 etc) to be feed back 128 etc) to be feed back denoted CFB-1, CFB-8, CFB-64, CFB-128 etc denoted CFB-1, CFB-8, CFB-64, CFB-128 etc
most efficient to use all bits in block (64 or 128)most efficient to use all bits in block (64 or 128)CCii = P = Pii XOR E XOR EKK(C(Ci-1i-1))
CC11 = IV = IV uses: stream data encryption, authenticationuses: stream data encryption, authentication
Encryption in CFB ModeEncryption in CFB Mode
1414
Remark on CFBRemark on CFB
• The block cipher is used as a stream cipher. The block cipher is used as a stream cipher. • Appropriate when data arrives in bits/bytes.Appropriate when data arrives in bits/bytes.• A ciphertext segment depends on the A ciphertext segment depends on the
current and all preceding plaintext segments.current and all preceding plaintext segments.• A corrupted ciphertext segment during A corrupted ciphertext segment during
transmission will affect the current and next transmission will affect the current and next several plaintext segments.several plaintext segments.
1515
Output FeedBack (OFB)Output FeedBack (OFB)message is treated as a stream of message is treated as a stream of
bits bits output of cipher is added to output of cipher is added to
message message output is then feed back (hence output is then feed back (hence
name) name) feedback is independent of feedback is independent of
message message
Cipher Feedback
Output Feedback
1717
Advantages and Limitations of Advantages and Limitations of OFBOFB
needs an IV which is unique for each needs an IV which is unique for each use use
more resistant to transmission errors; a more resistant to transmission errors; a bit error in a ciphertext segment affects bit error in a ciphertext segment affects only the decryption of that segment.only the decryption of that segment.
sender & receiver must remain in syncsender & receiver must remain in sync No padding required.No padding required.
Counter (CTR)Counter (CTR)
a “new” mode, though proposed early ona “new” mode, though proposed early on similar to OFB but encrypts counter value similar to OFB but encrypts counter value
rather than any feedback valuerather than any feedback value must have a different key & counter value must have a different key & counter value
for every plaintext block (never reused)for every plaintext block (never reused)OOii = E = EKK(i)(i)
CCii = P = Pii XOR O XOR Oii
uses: high-speed network encryptionsuses: high-speed network encryptions
Counter Counter (CTR)(CTR)
Remark on CTRRemark on CTR
Strengthes: Strengthes: Needs only the encryption algorithmNeeds only the encryption algorithm
Fast encryption/decryption; blocks can be processed Fast encryption/decryption; blocks can be processed
(encrypted or decrypted) in parallel.(encrypted or decrypted) in parallel.
Good for high speed linksGood for high speed links
Random access to encrypted data blocksRandom access to encrypted data blocks
IV should not be reused.IV should not be reused.
No padding required.No padding required.
2121
Typical Stream CiphersTypical Stream Ciphers
process message bit by bit (as a stream) process message bit by bit (as a stream) have a pseudo random have a pseudo random keystreamkeystream combined (XOR) with plaintext bit by bit combined (XOR) with plaintext bit by bit randomness of randomness of stream keystream key completely completely
destroys statistically properties in message destroys statistically properties in message CCii = M = Mii XOR StreamKey XOR StreamKeyii
but must never reuse stream keybut must never reuse stream key Just like VERNAM CipherJust like VERNAM Cipher
Stream Cipher StructureStream Cipher Structure
Stream Cipher PropertiesStream Cipher Properties
some design considerations are:some design considerations are: long period with no repetitions long period with no repetitions statistically random statistically random depends on large enough keydepends on large enough key large linear complexitylarge linear complexity
properly designed, can be as secure as a properly designed, can be as secure as a block cipher with same size keyblock cipher with same size key
but usually simpler & fasterbut usually simpler & faster