Cipher Block Chaining Mode
To overcome the
security deficiencies of ECB, we would like a technique in which the same
plaintext block, if repeated, produces different ciphertext blocks. A simple way
to satisfy this requirement is the cipher block chaining (CBC) mode (Figure 6.4). In this scheme, the input to
the encryption algorithm is the XOR of the current plaintext block and the
preceding ciphertext block; the same key is used for each block. In effect, we
have chained together the processing of the sequence of plaintext blocks. The
input to the encryption function for each plaintext block bears no fixed
relationship to the plaintext block. Therefore, repeating patterns of b bits are not exposed.
To produce the
first block of ciphertext, an initialization vector (IV) is XORed with the first
block of plaintext. On decryption, the IV is XORed with the output of the
decryption algorithm to recover the first block of plaintext. The IV is a data
block of the same size as the cipher block.
The IV must be known to both the sender and receiver but be
unpredictable by a third party. For maximum security, the IV should be protected
against unauthorized changes. This could be done by sending the IV using ECB
encryption. One reason for protecting the IV is as follows: If an opponent is
able to fool the receiver into using a different value for IV, then the opponent
is able to invert selected bits in the first block of plaintext. To see this,
consider the following:
$C_1 = E(K, [IV \oplus P_1])$
$P_1 = IV \oplus D(K, C_1)$
Now use the notation that $X[i]$
denotes the $i$th bit of the $b$-bit quantity $X$. Then
$P_1[i] = IV[i] \oplus D(K, C_1)[i]$
Then, using the properties of XOR, we can state
$P_1[i]' = IV[i]' \oplus D(K, C_1)[i]$
where the prime notation denotes bit complementation. This
means that if an opponent can predictably change bits in IV, the corresponding
bits of the received value of P1 can
be changed.
For other possible attacks based on knowledge of IV, see [VOYD83].
In conclusion, because of the chaining mechanism of CBC, it is
an appropriate mode for encrypting messages of length greater than b bits.
In addition to its use to achieve confidentiality, the CBC mode
can be used for authentication. This use is described in Part Two.
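The following is an added worked example, not code from the text. It implements CBC encryption and decryption over a toy 64-bit Feistel block cipher (a stand-in for DES or AES, written only so the example runs stand-alone; it is not a secure cipher) and then reproduces the IV-tampering effect derived above: complementing bit i of the IV complements bit i of the recovered P1 and leaves every other block untouched. The key, IV and message are constructed sample values.

```python
# Added example (not from the text): CBC over a toy 64-bit Feistel block cipher,
# with the IV-tampering effect described above. The toy cipher exists only so the
# example runs stand-alone; it is NOT secure. Use AES-CBC from a vetted library.
import hashlib

BLOCK = 8     # b = 64 bits, expressed in bytes
ROUNDS = 8

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key: bytes, r: int, half: bytes) -> bytes:
    # Keyed round function: 32 bits derived from key, round number and right half.
    return hashlib.sha256(key + bytes([r]) + half).digest()[:4]

def E(key: bytes, block: bytes) -> bytes:
    """E(K, X): balanced Feistel network; the output halves are swapped so that
    D is the same network with the round order reversed."""
    assert len(block) == BLOCK
    L, R = block[:4], block[4:]
    for r in range(ROUNDS):
        L, R = R, _xor(L, _f(key, r, R))
    return R + L

def D(key: bytes, block: bytes) -> bytes:
    """D(K, Y): inverse of E."""
    assert len(block) == BLOCK
    L, R = block[:4], block[4:]
    for r in reversed(range(ROUNDS)):
        L, R = R, _xor(L, _f(key, r, R))
    return R + L

def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """C_i = E(K, P_i XOR C_{i-1}), with C_0 = IV.  Input must be block-aligned."""
    assert len(iv) == BLOCK and len(plaintext) % BLOCK == 0
    prev, out = iv, []
    for i in range(0, len(plaintext), BLOCK):
        prev = E(key, _xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """P_i = D(K, C_i) XOR C_{i-1}, with C_0 = IV."""
    assert len(iv) == BLOCK and len(ciphertext) % BLOCK == 0
    prev, out = iv, []
    for i in range(0, len(ciphertext), BLOCK):
        block = ciphertext[i:i + BLOCK]
        out.append(_xor(D(key, block), prev))
        prev = block
    return b"".join(out)

def decrypt_with_flipped_iv(key: bytes, iv: bytes, ciphertext: bytes, bit: int) -> bytes:
    """What the receiver recovers if an opponent complements bit `bit` of the IV
    (bit 0 = most significant bit).  Only P_1[bit] changes; later blocks are
    chained to ciphertext, not to the IV, and are unaffected."""
    iv2 = bytearray(iv)
    iv2[bit // 8] ^= 1 << (7 - bit % 8)
    return cbc_decrypt(key, bytes(iv2), ciphertext)

# Constructed sample values (not from the text).
KEY = b"sixteen byte key"
IV = bytes.fromhex("0123456789abcdef")
MSG = b"attack at dawn.."          # exactly two 64-bit blocks

def demo() -> tuple:
    ct = cbc_encrypt(KEY, IV, MSG)
    assert cbc_decrypt(KEY, IV, ct) == MSG
    # Flipping IV bit 6 flips bit 6 of P_1: 'a' (0x61) becomes 'c' (0x63).
    forged = decrypt_with_flipped_iv(KEY, IV, ct, 6)
    # Two identical plaintext blocks no longer give identical ciphertext blocks.
    ct_rep = cbc_encrypt(KEY, IV, b"A" * 16)
    return forged, ct_rep[:8] != ct_rep[8:]
```

Because the receiver cannot tell a tampered IV from a genuine one, a deployment must authenticate the IV together with the ciphertext (a MAC over both, or an authenticated mode); CBC by itself offers confidentiality only.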
Cipher Feedback Mode
The DES scheme is essentially a block cipher technique that
uses b-bit blocks. However, it is possible to
convert DES into a stream
cipher, using either the cipher feedback (CFB) or the output feedback (OFB) mode. A stream
cipher eliminates the need to pad a message to be an integral number of blocks.
It also can operate in real time. Thus, if a character stream is being
transmitted, each character can be encrypted and transmitted immediately using a
character-oriented stream cipher.
One desirable property of a stream cipher is that the
ciphertext be of the same length as the plaintext. Thus, if 8-bit characters are
being transmitted, each character should be encrypted to produce a ciphertext
output of 8 bits. If more than 8 bits are produced, transmission capacity is
wasted.
Figure 6.5 depicts the
CFB scheme. In the figure, it is assumed that the unit of transmission is s bits; a common value is s = 8. As with CBC, the units of plaintext are chained
together, so that the ciphertext of any plaintext unit is a function of all the
preceding plaintext. In this case, rather than units of b bits, the plaintext is divided into segments of s
bits.
First, consider encryption. The input
to the encryption function is a b-bit shift
register that is initially set to some initialization vector (IV). The leftmost
(most significant) s bits of the output of the
encryption function are XORed with the first segment of plaintext P1 to produce the first unit of ciphertext
C1, which is then transmitted. In
addition, the contents of the shift register are shifted left by s bits and C1
is placed in the rightmost (least significant) s
bits of the shift register. This process continues until all plaintext units
have been encrypted.
For decryption, the same scheme is used, except that the
received ciphertext unit is XORed with the output of the encryption function to
produce the plaintext unit. Note that it is the encryption function that is used, not the
decryption function. This is easily explained. Let $S_s(X)$ be
defined as the most significant $s$ bits of $X$. Then
$C_1 = P_1 \oplus S_s[E(K, IV)]$
Therefore,
$P_1 = C_1 \oplus S_s[E(K, IV)]$
The same reasoning holds for subsequent steps in the
process.
Output Feedback Mode
The output feedback (OFB) mode is similar in structure to that
of CFB, as illustrated in Figure 6.6. As
can be seen, it is the output of the encryption function that is fed back to the
shift register in OFB, whereas in CFB the ciphertext unit is fed back to the
shift register.
Counter Mode
Although interest in the counter mode (CTR) has increased recently, with
applications to ATM (asynchronous transfer mode) network security and IPSec (IP
security), this mode was proposed early on (e.g., [DIFF79]).
Figure 6.7 depicts the
CTR mode. A counter the same size as the plaintext block is used. The only
requirement stated in SP 800-38A is that the counter value must be different for
each plaintext block that is encrypted. Typically, the counter is initialized to
some value and then incremented by 1 for each subsequent block (modulo
$2^b$, where $b$ is the block size). For encryption, the counter is
encrypted and then XORed with the plaintext block
to produce the ciphertext block; there is no chaining. For decryption, the same
sequence of counter values is used, with each encrypted counter XORed with a
ciphertext block to recover the corresponding plaintext block.
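The following is an added worked example, not code from the text, covering the CFB, OFB and CTR descriptions above in one place. None of the three modes ever calls the decryption function, so a keyed one-way function (here SHA-256 over key and block) stands in for E(K, X); a real deployment substitutes AES. The block size is b = 64 bits, CFB and OFB are shown with s-byte units (s = 1 gives the common s = 8 bits), and the example also shows the error-propagation difference a practitioner should know: a corrupted ciphertext unit in CFB garbles that unit and up to the next b/s units while it sits in the shift register, whereas in OFB and CTR only the corresponding plaintext bits are affected. The key, IV and message are constructed sample values.

```python
# Added example (not from the text): CFB, OFB and CTR over a stand-in
# encryption function E. No mode below calls a decryption function.
import hashlib

B = 8   # block size b in bytes (64 bits)

def E(key: bytes, block: bytes) -> bytes:
    """Stand-in for the block cipher's encryption function E(K, X)."""
    return hashlib.sha256(key + block).digest()[:B]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))   # truncates to the shorter input

def cfb(key: bytes, iv: bytes, data: bytes, s: int = 1, decrypt: bool = False) -> bytes:
    """CFB with s-byte units. The b-byte shift register starts at the IV; after
    each unit it shifts left by s bytes and the *ciphertext* unit enters its
    least-significant end. Keystream = leftmost s bytes of E(K, register)."""
    assert len(iv) == B and 1 <= s <= B
    reg, out = iv, []
    for i in range(0, len(data), s):
        unit = data[i:i + s]
        result = _xor(unit, E(key, reg)[:s])
        out.append(result)
        fed = unit if decrypt else result        # the ciphertext unit, either way
        reg = (reg + fed)[-B:]
    return b"".join(out)

def ofb(key: bytes, iv: bytes, data: bytes, s: int = 1) -> bytes:
    """OFB: the *output* of E is fed back, so the keystream depends only on
    K and IV. Encryption and decryption are the same operation."""
    assert len(iv) == B and 1 <= s <= B
    reg, out = iv, []
    for i in range(0, len(data), s):
        o = E(key, reg)[:s]
        out.append(_xor(data[i:i + s], o))
        reg = (reg + o)[-B:]
    return b"".join(out)

def ctr(key: bytes, counter0: bytes, data: bytes) -> bytes:
    """CTR: C_i = E(K, counter_i) XOR P_i, counter incremented by 1 mod 2^b.
    No chaining; a trailing partial block just truncates the keystream."""
    assert len(counter0) == B
    counter, out = int.from_bytes(counter0, "big"), []
    for i in range(0, len(data), B):
        out.append(_xor(data[i:i + B], E(key, counter.to_bytes(B, "big"))))
        counter = (counter + 1) % (1 << (8 * B))
    return b"".join(out)

def corrupted_positions(mode, key: bytes, iv: bytes, msg: bytes, pos: int) -> list:
    """Flip one bit of ciphertext byte `pos`, decrypt, and return the indices of
    the plaintext bytes that come out wrong."""
    ct = bytearray(mode(key, iv, msg))
    ct[pos] ^= 0x80
    kw = {"decrypt": True} if mode is cfb else {}
    pt = mode(key, iv, bytes(ct), **kw)
    return [i for i in range(len(msg)) if pt[i] != msg[i]]

# Constructed sample values (not from the text).
KEY = b"k" * 16
IV = bytes(range(8))
MSG = b"stream of characters, no padding needed"   # 39 bytes, not block-aligned

def demo() -> dict:
    c_cfb, c_ofb, c_ctr = cfb(KEY, IV, MSG), ofb(KEY, IV, MSG), ctr(KEY, IV, MSG)
    return {
        "cfb": cfb(KEY, IV, c_cfb, decrypt=True),
        "ofb": ofb(KEY, IV, c_ofb),
        "ctr": ctr(KEY, IV, c_ctr),
        "same_length": len(c_cfb) == len(c_ofb) == len(c_ctr) == len(MSG),
    }
```

Two caveats follow directly from the construction. In OFB and CTR the keystream is a function of K and IV (or the counter start) alone, so reusing either with the same key XORs two plaintexts against the same keystream and leaks their XOR; the SP 800-38A requirement that every counter value be distinct is exactly what rules this out. SP 800-38A also specifies OFB with full-block feedback (s = b), which avoids the short cycles that s-bit output feedback can fall into; the s-byte variant above mirrors the shift-register description in the text.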