Applied Cryptography

Spring 2015

Chaining Modes

(Slide transcript; posted 03-Jan-2016)

What happens when the clear text is longer than the block length k?

Most simple solution — encrypt each block separately.

This mode is called ECB, Electronic Code Book

[Figure: ECB. Each clear text block goes through Enc under the same Key, independently of the others, giving the corresponding cipher text block.]

Chaining ciphers - ECB

[From Mårten Trolin]

Problems with ECB:

two encryptions of the same plaintext block under the same key give the same ciphertext block, so two identical transmissions look identical, and an observer who knows (or can guess) the plaintext of one transmission also knows the plaintext of every repeat of it. This could be dealt with by putting timestamps into the messages.

block replay: individual ciphertext blocks can be cut out, reordered or re-inserted, and each still decrypts to valid plaintext. A potential cure is the use of a MAC; however, even then this remains an unpleasant feature.

ECB can still be used in some cases for the transmission of short messages, e.g. cipher keys.

Chaining ciphers - ECB

Padding

k - block length, n - message length

if n is a multiple of k, there are no problems

what to do with the last block, if n is not a multiple of k?

extra bytes can be added at the end of the last block; however, it would be useful to know where the actual message ends...

Chaining ciphers - ECB

Some padding schemes

add padding in all cases (i.e., also when n is a multiple of k), so that the receiver never has to guess whether the last block is padded

if m bytes are added, fill each of them with the value m (used in e.g. RC5-CBC-PAD; the same rule as in PKCS#7)

if m bytes are added, fill them with the values 1, 2, ..., m (used in e.g. ESP in IPsec)

Chaining ciphers - ECB

ECB - Example

[Figure: the same image as the original, encrypted in ECB mode, and encrypted in another (chained) mode; the block structure of the image survives ECB.]

A feedback is introduced to link the blocks together.

[Figure: CBC. Each clear text block is XORed with the previous cipher text block (with the IV for the first block) before going through Enc under the Key.]

Cipher Block Chaining

[From Mårten Trolin]

Cipher Block Chaining

Errors

error in plaintext: a changed plaintext block changes its own ciphertext block and, through the chaining, every later one (the receiver still decrypts exactly what was sent, so this is not an integrity check)

bit error in ciphertext: the corresponding plaintext block is garbled completely and the same bit is flipped in the next plaintext block; all later blocks decrypt correctly

synchronisation error in ciphertext (lost or inserted bits)? the block boundaries shift and everything after the error is garbage until alignment is restored; losing a whole block costs only that block and the next one

What should be done with IV?

no need to be secret

should be transmitted (usually in front of the ciphertext)

can IV be reused? no: reusing an IV under the same key reveals whether two messages share a leading prefix, and for CBC the IV must in addition be unpredictable to an attacker who can choose plaintexts

CBC - issues

Can be done similarly as in ECB (the same two schemes: all m pad bytes equal to m, or the bytes 1, 2, ..., m; always pad).

CBC - padding

Some problems with padding ....

Assume that the same IV is used for all transmissions, together with one of the 2 padding schemes described above. Also assume that there is an oracle that answers whether a given ciphertext decrypts to a message ending with correct padding (available e.g. from an e-mail server using SSL/TLS that reacts differently to a padding error than to any other error). Is this secure?

Try sending to the oracle the blocks r, C_i ... (r is chosen by the attacker; the oracle then computes D_K(C_i) xor r and reveals whether that block ends in valid padding)

CBC - padding
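The attack the slide above sketches, carried out end to end, as an added example that is not part of the lecture. It also exercises the ECB repetition problem from the earlier slide (two equal plaintext blocks give two equal ciphertext blocks) and the "every pad byte equals m" scheme. The block cipher is a stand-in: a 4-round Feistel network over SHA-256 that is assumed only to be an invertible 16-byte permutation; the attack itself never looks inside the cipher, so it applies unchanged to AES. The slide's fixed-IV assumption is not needed: the attacker only has to know the IV, which is transmitted anyway. The function names (`padding_oracle`, `attack_block`, ...) and the sample plaintext are my own.

```python
# Added example, not from the slides: ECB leaking repeated blocks, CBC with
# "every pad byte equals m" padding, and the CBC padding-oracle attack.
# The block cipher is a stand-in (4-round Feistel over SHA-256).
import hashlib
import os

BLOCK = 16

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key: bytes, half: bytes, rnd: int) -> bytes:
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy 16-byte block cipher (Feistel network); stands in for AES."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, xor(left, _f(key, right, rnd))
    return left + right

def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = xor(right, _f(key, left, rnd)), left
    return left + right

def pad(msg: bytes) -> bytes:
    """Always append m in 1..BLOCK bytes, each of value m (RC5-CBC-PAD style)."""
    m = BLOCK - len(msg) % BLOCK
    return msg + bytes([m]) * m

def unpad(data: bytes) -> bytes:
    """Reject unless 1 <= m <= BLOCK and all m tail bytes equal m."""
    m = data[-1]
    if not 1 <= m <= BLOCK or data[-m:] != bytes([m]) * m:
        raise ValueError("bad padding")
    return data[:-m]

def ecb_encrypt(key: bytes, msg: bytes) -> bytes:
    p = pad(msg)   # each block on its own: equal blocks give equal output
    return b"".join(block_encrypt(key, p[i:i + BLOCK]) for i in range(0, len(p), BLOCK))

def cbc_encrypt(key: bytes, iv: bytes, msg: bytes) -> bytes:
    p, prev, out = pad(msg), iv, []
    for i in range(0, len(p), BLOCK):
        prev = block_encrypt(key, xor(p[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    prev, out = iv, []
    for i in range(0, len(ct), BLOCK):
        out.append(xor(block_decrypt(key, ct[i:i + BLOCK]), prev))
        prev = ct[i:i + BLOCK]
    return unpad(b"".join(out))

def padding_oracle(key: bytes, iv: bytes, ct: bytes) -> bool:
    """All the attacker learns from the server: did the padding check pass?"""
    try:
        cbc_decrypt(key, iv, ct)
    except ValueError:
        return False
    return True

def attack_block(oracle, prev: bytes, target: bytes) -> bytes:
    """Send (r, C_i); the oracle accepts exactly when D_K(C_i) xor r ends in valid
    padding m..m, which reveals D_K(C_i) one byte at a time from the end."""
    dec = bytearray(BLOCK)                      # D_K(target), filled from the end
    for m in range(1, BLOCK + 1):
        r = bytearray(BLOCK)
        for k in range(1, m):                   # force the known tail bytes to m
            r[-k] = dec[-k] ^ m
        for guess in range(256):
            r[-m] = guess
            if not oracle(bytes(r), target):
                continue
            if m == 1:                          # a 02 02 (or longer) tail also passes:
                r[-2] ^= 0xFF                   # disturb the byte before it and retest
                ok = oracle(bytes(r), target)
                r[-2] ^= 0xFF
                if not ok:
                    continue
            dec[-m] = guess ^ m
            break
    return xor(bytes(dec), prev)                # P_i = D_K(C_i) xor C_{i-1}

def padding_oracle_attack(oracle, iv: bytes, ct: bytes) -> bytes:
    blocks = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    pt = b"".join(attack_block(oracle, blocks[i - 1], blocks[i]) for i in range(1, len(blocks)))
    return unpad(pt)

def demo():
    key, iv = os.urandom(16), os.urandom(16)
    ecb = ecb_encrypt(key, b"A" * 32)           # two identical plaintext blocks
    ecb_leaks = ecb[:16] == ecb[16:32]
    secret = b"constructed sample: attack at dawn"   # never given to the attacker
    ct = cbc_encrypt(key, iv, secret)
    recovered = padding_oracle_attack(lambda r, c: padding_oracle(key, r, c), iv, ct)
    return ecb_leaks, recovered == secret
```

Each plaintext byte costs at most 256 oracle queries, so a 16-byte block falls in at most 4096 and the whole message is recovered without the key. In practice the oracle is a distinguishable TLS alert, an HTTP error code or a timing difference; the fix is to verify a MAC over the ciphertext before the padding is ever examined, or to use one of the authenticated modes listed later in the deck.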

CBC - alternative encryption of the last block

CBC - ciphertext stealing

Stream and block ciphers - Definition ?

Stream ciphers

Keystream generator

Self synchronizing stream cipher

Ciphertext Auto-Key (CTAK)

Another possibility: Key Auto-Key (KAK)

Stream ciphers - Insertion attack

Key generators - CFB (cipher feedback) mode

Key generators - LFSR (linear feedback shift registers)

Key generators - A5/1

A5/1, used in GSM: "less than one minute of computations, and a few seconds of known conversation".

Three LFSRs (19, 22 and 23 bits long) are clocked irregularly: a register is clocked if its clocking bit (shown in orange in the original figure) agrees with the majority of the clocking bits of all three registers, so at each step either two or all three registers move.

Key generators - RC4

Ron Rivest (RSA Security), 1987

Widely used in SSL, WEP etc.

The 104-bit key of RC4 as used in WEP can be recovered in less than a minute (a weakness of WEP's use of RC4 rather than a brute-force attack)

Key scheduling (KSA) and keystream generation (PRGA), written out as runnable Python; S is the 256-byte state (N = 256), the key has l bytes and all additions are modulo 256:

    def rc4_ksa(key):                   # KSA: S[i]=i for i in 0..N-1, j=0, then mix in the key
        S, j = list(range(256)), 0
        for i in range(256):
            j = (j + S[i] + key[i % len(key)]) % 256
            S[i], S[j] = S[j], S[i]
        return S

    def rc4_prga(S):                    # PRGA: one keystream byte z per step
        i = j = 0
        while True:
            i = (i + 1) % 256
            j = (j + S[i]) % 256
            S[i], S[j] = S[j], S[i]
            yield S[(S[i] + S[j]) % 256]

Key generators - RC4 (properties as listed on the slide)

– Easy computation, fast

– Can use large bit blocks and keys; stream based encryption; the key can be made to change at regular intervals using some extra programming

– Implementations in popular languages (C, Perl) are well documented

– Vulnerable to brute force attacks (with short keys); requires a large data structure (the 256-byte state)

– Proven breakable, as used in WEP, by researchers at AT&T and Rice University (August 2001): "one hour of brute force computation to break standard WEP"; once the key is broken all messages are easily readable

Quadratic residues and Blum Integers

If p and q are two primes, and both are congruent to 3 modulo 4, then n = p*q is sometimes called a Blum integer.

If n is a Blum integer, each quadratic residue modulo n has exactly four square roots in Z_n*.

Exactly one of them is itself a quadratic residue - the principal square root.

The function f: QR_n → QR_n defined by f(x) = x^2 mod n is a permutation of the set QR_n of quadratic residues (on all of Z_n* it is 4-to-1, not a permutation).

Its inverse is f^-1(x) = x^(((p-1)(q-1)+4)/8) mod n, an exponent that only someone who knows p and q can form.

Quadratic residues and Blum Integers

p, q - primes, n = pq

Guessing the least significant bit of the (principal) square root of a quadratic residue x mod n with any non-negligible advantage is as hard as factoring n.

Blum, Blum and Shub (BBS) key generator

Let n be a Blum integer. Choose a random quadratic residue x_0 (modulo n).

For i >= 0 let

x_{i+1} = x_i^2 mod n, b_i = the least significant bit of x_i

For each integer i, let BBS_{n,i}(x_0) = b_0 ... b_{i-1}

be the first i bits of the pseudo-random sequence generated from the seed x_0 by the BBS pseudo-random generator.

Note that b_i is the least significant bit of x_i = x_0^(2^i mod (p-1)(q-1)) mod n, so whoever knows p and q can jump directly to any position of the sequence.

BBS pseudo-random generator - analysis

Assume that the BBS pseudo-random generator with a Blum integer n is not unpredictable to the left (i.e. some bit can be guessed from the bits that follow it with non-negligible advantage).

Let y be a quadratic residue from Z_n*.

Compute BBS_{n,i-1}(y) for some i > 1.

Note that the last (i-1) bits of BBS_{n,i}(x) are also the first (i-1) bits of BBS_{n,i-1}(y), where x is the principal square root of y (since x_1 = x^2 = y).

Hence, if the BBS pseudo-random generator is not unpredictable to the left, there exists a method better than coin-tossing to determine the least significant bit of x from y, which, as mentioned above, is as hard as factoring n and therefore assumed impossible.

Choose a random x relatively prime to n, compute

x_0 = x^2 mod n

x_{i+1} = x_i^2 mod n, b_i = the least significant bit of x_i

BBS_{n,i}(x_0) = b_0 ... b_{i-1}
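An added example, not from the slides, that checks the Blum-integer facts above with toy-sized primes and runs the BBS generator forwards from the seed and, with the factorisation in hand, backwards: the point of the analysis is that without p and q the backward step is exactly the least-significant-bit-of-a-square-root problem. The primes p = 11, q = 19 and the seed are my assumptions, chosen small enough that the four-square-root claim can be verified by brute force; real use needs primes of RSA size. Function names are my own.

```python
# Added example (not from the slides): Blum integer, principal square root via
# the trapdoor exponent, BBS forwards and backwards.  Toy-sized primes.
from math import gcd

def is_blum_prime_pair(p: int, q: int) -> bool:
    return p % 4 == 3 and q % 4 == 3 and p != q

def is_qr(y: int, p: int, q: int) -> bool:
    """y is a quadratic residue mod pq iff it is one mod p and mod q (Euler's criterion)."""
    return pow(y, (p - 1) // 2, p) == 1 and pow(y, (q - 1) // 2, q) == 1

def square_roots(y: int, n: int) -> list:
    """Brute force: all x in Z_n* with x^2 = y (mod n); four of them for a Blum integer."""
    return [x for x in range(1, n) if gcd(x, n) == 1 and x * x % n == y]

def principal_sqrt(y: int, p: int, q: int) -> int:
    """The unique root that is itself a residue: y^(((p-1)(q-1)+4)/8) mod n."""
    return pow(y, ((p - 1) * (q - 1) + 4) // 8, p * q)

def bbs_bits(x0: int, n: int, count: int) -> list:
    """b_i = lsb(x_i), x_{i+1} = x_i^2 mod n; returns b_0 ... b_{count-1}."""
    bits, x = [], x0
    for _ in range(count):
        bits.append(x & 1)
        x = x * x % n
    return bits

def bbs_state(x0: int, i: int, p: int, q: int) -> int:
    """Random access: x_i = x0^(2^i mod (p-1)(q-1)) mod n (needs the factorisation)."""
    phi = (p - 1) * (q - 1)
    return pow(x0, pow(2, i, phi), p * q)

def run_backwards(x_i: int, p: int, q: int, steps: int) -> int:
    """With p, q the owner steps the state back: x_{i-1} = principal_sqrt(x_i)."""
    x = x_i
    for _ in range(steps):
        x = principal_sqrt(x, p, q)
    return x

def demo(p: int = 11, q: int = 19, seed: int = 7, count: int = 8):
    assert is_blum_prime_pair(p, q)
    n = p * q
    x0 = seed * seed % n                     # x0 must be a quadratic residue
    forward = bbs_bits(x0, n, count)
    x_last = bbs_state(x0, count - 1, p, q)  # state after count-1 squarings
    # Whoever knows p and q can run the generator back to the seed state ...
    recovered_x0 = run_backwards(x_last, p, q, count - 1)
    # ... and each residue has exactly four roots, exactly one of them a residue.
    roots = square_roots(x0 * x0 % n, n)
    residue_roots = [r for r in roots if is_qr(r, p, q)]
    return forward, recovered_x0 == x0, len(roots), residue_roots == [x0]
```

Without p and q the only way to go from x_1 back to x_0 is to pick the right one of the four square roots, and the analysis above says that even guessing its last bit with any advantage is as hard as factoring n.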

Key generators - OFB (output feedback) mode

Keystream generator in OFB mode

CFB (cipher feedback) mode

Chaining in CFB mode

Errors

error in plaintext: the ciphertext block and, since ciphertext is fed back, all later ciphertext blocks change; the receiver still recovers exactly the plaintext that was sent

bit error in ciphertext: flips the same bit in the corresponding plaintext and garbles the output for as long as the erroneous bits sit in the shift register; after that the stream recovers

synchronisation error in ciphertext? lost or inserted ciphertext bits garble the output only until the shift register has been refilled from correct ciphertext (for r-bit CFB with block length n, after n/r further units), which is what makes CFB self-synchronising

What should be done with IV?

no need to be secret

should be transmitted

should be unique! with the same key and IV the keystream repeats until the two ciphertexts first differ, and XORing the ciphertexts cancels it

CFB - issues

OFB (output feedback) mode

Chaining in OFB mode

Just as with other stream ciphers, flipping a bit in the ciphertext produces a flipped bit in the plaintext at the same location. This property allows many error correcting codes to function normally even when applied before encryption; it also lets an attacker flip chosen plaintext bits undetected, so OFB, like any stream mode, needs a MAC for integrity.

Chaining in counter (CTR) mode

Data integrity and MAC

CBC-MAC

Issues:

- not secure for variable-length messages: from one-block messages M1, M2 and their tags T1, T2, the two-block message M1 || (M2 xor T1) has tag T2, without any use of the key (appending the message length to the computation does not repair this; prepending it as the first block, so that no valid encoding is a prefix of another, does)

- different keys should be used for chaining (encryption) and MAC (ok, this should always be the case!)
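The variable-length weakness stated above, as an added example that is not from the slides. E_K is HMAC-SHA256 truncated to 16 bytes, standing in for a block cipher: CBC-MAC only ever calls E_K in the forward direction, and the forgery works for any E_K, AES included. The key and the message texts are constructed sample data; `forge` and `length_prefixed_mac` are my own names.

```python
# Added example (not from the slides): CBC-MAC over a PRF stand-in, the
# two-block forgery for variable-length messages, and the length-prefix fix.
import hashlib
import hmac

BLOCK = 16

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def E(key: bytes, block: bytes) -> bytes:
    """Stand-in for block-cipher encryption: a keyed PRF on 16-byte blocks."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def cbc_mac(key: bytes, msg: bytes) -> bytes:
    """Raw CBC-MAC: zero IV, tag = last chaining value; msg is whole blocks."""
    assert len(msg) % BLOCK == 0
    state = bytes(BLOCK)
    for i in range(0, len(msg), BLOCK):
        state = E(key, xor(state, msg[i:i + BLOCK]))
    return state

def forge(pairs):
    """From (M1, T1) and (M2, T2), one block each, build a third valid pair with no
    key: the chaining value after M1 is T1, and T1 xor (M2 xor T1) == M2, so
    CBC-MAC(M1 || (M2 xor T1)) == T2."""
    (m1, t1), (m2, t2) = pairs
    return m1 + xor(m2, t1), t2

def length_prefixed_mac(key: bytes, msg: bytes) -> bytes:
    """Prepend the length as a full block; the encoding is then prefix-free."""
    return cbc_mac(key, len(msg).to_bytes(BLOCK, "big") + msg)

def demo():
    key = b"constructed-demo-key"
    m1 = b"pay 100 to alice"              # 16 bytes each, constructed messages
    m2 = b"pay 100 to bob  "
    t1, t2 = cbc_mac(key, m1), cbc_mac(key, m2)
    forged_msg, forged_tag = forge([(m1, t1), (m2, t2)])
    raw_forgery_ok = cbc_mac(key, forged_msg) == forged_tag
    # Same trick against the length-prefixed variant: the forged 32-byte message
    # is tagged under a different first (length) block, so the tag no longer fits.
    lp1, lp2 = length_prefixed_mac(key, m1), length_prefixed_mac(key, m2)
    fmsg, ftag = forge([(m1, lp1), (m2, lp2)])
    prefixed_forgery_ok = length_prefixed_mac(key, fmsg) == ftag
    return raw_forgery_ok, prefixed_forgery_ok
```

The attacker needs only two legitimately tagged one-block messages; the forged message decrypts to "M1 followed by garbage", which is enough wherever the verifier only checks the tag. CMAC (next slide) fixes the same problem by masking the final block with a derived subkey instead of prepending the length.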

CMAC

Length of MAC?

Birthday paradox:

What should be the size k of a group of people such that, with probability 1/2, at least two persons from the group have their birthday on the same day?
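Worked answer to the question, added here and not on the slide, in the slide's notation, with the consequence for an m-bit MAC:

$$
P(\text{no shared birthday among } k) = \prod_{i=0}^{k-1}\Bigl(1-\frac{i}{365}\Bigr)
\approx \exp\Bigl(-\sum_{i=0}^{k-1}\frac{i}{365}\Bigr)
= \exp\Bigl(-\frac{k(k-1)}{730}\Bigr),
$$

which equals $1/2$ when $k(k-1) = 730\ln 2 \approx 506$, i.e. $k = 23$ (indeed $23 \cdot 22 = 506$). With $N = 2^{m}$ possible tag values in place of the 365 days, the same computation gives a collision with probability about $1/2$ after

$$
k \approx \sqrt{2N\ln 2} \approx 2^{m/2}
$$

tagged messages. For a MAC built by chaining $m$-bit blocks this is the point at which two messages with the same internal chaining value appear, which is what the collision attacks on CBC-MAC exploit; so the tag length and the block size behind it must be about twice the intended security level (a 64-bit block cipher gives only about $2^{32}$ messages of safety margin per key).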


Combining chaining and data integrity

CCM - Counter with CBC-MAC

EAX - an Authenticated Encryption with Associated Data (AEAD) mode, as are the other three

GCM - Galois/Counter Mode

OCB - Offset Codebook Mode

OCB mode

GCM mode (Galois/Counter Mode)

Combines privacy and data integrity protection

Defined for 128-bit blocks

mult_H - multiplication by the hash key H = E_K(0^128) in GF(2^128), the field with reduction polynomial x^128 + x^7 + x^2 + x + 1

Disk encryption

Some additional constraints:

• limited length chaining (e.g. at sector level, around 512 bytes)
• implementation shall efficiently encrypt and decrypt data in any sector (random access)
• implementation shall use only a constant amount of additional storage for a device of arbitrary size
• the integrity problem is important (and there is no room for a MAC per sector)

CBC: IV for each sector derived from the sector number etc.; if the IV is predictable (the plain sector number), an attacker who controls file contents can create recognisable patterns in the ciphertext

LRW (Tweakable Narrow-Block Encryption): C = E_K(P xor X) xor X, with X = F (x) I

K - key, F - additional key, I - block index (tweak), (x) - multiplication in GF(2^128)

ECB - overview

CBC - overview

Probably most useful. Best for encrypting files (usually no synchronization errors).

CFB - overview

Recoverable synchronization errors. Mainly used in stream mode.

OFB - overview

Recommended for error-prone environments.

Some other chaining modes

Counter Mode. Characteristics similar to OFB. Useful when instant access to a random part of the message is desirable.

Block Chaining Mode (BC). Similar to CBC, but XORs all previous ciphertext blocks into the next one. No error tolerance.

Propagating Cipher Block Chaining Mode (PCBC). Similar to CBC, but both the previous ciphertext and the previous plaintext block are XORed into the next one. Used in Kerberos (before version 5). Swapping two ciphertext blocks does not affect the integrity check (the blocks after the swap still decrypt correctly)!

Output feedback with a non-linear function (OFBNLF). Variant of OFB/ECB with K_i = E_K(K_{i-1}).

Interleaving

