Data Encryption Standard (DES)
Dr. Monther Aldwairi, New York Institute of Technology - Amman Campus, 10/18/2010
INCS 741: Cryptography
10/18/2009 1Dr. Monther Aldwairi
Block Ciphers
Block Ciphers
Stream ciphers process messages a bit, byte or character at a time when encrypting/decrypting
‒ Vigenère cipher
‒ Caesar cipher
Block ciphers process messages in fixed-size blocks
‒ each block is encrypted like a substitution on a very big alphabet: "characters" of 64 bits or more
‒ Hill cipher: block size 2 letters
‒ DES: block size 64 bits
Ideal Block Cipher
Shannon Properties of a Good Cryptosystem
Diffusion
– Each plaintext digit affects the values of many ciphertext digits, and vice versa.
– Achieved by applying a permutation and then a function to the data, so that many different plaintext digits contribute to a single ciphertext digit
– primitive: permutation (P-box)
Confusion
– The key does not relate in a simple way to the ciphertext.
– Ciphertext statistics cannot give up the key
– Achieved by a complex substitution algorithm
– primitive: substitution (S-box)
Feistel Cipher
Virtually all conventional block encryption algorithms have the structure described by Horst Feistel of IBM in 1973:
– partition the input block into two halves
– process through multiple rounds
– each round performs a substitution on the left half, driven by a round function of the right half and the round subkey
– then a permutation swaps the two halves
– implements Shannon's S-P (substitution-permutation) network concept
Feistel Cipher Structure
Feistel Cipher Design Elements
block size: larger size improves security, but slows cipher
key size: increasing size makes exhaustive key searching harder, but may slow cipher.
number of rounds: increasing number improves security, but slows cipher
sub key generation algorithm: greater complexity can make cryptanalysis harder, but slows cipher
round function: greater complexity can make analysis harder, but slows cipher
fast software en/decryption: concern for practical use
ease of analysis: easier validation & testing of strength
Feistel Cipher Decryption
Data Encryption Standard (DES)
Data Encryption Standard (DES)
The most widely used block cipher
– adopted in 1977 by NBS (now NIST) as FIPS PUB 46
The plaintext is processed in 64-bit blocks
The key is 56 bits in length
Controversy over its security
– choice of a 56-bit key (vs. the 128-bit key of IBM's Lucifer)
– DES itself is public, but the design criteria (notably for the S-boxes) were classified
– subsequent events and public analysis showed that the design was in fact appropriate
– use of DES flourished in financial applications
– still found in legacy applications
DES Overview - Encryption
[Figure: 64-bit input -> Initial Permutation -> Round 1 ... Round 16 -> swap left and right halves -> Final Permutation -> 64-bit output. The 56-bit key generates 16 per-round 48-bit keys, K1 used in Round 1 through K16 in Round 16.]
DES Overview - Decryption
[Figure: the same structure as encryption: 64-bit input -> Initial Permutation -> Round 1 ... Round 16 -> swap left and right halves -> Final Permutation. The 56-bit key generates the same 16 per-round 48-bit keys, now applied in reverse order: K16 in Round 1 through K1 in Round 16.]
DES Encryption
Initial Permutation (IP)
IP reorders the input data bits:
– arrange the 64 bits into an 8 × 8 table
– permute: the even-numbered columns become rows (read from the bottom up), followed by the odd-numbered columns
– Example: IP(675a6967 5e5a6b5a) = (ffb2194d 004df6fb)
Input 675a6967 5e5a6b5a, bit 1 first (the rows of the 8 × 8 table):
0110 0111  0101 1010  0110 1001  0110 0111  0101 1110  0101 1010  0110 1011  0101 1010
Output ffb2194d 004df6fb:
1111 1111  1011 0010  0001 1001  0100 1101  0000 0000  0100 1101  1111 0110  1111 1011
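The bit-permutation primitive behind IP, as an added example that is not part of the slides: a generic table-driven permutation (the same operation DES uses for IP, E, P, PC-1 and PC-2), the IP table copied from the slides, the inverse table derived from it, and a check that the slide's IP example and the IP^-1 table printed later in the deck are consistent. Bit positions are 1-indexed with bit 1 the most significant bit of the block, as in FIPS 46; the function names are this example's own.

```python
# Added example, not from the slides: DES permutation tables as bit-position lists.
# Bit 1 is the most significant bit of the 64-bit block, as in FIPS 46.
IP = [58, 50, 42, 34, 26, 18, 10, 2,  60, 52, 44, 36, 28, 20, 12, 4,
      62, 54, 46, 38, 30, 22, 14, 6,  64, 56, 48, 40, 32, 24, 16, 8,
      57, 49, 41, 33, 25, 17, 9, 1,   59, 51, 43, 35, 27, 19, 11, 3,
      61, 53, 45, 37, 29, 21, 13, 5,  63, 55, 47, 39, 31, 23, 15, 7]

# Final permutation table as printed on the "Inverse Initial Permutation" slide.
FP = [40, 8, 48, 16, 56, 24, 64, 32,  39, 7, 47, 15, 55, 23, 63, 31,
      38, 6, 46, 14, 54, 22, 62, 30,  37, 5, 45, 13, 53, 21, 61, 29,
      36, 4, 44, 12, 52, 20, 60, 28,  35, 3, 43, 11, 51, 19, 59, 27,
      34, 2, 42, 10, 50, 18, 58, 26,  33, 1, 41, 9, 49, 17, 57, 25]


def permute(bits, table):
    """Output bit i is input bit table[i]; every DES permutation works this way."""
    return [bits[p - 1] for p in table]


def inverse_table(table):
    """If output position i came from input position j, the inverse sends input i to output j."""
    inv = [0] * len(table)
    for out_pos, in_pos in enumerate(table, start=1):
        inv[in_pos - 1] = out_pos
    return inv


def hex_to_bits(hexstr, width=64):
    value = int(hexstr.replace(" ", ""), 16)
    return [(value >> (width - 1 - i)) & 1 for i in range(width)]


def bits_to_hex(bits):
    return "%0*x" % (len(bits) // 4, int("".join(map(str, bits)), 2))


def initial_permutation(hex_block):
    return bits_to_hex(permute(hex_to_bits(hex_block), IP))


def final_permutation(hex_block):
    """IP^-1, computed from IP rather than typed in, so a table typo cannot hide."""
    return bits_to_hex(permute(hex_to_bits(hex_block), inverse_table(IP)))


def fp_is_inverse_of_ip():
    """The FP table on the slides must be exactly the inverse of IP."""
    return inverse_table(IP) == FP
```

Deriving IP^-1 from IP instead of keying in a second table is the habit worth copying from this: the two tables are only correct together, and `fp_is_inverse_of_ip()` is the check that catches a transposition in either one.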
A DES Round
[Figure: 64-bit input split into 32-bit Ln and 32-bit Rn. The mangler function takes Rn and the 48-bit round key Kn; its output is XORed into Ln. Output: Ln+1 = Rn and Rn+1 = Ln xor f(Rn, Kn), recombined as a 64-bit block.]
DES Round Details
Uses two 32-bit halves L & R, as for any Feistel cipher; a round can be described as:
Li = Ri–1
Ri = Li–1 xor F(Ri–1, Ki)
F takes the 32-bit R half and the 48-bit subkey:
– expands R to 48 bits using the expansion permutation E
– adds the subkey with XOR: E(R) XOR K gives 48 bits, which are split into 8 blocks of 6 bits each
– substitutes each block using one of 8 S-boxes (6 bits in, 4 bits out) to get a 32-bit result
– each S-box has 4 rows and 16 columns; the first and last input bits select the row, the remaining 4 bits select the column
– finally permutes the 32 bits using permutation P
E and P provide diffusion; the S-boxes provide confusion.
The Mangler Function
[Figure: the 32-bit R is expanded into 8 groups of 6 bits; each group is XORed with 6 bits of the round key; S1 ... S8 each map 6 bits to 4 bits; the resulting 8 × 4 = 32 bits pass through permutation P.]
Calculation of F(R, K)
Substitution Boxes S
Have eight S-boxes which map 6 bits to 4 bits
Each S-box is actually 4 little 4-bit boxes
– outer bits 1 & 6 (row bits) select one of the 4 rows
– inner bits 2-5 (column bits) are substituted
– result is 8 lots of 4 bits, or 32 bits
Row selection depends on both data & key
– feature known as autoclaving (autokeying)
Example (eight 6-bit inputs written in hex): S(18 09 12 3d 11 17 38 39) = 5fd25e03
DES Subkey Generation
To form the subkeys used in each round:
– an initial permutation of the key (PC-1) selects 56 bits, in two 28-bit halves
– 16 stages, each consisting of:
 1. rotating each half separately left by either 1 or 2 places, depending on the key rotation schedule
 2. selecting 24 bits from each half & permuting them by PC-2 for use in the round function F
Note the practical implementation differences in hardware vs. software
DES Example
© Summer 2007 CPE 542 Network Security 25
Generating the Per-Round Keys
[Figure: 64-bit key -> PC-1 (initial permutation of the key) -> C0 || D0 -> rotate each half left -> C1 || D1 -> PC-2 (permutation with discard) -> 48-bit K1]
PC-1, bits selected for C0:
57 49 41 33 25 17 9
1 58 50 42 34 26 18
10 2 59 51 43 35 27
19 11 3 60 52 44 36
PC-1, bits selected for D0:
63 55 47 39 31 23 15
7 62 54 46 38 30 22
14 6 61 53 45 37 29
21 13 5 28 20 12 4
PC-2, bits of Ci || Di forming the left half of Ki:
14 17 11 24 1 5
3 28 15 6 21 10
23 19 12 4 26 8
16 7 27 20 13 2
PC-2, bits of Ci || Di forming the right half of Ki:
41 52 31 37 47 55
30 40 51 45 33 48
44 49 39 56 34 53
46 42 50 36 29 32
Process the Key
Get a 64-bit key from the user. Every 8th bit (the least significant bit of each byte) is considered a parity bit. For a key to have correct parity, each byte should contain an odd number of "1" bits.
The parity bits (the 8th, 16th, ..., 64th bits) are discarded, reducing the key to 56 bits.
Key Schedule
Calculate the key schedule. Permuted Choice 1 (PC-1):
57 49 41 33 25 17 9
1 58 50 42 34 26 18
10 2 59 51 43 35 27
19 11 3 60 52 44 36
63 55 47 39 31 23 15
7 62 54 46 38 30 22
14 6 61 53 45 37 29
21 13 5 28 20 12 4
Split the permuted key (56 bits) into two halves. The first 28 bits are called C0 and the last 28 bits are called D0.
PC-1 example
M = 0000000000000000000000000000000100000000000000000000000000000001
K = 1000000000000000000000000000000010000000000000000000000000000000
The first round key is computed as follows:
PC-1(K) = 00010001000000000000000000000000000000000000000000000000
C0 = 0001000100000000000000000000
D0 = 0000000000000000000000000000
Calculate Sub keys
Calculate the 16 subkeys. Perform one or two circular left shifts on both Ci-1 and Di-1 to get Ci and Di, respectively. The number of shifts per iteration is given in the table below.
Round #:     1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
Left shifts: 1 1 2 2 2 2 2 2 1  2  2  2  2  2  2  1
PC-2
Calculate the key schedule. Permuted Choice 2 (PC-2) contracts the 56-bit Ci || Di to a 48-bit round key:
14 17 11 24 1 5
3 28 15 6 21 10
23 19 12 4 26 8
16 7 27 20 13 2
41 52 31 37 47 55
30 40 51 45 33 48
44 49 39 56 34 53
46 42 50 36 29 32
Loop back to the shift step until K16 has been calculated
PC-2 example
M = 0000000000000000000000000000000100000000000000000000000000000001
K = 1000000000000000000000000000000010000000000000000000000000000000
The first round key is computed as follows:
PC-1(K) = 00010001000000000000000000000000000000000000000000000000
C1 = C0 rotated left by 1 = 0001000100000000000000000000 <<< 1 = 0010001000000000000000000000
D1 = D0 rotated left by 1 = 0000000000000000000000000000 <<< 1 = 0000000000000000000000000000
PC-2(C1 || D1) = PC-2(00100010000000000000000000000000000000000000000000000000)
SK1 = 000000100000000000010000000000000000000000000000
DES Example
Process Data Block
Initial Permutation (IP) on the 64-bit data block:
58 50 42 34 26 18 10 2
60 52 44 36 28 20 12 4
62 54 46 38 30 22 14 6
64 56 48 40 32 24 16 8
57 49 41 33 25 17 9 1
59 51 43 35 27 19 11 3
61 53 45 37 29 21 13 5
63 55 47 39 31 23 15 7
Round i
Split the block into two halves. The first 32 bits are called L0, and the last 32 bits are called R0. Apply the 16 subkeys to the data block, starting with SK1.
Expand the 32-bit Ri-1 (R0 in round 1) into 48 bits according to the expansion permutation E:
32 1 2 3 4 5
4 5 6 7 8 9
8 9 10 11 12 13
12 13 14 15 16 17
16 17 18 19 20 21
20 21 22 23 24 25
24 25 26 27 28 29
28 29 30 31 32 1
Exclusive-or E(Ri-1) with SKi
Round i/S-Boxes
Eight S-boxes accept 6-bit inputs and produce 4-bit outputs.
Break E(Ri-1) xor SKi into eight 6-bit input blocks: bits 1-6 are B1, bits 7-12 are B2, and so on, with bits 43-48 being B8.
Take the 1st and 6th bits of Bj together as a 2-bit value indicating the row in Sj.
Take the 2nd through 5th bits of Bj together as a 4-bit value indicating the column in Sj to find the substitution.
S-Boxes
S1
14 4 13 1 2 15 11 8 3 10 6 12 5 9 0 7
0 15 7 4 14 2 13 1 10 6 12 11 9 5 3 8
4 1 14 8 13 6 2 11 15 12 9 7 3 10 5 0
15 12 8 2 4 9 1 7 5 11 3 14 10 0 6 13
S2
15 1 8 14 6 11 3 4 9 7 2 13 12 0 5 10
3 13 4 7 15 2 8 14 12 0 1 10 6 9 11 5
0 14 7 11 10 4 13 1 5 8 12 6 9 3 2 15
13 8 10 1 3 15 4 2 11 6 7 12 0 5 14 9
S3
10 0 9 14 6 3 15 5 1 13 12 7 11 4 2 8
13 7 0 9 3 4 6 10 2 8 5 14 12 11 15 1
13 6 4 9 8 15 3 0 11 1 2 12 5 10 14 7
1 10 13 0 6 9 8 7 4 15 14 3 11 5 2 12
S4
7 13 14 3 0 6 9 10 1 2 8 5 11 12 4 15
13 8 11 5 6 15 0 3 4 7 2 12 1 10 14 9
10 6 9 0 12 11 7 13 15 1 3 14 5 2 8 4
3 15 0 6 10 1 13 8 9 4 5 11 12 7 2 14
S5
2 12 4 1 7 10 11 6 8 5 3 15 13 0 14 9
14 11 2 12 4 7 13 1 5 0 15 10 3 9 8 6
4 2 1 11 10 13 7 8 15 9 12 5 6 3 0 14
11 8 12 7 1 14 2 13 6 15 0 9 10 4 5 3
S6
12 1 10 15 9 2 6 8 0 13 3 4 14 7 5 11
10 15 4 2 7 12 9 5 6 1 13 14 0 11 3 8
9 14 15 5 2 8 12 3 7 0 4 10 1 13 11 6
4 3 2 12 9 5 15 10 11 14 1 7 6 0 8 13
S7
4 11 2 14 15 0 8 13 3 12 9 7 5 10 6 1
13 0 11 7 4 9 1 10 14 3 5 12 2 15 8 6
1 4 11 13 12 3 7 14 10 15 6 8 0 5 9 2
6 11 13 8 1 4 10 7 9 5 0 15 14 2 3 12
S8
13 2 8 4 6 15 11 1 10 9 3 14 5 0 12 7
1 15 13 8 10 3 7 4 12 5 6 11 0 14 9 2
7 11 4 1 9 12 14 2 0 6 10 13 15 3 5 8
2 1 14 7 4 10 8 13 15 12 9 0 3 5 6 11
Permutation (P)
Permute the concatenation of the S-box outputs S1(B1) through S8(B8) (32 bits) with permutation P:
16 7 20 21
29 12 28 17
1 15 23 26
5 18 31 10
2 8 24 14
32 27 3 9
19 13 30 6
22 11 4 25
Exclusive-or the resulting value with Li-1. Thus, all together, Ri = Li-1 xor P(S1(B1)...S8(B8)), where Bj is a 6-bit block of E(Ri-1) xor SKi.
The function for Ri is more concisely written as Ri = Li-1 xor f(Ri-1, Ki).
Inverse Initial Permutation IP-1
Loop back to the expansion step until SK16 has been applied.
Perform the final permutation on the block R16 || L16 (the halves are swapped after round 16).
Final Permutation (IP-1):
40 8 48 16 56 24 64 32
39 7 47 15 55 23 63 31
38 6 46 14 54 22 62 30
37 5 45 13 53 21 61 29
36 4 44 12 52 20 60 28
35 3 43 11 51 19 59 27
34 2 42 10 50 18 58 26
33 1 41 9 49 17 57 25
DES Example: round 1
Round key SK1 = 000000100000000000010000000000000000000000000000
(This trace applies the round directly to the two halves of M, without the initial permutation, and labels the inputs to round 1 as L1 and R1.)
L1 = 00000000000000000000000000000001
R1 = 00000000000000000000000000000001
Apply E to R1: 100000000000000000000000000000000000000000000010
XOR with K1:
  000000100000000000010000000000000000000000000000
⊕ 100000000000000000000000000000000000000000000010
= 100000||100000||000000||010000||000000||000000||000000||000010
S-box outputs: S1: 0100  S2: 0000  S3: 1010  S4: 0001  S5: 0010  S6: 1100  S7: 0100  S8: 0010
P-box output: 10010000000100101000000110001100
XOR with L1:
  10010000000100101000000110001100
⊕ 00000000000000000000000000000001
= 10010000000100101000000110001101
Resulting block, written on the slide as R1 || L1 (the old right half, which becomes the new left half, followed by the new right half):
00000000000000000000000000000001 || 10010000000100101000000110001101
A full 16-round example: http://www.adeptscience.co.uk/products/mathsim/maple/powertools/cryptography/HTML/DES-Example.html
http://www.eventid.net/docs/desexample.asp
DES Decryption
Decryption must unwind the steps of the data computation.
With the Feistel design, do the encryption steps again using the subkeys in reverse order (SK16 ... SK1):
‒ IP undoes the final FP step of encryption
‒ the 1st round with SK16 undoes the 16th encryption round
‒ ...
‒ the 16th round with SK1 undoes the 1st encryption round
‒ then the final FP undoes the initial IP of encryption
‒ thus recovering the original data value
Avalanche Effect
A key desirable property of an encryption algorithm: a change of one input bit or one key bit changes approximately half of the output bits.
This makes attempts to "home in" on the key by guessing impossible: a nearly correct key produces output no closer to the correct one than a random key does.
DES exhibits a strong avalanche effect.
Strength of DES – Key Size
56-bit keys have 2^56 = 7.2 x 10^16 values
A brute-force search looked hard, but subsequent work showed it is feasible:
‒ in 1997, over the Internet, in a few months
‒ in 1998, on dedicated hardware (the EFF machine), in a few days
‒ in 1999, the two combined, in 22 hours
The attacker must still be able to recognize the correct plaintext
Alternatives to DES must now be considered
Average time required for exhaustive key search
Key size (bits) | Number of alternative keys | Time required at 10^6 decryptions/µs
32 | 2^32 = 4.3 x 10^9 | 2.15 milliseconds
56 | 2^56 = 7.2 x 10^16 | 10 hours
128 | 2^128 = 3.4 x 10^38 | 5.4 x 10^18 years
168 | 2^168 = 3.7 x 10^50 | 5.9 x 10^30 years
(Times are for searching half the key space on average. Taken from Henric Johnson's slides.)
Strength of DES – Analytic Attacks
Now have several analytic attacks on DES. These utilize some deep structure of the cipher:
‒ by gathering information about encryptions
‒ can eventually recover some/all of the subkey bits
‒ if necessary, then exhaustively search for the rest
Generally these are statistical attacks:
‒ differential cryptanalysis
‒ linear cryptanalysis
‒ related-key attacks
Differential Cryptanalysis
Murphy, Biham & Shamir published it in the early 90's: a powerful method to analyze block ciphers, used to analyze most current block ciphers with varying degrees of success. DES is reasonably resistant to it.
‒ a statistical attack against Feistel ciphers
‒ uses cipher structure not previously exploited
‒ the design of S-P networks has the output of function f influenced by both input & key
‒ hence cannot trace values back through the cipher without knowing the value of the key
‒ differential cryptanalysis compares two related pairs of encryptions
Differential Cryptanalysis
Have some input difference giving some output difference with probability p
If we find instances of some higher-probability input/output difference pairs occurring, we can infer the subkey that was used in that round
Must then iterate the process over many rounds (with decreasing probabilities)
Compares Pairs of Encryptions
with a known difference in the input, searching for a known difference in the output when the same subkeys are used
Differential Cryptanalysis
Differential Cryptanalysis
Perform the attack by repeatedly encrypting plaintext pairs with a known input XOR until the desired output XOR is obtained. When found:
– if the intermediate rounds match the required XOR, we have a right pair
– if not, we have a wrong pair; the ratio of right to wrong pairs is the S/N of the attack
Can then deduce key values for the rounds:
– right pairs suggest the same key bits
– wrong pairs give random values
For large numbers of rounds the probability is so low that more pairs are required than exist with 64-bit inputs
Biham and Shamir showed how a 13-round iterated characteristic can break the full 16-round DES, given 2^47 chosen plaintexts
Linear Cryptanalysis
Another recent development, also a statistical method; must be iterated over rounds, with decreasing probabilities
Developed by Matsui et al. in the early 90's, based on finding linear approximations
Can attack DES with 2^43 known plaintexts: easier than brute force, but still infeasible in practice
Linear Cryptanalysis
Find linear approximations with probability p != 1/2:
P[i1,i2,...,ia] ⊕ C[j1,j2,...,jb] = K[k1,k2,...,kc]
where ia, jb, kc are bit locations in P, C and K, and X[a,b,...] denotes the XOR of the listed bits of X
This gives a linear equation for key bits; one key bit is obtained using a maximum-likelihood algorithm over a large number of trial encryptions
Effectiveness is given by the bias |p – 1/2|: the number of known plaintexts needed grows as 1/|p – 1/2|^2
Triple DES
Use three keys and three executions of the DES algorithm (encrypt-decrypt-encrypt):
C = EK3[ DK2[ EK1[P] ] ]
C = ciphertext, P = plaintext
EK[X] = encryption of X using key K
DK[Y] = decryption of Y using key K
Nominal key length of 168 bits with three independent keys; the meet-in-the-middle attack reduces the effective strength to about 112 bits. Setting K1 = K2 = K3 makes 3DES interoperate with single DES.
Other Symmetric Block Ciphers
International Data Encryption Algorithm (IDEA)
‒ 128-bit key
‒ used in PGP
Blowfish
‒ easy to implement
‒ high execution speed
‒ runs in less than 5K of memory
Other Symmetric Block Ciphers
RC5
‒ suitable for hardware and software
‒ fast, simple
‒ adaptable to processors of different word lengths
‒ variable number of rounds
‒ variable-length key
‒ low memory requirement
‒ high security
‒ data-dependent rotations
CAST-128
‒ key size from 40 to 128 bits
‒ the round function differs from round to round
Modes of Operation
Block ciphers encrypt fixed-size blocks, e.g. DES encrypts 64-bit blocks with a 56-bit key
Need a way to use them in practice, given that there is usually an arbitrary amount of information to encrypt
Four standard modes were defined for DES (ECB, CBC, CFB and OFB, in FIPS 81); a fifth, CTR, was added later (NIST SP 800-38A), and they can be used with other block ciphers: 3DES and AES.
Electronic Codebook (ECB)
The message is broken into independent blocks, which are encrypted separately
Each block is a value which is substituted, like a codebook entry, hence the name
Each block is encrypted independently of the other blocks: Ci = DESK1(Pi)
Uses: secure transmission of single values
Advantages and Limitations of ECB
Repetitions in the message may show in the ciphertext
– if they are aligned with message blocks
– with messages that change very little, which become a codebook-analysis problem
The weakness is due to the encrypted message blocks being independent
Main use is sending a few blocks of data
Cipher Block Chaining (CBC)
The message is broken into blocks, but these are linked together in the encryption operation
Each previous ciphertext block is chained with the current plaintext block, hence the name
An initialization vector (IV) starts the process
Ci = DESK1(Pi XOR Ci-1)
C-1 = IV
Uses: bulk data encryption, authentication
Cipher Block Modes of Operation
Cipher Block Chaining Mode (CBC)
‒ The input to the encryption algorithm is the XOR of the current plaintext block and the preceding ciphertext block.
‒ Repeating 64-bit patterns in the plaintext are not exposed in the ciphertext.
Advantages and Limitations of CBC
Each ciphertext block depends on all preceding message blocks
Thus a change in the message affects all ciphertext blocks after the change, as well as the original block
Need an initialization vector (IV) known to sender & receiver
– however, if the IV is sent in the clear, an attacker can change bits of the first plaintext block by changing the corresponding IV bits, since decryption computes P1 = DK(C1) XOR IV
– the older remedy was a fixed IV, or an IV sent encrypted in ECB mode before the rest of the message; in current practice the IV is unpredictable (fresh for every message) and the IV and ciphertext are covered by a MAC, because a fixed IV reveals when two messages start with the same block and CBC on its own provides no integrity
Cipher FeedBack (CFB)
The message is treated as a stream of bits, added to the output of the block cipher
The result is fed back for the next stage (hence the name)
The standard allows any number of bits (1, 8 or 64, or whatever) to be fed back
– denoted CFB-1, CFB-8, CFB-64, etc.
It is most efficient to use all 64 bits (CFB-64):
Ci = Pi XOR DESK1(Ci-1)
C-1 = IV
Uses: stream data encryption, authentication
Advantages and Limitations of CFB
Appropriate when data arrives in bits/bytes
Most common stream mode
Limitation is the need to stall while doing a block encryption after every n bits
Errors propagate for several blocks after the error
Output FeedBack (OFB)
• The message is treated as a stream of bits
• The output of the cipher is added to the message
• The output is then fed back (hence the name)
• The feedback is independent of the message
• The key stream can therefore be computed in advance
Ci = Pi XOR Oi
Oi = DESK1(Oi-1)
O-1 = IV
Advantages and Limitations of OFB
Used when error feedback is a problem, or where encryptions are needed before the message is available
Superficially similar to CFB, but the feedback is from the output of the cipher and is independent of the message
Sender and receiver must remain in sync, and some recovery method is needed to ensure this occurs
Originally specified with m-bit feedback in the standards
Subsequent research showed that only full-block feedback (OFB-64) should be used, since smaller feedback sizes give a much shorter expected key-stream period
Counter (CTR)
A “new” mode, though proposed early on
Similar to OFB, but encrypts a counter value rather than any feedback value
Must have a different counter value for every plaintext block (never reused):
Ci = Pi XOR Oi
Oi = DESK1(i)
Uses: high-speed network encryption
Advantages and Limitations of CTR
Efficiency
– can do parallel encryptions
– random access to encrypted data blocks
Provable security (as good as the other modes)
But must ensure the key/counter pair is never reused; otherwise the XOR of two ciphertexts reveals the XOR of the two plaintexts (the same failure as key-stream reuse in OFB)
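The Feistel structure from the Feistel Cipher slides and the ECB, CBC and CTR modes above, as one added example that is not from the slides. The block cipher inside it is a toy 64-bit Feistel network with a truncated SHA-256 as round function: deliberately not DES and not secure, used only because a Feistel network can be built around any round function, and so that the example stays short. It shows that decryption is the same network run with the subkeys reversed even though the round function itself is not invertible, and then the three failure modes the slides describe: ECB exposing repeated blocks, a CBC IV bit-flip altering the first plaintext block undetected, and CTR key/counter reuse cancelling the key stream. The key schedule, key, IV, nonce and plaintexts are all constructed for the demonstration; nothing here is the DES key schedule or F.

```python
import hashlib

# Added example, not from the slides and NOT DES: a toy 64-bit Feistel network
# whose round function is a truncated SHA-256. Constructed demo values throughout.
ROUNDS = 16

def _subkeys(key):
    # Hypothetical key schedule: one 8-byte subkey per round, derived from the key.
    return [hashlib.sha256(key + bytes([i])).digest()[:8] for i in range(ROUNDS)]

def _f(subkey, right):
    # Round function; Feistel decryption never needs to invert it.
    return hashlib.sha256(subkey + right).digest()[:4]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _feistel(block, subkeys):
    l, r = block[:4], block[4:]
    for k in subkeys:                    # L_i = R_{i-1}; R_i = L_{i-1} xor F(R_{i-1}, K_i)
        l, r = r, _xor(l, _f(k, r))
    return r + l                         # swap after the last round, as in DES

def encrypt_block(key, block):
    return _feistel(block, _subkeys(key))

def decrypt_block(key, block):
    return _feistel(block, _subkeys(key)[::-1])   # same network, subkeys SK16..SK1

def _blocks(data):
    if len(data) % 8:
        raise ValueError("whole 64-bit blocks only; padding is not shown here")
    return [data[i:i + 8] for i in range(0, len(data), 8)]

def ecb_encrypt(key, pt):                # C_i = E_K(P_i)
    return b"".join(encrypt_block(key, p) for p in _blocks(pt))

def cbc_encrypt(key, iv, pt):            # C_i = E_K(P_i xor C_{i-1}), C_{-1} = IV
    out, prev = [], iv
    for p in _blocks(pt):
        prev = encrypt_block(key, _xor(p, prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):            # P_i = D_K(C_i) xor C_{i-1}
    out, prev = [], iv
    for c in _blocks(ct):
        out.append(_xor(decrypt_block(key, c), prev))
        prev = c
    return b"".join(out)

def ctr_encrypt(key, nonce, pt):         # C_i = P_i xor E_K(nonce || i); decryption is the same call
    return b"".join(_xor(p, encrypt_block(key, nonce + i.to_bytes(4, "big")))
                    for i, p in enumerate(_blocks(pt)))

# Constructed inputs for the demonstrations below.
KEY = b"demo key"
IV = bytes(range(8))
NONCE = b"\x00\x00\x00\x01"
PT = b"ATTACKATATTACKAT"                 # two identical 64-bit plaintext blocks

def ecb_leaks_repetition():
    """ECB: identical plaintext blocks give identical ciphertext blocks."""
    c = _blocks(ecb_encrypt(KEY, PT))
    return c[0] == c[1]

def cbc_hides_repetition():
    """CBC: the same two blocks encrypt differently, and decryption still inverts."""
    ct = cbc_encrypt(KEY, IV, PT)
    c = _blocks(ct)
    return c[0] != c[1] and cbc_decrypt(KEY, IV, ct) == PT

def cbc_iv_bit_flip():
    """Flip bit 0 of the IV: bit 0 of plaintext block 1 flips, everything else decrypts cleanly."""
    ct = cbc_encrypt(KEY, IV, PT)
    tampered_iv = bytes([IV[0] ^ 0x01]) + IV[1:]
    return cbc_decrypt(KEY, tampered_iv, ct)

def ctr_nonce_reuse(pt1, pt2):
    """Same key and nonce for two messages: C1 xor C2 = P1 xor P2, the key stream cancels."""
    return _xor(ctr_encrypt(KEY, NONCE, pt1), ctr_encrypt(KEY, NONCE, pt2))
```

The CBC tamper returns a plaintext that differs from the original in exactly one bit and is otherwise intact, which is why a receiver that decrypts without checking a MAC cannot tell it happened; the CTR function returns P1 xor P2 directly, which is the entire damage of a repeated nonce under any block cipher, DES included.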