Lecture 4: Using Block Ciphers

Date post: 02-Jan-2016
Page 1: Lecture 4: Using Block Ciphers

Lecture 4: Using Block Ciphers

Outline
• encrypting large messages
• checking integrity
• securing DES

Page 2: Lecture 4: Using Block Ciphers

Electronic Code Book (ECB)
How to use a block cipher to encrypt a large message?
• break the message into blocks M1, M2, M3, M4, ...
• encrypt each block separately with the secret key: Ci = E(Mi, key)

(Diagram: M1, M2, M3, M4 each pass through E under the secret key to give C1, C2, C3, C4.)

Page 3: Lecture 4: Using Block Ciphers

Problems with ECB
• the same plaintext block always produces the same ciphertext block under a given key
– the ciphertext reveals which blocks are equal, so it can be analyzed, and blocks can be cut out, swapped or rearranged without the key

(Figure: a plaintext image beside its ECB-encrypted ciphertext.)

Page 4: Lecture 4: Using Block Ciphers

One-Time Pad
• proven (Shannon): XORing a message with a truly random key that is as long as the message and is never reused is unbreakable (the ciphertext gives away no information about the plaintext)
• one-time pad – this use of random numbers
• stream cipher – generates a pseudo-random approximation of a one-time pad from a short key and XORs it with the stream of plaintext to generate ciphertext; the pad must still never be reused

Page 5: Lecture 4: Using Block Ciphers

Fixing ECB
• consider this: generate a fresh random number ri for every block and XOR it with the block before encrypting: Ci = E(Mi ⊕ ri, key)

(Diagram: r1..r4 are XORed into M1..M4, the results pass through E, giving C1..C4.)

• transmit r1, C1, r2, C2, r3, C3, r4, C4

Problems:
• need to send twice as much data
• the (ri, Ci) pairs can still be rearranged
• if two ciphertext blocks are equal then Mi ⊕ ri = Mj ⊕ rj, so the XOR of the two plaintext blocks equals the XOR of the corresponding two random numbers, which were sent in the clear

Page 6: Lecture 4: Using Block Ciphers

Cipher Block Chaining (CBC)
• randomizes the output by XORing each plaintext block with the previous ciphertext block before encrypting: Ci = E(Mi ⊕ Ci-1, key)
• the first block is randomized using an initialization vector (IV): C0 = IV

(Diagram: IV, M1, M2, M3, M4 on top; each Mi is XORed with the previous ciphertext block and passed through E to give C1, C2, C3, C4.)

• how does CBC do decoding? decrypt each block and undo the XOR with the previous ciphertext block: Mi = D(Ci, key) ⊕ Ci-1

Page 7: Lecture 4: Using Block Ciphers

CBC Decryption & Analysis

(Diagram: IV, C1, C2, C3, C4 enter D; each output is XORed with the previous ciphertext block to give M1, M2, M3, M4.)

• What happens if Ci gets lost or garbled? How much data gets lost?
– garbled Ci: Mi is completely scrambled and Mi+1 has exactly the bits flipped that were flipped in Ci; Mi+2 onward decrypt correctly
– lost Ci: Mi is gone and Mi+1 is scrambled; decryption resynchronizes from Mi+2
• assume an attacker knows block Mi and wants to change it; what does it need to change?
– XOR the difference (Mi ⊕ Mi') into Ci-1: Mi then decrypts to Mi', at the price of scrambling Mi-1 (for M1 the IV is changed instead, with no collateral damage)
• can encryption/decryption be done in parallel?
– encryption is sequential (Ci must exist before Mi+1 can be processed); decryption can be parallel, since every Ci is available at once

Page 8: Lecture 4: Using Block Ciphers

Output Feedback (OFB) Mode
• OFB is a stream cipher
• IV-based; the IV is transmitted in the clear
• two versions
– no shifting
• pad1 = e(IV, key)
• pad2 = e(pad1, key)
• padi = e(padi-1, key)
• Ci = Mi ⊕ padi
– k-bit shifting (see pic)
• advantages
– the pad depends only on the key and the IV, so it can be pre-generated – no costly operations at run-time (good for multimedia or resource-constrained devices)
– how much info is affected if a portion of the ciphertext is garbled/lost? garbled bits flip only the same bits of plaintext; a lost or duplicated block throws the pad out of alignment, so everything after it decrypts to garbage
• problems
– if the plaintext is known, it can be altered: flipping bits of Ci flips the same bits of Mi, and nothing else is disturbed
– is random access possible? only after computing the pads up to block i (though they can be precomputed)
– can encryption/decryption be done in parallel? pad generation is inherently sequential; the XORs are parallel once the pad exists

(Figure: k-bit shifting version of OFB.)

Page 9: Lecture 4: Using Block Ciphers

Cipher Feedback (CFB) Mode
• similar to OFB, but the previous ciphertext block (which carries message data) is what gets encrypted to produce the next pad: padi = e(Ci-1, key), Ci = Mi ⊕ padi, C0 = IV
• advantages
– is random access possible? yes: decrypting Mi needs only Ci-1 and Ci
– what if part of the ciphertext is garbled/lost/duplicated? a garbled Ci flips the same bits of Mi and scrambles Mi+1; a lost or duplicated block scrambles one block, after which the stream resynchronizes by itself
• problems
– is OFB-like pad pre-generation possible? no: the pad depends on the ciphertext
– can it be altered if the plaintext is known? yes: flipping bits of Ci flips the same bits of Mi, but Mi+1 is scrambled
– can encryption/decryption be done in parallel? encryption is sequential; decryption can be parallel

Page 10: Lecture 4: Using Block Ciphers

Counter (CTR) Mode
• CTR is another stream cipher
• to create the pad, the IV is incremented and encrypted: pad1 = e(IV, key), pad2 = e(IV + 1, key), ..., Ci = Mi ⊕ padi
– is random access possible? yes: padi depends only on the key, the IV and i
– what if part of the ciphertext is garbled/lost/duplicated? garbled bits flip the same plaintext bits; a lost or duplicated block desynchronizes the counter, as in OFB, unless the receiver can tell which block is missing
– is pad pre-generation possible? yes
– can encryption/decryption be done in parallel? yes, both
– is known-plaintext alteration possible? yes, as in any stream cipher
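
Added worked example for pages 8 to 10 (example code, not from the lecture): OFB (the no-shifting version), CFB and CTR written out in Python over a stand-in block cipher. These three modes only ever run the block cipher forward, so `e` here is simply SHA-256 of key || block truncated to one block (an assumption; any keyed pseudo-random function would do, and the block cipher's decryption direction is never needed). The key, IV and message are constructed sample values. The demo functions check three of the slide questions: random access in CTR, rewriting a known plaintext block in OFB without the key, and what happens in CFB versus OFB when one ciphertext block is lost in transit.

```python
import hashlib

BLOCK = 16  # bytes per block


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def e(key, block):
    # OFB, CFB and CTR only run the block cipher forward, so a keyed one-way function
    # (assumption: SHA-256 of key || block, truncated) stands in for DES/AES; no d() is needed.
    return hashlib.sha256(key + block).digest()[:BLOCK]


def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ofb_pads(key, iv, n):
    # pad1 = e(IV), pad_i = e(pad_{i-1}): depends only on key and IV, so it can be precomputed.
    pads, prev = [], iv
    for _ in range(n):
        prev = e(key, prev)
        pads.append(prev)
    return pads


def ofb(key, iv, data):
    # Ci = Mi xor pad_i; decryption is the same operation.
    bs = blocks(data)
    return b"".join(xor(b, p) for b, p in zip(bs, ofb_pads(key, iv, len(bs))))


def ctr_pad(key, iv, i):
    # pad_i = e(IV + i): every pad is independent, which gives random access and parallelism.
    counter = (int.from_bytes(iv, "big") + i) % (1 << (8 * BLOCK))
    return e(key, counter.to_bytes(BLOCK, "big"))


def ctr(key, iv, data, start=0):
    # start = index of the first block of `data`, so any block can be processed in isolation.
    return b"".join(xor(b, ctr_pad(key, iv, start + i)) for i, b in enumerate(blocks(data)))


def cfb_encrypt(key, iv, msg):
    # pad_i = e(C_{i-1}), C0 = IV: the pad depends on ciphertext, so it cannot be pre-generated.
    out, prev = [], iv
    for m in blocks(msg):
        prev = xor(m, e(key, prev))
        out.append(prev)
    return b"".join(out)


def cfb_decrypt(key, iv, ct):
    # Mi = Ci xor e(C_{i-1}); every input is already known, so this can run in parallel.
    cs = blocks(ct)
    return b"".join(xor(c, e(key, prev)) for prev, c in zip([iv] + cs[:-1], cs))


# Constructed sample values (not from the lecture).
KEY = b"sixteen byte key"
IV = b"\x07" * BLOCK
MSG = b"BLOCK ONE.......BLOCK TWO.......BLOCK THREE.....BLOCK FOUR......"


def ctr_random_access(key=KEY, iv=IV, msg=MSG):
    # Page 10: decrypt block 3 alone; start=2 selects counter IV + 2 without touching blocks 1-2.
    ct = ctr(key, iv, msg)
    return ctr(key, iv, ct[2 * BLOCK:3 * BLOCK], start=2) == msg[2 * BLOCK:3 * BLOCK]


def ofb_known_plaintext_rewrite(key=KEY, iv=IV, msg=MSG, new_m2=b"BLOCK TWO?!....."):
    # Page 8, "if known plaintext, can be altered": C2 xor (M2 xor M2') decrypts to M2', no key needed.
    ct = bytearray(ofb(key, iv, msg))
    ct[BLOCK:2 * BLOCK] = xor(ct[BLOCK:2 * BLOCK], xor(msg[BLOCK:2 * BLOCK], new_m2))
    return blocks(ofb(key, iv, bytes(ct)))[1] == new_m2


def drop_a_block(key=KEY, iv=IV, msg=MSG):
    # Pages 8-9: C2 is lost in transit. CFB garbles one block and then resynchronizes, because
    # the pad for C4 is e(C3); OFB never recovers, because pad_i now lines up with the wrong block.
    # Returns (CFB: M1 ok, "M2" ok, M4 ok; OFB: M1 ok, M4 ok).
    cfb_ct, ofb_ct = cfb_encrypt(key, iv, msg), ofb(key, iv, msg)
    cfb_got = blocks(cfb_decrypt(key, iv, cfb_ct[:BLOCK] + cfb_ct[2 * BLOCK:]))
    ofb_got = blocks(ofb(key, iv, ofb_ct[:BLOCK] + ofb_ct[2 * BLOCK:]))
    m = blocks(msg)
    return (cfb_got[0] == m[0], cfb_got[1] == m[1], cfb_got[2] == m[3],
            ofb_got[0] == m[0], ofb_got[2] == m[3])
```

`drop_a_block()` returns `(True, False, True, True, False)`: after the lost block CFB delivers M4 correctly in the slot where M3 used to be, while OFB delivers garbage for every block after the loss. The same bit-flip trick that rewrites an OFB block works unchanged against CTR, which is why none of the stream modes can be trusted for integrity.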

Page 11: Lecture 4: Using Block Ciphers

Integrity checking
• automated integrity checking – the computer itself must be able to detect tampering; if a human presence were required to notice, any "garbage" could pass through
• message authentication code (MAC) – a cryptographic checksum generated with the help of a key
• CBC, OFB, CFB and CTR – good confidentiality, but none of them protects integrity: the bit-flipping and rearrangement attacks above go undetected

Page 12: Lecture 4: Using Block Ciphers

CBC Residue
• do CBC encryption on M using key K, throw away all but the last block
• send the message in the clear + the "residue"
• used in banking
• has the property that if you don't know the key you can't generate (or verify) the MAC, or modify the message without (probably) changing the MAC
• however, someone who has seen a message and its residue can, without the key, generate another message matching that MAC: appending the block (M1 ⊕ IV ⊕ residue) followed by M2..Mn re-enters the original chain and ends at the same residue, so the plain residue is only safe for messages of one fixed length

(Diagram: IV, M1, M2, M3, M4 are CBC-encrypted to IV, C1, C2, C3, residue; only the residue is kept.)

Page 13: Lecture 4: Using Block Ciphers

Joint Privacy and Integrity
• concurrently use two CBCs – one for privacy, the other for integrity, with different keys
• why can't one CBC pass serve for both? the residue would be the last ciphertext block, which is already transmitted; the receiver recomputes it by decrypting and re-encrypting, which reproduces whatever ciphertext it received, so any tampering with the earlier blocks still verifies
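
Added worked example covering pages 3, 7, 12 and 13 (example code, not from the lecture): ECB, CBC and the CBC residue in Python over a toy block cipher, exercising the four attacks discussed on those slides. Assumptions: the block cipher `e`/`d` is a 4-round Feistel network built from SHA-256 (a stand-in for DES that is invertible but not secure), the block size is 16 bytes, the residue is computed with a fixed all-zero IV, and the key, IV and message are constructed sample values with the first and third message blocks deliberately identical. Each demo function returns booleans so the outcome can be checked rather than eyeballed.

```python
import hashlib

BLOCK = 16  # bytes per block

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key, half, rnd):
    # Keyed round function: SHA-256 truncated to half a block (assumption: toy, not DES).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]

def e(key, block):
    # 4-round Feistel network: an invertible keyed permutation standing in for the block cipher.
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(4):
        l, r = r, xor(l, _round(key, r, rnd))
    return r + l

def d(key, block):
    # The same network with the round order reversed undoes e exactly.
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in reversed(range(4)):
        l, r = r, xor(l, _round(key, r, rnd))
    return r + l

def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, msg):
    return b"".join(e(key, m) for m in blocks(msg))

def cbc_encrypt(key, iv, msg):
    # Ci = E(Mi xor Ci-1), C0 = IV
    out, prev = [], iv
    for m in blocks(msg):
        prev = e(key, xor(m, prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    # Mi = D(Ci) xor Ci-1
    out, prev = [], iv
    for c in blocks(ct):
        out.append(xor(d(key, c), prev))
        prev = c
    return b"".join(out)

def cbc_residue(key, msg, iv=bytes(BLOCK)):
    # Page 12: CBC-encrypt and keep only the last block (here with a fixed all-zero IV).
    return cbc_encrypt(key, iv, msg)[-BLOCK:]

# Constructed sample values (not from the lecture); blocks 1 and 3 of MSG are identical.
KEY = b"sixteen byte key"
IV = b"\x01" * BLOCK
MSG = b"BLOCK ONE.......BLOCK TWO.......BLOCK ONE.......BLOCK FOUR......"

def ecb_repeats(key=KEY, msg=MSG):
    # Page 3: equal plaintext blocks give equal ciphertext blocks under ECB, not under CBC.
    ecb, cbc = blocks(ecb_encrypt(key, msg)), blocks(cbc_encrypt(key, IV, msg))
    return ecb[0] == ecb[2], cbc[0] == cbc[2]

def cbc_garble(key=KEY, msg=MSG, pos=5):
    # Page 7: corrupting one byte of C2 scrambles all of M2 and flips only that byte of M3;
    # M1 and M4 survive. Returns (M1 ok, M2 scrambled, M3 flipped as predicted, M4 ok).
    ct = bytearray(cbc_encrypt(key, IV, msg))
    ct[BLOCK + pos] ^= 0xFF
    got, want = blocks(cbc_decrypt(key, IV, bytes(ct))), blocks(msg)
    m3 = bytearray(want[2]); m3[pos] ^= 0xFF
    return got[0] == want[0], got[1] != want[1], got[2] == bytes(m3), got[3] == want[3]

def cbc_bit_flip(key=KEY, msg=MSG, new_m2=b"BLOCK TWO?!....."):
    # Page 7: knowing M2, XOR (M2 xor M2') into C1 so that M2 decrypts to M2' without the key;
    # the price is that M1 turns into garbage. Returns (M2 replaced, M1 scrambled).
    ct = bytearray(cbc_encrypt(key, IV, msg))
    ct[:BLOCK] = xor(ct[:BLOCK], xor(blocks(msg)[1], new_m2))
    got = blocks(cbc_decrypt(key, IV, bytes(ct)))
    return got[1] == new_m2, got[0] != blocks(msg)[0]

def residue_forgery(key=KEY, msg=MSG):
    # Page 12: given (M, T) with T = residue(M), the block M1 xor T fed in at chain state T
    # re-enters the original chain, so M || (M1 xor T) || M2..Mn has the same residue (IV = 0).
    t = cbc_residue(key, msg)
    m = blocks(msg)
    return cbc_residue(key, msg + xor(m[0], t) + b"".join(m[1:])) == t

def one_cbc_for_both(key=KEY, msg=MSG):
    # Page 13: with one CBC pass for privacy and integrity, the residue is the last ciphertext
    # block. The receiver decrypts, re-runs CBC to check the residue, and thereby re-derives
    # exactly the ciphertext it received, so a replaced C1 still verifies.
    # Returns (residue check passes, plaintext was nevertheless corrupted).
    ct = cbc_encrypt(key, IV, msg)
    tampered = bytes(BLOCK) + ct[BLOCK:]
    received = cbc_decrypt(key, IV, tampered)
    return cbc_encrypt(key, IV, received)[-BLOCK:] == ct[-BLOCK:], received != msg
```

Expected results: `ecb_repeats()` gives `(True, False)`, `cbc_garble()` and `one_cbc_for_both()` return all `True`, `cbc_bit_flip()` gives `(True, True)` and `residue_forgery()` is `True`. The last two are the reasons the lecture insists on a separate key for the integrity CBC and on fixing the message length (or otherwise protecting it) when the plain residue is used.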

Page 14: Lecture 4: Using Block Ciphers

Securing DES
• purpose: retain the same mechanism, expand the key size
• why not double DES?
– encrypt with K1 twice. How much more work (over DES) for good guys? Bad guys? Both do twice the work per block, but the bad guys still have only 2^56 keys to try, so nothing is gained
– encrypt with K1 then K2. What is time/memory for bad guys? Good guys? Good guys do twice the work. Bad guys do not need 2^112 trials: with one known plaintext/ciphertext pair they encrypt the plaintext under all 2^56 values of K1 into a table, then decrypt the ciphertext under each K2 and look for a match; about 2^57 cipher operations and a table of 2^56 entries (meet-in-the-middle)
• double DES is therefore subject to this subtle known-plaintext attack
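
Added worked example (example code, not from the lecture) of the meet-in-the-middle attack behind the "subtle known-plaintext attack" on double encryption, scaled down so it runs in under a second: a toy 16-bit block cipher with a 16-bit key (an assumption standing in for DES; it is a keyed permutation and nothing more). Brute force on both keys would cost about 2^32 trials; the attack builds a table of 2^16 forward encryptions of one known plaintext, then tries 2^16 backward decryptions of its ciphertext, and confirms each meeting point on the remaining known pairs. The secret keys and the known plaintexts are constructed values.

```python
MASK = 0xFFFF
MUL = 0x9E37   # odd, so multiplication mod 2^16 is invertible
INV = next(i for i in range(1, 1 << 16, 2) if (MUL * i) & MASK == 1)  # modular inverse of MUL
CALLS = [0]    # counts single-cipher invocations, i.e. the attacker's work


def e(k, x):
    # Toy 16-bit block cipher with a 16-bit key (assumption: stands in for DES; not secure).
    CALLS[0] += 1
    return (((x ^ k) * MUL) & MASK) ^ k


def d(k, y):
    # Exact inverse of e: undo the outer XOR, multiply by the inverse, undo the inner XOR.
    CALLS[0] += 1
    return (((y ^ k) * INV) & MASK) ^ k


def double_encrypt(k1, k2, x):
    return e(k2, e(k1, x))


def meet_in_the_middle(pairs):
    """pairs: known (plaintext, ciphertext) pairs under double encryption with unknown K1, K2.
    Returns the surviving (k1, k2) candidates and the number of cipher calls spent."""
    CALLS[0] = 0
    p0, c0 = pairs[0]
    table = {}
    for k1 in range(1 << 16):                # forward half: p0 under every possible K1
        table.setdefault(e(k1, p0), []).append(k1)
    found = set()
    for k2 in range(1 << 16):                # backward half: peel every possible K2 off c0
        for k1 in table.get(d(k2, c0), ()):  # a meeting point is a candidate key pair ...
            if all(double_encrypt(k1, k2, p) == c for p, c in pairs[1:]):  # ... confirmed on the rest
                found.add((k1, k2))
    return found, CALLS[0]


K1, K2 = 0x3C6E, 0xB17A                      # constructed secret keys the attacker must recover
PLAINTEXTS = [0x0000, 0x1234, 0xBEEF]        # constructed known plaintexts
PAIRS = [(p, double_encrypt(K1, K2, p)) for p in PLAINTEXTS]


def demo():
    """Runs the attack against PAIRS; returns (candidate key pairs, cipher calls used)."""
    return meet_in_the_middle(PAIRS)


if __name__ == "__main__":
    found, work = demo()
    print(f"recovered {found} with {work} cipher calls; brute force would need about 2^33")
```

With 16-bit keys the attack spends a few hundred thousand cipher calls where brute force would spend about 2^33, and the ratio scales the same way for DES: 2^57 work plus a 2^56-entry table instead of 2^112. The table is the real cost in practice, which is why the attack is described as a time/memory trade-off.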

Page 15: Lecture 4: Using Block Ciphers

3DES
• defined as doing EDE (encrypt with K1, decrypt with K2, encrypt with K3), but standardly K1 is set equal to K3
– reason: because of the known-plaintext (meet-in-the-middle) attack, 3DES is considered to have time-strength equal only to a 112-bit key, not 168
– also, 112 bits considered enough (for now)
• why EDE instead of EEE?
– initial and final permutations would cancel each other out with EEE (minor advantage to EDE)
– EDE is compatible with single DES if K1 = K2 = K3

Page 16: Lecture 4: Using Block Ciphers

3DES and CBC
• CBC is defined to be done on the outside of 3DES (3DES is used as the block cipher, and each block is chained once)
– same integrity problems as with regular CBC
• CBC can potentially be done on the inside of 3DES (chaining applied at each of the three stages)
– more secure against tampering, but
– more work
– garbling/losing/duplicating one block garbles the rest of the message