applied cryptography spring 2015 chaining modes. what happens when the clear text is longer than the...
TRANSCRIPT
What happens when the clear text is longer than the block length k?
Most simple solution — encrypt each block separately.
This mode is called ECB, Electronic Code Book
Clear text
Cipher text
Enc Enc Enc EncKey
Chaining ciphers - ECB
[From Mårten Trolin]
Problems with ECB:
two transmissions of the same plaintext will be identical (i.e. if, you know, that there were 2 identical transmissions, you can guess the ciphertext of these). This could be dealt with timestamps.
block replay. A poptential cure is the use of MAC, however this still remains an unpleasant feature.
ECB still can be used in some cases for transmission of short messages e.g. cipher keys
Chaining ciphers - ECB
Padding
k - block length, n - message length
if n is a multiple of k, there are no problems
what to do with the last block, if n is not a multiple of k?
extra bytes can be added at the end of the last block, however, it ould be useful to know, where the actual message ends...
Chaining ciphers - ECB
Some padding schemes
add padding in all cases (i.e., also when n is a multiple of k)
if m bytes are added, fill each of them with value m (used in e.g. RC5-CBC-PAD)
if m bytes are added, fill each of them with values 1,2,..., m (used in e.g. ESP and IPSec)
Chaining ciphers - ECB
A feedback is introduced to link the blocks togetherClear text
Cipher text
Enc Enc Enc EncKey
IV
Cipher Block Chaining
[From Mårten Trolin]
Errors
error in plaintext
bit error in ciphertext
syncronisation error in ciphertext?
What should be done with IV?
no need to be secret
should be transmitted
can IV be reused?
CBC - issues
Can be done similarly as in ECB
add padding in all cases (i.e., also when n is a multiple of k)
if m bytes are added, fill each of them with value m (used in e.g. RC5-CBC-PAD)
if m bytes are added, fill each of them with values 1,2,..., m (used in e.g. ESP and IPSec)
CBC - padding
Some problems with padding ....
assume that the same IV is used for all transmissions, as well as one of the 2 padding schemes described above. Also, assume that there is an oracle, that gives an answer, whether a given message ends with a correct padding (available e.g. in e-mail server using SSL/TLS). Is this secure?
try to send to oracle blocks r,Ci ...
CBC - padding
Key generators - A5/1
A5/1 - used in GSM"less than one minute of computations, and a few seconds of known conversation".
A register is clocked if its clocking bit (orange) agrees with the majority of the clocking bits of all three registers.
Key generators - RC4
Ron Rivest (RSA Security) 1987Widely used in SSL, WEP etc104-bit RC4 used in WEP can be cracked in less than a minute
for i=0,…,N-1 S[i]=ij=0for i=0…N-1
j=j+S[i]+Key[i mod l]Swap[S[i], S[j]]
• i=i+1
• j=j+S[i]
• Swap(S[i],S[j])
• Output z =S[S[i]+S[j]]
Key generators - RC4 Easy computation
– Fast
– Can use large bit blocks and keys Stream based encryption Key can be made to change at regular intervals using fancy
programming Implementation in Popular languages (C, perl) well documented.
Vulnerable to brute force attacks Require a large data structure Proven Breakable by researchers at ATT and Rice Univ. (August, 2001)
– “One hour of brute force computation to break standard WEP” Once Key is broken all messages are easily readable.
Quadratic residues and Blum Integers
If p and q are two primes, and both are congruent to 3 modulo 4, then n = p*q is sometimes called a Blum integer.
If n is a Blum integer, each quadratic residue has exactly four square roots.
One of them is also a square - the principal square root.
The function f: Zn* → Zn* defined by f(x) = x2 mod n is a permutation.
The inverse function of f is: f -1(x) = x((p-1)(q-1)+4)/8 mod n.
Quadratic residues and Blum Integers
The function f: Zn* → Zn* defined by f(x) = x2 mod n is a permutation.
The inverse function of f is: f -1(x) = x((p-1)(q-1)+4)/8 mod n.
p,q - primes, n = pq
Guessing the last significant bit of square root of x mod nwith any non-negligible advantage is as hard as factoring n.
Blum, Blum and Shub (BBS) key generator
Let n be a Blum integer. Choose a random quadratic residue x0 (modulo n).
For i 0 let
xi+1 = xi2 mod n, bi = the least significant bit of xi
For each integer i, let BBS n, i (x0) = b0…b i-1
be the first i bits of the pseudo-random sequence generated from the seed x0 by the BBS pseudo-random generator.
Note that bi is the least significant bit of xi =x0(2i )mod(p-1)(q-1)
BBS pseudo-random generator - analysis
Assume that the BBS pseudo-randomize generator with a Blum integer is not unpredictable to the left.
Let y be a quadratic residue from Zn*.
Compute BBS n, i -1 (y) for some i > 1.
Note that the last (i -1) of BBS n, i (x) are also the first (i -1) bits of BBS n, i -1 (y), where x is the principal square root of y.
Hence, if the BBS pseudo-random generator is not unpredictable to the left, then there exists a better method than coin-tossing to determine the least significant bit of x, what is, as mentioned above, impossible.
Choose random x, relatively prime to n, compute
x0 = x 2 mod n
x i+1 = x i2 mod n, b i = the least significant bit of x i
BBS n, i (x0) = b0…b i-1
Errors
error in plaintext
bit error in ciphertext
syncronisation error in ciphertext?
What should be done with IV?
no need to be secret
should be transmitted
should be unique!
CFB - issues
Chaining in OFB mode
Just as with other stream ciphers, flipping a bit in the ciphertextproduces a flipped bit in the plaintext at the same location. This property allows many error correcting codes to function normally even when applied before encryption.
CBC-MAC
Issues:
- not secure for variable length messages (we can inludemessage length in computation, still it doesn’t help too much...)
- different keys should be used for chaining and MAC (ok, this should always be the case !)
Length of MAC?
Birthday paradox:
What should be the size k of a group of people, such thatwith probablity 1/2 at least two persons from the group willhave birthday on the same day?
Combining chaining and data integrity
CCM Counter with CBC-MAC EAX Authenticated Encryption with Associated Data GCM Galois/Counter ModeOCB Offset Codebook Mode
OCB mode
GCM mode (Galois/Counter Mode)
Combines privacyand data integrityprotection
Defined for 128 bitblocks
multH -multiplication in GF(27)
Disk encryption
Some additional constraints:
• limited length chaining (e.g. at sector level, around 512 bytes)• implementation shall efficiently encrypt and decrypt data in any sector• implementation shall use only constant amount of additional storage for a device of arbitrary size• integrity problem is important
CBC :IV for each sector derived from the sector number etc
LRW (Tweakable Narrow-Block Encryption):
K - key, F - additional key, I - block index (tweak)
Some other chaining modes
Counter Mode. Characteristics similar to OFB. Useful, when an instant access to a random part of message is desirable.
Block Chaining Mode (BC). Similar to CBC, but XOR all previous ciphertext block to the next one. No error tolerance.
Propagating Cipher Block Chaining Mode (PCBC). Similar to CBC, but both, previous ciphetext and plaintext blocks are XORed to the next one. Used in Kerberos (before version 5). Swapping of two ciphertext blocks does not affect integrity check!
Output feedback with a non-linear function (OFBNLF). Variant of OFB/ECB with Ki=EK(Ki–1)