block ciphers modes of operation
TRANSCRIPT
Properties of new NIST block cipher modes of
operation
Roman Oliynykov
Professor atInformation Technologies Security Department
Kharkov National University of Radioelectronics
Head of Scientific Research Department JSC “Institute of Information Technologies”
Ukraine
Visiting professor at Samsung Advanced Technology Training Institute
December 2014
Outline
A few words about myself Need of block cipher modes of operation and well-
known standard modes Newly developed and NIST adopted modes and
their properties Conclusions
About myself (I)
I’m from Ukraine (Eastern part of Europe), host country of Euro2012 football championship
I live in Kharkov (the second biggest city in the country, population is 1.5 million people), Eastern Ukraine (near Russia),former capital of the Soviet Ukraine (1918-1934)three Nobel prize winners worked at Kharkov University
About myself (II)
Professor at Information Technologies Security Department at Kharkov National University of Radioelectronics courses on computer networks and operation
system security, special mathematics for cryptographic applications
Head of Scientific Research Department at JSC “Institute of Information Technologies” Scientific interests: symmetric cryptographic
primitives synthesis and cryptanalysis
Visiting professor at Samsung Advanced Technology Training Institute courses on computer networks and operation
system security, software security, effective application and implementation of symmetric cryptography
Need for modes of operation
stream cipher: encryption of arbitrary length message no error propagation during decryption (adversary can
selectively change plaintext bits by ciphertext modification) no integrity check same procedure for encryption and decryption
block cipher (ECB mode): encryption of fixed block error propagation during decryption (avalanche effect) no integrity check the same plaintext blocks have the same ciphertext (until
key is changed) different procedures for encryption and decryption
Main block cipher modes of operation: confidentiality only
Electronic Codebook Mode (ECB) Cipher Block Chaining (CBC) Cipher Feedback (CFB) Output Feedback (OFB) Counter (CTR)
US National Institute of Standard Special Publications (NIST SP) 800-38ISO/IEC 10116:2006ANSI X9.52
ECB advantages
any part of encrypted message could be easily decrypted (or re-encrypted after modification)
error multiplication properties: if ciphertext is modified by attacker, modifications
in plaintext would be random, unpredictable and inside one block only
errors in plaintext cannot be controlled by the attacker (without knowledge of the secret key)
NB: error multiplication may seem as disadvantage on noisy physical channels with error correction codes before encryption
NB: error correction codes should be applied after encryption – there should be no such huge redundancy of plaintext
ECB disadvantages: equal plaintext blocks lead to equal ciphertext blocks: ECB IS NOT RECOMMEDED TO SEPARATE USE
NB: message length must be aligned to the cipher block size
NB: encryption and decryption function must be implemented
CBC advantages and disadvantages advantages
equal messages using the same keys will be encrypted to different cryptograms (ciphertexts)
message can be decrypted from any part (but decrypted only) error multiplication properties (single bit + the next block)
disadvantages message length must be aligned to the cipher block size message blocks cannot be re-encrypted after modification (the
rest of message must be re-encrypted) decryption implementation is needed if attacker can insert some parts into message and get ciphertext,
part of user message can be compromised (cookie stealing attack over SSL connection when hacker can sniff traffic and install malicious plug-in to Firefox was demonstrated)
not recommended for the future (CTR is better variant)
CFB advantages and disadvantages advantages
equal messages using the same keys will be encrypted to different cryptograms (ciphertexts)
message length can be arbitrary randomness of IV is not needed error multiplication properties (single bit + several blocks) decryption implementation (ECB) is not needed
disadvantages message blocks cannot be decrypted from any part or re-
encrypted after modification encryption speed is significantly slower
not recommended for the future (CTR is better variant)
OFB advantages and disadvantages advantages
equal messages using the same keys will be encrypted to different cryptograms (ciphertexts)
message length can be arbitrary randomness of IV is not needed decryption implementation (ECB) is not needed
disadvantages no error multiplication properties message blocks cannot be decrypted from any part or re-
encrypted after modification key sequence period is expected to 2n/2, where n – block size in
bits (but with some probability could be much shorter, so there is security threat)
not recommended for the future (CTR is better variant)
CTR advantages and disadvantages advantages
equal messages using the same keys will be encrypted to different cryptograms (ciphertexts)
message length can be arbitrary randomness of IV is not needed (IV is encrypted and used as
start counter value), simple counter can be used (e.g., arithmetic addition)
message blocks can be decrypted from any part or re-encrypted after modification
decryption implementation (ECB) is not needed
disadvantages no error multiplication properties
main recommended mode of operation for confidentiality
Additional block cipher modes of operation (NIST SP 800-38)
CMAC (Cipher-based Message Authentication Code)
Galois/Counter Mode (GCM) and GMAC (Galois MAC)
CCM (Counter (CTR) mode and the Cipher Block Chaining-Message Authentication Code (CBC-MAC))
XTS (Xor еncrypt xor Tweakable block Cipher) Key Wrapping FF (Format-Preserving Encryption)
CMAC (Cipher-based Message Authentication Code)
integrity check (not encryption mode) length extensions attack protected no attack published (September 2013)
effective more than to 2Tlen/2 encryptions, where Tlen – integrity check value (ICV) size in bits
Galois/Counter Mode (GCM) and GMAC (Galois MAC):encryption with GCTR
NB: equal to CTR mode with specific given incremental function
Galois/Counter Mode (GCM) and GMAC (Galois MAC)
used for confidentiality and integrity there may be present optional not encrypted part
of message (A): e.g., network packet headers computation of integrity check value (ICV) is made
over the ciphertext (not plaintext): effective for network traffic protection with denial-of-service (DoS) attack countermeasures
the fastest mode for confidentiality and integrity special Intel and AMD processor assembler
instruction (PCLMULQDQ) for this mode supports length extensions attack protected small amount of weak keys may exist for integrity
check
CCM (Counter (CTR) mode and the Cipher Block Chaining-Message Authentication Code (CBC-MAC)) advanced mode of combining CMAC and CTR (with
improvement) there may be present optional not encrypted part of
message (A): e.g., network packet headers developed and well suitable for hardware
implementation implemented in IEEE 802.11 (WiFi) networks in
hardware (communication chips)
XTS (Xor еncrypt xor Tweakable block Cipher)
mode intended to on-the-fly encryption of storage with block access (hard drives, etc.) blocks have equal size no room to save integrity check value
advantages (over ECB and CTR): the same data in the different blocks will give different
ciphertext ciphertext modification will give random plaintext
modification (no predictable data changing for attacker) highly effective (almost like CTR, but gives additional basic
and simple integrity service) may be used with padding if data block length is not aligned
to the cipher block size (but less effective here) disadvantage:
decryption implementation is needed
Key Wrapping mode
intended to protect key data confidentiality advantages
may be used with padding if data block length is not aligned to the cipher block size (but less effective here)
ciphertext modification will give random plaintext modification (no predictable data changing for attacker)
no IV required
disadvantages much slower comparing to other modes equal messages will have equal cryptograms (no IV in this
mode)
FF (Format-Preserving Encryption) mode
intended to protect specific data (like credit card numbers) in existing IT systems with strong limitation to ciphertext length and presentation
advantage preserves original message alphabet (any, may
be decimal or else, not only binary, hexadecimal, etc.) and length of the message
disadvantage much slower comparing to other modes
Conclusions Block ciphers may provide excellent
cryptographic properties, but for practical application they need modes of operation
Such modes of operation may be used both for confidentiality and integrity
There are many different modes of operation for specific purposes, including network traffic protection, hard drive encryption, etc.
Careful selection of mode is needed, otherwise even a strong block cipher (e.g., AES-256) protection might be broken in some circumstances
Security is a process, not a state