[slides] Block Cipher Modes of Operation and CMAC for Authentication

November 28, 2016 | Author: Project Symphony Collection | Category: N/A


Short Description

These are the slides used for presenting the Block Cipher Modes of Operation and CMAC for Authentication document by Alb...

Description

Block Cipher Modes of Operation Alberto Grand

Politecnico di Torino Computer Systems Security – prof. Antonio Lioy

What are modes of operation?

Block ciphers only allow encrypting entire blocks. What if our message is longer/shorter than the block size? We use modes of operation!

- Algorithms that exploit a block cipher to provide a service (e.g. confidentiality, authentication)
- 5 NIST-recommended modes providing confidentiality: ECB, CBC, CFB, OFB, CTR
- CMAC may be considered a block cipher mode of operation providing authentication.

Electronic Codebook (ECB)

Associates each possible plaintext block with a ciphertext block, like a codebook.

[diagram: the plaintext block "Hello world!" is enciphered to the ciphertext block "aY1\:?§h24(r"]

- Requires padding
- Encryption/decryption of multiple blocks in parallel
- A 1-bit error in a ciphertext block garbles the corresponding decrypted block.

Deficiencies of ECB

- Problems when the original message contains regular data patterns, because equal plaintext blocks are always encrypted in the same way.
- Only suitable for 1-block-sized data (e.g. a key)
- “The securest thing you can do with ECB is not use it!”

Cipher Block Chaining (CBC)

- Allows the same plaintext blocks to be encrypted to different ciphertext blocks.
- Encrypted blocks are “chained” through XORing.
- Requires an initialisation vector (IV)

[diagram: the IV is XORed into the first plaintext block "Hello" before CIPHER, giving "q%1aX"; that ciphertext block is XORed into "world" before CIPHER, giving "l’3z1$"; decryption applies CIPHER-1 to each ciphertext block and XORs the previous ciphertext block (or the IV) back in]

Features of CBC

- No parallel encrypting, while parallel decrypting is possible.
- A 1-bit error affects two blocks:
  - the corresponding block is garbled
  - the corresponding bit is flipped in the next block
- Problem with the IV: a 1-bit error only flips 1 bit in the 1st block, no garbled block. Hard to detect! Solutions:
  - encipher the IV
  - don’t transmit the IV, but compute it from a known value
  - use authentication!

Propagating CBC (PCBC)

- It’s a variation of CBC designed to propagate errors. It also involves the previous plaintext block in the XOR operation.
- Is error propagation desirable? It depends!
  - NO if transmission errors
  - YES if intentional, malicious changes
- Used in Kerberos v.4, but abandoned starting from v.5 because inverting the order of two adjacent blocks does not affect subsequent blocks.

Cipher Feedback (CFB)

- Turns a block cipher into a stream cipher: the message size need not be a multiple of the block size.
- Very similar to CBC (ciphering and XORing are swapped).

[diagram: the IV is passed through CIPHER and the output XORed with "Hello", giving "q%1aX"; that ciphertext block is passed through CIPHER and the output XORed with "world", giving "l’3z1$"; decryption uses CIPHER (the forward function) on the IV and on each ciphertext block in the same way]

Features of CFB

- No parallel encrypting of multiple blocks, although some form of pipelining is possible. Parallel decryption is possible.
- Only the forward function is used.
- A 1-bit error:
  - flips the corresponding bit in the current segment
  - may garble the next ⌈b/s⌉ segments
- This is highly noticeable, so CFB is less exposed to the risk of deliberate bit changes.

OpenPGP with CFB

- Widespread standard for exchanging encrypted email messages.
- A variant of CFB is used for symmetric cryptography:
  - a random block R is enciphered and used as an IV
  - the first 2 bytes of R are replicated in the 2nd block for integrity checks
- Leak of information! About 2^15 set-up attempts + about 2^15 attempts per block enable an attacker to discover the first 2 bytes of any block.
- PGP stands for “Pretty Good Privacy”!

Output Feedback (OFB)

- Turns a block cipher into a stream cipher.
- It features the iteration of the forward cipher on an IV.

[diagram: the IV is passed through CIPHER; the output is XORed with "Hello", giving "q%1aX", and is also fed back into CIPHER; the next output is XORed with "world", giving "l’3z1$"; decryption regenerates the same keystream with CIPHER and XORs it with the ciphertext blocks]

Features of OFB (i)

- Neither encryption nor decryption can be performed in parallel due to block chaining.
- If the IV is available prior to the ciphertext, keystream blocks can be pre-computed.
- The IV needs to be a nonce, otherwise a known-plaintext attack is possible (under the same key):
  - an attacker who knows the i-th plaintext block can easily reconstruct the i-th keystream block
  - he can then understand the i-th block of every message

Features of OFB (ii)

- A 1-bit error in a ciphertext block only produces a bit-specific error in the corresponding block:
  - good for error correcting codes, which work even when applied before encryption
  - bad because it’s hardly noticeable!
- A 1-bit error in the IV causes all blocks to be garbled.

Counter (CTR)

- Turns a block cipher into a stream cipher.
- Keystream blocks are generated by encrypting a set of counter blocks.

[diagram: CTR block #1 and CTR block #2 are each passed through CIPHER; the outputs are XORed with "Hello" and "world", giving "q%1aX" and "l’3z1$"; decryption encrypts the same counter blocks and XORs the keystream with the ciphertext blocks]

Features of CTR (i)

- Both encryption and decryption can be performed fully in parallel on multiple blocks.
- Provides true random access to ciphertext blocks.
- If the initial counter block is available, keystream blocks may be computed prior to receiving the ciphertext.
- It’s simple!
  - No inverse cipher function is required for decryption.
- It is becoming increasingly used.

Features of CTR (ii)

- Assurance is required that:
  - counters do not repeat within a single message
  - counters do not repeat across all messages under a given key
- Done through an incrementing function. Usually, the first b-m bits are a message nonce and the following m bits are incremented (message length < 2^m blocks). Alternatively, counters are concatenated (total length of all messages < 2^m blocks).
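An added example, not part of the slides, that makes the error-propagation claims of the CBC, CFB, OFB and CTR feature slides measurable: each mode is implemented over a constructed toy Feistel permutation that stands in for the block cipher (an assumption: it is not AES and not secure), with full-block feedback (s = b for CFB), a counter block that is simply the IV incremented, and whole-block messages so no padding is involved. damaged_bits_per_block flips one ciphertext bit, decrypts, and reports how many plaintext bits change in each block.

```python
import hashlib

BLOCK = 16   # 128-bit blocks, as in the slides' examples
def toy_block_cipher(key: bytes, block: bytes, inverse: bool = False) -> bytes:
    # Constructed 4-round Feistel permutation standing in for a real cipher such as
    # AES: NOT secure, it only needs to be an invertible keyed bijection on 16 bytes.
    l, r = block[:8], block[8:]
    for rnd in (reversed(range(4)) if inverse else range(4)):
        f = hashlib.sha256(key + bytes([rnd]) + r).digest()[:8]
        l, r = r, bytes(a ^ b for a, b in zip(l, f))
    return r + l

def xor(a: bytes, b: bytes) -> bytes: return bytes(x ^ y for x, y in zip(a, b))
def split_blocks(data: bytes) -> list: return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
def counter_block(iv: bytes, i: int) -> bytes:   # CTR: the IV is treated as the initial counter
    return ((int.from_bytes(iv, "big") + i) % (1 << (8 * BLOCK))).to_bytes(BLOCK, "big")

def encrypt(mode: str, key: bytes, iv: bytes, pt: bytes) -> bytes:
    out, fb = [], iv                        # fb = value fed into the next step
    for i, p in enumerate(split_blocks(pt)):
        if mode == "CBC":                   # C_i = E(P_i xor C_{i-1})
            fb = toy_block_cipher(key, xor(p, fb)); out.append(fb)
        elif mode == "CFB":                 # C_i = E(C_{i-1}) xor P_i
            fb = xor(toy_block_cipher(key, fb), p); out.append(fb)
        elif mode == "OFB":                 # O_i = E(O_{i-1}); C_i = O_i xor P_i
            fb = toy_block_cipher(key, fb); out.append(xor(fb, p))
        elif mode == "CTR":                 # C_i = E(IV + i) xor P_i
            out.append(xor(toy_block_cipher(key, counter_block(iv, i)), p))
    return b"".join(out)

def decrypt(mode: str, key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, fb = [], iv
    for i, c in enumerate(split_blocks(ct)):
        if mode == "CBC":                   # P_i = D(C_i) xor C_{i-1}: needs the inverse cipher
            out.append(xor(toy_block_cipher(key, c, inverse=True), fb)); fb = c
        elif mode == "CFB":                 # P_i = E(C_{i-1}) xor C_i: forward function only
            out.append(xor(toy_block_cipher(key, fb), c)); fb = c
        elif mode == "OFB":                 # same keystream as during encryption
            fb = toy_block_cipher(key, fb); out.append(xor(fb, c))
        elif mode == "CTR":
            out.append(xor(toy_block_cipher(key, counter_block(iv, i)), c))
    return b"".join(out)

def damaged_bits_per_block(mode, key, iv, pt, byte_index, bit) -> list:
    # Flip one ciphertext bit, decrypt, and count the differing plaintext bits in each block.
    ct = bytearray(encrypt(mode, key, iv, pt))
    ct[byte_index] ^= 1 << bit
    got = decrypt(mode, key, iv, bytes(ct))
    return [sum(bin(x ^ y).count("1") for x, y in zip(a, b)) for a, b in zip(split_blocks(pt), split_blocks(got))]
```

With the flipped bit in block 1, CBC garbles block 1 and flips one bit of block 2, CFB flips one bit of block 1 and garbles block 2, while OFB and CTR flip exactly one bit and nothing else, which is why those errors are hard to notice without a MAC.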

Padding: pros and cons

- Increases the amount of data to be sent with no increase of transmitted information.
- With regular data patterns, padding with random values makes cryptanalysis more difficult.
- When the padding scheme is known, it may expose an exchange of messages to timing attacks.
  - OpenSSL prior to v.0.9.6c with CBC-MAC
  - MAC is located at the end, padding is needed
  - Message only evaluated if padding is correct
  - Attacker may systematically find out bits starting from the second-to-last block.

Ciphertext Stealing (CTS)

- Sometimes padding is unacceptable:
  - limited bandwidth
  - exchange of many messages that would require padding
- We want to avoid extra data, but block ciphers need entire blocks! Solution: use CTS!
  - by performing some extra operations, it produces as much output data as given in input
  - we pay in terms of complexity and execution time
  - we still cannot encrypt very short messages (< 1 block).
- Usually not worth it!

Related-mode attacks (i)

- Attacks against a given block cipher mode of operation:
  - we must know which mode is being used
  - we need an oracle of another mode, but with the same underlying cipher

Related-mode attacks (ii)

- Using ECB against CTR:
  - MU intercepted C_i and C_0
  - He chooses P'_i = C_0 + i
  - C'_i = CIPH_k(P'_i)
  - Since C_i = CIPH_k(C_0 + i) ⊕ P_i, he can compute P_i = C_i ⊕ C'_i.
- Only one chosen plaintext query is required.

The CMAC Mode for Authentication

What is CMAC?

- The 5 modes of operation provide confidentiality, but we need authentication and integrity. We must use a mode for authentication!
  - authentication implies integrity
- A MAC algorithm provides stronger assurance of data integrity than a checksum.
- CMAC exploits the CBC mode of operation to chain cipher blocks and obtain a value which depends on all previous blocks.

Once upon a time…

…there was an insecure mode for authentication named CBC-MAC:
- it only provided security for messages whose length was a multiple of the block size
- an attacker could change the whole message (except the last block) without notice when CBC was used for encryption with the same key.

Black & Rogaway made it secure for arbitrary-length messages using 2 extra keys (XCBC). Iwata & Kurosawa derived the extra keys from the shared secret (OMAC, OMAC1 = CMAC).

Subkey generation

- 2 subkeys K1, K2 are generated from the key
- Can be computed once and stored (must be secret!)
- R_b is a value related to the block size:
  - R_b = 0^120 10000111 when b = 128
  - R_b = 0^59 11011 when b = 64
- L ← CIPH_k(0^b)
- if MSB_1(L) = 0 then K1 ← L
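The complete subkey derivation and tag computation of CMAC as specified in NIST SP 800-38B, added here as an example that is not part of the slides: the rule that is cut off on this page continues with a one-bit left shift of L and, when MSB_1(L) = 1, an XOR with R_b (the same step then derives K2 from K1). The block cipher is passed in as a callable on a single block; the optional AES-128 check at the bottom assumes the third-party 'cryptography' package and uses the RFC 4493 key, with ECB serving only as the raw one-block primitive.

```python
RB = {16: 0x87, 8: 0x1B}   # R_b from the slide: 0^120 10000111 (b = 128), 0^59 11011 (b = 64)

def xor(a: bytes, b: bytes) -> bytes: return bytes(x ^ y for x, y in zip(a, b))

def double(block: bytes) -> bytes:
    # Multiply by x in GF(2^b): shift left by one bit; if the bit shifted out (MSB_1) was 1,
    # XOR the constant R_b into the result. This is the step the slide's pseudocode begins.
    n = len(block)
    shifted = ((int.from_bytes(block, "big") << 1) & ((1 << (8 * n)) - 1)).to_bytes(n, "big")
    return shifted if block[0] & 0x80 == 0 else shifted[:-1] + bytes([shifted[-1] ^ RB[n]])

def derive_subkeys(cipher, block_size: int):
    L = cipher(bytes(block_size))      # L = CIPH_K(0^b)
    K1 = double(L)                     # K1 = L<<1, XOR R_b if MSB_1(L) = 1
    K2 = double(K1)                    # K2 = K1<<1, XOR R_b if MSB_1(K1) = 1
    return K1, K2

def cmac(cipher, block_size: int, msg: bytes) -> bytes:
    K1, K2 = derive_subkeys(cipher, block_size)
    n = max(1, -(-len(msg) // block_size))          # number of blocks, at least one
    head, tail = msg[:(n - 1) * block_size], msg[(n - 1) * block_size:]
    if len(tail) == block_size:                     # complete last block: mask with K1
        last = xor(tail, K1)
    else:                                           # pad 10...0 and mask with K2 instead
        last = xor(tail + b"\x80" + bytes(block_size - len(tail) - 1), K2)
    x = bytes(block_size)                           # CBC chaining from the zero block
    for i in range(0, len(head), block_size):
        x = cipher(xor(x, head[i:i + block_size]))
    return cipher(xor(x, last))                     # the tag depends on every block

if __name__ == "__main__":
    try:  # Assumption: the optional 'cryptography' package is installed to supply real AES
        from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
        key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")          # RFC 4493 key
        aes = lambda b: Cipher(algorithms.AES(key), modes.ECB()).encryptor().update(b)
        print(cmac(aes, 16, b"").hex())   # RFC 4493 example 1 tag: bb1d6929e95937287fa37d129b756746
    except ImportError:
        print("install 'cryptography' to run the AES-128 check")
```

Because K1 and K2 are derived from CIPH_K(0^b), anyone holding the block cipher key can recompute them, which is why the slide insists they be stored as secrets when cached.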