Block Cipher Modes 6.2 Flashcards
Block Cipher Mode of Operation
Encrypts one fixed-length group of bits at a time, otherwise known as a block. Can provide a method of authentication. The block size is fixed, and not all data will fit perfectly into it. Thus, some modes will require padding before encryption.
What is padding?
Block cipher algorithms like AES and Triple DES in Electronic Code Book (ECB) and Cipher Block Chaining (CBC) mode require their input to be an exact multiple of the block size. If the plaintext to be encrypted is not an exact multiple, you need to pad before encrypting by adding a padding string. When decrypting, the receiving party needs to know how to remove the padding.
Padding Methods
We need to pad the block with padding bytes to make it up to the required length. There are at least five common conventions:
Pad with bytes all of the same value as the number of padding bytes
Pad with 0x80 followed by zero bytes
Pad with zeroes except make the last byte equal to the number of padding bytes
Pad with zero (null) characters
Pad with space characters
Electronic Codebook (ECB)
The simplest encryption mode. Too simple for most use cases.
Plaintext > Encryption > Ciphertext. Rinse, repeat.
It’s very easy to see what was being encrypted: identical plaintext blocks produce identical ciphertext blocks.
Cipher Block Chaining (CBC)
Each plaintext block is XORed with the previous ciphertext block before it is encrypted. An Initialization Vector (IV) adds additional randomization and is used only for the first block, which has no previous ciphertext block.
Counter (CTR)
A block cipher mode that acts like a stream cipher. Encrypts successive values of a “counter”. Plaintext can be any size, since it’s part of the XOR.
Counter1 > Encryption > Plaintext > Ciphertext
Counter2 > Encryption > Plaintext > Ciphertext
Counter3 > Encryption > Plaintext > Ciphertext
Galois/Counter Mode (GCM)
Encryption with authentication. Authentication is part of the block mode, which combines Counter Mode with Galois authentication. It has minimum latency and minimum overhead, and provides very efficient encryption and authentication. Commonly used for packetized data such as network traffic security (wireless, IPsec, SSH, TLS).