Lecture 8: Block Cipher Modes of Operation (features, standards, confidentiality modes, ECB, CBC, CTR, CMAC, HMAC) Flashcards
What type of blocks of data do block ciphers encrypt?
A single fixed-length block at a time
Is breaking plaintext into blocks and encrypting each separately secure or insecure?
Insecure: identical plaintext blocks produce identical ciphertext blocks (this is exactly what ECB does)
Why do block ciphers have different modes of operation?
Different modes have different efficiency and communication properties → trade-off between security and efficiency
What is the general reason that different modes were designed?
Designed to provide confidentiality and/or authentication (and integrity)
What do modes designed to provide confidentiality include?
Randomisation, so that the same plaintext does not encrypt to the same ciphertext every time (ECB lacks this and is the cautionary exception)
What is the problem if the same plaintext is encrypted to the same ciphertext every time?
It allows patterns to be found in long ciphertexts: repeated plaintext blocks show up as repeated ciphertext blocks
How can we prevent the following problem?
same plaintext is encrypted to same ciphertext every time
use a randomised encryption scheme
OR
vary the encryption by including a variable state that is updated with each block (e.g. a counter)
What is used in randomised encryption schemes?
- An initialisation vector V (IV) whose influence propagates through the entire ciphertext
- The IV may need to be random, or merely unique (a nonce), depending on the mode
What impacts efficiency for practical usage?
Parallel processing and error propagation
Explain parallel processing
multiple plaintext blocks encrypted in parallel, multiple ciphertext blocks are decrypted in parallel
Explain error propagation
a bit error in the ciphertext results in multiple bit errors in the plaintext after decryption
When is padding used?
When the mode requires the plaintext to consist of complete blocks (e.g. ECB, CBC)
What is NIST's suggestion for padding?
1) append a single '1' bit to the data string, 2) pad the result with as few '0' bits as needed to complete the block (padding is always applied, so block-aligned data gets a whole extra block)
Explain what is meant by "padding bits remove ambiguity if known"
Removal is unambiguous when the receiver knows padding was applied: 1) remove all trailing '0' bits after the last '1' bit, 2) remove that '1' bit
If the receiver does not know whether padding was applied, a message that genuinely ends in 1 0…0 cannot be told apart from padding and would be mis-stripped
What is the notation for the plaintext message i.t.o modes?
Plaintext message P (n blocks in length)
What is the notation for the t-th plaintext block i.t.o modes?
Pt, for 1 <= t <= n
What is the notation for the ciphertext message i.t.o modes?
C
What is the notation for the t-th ciphertext block i.t.o modes?
Ct, for 1 <= t <= n
What is the notation for the key i.t.o modes?
K
What is the notation for the initialisation vector i.t.o modes?
V
Can any mode apply to any block cipher?
yes
What does ECB mode stand for?
Electronic Codebook
What is the formula for ECB mode's encryption? What does it imply?
Ct = E(Pt ,K)
Implies that ECB is the basic mode for block ciphers: each block is encrypted independently, with no chaining.
What is the decryption formula for ECB mode?
Pt = D(Ct,K)
Give the diagram for ECB encryption
see slides –> add to cheat sheet
Give the diagram for ECB decryption
see slides –> add to cheat sheet
Briefly explain ECB mode encryption
Plaintext block Pt encrypted with key K to produce ciphertext block Ct
Briefly explain ECB mode decryption
Ciphertext block Ct decrypted with key K to produce plaintext block Pt
Is ECB mode randomised?
no
Is padding required for ECB mode?
yes
Comment on the error propagation for ECB mode.
Errors stay within the block: a 1-bit ciphertext error garbles the whole corresponding plaintext block and nothing else
Does ECB mode have an IV?
no
Is parallel encryption or decryption possible for ECB mode? Why?
Both possible since no chaining for either encryption or decryption
Is ECB mode deterministic? What does this imply?
Yes
Not normally used for bulk encryption, since a deterministic encryption scheme always produces the same ciphertext for a given plaintext and key, even over separate executions of the encryption algorithm, so repeated blocks and repeated messages are visible to an observer
Is ECB a confidentiality or authentication mode?
confidentiality
Is CBC a confidentiality or authentication mode?
confidentiality
Is CTR a confidentiality or authentication mode?
confidentiality
Is MAC a confidentiality or authentication mode?
authentication
Is CBC-MAC a confidentiality or authentication mode?
authentication
Is CMAC a confidentiality or authentication mode?
authentication
Are blocks chained together in CBC mode encryption?
yes
What is the formula for determining Ct in CBC mode encryption?
Ct = E(Pt ⊕ Ct-1, K) s.t. C0 = IV
What role does IV play in CBC mode encryption?
IV chosen randomly for each message and sent along with the ciphertext blocks (as C0)
Briefly outline CBC mode encryption
Pt XORed with previous ciphertext block Ct-1 and encrypted with key K to produce Ct
Give the diagram for CBC mode encryption
see slides –> add to cheat sheet
What is the formula for determining Pt in CBC mode decryption
Pt = D(Ct,K) ⊕ Ct-1 s.t. C0 = IV
Briefly outline CBC mode decryption
Ct decrypted with key K and XORed with previous ciphertext block Ct-1 to produce Pt
Give the diagram for CBC mode decryption
see slides –> add to cheat sheet
Discuss error propagation in CBC mode decryption
Two plaintext blocks are affected by a 1-bit error in Ct: Pt is completely garbled and Pt+1 has the same single bit flipped; Pt+2 onwards are unaffected
Give the diagram for CBC mode decryption’s error propagation
see slides –> add to cheat sheet
Is CBC mode randomised?
Yes, through the random IV: the same plaintext under the same key gives a different ciphertext each time
Is padding required for CBC mode?
yes
Comment on the error propagation for CBC mode
Errors propagate within blocks and into specific bits of next block
Comment on the IV for CBC mode
IV must be random and unpredictable to the attacker, fresh for every message
Is parallel encryption possible for CBC mode? What does this mean?
No, each block has to wait for the previous ciphertext block; CBC is nevertheless widely used for bulk encryption
Is parallel decryption possible for CBC mode?
Yes, each Pt needs only Ct and Ct-1, which are both already available
What sort of mode is CTR?
a synchronous stream cipher mode
What does CTR in CTR mode stand for?
counter
What additional things does CTR mode need?
A counter and a nonce N; N is chosen randomly (or otherwise uniquely) for each message
What is Tt in CTR mode?
Tt = N || t → concatenation of nonce N and block t
What is the formula for Ot?
Ot = E(Tt,K)
Comment on the propagation of channel errors in CTR mode
one-bit change in ciphertext produces a one bit change in plaintext at same location
What is the formula for encryption for CTR mode?
Ct = Ot ⊕ Pt
Briefly outline CTR mode encryption
Plaintext block Pt XORed with Ot
Give the diagram for CTR mode encryption
see slides –> add to cheat sheet
Give the diagram for CTR mode decryption
see slides –> add to cheat sheet
What is the formula for decryption for CTR mode?
Pt = Ot ⊕ Ct
Briefly outline CTR mode decryption
Ciphertext block Ct XORed with Ot
Is CTR mode randomised?
yes
Does CTR mode require padding?
No: the final keystream block Ot is simply truncated to the length of the final (partial) plaintext block, so the ciphertext is exactly as long as the plaintext
Comment on error propagation in CTR mode
Errors occur in specific bits of current block
Does CTR mode use an IV?
yes
Does the nonce have to be unique for CTR mode?
Yes; reusing a nonce under the same key repeats the keystream, so C1 ⊕ C2 = P1 ⊕ P2 and plaintext leaks
Can CTR mode do parallel encryption?
Yes since no chaining
Can CTR mode do parallel decryption?
Yes since no chaining
What is CTR mode good for?
Random access: any plaintext block can be decrypted without decrypting the whole stream, since Ot depends only on N, t and K
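The confidentiality modes above (10* padding, ECB, CBC and CTR, their error propagation, ECB determinism and the CTR nonce rule) as a runnable Python illustration. This is an added example, not code from the lecture: the block cipher `encrypt_block`/`decrypt_block` is a toy Feistel construction standing in for a real cipher such as AES, and the 16-byte block, 12-byte nonce and 4-byte counter layout are assumptions chosen for the demo.

```python
"""ECB, CBC and CTR over a toy 16-byte block cipher (added example, not from the
slides). The cipher is a stand-in: a Feistel network with an HMAC-SHA256 round
function, invertible but not standardised. Real code uses AES from a library."""
import hashlib
import hmac
import os

BLOCK, ROUNDS = 16, 8   # assumed block size in bytes, Feistel rounds

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))   # truncates to the shorter input

def _round(key: bytes, r: int, half: bytes) -> bytes:
    return hmac.new(key, bytes([r]) + half, hashlib.sha256).digest()[:8]

def encrypt_block(block: bytes, key: bytes) -> bytes:
    """E(P, K): Feistel network over two 8-byte halves."""
    left, right = block[:8], block[8:]
    for r in range(ROUNDS):
        left, right = right, _xor(left, _round(key, r, right))
    return left + right

def decrypt_block(block: bytes, key: bytes) -> bytes:
    """D(C, K): the same rounds, run backwards."""
    left, right = block[:8], block[8:]
    for r in reversed(range(ROUNDS)):
        left, right = _xor(right, _round(key, r, left)), left
    return left + right

def pad(data: bytes) -> bytes:
    """NIST 10* padding: a '1' bit then '0' bits (0x80 then 0x00 on bytes).
    Always applied, so block-aligned data gets a whole extra block."""
    return data + b"\x80" + b"\x00" * (BLOCK - len(data) % BLOCK - 1)

def unpad(data: bytes) -> bytes:
    """Strip trailing '0' bits after the last '1' bit, then that '1' bit."""
    stripped = data.rstrip(b"\x00")
    if not stripped.endswith(b"\x80"):
        raise ValueError("invalid padding")
    return stripped[:-1]

def blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(p: bytes, key: bytes) -> bytes:
    # C_t = E(P_t, K): no chaining, so equal plaintext blocks give equal ciphertext blocks
    return b"".join(encrypt_block(b, key) for b in blocks(pad(p)))

def ecb_decrypt(c: bytes, key: bytes) -> bytes:
    return unpad(b"".join(decrypt_block(b, key) for b in blocks(c)))

def cbc_encrypt(p: bytes, key: bytes, iv: bytes) -> bytes:
    # C_t = E(P_t xor C_{t-1}, K), C_0 = IV; the IV travels in the clear as block 0
    prev, out = iv, [iv]
    for b in blocks(pad(p)):
        prev = encrypt_block(_xor(b, prev), key)
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(c: bytes, key: bytes) -> bytes:
    # P_t = D(C_t, K) xor C_{t-1}: needs only C_t and C_{t-1}, so it parallelises
    cs = blocks(c)
    return unpad(b"".join(_xor(decrypt_block(ct, key), prev) for prev, ct in zip(cs, cs[1:])))

def ctr_crypt(data: bytes, key: bytes, nonce: bytes) -> bytes:
    """O_t = E(N || t, K), C_t = P_t xor O_t; the same call decrypts. No padding:
    the last keystream block is truncated to the data length (12-byte N, 4-byte t)."""
    stream = b"".join(encrypt_block(nonce + t.to_bytes(4, "big"), key)
                      for t in range(1, -(-len(data) // BLOCK) + 1))
    return _xor(data, stream)

def flip_bit(data: bytes, bit: int) -> bytes:
    """Simulate a one-bit channel error in the ciphertext."""
    out = bytearray(data)
    out[bit // 8] ^= 1 << (bit % 8)
    return bytes(out)

def error_propagation(key: bytes) -> dict:
    """Flip one bit in the 2nd data block of each ciphertext and report which plaintext
    blocks (0-based) decrypt wrongly. Expected: ECB [1], CBC [1, 2], CTR [1] with 1 bit."""
    msg = b"A" * 16 + b"B" * 16 + b"C" * 16 + b"D" * 16          # constructed input
    nonce = os.urandom(12)
    got = {"ecb": ecb_decrypt(flip_bit(ecb_encrypt(msg, key), 16 * 8), key),
           "cbc": cbc_decrypt(flip_bit(cbc_encrypt(msg, key, os.urandom(16)), 32 * 8), key),
           "ctr": ctr_crypt(flip_bit(ctr_crypt(msg, key, nonce), 16 * 8), key, nonce)}
    out = {m: [i for i, (x, y) in enumerate(zip(blocks(msg), blocks(p))) if x != y]
           for m, p in got.items()}
    out["ctr_bits"] = sum(bin(x ^ y).count("1") for x, y in zip(msg, got["ctr"]))
    return out

def determinism(key: bytes) -> dict:
    """ECB leaks repeated blocks; CBC with a fresh IV hides them and never repeats a
    ciphertext; CTR with a reused nonce repeats its keystream, so C1 xor C2 = P1 xor P2."""
    msg, nonce = b"same block here!" * 2, os.urandom(12)          # constructed 16-byte blocks
    e = blocks(ecb_encrypt(msg, key))
    c1, c2 = cbc_encrypt(msg, key, os.urandom(16)), cbc_encrypt(msg, key, os.urandom(16))
    p1, p2 = b"attack at dawn!!", b"retreat at dusk!"
    return {"ecb_repeats": e[0] == e[1],
            "cbc_repeats": blocks(c1)[1] == blocks(c1)[2] or c1 == c2,
            "ctr_nonce_reuse_leaks":
                _xor(ctr_crypt(p1, key, nonce), ctr_crypt(p2, key, nonce)) == _xor(p1, p2)}
```

`error_propagation` shows the three behaviours from the cards side by side: the ECB error stays in its block, the CBC error garbles its block and flips one bit in the next, and the CTR error flips exactly one bit. `determinism` shows why ECB is avoided for bulk data and why the CTR nonce must never repeat under one key.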
What is message integrity?
Ensuring messages are not altered in transmission
Should we treat message integrity and message authentication differently or as the same?
the same
What does message integrity prevent?
adversary from reordering, replacing, replicating and deleting message blocks to alter received message
Is providing message integrity independent from using encryption for confidentiality?
yes, independent
What does MAC stand for?
Message Authentication Code
Briefly outline the purpose of MAC
Cryptographic mechanism to ensure message integrity
What is T i.t.o MAC?
A MAC tag
How do we calculate T for MAC?
T = MAC(M,K)
Inputs → arbitrarily-length message M and secret key K
Output → short fixed-length tag T
I.t.o MAC, do Alice and Bob share a common key K?
yes
Explain the process of Alice sending a message M to Bob using MAC
Alice computes T = MAC(M,K)
Alice sends message M with its tag T adjoined
Bob computes T’ = MAC(M’, K) on received message M’ and checks that T’ = T
What does MAC provide?
Data origin (sender) authentication and integrity for the message
Who can produce T from M i.t.o MAC?
Only holders of K, i.e. Alice and Bob
If T' = T, what does Bob know i.t.o MAC?
The message was produced by someone holding K (Alice) and was not modified in transit
If T' ≠ T, what does Bob know?
(M', T) was not sent by Alice as received: the message or the tag was altered, or the pair was forged
What is unforgeability i.t.o MAC?
Basic security property
infeasible to produce M and T s.t. T = MAC(M,K) without knowing K
Briefly outline basic CBC-MAC
Using a block cipher in CBC mode to create a MAC that provides message integrity (but not confidentiality): only the final ciphertext block is output as the tag
Comment on IV for basic CBC-MAC
IV must be fixed and public, conventionally the all-zero block
CBC-MAC with a variable IV sent alongside the tag is not secure: flipping the same bit in the IV and in P1 leaves T unchanged
What is P i.t.o basic CBC-MAC?
message with n blocks
How is T written i.t.o basic CBC-MAC?
T = CBC-MAC(P,K)
What is the formula for Ct i.t.o basic CBC-MAC?
Ct = E(Pt ⊕ Ct-1, K) for 1 <= t <= n s.t. C0 = IV
What is the formula for T i.t.o basic CBC-MAC?
T = Cn
Is T unforgeable for basic CBC-MAC?
Yes, provided the message length is fixed; with variable-length messages an attacker who knows the tags T1, T2 of two one-block messages M1, M2 can present M1 || (M2 ⊕ T1) with tag T2
What is Cipher-based MAC (CMAC) a standardised version of?
NIST's secured version of CBC-MAC (SP 800-38B)
Explain the CMAC process
2 subkeys K1, K2 derived from the original key K (L = E(0,K), then K1 = L·x and K2 = L·x² in GF(2^128))
The last block Mn is XORed with K1 if it is complete, or 10*-padded and XORed with K2 if it is not
IV set to the all-0 block
CBC encryption over the message M, keeping only the final block
What is T i.t.o CMAC?
T = some number of MSB bits (Tlen) of the final block
Give the diagram for computing T i.t.o CMAC?
see slides –> add to cheat sheet
What does the NIST standard of CMAC allow for? Why?
Any tag length Tlen chosen for T by the application → at least 64 bits recommended so that guessing a valid tag is infeasible
What does the NIST standard of CMAC require the length of tag T to be?
at least length of log2(lim/R) with:
1) lim → limit on how many invalid messages detected before K changed
2) R → acceptable probability (risk) that false message is accepted
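The CBC-MAC and CMAC constructions above, together with the two CBC-MAC weaknesses the cards mention (a variable IV and variable message length) and the CMAC subkey fix, as an added Python example that is not from the slides. The block cipher `E` is stood in by HMAC-SHA256 truncated to 16 bytes (an assumption: these MACs only ever encrypt, so a keyed PRF reproduces the constructions and the attacks faithfully), and the message strings are constructed for the demo.

```python
"""CBC-MAC, two ways it breaks (variable IV, variable length) and the CMAC fix
(added example, not from the slides). E(X, K) is stood in by HMAC-SHA256
truncated to 16 bytes: these MACs only call E, never D, so a keyed PRF shows
the constructions and attacks faithfully. Real code uses AES-CMAC from a library."""
import hashlib
import hmac

BLOCK = 16
ZERO = bytes(BLOCK)

def E(x: bytes, key: bytes) -> bytes:
    return hmac.new(key, x, hashlib.sha256).digest()[:BLOCK]   # block-cipher stand-in

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def cbc_mac(msg: bytes, key: bytes, iv: bytes = ZERO) -> bytes:
    """Basic CBC-MAC: C_t = E(P_t xor C_{t-1}, K), C_0 = IV, T = C_n (block-aligned msg)."""
    if len(msg) % BLOCK:
        raise ValueError("basic CBC-MAC needs complete blocks")
    c = iv
    for p in blocks(msg):
        c = E(_xor(p, c), key)
    return c

def iv_flip_attack(msg: bytes, key: bytes, iv: bytes) -> bool:
    """Variable IV sent with the tag: flip the same bit in IV and P_1 and T is unchanged,
    so the first block is not bound by the tag. Returns True when the forgery verifies."""
    mask = b"\x01" + bytes(BLOCK - 1)
    forged_msg, forged_iv = _xor(msg[:BLOCK], mask) + msg[BLOCK:], _xor(iv, mask)
    return cbc_mac(forged_msg, key, forged_iv) == cbc_mac(msg, key, iv)

def length_extension_forgery(m1: bytes, m2: bytes, key: bytes, mac=cbc_mac) -> bool:
    """Variable-length messages: from tags T1, T2 of one-block messages M1, M2 an attacker
    forges the tag of M1 || (M2 xor T1), since E(E(M1) xor M2 xor T1) = E(M2) = T2.
    Returns True when the forged tag verifies (it does for cbc_mac, not for cmac)."""
    t1, t2 = mac(m1, key), mac(m2, key)      # the two (message, tag) pairs the attacker saw
    return mac(m1 + _xor(m2, t1), key) == t2

def _dbl(b: bytes) -> bytes:
    """Multiply by x in GF(2^128), reduction polynomial x^128 + x^7 + x^2 + x + 1 (0x87)."""
    n = int.from_bytes(b, "big") << 1
    if n >> 128:
        n ^= (1 << 128) | 0x87
    return n.to_bytes(BLOCK, "big")

def cmac(msg: bytes, key: bytes, tlen: int = BLOCK) -> bytes:
    """CMAC (NIST SP 800-38B): subkeys K1 = L*x, K2 = L*x^2 with L = E(0, K); the last
    block is XORed with K1 if complete, else 10*-padded and XORed with K2; IV = 0;
    T = MSB_tlen of the final block. The subkeys are what defeat the forgery above."""
    k1 = _dbl(E(ZERO, key))
    k2 = _dbl(k1)
    if msg and len(msg) % BLOCK == 0:
        last = _xor(msg[-BLOCK:], k1)
    else:
        tail = msg[len(msg) - len(msg) % BLOCK:] + b"\x80"
        last = _xor(tail + bytes(BLOCK - len(tail)), k2)
    c = ZERO
    for p in blocks(msg[:(len(msg) - 1) // BLOCK * BLOCK] if msg else b""):
        c = E(_xor(p, c), key)
    return E(_xor(last, c), key)[:tlen]
```

`length_extension_forgery(m1, m2, key)` returns True for `cbc_mac` (the two-block forgery from the card above verifies) and False when `mac=cmac` is passed, because the K1/K2 masking of the last block means T1 is no longer E(M1) and the chain no longer lines up. The same masking also makes a 15-byte message and the 16-byte message equal to its padding give different tags, which raw 10* padding alone would not.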
What are the two types of input data for authenticated encryption modes?
1) payload → both encrypted and authenticated
2) associated data → only authenticated
What are the two modes specified for authenticated encryption?
1) NIST 2004 (SP 800-38C): Counter with CBC-MAC (CCM) mode
2) NIST 2007 (SP 800-38D): Galois/Counter Mode (GCM)
What modes do CCM and GCM modes both use? Do they add integrity in the same way?
Both use CTR mode for confidentiality but add integrity differently
What versions of TLS are CCM and GCM modes used in?
Both used in TLS 1.2 and 1.3
Briefly outline CCM
Combining CBC-MAC for authentication of ALL data (payload and associated data) and CTR mode encryption for payload
What does CCM in CCM mode stand for?
Counter with CBC-MAC Mode
What are the inputs for CCM?
Inputs → nonce N for CTR mode, payload P of |P| bits and associated data A
I.t.o CCM, what are formatted to produce the block sets?
N, A, P
What sort of tag is computed for CCM and how long is it?
A CBC-MAC tag T of Tlen bits computed over the formatted blocks
What mode is used to compute the key stream blocks S0, S1, …, Sm?
CTR mode
What is m in the key stream S0, S1, …, Sm for CCM mode?
m = ⌈Plen/128⌉, where Plen is the bit length of the plaintext P (S0 is reserved for encrypting the tag)
What are the outputs of CCM mode?
C = (P ⊕ MSBPlen(S)) || (T ⊕ MSBTlen(S0)) where S = S1 || … || Sm
Briefly outline the CCM mode format
A complex format with restrictions that vary between standards
The lengths of N and P (with flag bits) are encoded in the 1st block
What happens if A is non-empty for the CCM mode format?
A is formatted from the 2nd block onwards, prefixed by an encoding of its length
What is the size of tag T, the nonce N and the max payload size for TLS 1.2?
tag T is 8 bytes (the CCM_8 cipher suites; the plain CCM suites use 16), CTR mode nonce N is 12 octets, max payload size is 2^24 - 1 bytes