Lecture 8: Block Cipher Modes of Operation (features, standards, confidentiality modes, ECB, CBC, CTR, CMAC, HMAC)

Question 1

What type of blocks of data do block ciphers encrypt?

Answer 1

Single

Question 2

Is breaking plaintext into blocks and encrypting each separately secure or insecure?

Answer 2

insecure

Question 3

Why do block ciphers have different modes of operation?

Answer 3

Different modes have different efficiency and communication properties → trade-off between security and efficiency

Question 4

What is the general reason that different modes were designed?

Answer 4

Designed to provide confidentiality and/or authentication (and integrity)

Question 5

What do all modes that provided confidentiality include?

Answer 5

randomisation

Question 6

What is the problem with having the same plaintext is encrypted to same ciphertext every time?

Answer 6

allowing patterns to be found in long ciphertext

Question 7

How can we prevent the following problem?

same plaintext is encrypted to same ciphertext every time

Answer 7

use randomise encryption schemes

OR

vary encryption by including variable state which is updated with each block → update state each time

Question 8

What is used in randomised encryption schemes?

Answer 8

1. Using initialization vector V which propagates through entire ciphertext
2. IV may be random or unique

Question 9

What impact efficiency for practical usage?

Answer 9

Parallel processing and error propagation

Question 10

Explain parallel processing

Answer 10

multiple plaintext blocks encrypted in parallel, multiple ciphertext blocks are decrypted in parallel

Question 11

Explain error propagation

Answer 11

bit error occurs in ciphertext results in multiple bit errors in plaintext after decryption

Question 12

When is padding used?

Answer 12

When requiring plaintext to consist of complete blocks

Question 13

What is NIST’s suggestion for padding?

Answer 13

1) append ‘1’ bit to data string, 2) pad resulting string by as few ‘0’ bits to complete block

Question 14

Explain what is meant by “padding bits remove ambiguity if known”

Answer 14

1) removing all trailing ‘0’ after last ‘1’ bit, 2) remove ‘1’ bit

Small probability of getting wrong → ½ chance per bit

Question 15

What is the notation for the plaintext message i.t.o modes?

Answer 15

Plaintext message P (n blocks in length)

Question 16

What is the notation for the t-th plaintext block i.t.o modes?

Answer 16

Pt, for 1 <= t <= n

Question 17

What is the notation for the ciphertext message i.t.o modes?

Answer 17

C

Question 18

What is the notiation for the T-th ciphertext block i.t.o modes?

Answer 18

Ct, for 1 <= t <= n

Question 19

What is the notation for the key i.t.o modes?

Answer 19

K

Question 20

What is the notation for the initialisation vector i.t.o modes?

Answer 20

V

Question 21

Can any mode apply to any block cipher?

Answer 21

yes

Question 22

What does ECB mode stand for?

Answer 22

Electronic code block

Question 23

What is the formula for ECD mode’s encryption? What does it imply?

Answer 23

Ct = E(Pt ,K)

Implies that ECD mode is a basic mode for block ciphers as there is no chaining.

Question 24

What is the decryption formula for ECB mode?

Answer 24

Pt = D(Ct,K)

Question 25

Give the diagram for ECB encryption

Answer 25

see slides --> add to cheat sheet

Question 26

Give the diagram for ECB decryption

Answer 26

see slides --> add to cheat sheet

Question 27

Briefly explain ECB mode encryption

Answer 27

Plaintext block Pt encrypted with key K to produce ciphertext block Ct

Question 28

Briefly explain ECB mode decryption

Answer 28

Ciphertext block Ct decrypted with key K to produce plaintext block Pt

Question 29

Is ECD mode randomised?

Answer 29

no

Question 30

Is padding required for ECD mode?

Answer 30

yes

Question 31

Comment on the error propagation for ECD mode.

Answer 31

Errors propagate within blocks

Question 32

Does ECB mode have an IV?

Answer 32

no

Question 33

Is parallel encryption or decryption possible for ECB mode? Why?

Answer 33

Both possible since no chaining for either encryption or decryption

Question 34

Is ECB mode deterministic? What does this imply?

Answer 34

Yes Not normally used for bulk encryption since deterministic encryption schemes always produces the same ciphertext for a given plaintext and key, even over separate executions of the encryption algorithm

Question 35

Is ECB a confidentiality or authentication mode?

Answer 35

confidentiality

Question 36

Is CBC a confidentiality or authentication mode?

Answer 36

confidentiality

Question 37

Is CTR a confidentiality or authentication mode?

Answer 37

confidentiality

Question 38

Is MAC a confidentiality or authentication mode?

Answer 38

authentication

Question 39

Is CDC-MAC a confidentiality or authentication mode?

Answer 39

authentication

Question 40

Is CMAC a confidentiality or authentication mode?

Answer 40

authentication

Question 41

Are blocks chained together in CBC mode encryption?

Answer 41

yes

Question 42

What is the formula for determining Ct in CBC mode encryption?

Answer 42

Ct = E(Pt ⊕ Ct-1, K) s.t. C0 = IV

Question 43

What role does IV play in CBC mode encryption?

Answer 43

IV chosen randomly and sent with ciphertext blocks

Question 44

Briefly outline CBC mode encryption

Answer 44

Pt XORed with previous ciphertext block Ct-1 and encrypted with key K to produce Ct

Question 45

Give the diagram for CBC mode encryption

Answer 45

see slides --> add to cheat sheet

Question 46

What is the formula for determining Pt in CBC mode decryption

Answer 46

Pt = D(Ct,K) ⊕ Ct-1 s.t. C0 = IV

Question 47

Briefly outline CBC mode decryption

Answer 47

Ct decrypted with key K and XORed with previous ciphertext block Ct-1 to produce Pt

Question 48

Give the diagram for CBC mode decryption

Answer 48

see slides --> add to cheat sheet

Question 49

Discuss error propagation in CBC mode decryption

Answer 49

Two blocks affected with 1 bit error → block itself and next plaintext block

Question 50

Give the diagram for CBC mode decryption's error propagation

Answer 50

see slides --> add to cheat sheet

Question 51

Is CBC mode randomised?

Answer 51

no

Question 52

Is padding required for CBC mode?

Answer 52

yes

Question 53

Comment on the error propagation for CBC mode

Answer 53

Errors propagate within blocks and into specific bits of next block

Question 54

Comment on the IV for CBC mode

Answer 54

IV must be random

Question 55

Is parallel encryption possible for CBC mode? What does this mean?

Answer 55

no, have to wait for previous output CBC used for bulk encryption

Question 56

Is parallel decryption possible for CBC mode?

Answer 56

yes, don’t have to wait for previous output

Question 57

What sort of mode is CTR?

Answer 57

a synchronous stream cipher mode

Question 58

What does CTR in CTR mode stand for?

Answer 58

counter

Question 59

What additional things does CTR mode need?

Answer 59

Counter and nounce used, initialized using randomly chosen value N

Question 60

What is Tt in CTR mode?

Answer 60

Tt = N || t → concatenation of nonce N and block t

Question 61

What is the formula for Ot?

Answer 61

Ot = E(Tt,K)

Question 62

Comment on the propagation of channel errors in CTR mode

Answer 62

one-bit change in ciphertext produces a one bit change in plaintext at same location

Question 63

What is the formula for encryption for CTR mode?

Answer 63

Ct = Ot ⊕ Pt

Question 64

Briefly outline CTR mode encryption

Answer 64

Plaintext block Pt XORed with Ot

Question 65

Give the diagram for CTR mode encryption

Answer 65

see slides --> add to cheat sheet

Question 66

Give the diagram for CTR mode decryption

Answer 66

see slides --> add to cheat sheet

Question 67

What is the formula for decryption for CTR mode?

Answer 67

Pt = Ot ⊕ Ct

Question 68

Briefly outline CTR mode decryption

Answer 68

Ciphertext block Ct XORed with Ot

Question 69

Is CTR mode randomised?

Answer 69

yes

Question 70

Does CTR mode require padding?

Answer 70

No, empty is fine at end since same length (fixed)

Question 71

Comment on error propagation in CTR mode

Answer 71

Errors occur in specific bits of current block

Question 72

Does CTR mode use an IV?

Answer 72

yes

Question 73

Does the nonce have to be unique for IV for CTR mode?

Answer 73

yes

Question 74

Can CTR mode do parallel encryption?

Answer 74

Yes since no chaining

Question 75

Can CTR mode do parallel decryption?

Answer 75

Yes since no chaining

Question 76

What is CTR mode good for?

Answer 76

access to specific plaintext blocks without decrypting whole stream

Question 77

What is message integrity?

Answer 77

Ensuring messages are not altered in transmission

Question 78

Should we treat message integrity and message authentication differently or as the same?

Answer 78

the same

Question 79

What does message integrity prevent?

Answer 79

adversary from reordering, replacing, replicating and deleting message blocks to alter received message

Question 80

Is providing message integrity independent from using encryption for confidentiality?

Answer 80

yes, independent

Question 81

What does MAC stand for?

Answer 81

Message Authentication Code

Question 82

Briefly outline the purpose of MAC

Answer 82

Cryptographic mechanism to ensure message integrity

Question 83

What it T i.t.o MAC?

Answer 83

A MAC tag

Question 84

How do we calculate T for MAC?

Answer 84

T = MAC(M,K) Inputs → arbitrarily-length message M and secret key K Output → short fixed-length tag T

Question 85

I.t.o MAC, do Alice and Bob share a common key K?

Answer 85

yes

Question 86

Explain the process of Alice sending a message M to Bob using MAC

Answer 86

Alice computers T = MAC(M,K) Alice sends message M and adjoins its tag T Bob computes T’ = MAC(M’, K) on received message M’ and checks that T’ = T

Question 87

What does MAC provide?

Answer 87

sender authentication to message

Question 88

Who can produce T from M i.t.o MAC?

Answer 88

Only Alice and Bob

Question 89

If T’=T, what does Bob know i.t.o MAC?

Answer 89

message received was sent by Alice and not modified in transit

Question 90

If T ≠ T, what does Bob know?

Answer 90

(M’,T) not sent by Alice

Question 91

What is unforgeability i.t.o MAC?

Answer 91

Basic security property infeasible to produce M and T s.t. T = MAC(M,K) without knowing K

Question 92

Briefly outline basic CDC-MAC

Answer 92

Using block cipher to create MAC providing message integrity (but not confidentiality)

Question 93

Comment on IV for basic CDC-MAC

Answer 93

IV must be fixed and public and can set to all zeros CBC-MAC without IV is not secure!

Question 94

What is P i.t.o basic CDC-MAC?

Answer 94

message with n blocks

Question 95

What is the formula for T i.t.o basic CDC-MAC?

Answer 95

T = CBC-MAC(P,K)

Question 96

What is the formula for Ct i.t.o basic CDC-MAC?

Answer 96

Ct = E(Pt ⊕ Ct-1, K) for 1 <= t <= n s.t. C0 = IV

Question 97

What is the formula for T i.t.o basic CDC-MAC?

Answer 97

T = Cn

Question 98

Is T Unforgeable for basic CDC-MAC?

Answer 98

Yes, provided message length fixed

Question 99

What is Cipher-based MAC (CMAC) a standardised version of?

Answer 99

NIST secure version of CBC-MAC

Question 100

Explain the CMAC process

Answer 100

2 keys K1, K2 derived from original key K K1 or K2 XORed with Mn (padding as needed) IV set to all 0 block CBC encryption on message M

Question 101

What is T i.t.o CMAC?

Answer 101

T = some number of MSB bits of final block

Question 102

Give the diagram for computing T i.t.o CMAC?

Answer 102

see slides --> add to cheat sheet

Question 103

What does the NIST standard of CMAC allow for? Why?

Answer 103

any number of |T| chosen for tag T → recommended 64 bits to avoid guessing

Question 104

What does the NIST standard of CMAC require the length of tag T to be?

Answer 104

at least length of log2(lim/R) with: 1) lim → limit on how many invalid messages detected before K changed 2) R → acceptable probability (risk) that false message is accepted

Question 105

What are the two types of input data for authentication encryption mode?

Answer 105

1) payload → both encrypted and authenticated | 2) associated data → only authenticated

Question 106

What are the two modes specified for authentication encryption mode?

Answer 106

1) NIST 2004 for Counter with CBC-MAC (CCM) Mode | 2) NIST 2007 for Galois/Counter (GCM) Mode

Question 107

What modes do CCM and GCM modes both use? Do they add integrity in the same way?

Answer 107

Both use CTR mode for confidentiality but add integrity differently

Question 108

What versions of TLS are CCM and GCM modes used in?

Answer 108

Both used in TLS 1.2 and 1.3

Question 109

Briefly outline CCM

Answer 109

Combining CBC-MAC for authentication of ALL data (payload and associated data) and CTR mode encryption for payload

Question 110

What does CCM in CCM mode stand for?

Answer 110

Counter with CBC-MAC Mode

Question 111

What are the inputs for CCM?

Answer 111

Inputs → nonce N for CTR mode, payload P of |P| bits and associated data A

Question 112

I.t.o CCM, what are formated to produce block sets?

Answer 112

N, A, P

Question 113

What sort of tag is computed for CCM and what are the length of the blocks they correspond to?

Answer 113

Compute CBC-MAC tag T for blocks with length Tlen

Question 114

What mode is used to compete blocks of key stream S0, S1, … , Sm?

Answer 114

CTR mode

Question 115

What is m in the key stream S0, S1, … , Sm for CCM mode?

Answer 115

m = [Plen/128] | P is plaintext

Question 116

What are the outputs of CCM mode?

Answer 116

C = (P ⊕ MSBPlen(S))||(T ⊕ MSBTlen(S0)) where S = S1, …, Sm

Question 117

Briefly outline the CCM mode format

Answer 117

Complex format with restrictions w.r.t. different standards Length of N, P include in 1st block

Question 118

What happens if A is non-zero for the CCM mode format?

Answer 118

formatted from 2nd block onwards including its length

Question 119

What is the size of tag T, the nonce N and the max payload size for TLS 1.2?

Answer 119

tag T is 8 bytes, CTR mode nonce N is 12 octets, max payload size is 2^(24 - 1) bytes