Block cipher: Difference between revisions

From Citizendium
imported>Sandy Harris
(→‎Block cipher modes: delete section; becomes new article)
imported>Sandy Harris
(Undo revision 100403315 by Sandy Harris (Talk))
== Block cipher modes ==


Various '''modes of operation''' for block cipher usage were originally defined for DES in a US [[Federal Information Processing Standard]] (FIPS) <ref>{{cite paper | title = FIPS 81: DES Modes of Operation | date = December 1980 | url = http://www.itl.nist.gov/fipspubs/fip81.htm}}</ref>. The most recent [[NIST]] recommendations are in "Recommendation for Block Cipher Modes of Operation" <ref>{{cite paper | title = Recommendation for Block Cipher Modes of Operation | publisher = National Institute for Standards & Technology | date = 2001 | url = http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf }}</ref>.
These modes can be applied to any block cipher.
=== Electronic Code Book, ECB ===
In '''Electronic Code Book''' mode, the cipher is just applied to each block of plaintext independently.
The disadvantage is that the same plaintext block always encrypts to the same ciphertext; this gives an enemy some information. ECB is therefore '''generally not used'''.
=== Cipher Block Chaining, CBC ===
In '''cipher block chaining''' mode, the ciphertext output from the previous block is XORed into the plaintext before encryption. Encryption of block n is then:
  c<sub>n</sub> = encrypt( p<sub>n</sub> XOR c<sub>n-1</sub>)
For this to work for n=1, an '''initialisation vector''' (IV) must be provided to act as c<sub>0</sub>. This need not be secret, but it must be different for each message and should be random. If the same IV is repeatedly used, then if two or more messages start with the same text, they will encrypt identically for the first block or the first few blocks. This is an unnecessary weakness; using unique IVs is therefore standard practice.
CBC mode makes the encryption of any block depend on all blocks previously encrypted. A bit error in an encrypted block, such as might be caused by line noise, will cause the decryption of that block and the next to be garbled, but later blocks will not be affected. CBC is self-recovering against bit-flipping errors. However, loss of synchronisation is fatal; if even a single bit is dropped or added, then the affected block and all that follow it will be garbled. Authentication of the packet or message can prevent such problems if decryption is only applied to data that has passed authentication.
Cipher block chaining is much the most '''widely used mode'''. [[IPsec]] specifies it as the only permitted mode. [[PGP]] and [[TLS]] use it as well.
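The ECB weakness, the CBC chaining formula, the IV-reuse leak and the error-propagation behaviour described above, worked through as an added example that is not part of the original article. The block cipher is a stand-in: a small Feistel construction built from HMAC-SHA256 so that the modes run with nothing but the Python standard library. The key, plaintexts and IV are constructed for the demonstration, and plaintext is assumed to be a whole number of blocks (padding is not covered here).

```python
import hashlib
import hmac
import os

BLOCK = 16  # block size in bytes of the toy cipher below

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

# Toy block cipher (constructed for this example only): a 4-round Feistel
# network with HMAC-SHA256 as the round function. The Feistel structure makes
# it invertible, which is all ECB and CBC need from the underlying cipher.
def _round(key, i, half):
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]

def encrypt_block(key, block):
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, xor(l, _round(key, i, r))
    return l + r

def decrypt_block(key, block):
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = xor(r, _round(key, i, l)), l
    return l + r

def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

# ECB: each block is encrypted independently.
def ecb_encrypt(key, pt):
    return b"".join(encrypt_block(key, p) for p in blocks(pt))

# CBC: c_n = encrypt(p_n XOR c_{n-1}), with the IV standing in for c_0.
def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for p in blocks(pt):
        prev = encrypt_block(key, xor(p, prev))
        out.append(prev)
    return b"".join(out)

# CBC decryption: p_n = decrypt(c_n) XOR c_{n-1}.
def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for c in blocks(ct):
        out.append(xor(decrypt_block(key, c), prev))
        prev = c
    return b"".join(out)

def distinct_blocks(ct):
    return len(set(blocks(ct)))

def shared_leading_blocks(ct1, ct2):
    """Number of leading ciphertext blocks two ciphertexts have in common."""
    n = 0
    for a, b in zip(blocks(ct1), blocks(ct2)):
        if a != b:
            break
        n += 1
    return n

def _garbled(recovered, pt):
    return [i for i, (a, b) in enumerate(zip(blocks(recovered), blocks(pt))) if a != b]

def garbled_after_bit_flip(key, iv, pt, n):
    """Plaintext block indices that decrypt wrongly after one bit of ciphertext block n flips."""
    ct = bytearray(cbc_encrypt(key, iv, pt))
    ct[n * BLOCK] ^= 0x01                        # simulated line noise
    return _garbled(cbc_decrypt(key, iv, bytes(ct)), pt)

def garbled_after_dropped_byte(key, iv, pt, k):
    """Plaintext block indices that decrypt wrongly after ciphertext byte k is lost in transit."""
    ct = cbc_encrypt(key, iv, pt)
    ct = ct[:k] + ct[k + 1:]                     # loss of synchronisation
    ct = ct[:len(ct) - len(ct) % BLOCK]          # receiver can only process whole blocks
    return _garbled(cbc_decrypt(key, iv, ct), pt)

# Constructed sample data: a 16-byte key, five plaintext blocks (three of them
# identical), a second message sharing the first two blocks, and a fixed IV.
KEY = b"constructed-key!"
PT = b"A" * 16 + b"B" * 16 + b"A" * 16 + b"C" * 16 + b"A" * 16
PT2 = b"A" * 16 + b"B" * 16 + b"Z" * 16 + b"Z" * 16 + b"Z" * 16
FIXED_IV = bytes(16)

if __name__ == "__main__":
    print("ECB distinct blocks:", distinct_blocks(ecb_encrypt(KEY, PT)))            # 3 of 5: repeats leak
    print("CBC distinct blocks:", distinct_blocks(cbc_encrypt(KEY, FIXED_IV, PT)))  # 5
    print("shared prefix, IV reused:", shared_leading_blocks(
        cbc_encrypt(KEY, FIXED_IV, PT), cbc_encrypt(KEY, FIXED_IV, PT2)))           # 2
    print("shared prefix, fresh IVs:", shared_leading_blocks(
        cbc_encrypt(KEY, os.urandom(16), PT), cbc_encrypt(KEY, os.urandom(16), PT2)))  # 0
    print("garbled after bit flip in block 1:", garbled_after_bit_flip(KEY, FIXED_IV, PT, 1))    # [1, 2]
    print("garbled after dropping byte 20:", garbled_after_dropped_byte(KEY, FIXED_IV, PT, 20))  # [1, 2, 3]
```

Because the toy cipher is a bijection on blocks, the ECB count and the bit-flip result are exact rather than probabilistic: three distinct plaintext blocks give exactly three distinct ECB ciphertext blocks, and a flipped bit in block n always garbles blocks n and n+1 and nothing else, whereas a dropped byte garbles every block from the point of loss onward.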
=== Cipher feedback, CFB ===
=== Output Feedback, OFB ===
=== Counter, CTR ===
In counter mode, a counter is encrypted to generate a series of pseudo-random output blocks. It can be used to create a [[Random number#pseudorandom number generator|pseudorandom number generator]] or a [[stream cipher]]; if the block cipher is secure and is keyed and re-keyed appropriately, these will be secure as well.
Counter mode is used in the Yarrow <ref>{{cite paper
| title = Yarrow-160: Notes on the Design and Analysis of the Yarrow Cryptographic Pseudorandom Number Generator
| author = J. Kelsey, B. Schneier, and N. Ferguson
| conference = Selected Areas in Cryptography, SAC '99
| url = http://www.schneier.com/yarrow.html
| date = 1999 }}</ref> [[random number]] generator.
It is possible to re-key using some of the system output as the new key; Yarrow does this every 10 iterations, just to complicate any analysis. However, this is not enough for security if large amounts of output are required; the cipher must also be re-keyed (much less often) from an external source of genuine [[random number]]s. The Yarrow paper demonstrates an attack after 2<sup>keysize/3</sup> outputs, so any use of counter mode should be externally re-keyed well before that.
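Counter mode as a pseudorandom generator and stream cipher, with self-re-keying every 10 outputs as the article attributes to Yarrow and an external reseed policy tied to the 2<sup>keysize/3</sup> bound, as an added example that is taken neither from the article nor from the Yarrow paper. Because CTR only ever calls the cipher in the forward direction, a keyed SHA-256 stands in for the block cipher's encryption; the key, message and entropy values are constructed, and the safety factor in `reseed_due` is an arbitrary illustrative choice, not a figure from the paper.

```python
import hashlib

BLOCK = 16  # bytes of keystream produced per counter value

# Stand-in for the block cipher's encryption direction (constructed for this
# example): SHA-256 of key || counter, truncated to one block. CTR mode never
# calls the decryption direction, so a keyed pseudorandom function serves to
# illustrate it; a real design would use AES or another vetted block cipher.
def encrypt_block(key, block):
    return hashlib.sha256(key + block).digest()[:BLOCK]

def attack_bound_outputs(key_bits):
    """Number of outputs after which the Yarrow paper's attack applies: 2^(keysize/3)."""
    return 2 ** (key_bits / 3)

class CounterModeGenerator:
    """CTR-mode pseudorandom generator with Yarrow-style self-re-keying.

    Output i is encrypt_block(key, counter_i). After every `rekey_every`
    outputs, the next block is consumed as the new key and never released.
    A separate count of outputs since the last external reseed lets the
    caller enforce a reseed well before the attack bound.
    """

    def __init__(self, key, rekey_every=10):
        self.key = key
        self.counter = 0
        self.rekey_every = rekey_every
        self.since_internal = 0
        self.since_external = 0

    def _next_block(self):
        block = encrypt_block(self.key, self.counter.to_bytes(BLOCK, "big"))
        self.counter += 1
        return block

    def next_output(self):
        out = self._next_block()
        self.since_internal += 1
        self.since_external += 1
        if self.since_internal == self.rekey_every:
            self.key = self._next_block()   # self-re-key from unreleased output
            self.since_internal = 0
        return out

    def reseed_due(self, key_bits, safety_factor=1024):
        """True once output since the last external reseed comes within safety_factor of the bound."""
        return self.since_external * safety_factor >= attack_bound_outputs(key_bits)

    def reseed(self, entropy):
        """External re-key from genuine random bits; the counter restarts as well."""
        self.key = hashlib.sha256(self.key + entropy).digest()
        self.counter = 0
        self.since_external = 0

def ctr_crypt(key, data, rekey_every=10):
    """Stream-cipher use of CTR: XOR data with the keystream; the same call
    decrypts. A key must never be reused with the same starting counter,
    otherwise two messages would share keystream."""
    gen = CounterModeGenerator(key, rekey_every)
    stream = bytearray()
    while len(stream) < len(data):
        stream += gen.next_output()
    return bytes(a ^ b for a, b in zip(data, stream))

# Constructed sample values for the demonstration.
KEY = b"constructed-key!"
MSG = b"constructed sample plaintext for the counter-mode stream cipher"

if __name__ == "__main__":
    gen = CounterModeGenerator(KEY)
    outs = [gen.next_output() for _ in range(11)]
    print("distinct outputs:", len(set(outs)))                           # 11
    print("round trip ok:", ctr_crypt(KEY, ctr_crypt(KEY, MSG)) == MSG)  # True
    print("attack bound for a 96-bit key:", attack_bound_outputs(96))    # 2**32
```

The eleventh output differs from what a generator without self-re-keying would have produced, because the block at counter 10 was swallowed as the new key rather than emitted; the external reseed is what actually resets the exposure budget, which is why `reseed_due` counts from the last call to `reseed`, not from the last internal re-key.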

Revision as of 03:22, 29 October 2008
