Encipherment Using Modern Symmetric-Key Ciphers-Block Ciphers

Uploaded by

satish naikawadi

Chapter 2

Encipherment Using
Modern Symmetric-Key
Ciphers-Block Ciphers

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.

• Block length is fixed (n-bit)
• How to encrypt large messages?
– Partition into n-bit blocks
– Choose mode of operation
• Electronic Codebook (ECB),
• Cipher-Block Chaining (CBC),
• Cipher Feedback (CFB),
• Output Feedback (OFB),
• Counter (CTR)
-- Modes of operation have been devised to encipher text of
any size employing either DES or AES.
• Two stream ciphers used for real-time processing of
data.

Figure 8.1 Modes of operation

Evaluation criteria
• Identical messages
– under which conditions ciphertext of two identical
messages are the same
• Chaining dependencies
– how adjacent plaintext blocks affect encryption of a
plaintext block
• Error propagation
– resistance to channel noise
• Efficiency
– preprocessing
– parallelization: random access

Electronic Codebook (ECB)

• message is broken into independent blocks which are encrypted
• each block is a value which is substituted, like a codebook, hence name
• each block is encoded independently of the other blocks
• uses: secure transmission of single values

Electronic Codebook (ECB) Mode

The simplest mode of operation is called the electronic codebook (ECB) mode.

Figure 8.2 Electronic codebook (ECB) mode

Advantages and Limitations of ECB

• message repetitions may show in ciphertext
– if aligned with message block
– particularly with data such as graphics
– or with messages that change very little, which become a code-book analysis problem
• weakness is due to the encrypted message blocks being independent
• main use is sending a few blocks of data

Electronic Codebook (ECB)
• Does not hide data patterns, unsuitable for long messages
– Wiki example: pixel map using ECB

[Figure: three pixel-map panels labelled "Plain text", "ECB mode" and "Other modes"]

• Susceptible to replay attacks
– Example: a wire transfer transaction can be replayed by resending the original message

Example
Electronic Codebook (ECB)

Assume that Eve works in a company a few hours per month (her
monthly payment is very low). She knows that the company uses
several blocks of information for each employee in which the
seventh block is the amount of money to be deposited in the
employee’s account. Eve can intercept the ciphertext sent to the
bank at the end of the month, replace the block with the
information about her payment with a copy of the block with the
information about the payment of a full-time colleague. Each
month Eve can receive more money than she deserves.

Electronic Codebook (ECB)
Error Propagation
A single bit error in transmission can create errors in several bits in the
corresponding block. However, the error does not have any effect on the
other blocks.

Cipher Block Chaining (CBC)
• message is broken into blocks
• linked together in encryption operation
• each previous cipher block is chained with current plaintext block, hence name
• use Initial Vector (IV) to start process
• uses: bulk data encryption, authentication

8.1.2 Cipher Block Chaining (CBC) Mode

In CBC mode, each plaintext block is exclusive-ored with the previous
ciphertext block before being encrypted.
Figure 8.3 Cipher block chaining (CBC) mode

Message Padding
• at end of message must handle a possible last short block
– which is not as large as block size of cipher
– pad either with known non-data value (e.g. nulls)
– or pad last block along with count of pad size
– e.g. [ b1 b2 b3 0 0 0 0 5 ] means have 3 data bytes, then 5 bytes pad+count
• this may require an extra entire block over those in message
• there are other, more esoteric modes, which avoid the need for an extra block
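
The zero-fill-plus-count layout from the padding slide, next to plain null padding, as an added example that is not part of the original slides. The function names and the 8-byte block size are chosen here for illustration.

```python
BLOCK = 8  # bytes, matching the slide's 8-byte example

def pad(msg, block=BLOCK):
    # Always add 1..block bytes: zeros, then one byte counting all added bytes.
    # A message that already fills its last block gets an entire extra block.
    n = block - (len(msg) % block)
    return msg + bytes(n - 1) + bytes([n])

def unpad(padded, block=BLOCK):
    if not padded or len(padded) % block:
        raise ValueError("length is not a positive multiple of the block size")
    n = padded[-1]
    if not 1 <= n <= block:
        raise ValueError("pad count out of range")
    if any(padded[-n:-1]):
        raise ValueError("filler bytes are not zero")
    return padded[:-n]

def null_pad(msg, block=BLOCK):
    # The slide's other option: fill the short block with nulls only
    return msg + bytes(-len(msg) % block)

def null_unpad(padded):
    # Cannot tell filler from data: a message ending in 0x00 loses bytes
    return padded.rstrip(b"\x00")
```

Null-only padding is reversible only when the data can never end in a zero byte, which is why the slide calls for a "known non-data value"; the count byte removes that ambiguity at the cost of the extra block.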

Advantages and Limitations of CBC
• a ciphertext block depends on all blocks before it
• any change to a block affects all following ciphertext blocks
• need Initialization Vector (IV)
– which must be known to sender & receiver
– if sent in clear, attacker can change bits of first block, and change IV to compensate
– hence IV must either be a fixed value (as in EFTPOS)
– or must be sent encrypted in ECB mode before rest of message
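
The block substitution from the Eve example under ECB, and the same splice under CBC chaining, as an added example that is not part of the original slides. The 4-round Feistel cipher built from SHA-256 is a toy stand-in for DES/AES, and the record layout, key and IV are constructed sample values.

```python
import hashlib

BLOCK = 8  # bytes per block (DES-sized)

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def feistel(key, blk, rounds):
    # Toy Feistel network standing in for DES/AES; round function is a keyed hash
    l, r = blk[:4], blk[4:]
    for rnd in rounds:
        l, r = r, _xor(l, hashlib.sha256(key + bytes([rnd]) + r).digest()[:4])
    return r + l  # final swap: the same rounds in reverse order decrypt

def enc_block(key, blk):
    return feistel(key, blk, range(4))

def dec_block(key, blk):
    return feistel(key, blk, reversed(range(4)))

def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb(key, data, decrypt=False):
    op = dec_block if decrypt else enc_block
    return b"".join(op(key, b) for b in blocks(data))  # every block on its own

def cbc_encrypt(key, iv, pt):
    out = [iv]
    for b in blocks(pt):
        out.append(enc_block(key, _xor(b, out[-1])))  # C_i = E_K(P_i XOR C_{i-1})
    return b"".join(out[1:])

def cbc_decrypt(key, iv, ct):
    prev = [iv] + blocks(ct)  # P_i = D_K(C_i) XOR C_{i-1}
    return b"".join(_xor(dec_block(key, c), p) for c, p in zip(blocks(ct), prev))

def swap_block(own_ct, other_ct, i):
    own = blocks(own_ct)
    own[i] = blocks(other_ct)[i]  # splice in block i of another ciphertext
    return b"".join(own)

def record(name, amount):
    # Constructed 8-block record; the seventh block (index 6) is the amount
    fields = [name, "DEPT-001", "BANK-XYZ", "ACCT-000", "2024-01", "MONTHLY", amount, "END-REC"]
    return b"".join(f.ljust(BLOCK).encode() for f in fields)

KEY, IV = b"constructed-key", bytes(range(8))  # sample values, not real secrets
EVE, COLLEAGUE = record("EVE", "00000300"), record("ALICE", "00005000")
```

Under ECB the spliced ciphertext decrypts to Eve's record carrying the colleague's amount; under CBC the same splice garbles blocks 7 and 8. That is a visible failure, not an integrity guarantee, so a receiver still needs a separate authentication check.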

Cipher Feedback (CFB) Mode
In some situations, we need to use DES or AES as secure
ciphers, but the plaintext or ciphertext block sizes are to
be smaller.
Figure 8.4 Encryption in cipher feedback (CFB) mode

Note
In CFB mode, encipherment and decipherment use
the encryption function of the underlying block
cipher.

The relation between plaintext and ciphertext blocks is shown below:

CFB as a Stream Cipher

Figure 8.5 Cipher feedback (CFB) mode as a stream cipher

Cipher FeedBack (CFB)
• message is treated as a stream of bits
• added to the output of the block cipher
• result is fed back for next stage (hence name)
• standard allows any number of bits (1, 8, 64 or 128 etc) to be fed back
– denoted CFB-1, CFB-8, CFB-64, CFB-128 etc
• most efficient to use all bits in block (64 or 128)
• uses: stream data encryption, authentication

Advantages and Limitations of CFB
• appropriate when data arrives in bits/bytes
• most common stream mode
• limitation is need to stall while do block encryption after every n-bits
• note that the block cipher is used in encryption mode at both ends
• errors propagate for several blocks after the error

Output Feedback (OFB) Mode

In this mode each bit in the ciphertext is independent of the previous bit
or bits. This avoids error propagation.

Figure 8.6 Encryption in output feedback (OFB) mode

OFB as a Stream Cipher

Figure 8.7 Output feedback (OFB) mode as a stream cipher

Output FeedBack (OFB)
• message is treated as a stream of bits
• output of cipher is added to message
• output is then fed back (hence name)
• feedback is independent of message
• can be computed in advance
$C_i = P_i \oplus O_i$
$O_i = \mathrm{DES}_{K1}(O_{i-1})$
$O_{-1} = IV$
• uses: stream encryption on noisy channels
Advantages and Limitations of OFB
• bit errors do not propagate
• more vulnerable to message stream modification
• a variation of a Vernam cipher
– hence must never reuse the same sequence (key+IV)
• sender & receiver must remain in sync
• originally specified with m-bit feedback
• subsequent research has shown that only full block feedback (i.e. CFB-64 or CFB-128) should ever be used

Counter (CTR) Mode

In the counter (CTR) mode, there is no feedback. The pseudorandomness in
the key stream is achieved using a counter.
Figure 8.8 Encryption in counter (CTR) mode


Figure 8.9 Counter (CTR) mode as a stream cipher

Counter (CTR)
• a “new” mode, though proposed early on
• similar to OFB but encrypts counter value rather than any feedback value
• must have a different key & counter value for every plaintext block (never reused)
$O_i = \mathrm{DES}_{K1}(i)$
$C_i = P_i \oplus O_i$
• uses: high-speed network encryptions

Advantages and Limitations of CTR
• efficiency
– can do parallel encryptions in hardware or software
– can preprocess in advance of need
– good for burst high speed links
• random access to encrypted data blocks
• provable security (good as other modes)
• but must ensure never reuse key/counter values, otherwise could break (cf OFB)
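
The OFB and CTR keystream recurrences from the slides above, with the effect of reusing key+IV, of a flipped ciphertext bit, and of CTR random access, as an added example that is not part of the original slides. `E` is a truncated keyed hash standing in for DES_K1, and the nonce-plus-counter layout, key and messages are assumptions made for this example.

```python
import hashlib

BLOCK = 8  # bytes, DES-sized

def E(key, block):
    # Stand-in for DES_K1(block): a truncated keyed hash, NOT a real block cipher.
    # OFB and CTR only ever call the cipher in the forward direction.
    return hashlib.sha256(key + block).digest()[:BLOCK]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def ofb_keystream(key, iv, nblocks):
    out, o = [], iv                      # O_{-1} = IV
    for _ in range(nblocks):
        o = E(key, o)                    # O_i = E_K(O_{i-1}), independent of the message
        out.append(o)
    return b"".join(out)

def ofb_crypt(key, iv, data):
    # C_i = P_i XOR O_i; the same call decrypts
    return xor(data, ofb_keystream(key, iv, -(-len(data) // BLOCK)))

def ctr_crypt(key, nonce, data, first_block=0):
    # O_i = E_K(counter_i); counter_i = 4-byte nonce || 4-byte i (layout assumed here)
    n = -(-len(data) // BLOCK)
    ks = b"".join(E(key, nonce + (first_block + j).to_bytes(4, "big")) for j in range(n))
    return xor(data, ks)

def flip_bit(data, index, mask=0x01):
    # Model one bit changed in transit
    out = bytearray(data)
    out[index] ^= mask
    return bytes(out)

def reuse_leak(c1, c2):
    # With the same key+IV the keystream cancels: C1 XOR C2 == P1 XOR P2
    return xor(c1, c2)
```

A flipped ciphertext bit changes exactly the same plaintext bit and nothing else, which is both the "errors do not propagate" property and the reason these modes need a separate integrity check.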

Comparison of Different Modes

Selection of Modes

• Choice of encryption mode affects
– Encryption/decryption speed
– Security against active adversaries (bit flips)
– Security against passive adversaries (ECB)
– Error propagation

Stream Ciphers

• process message bit by bit (as a stream)
• have a pseudo random keystream
• combined (XOR) with plaintext bit by bit
• randomness of stream key completely destroys statistical properties in message
– $C_i = M_i \oplus \mathrm{StreamKey}_i$
• but must never reuse stream key
– otherwise can recover messages (cf book cipher)

Stream Cipher Structure

Stream Cipher Properties

• some design considerations are:
– long period with no repetitions
– statistically random
– depends on large enough key
– large linear complexity
• properly designed, can be as secure as a block cipher with same size key
• but usually simpler & faster
