SlideShare une entreprise Scribd logo

Block Cipher Modes of Operation And Cmac For Authentication

V
Vittorio Giovara

Thiese are the slides used for presenting the Block Cipher Modes of Operation and CMAC for Authentication document by Alberto Grand.

Technologie
1  sur  32
Télécharger pour lire hors ligne
Block Cipher Modes of Operation Alberto Grand Politecnico di Torino Computer Systems Security – prof. Antonio Lioy
What are modes of operation? Block ciphers only allow to encrypt entire blocks. What if our message is longer/shorter than the block size? We use modes of operation! Algorithms that exploit a block cipher to provide a service (e.g. confidentiality, authentication) 5 NIST-recommended modes providing confidentiality: ECB, CBC, CFB, OFB, CTR CMAC may be considered a block cipher mode of operation providing authentication. 2
Electronic Codebook (ECB) Associates each possible plaintext block to a ciphertext block, like a codebook. Hello world! aY1:?§h24(r Requires padding Encryption/decryption of multiple blocks in parallel A 1-bit error in a ciphertext block garbles the corresponding decrypted block. 3
Deficiencies of ECB Problems when the original message contains regular data patterns, because always encrypted in the same way. Only suitable for 1-block-sized data (e.g. a key) “The securest thing you can do with ECB is not use it!” 4
Cipher Block Chaining (CBC) Allows the same plaintext blocks to be encrypted to different ciphertext blocks. Encrypted blocks are “chained” through XORing. Requires an initialisation vector (IV) Hello world q%1aX l’3z1$ IV CIPHER-1 CIPHER-1 CIPHER CIPHER IV q%1aX l’3z1$ Hello world 5
Features of CBC No parallel encrypting , while parallel decrypting is possible. A 1-bit error affects two blocks: the corresponding block is garbled the corresponding bit is flipped in the next block Problem with the IV: 1-bit error only flips 1 bit in the 1st block, no garbled block. Hard to detect! Solutions: encipher the IV don’t transmit the IV, but compute it from a known value use authentication! 6
Propagating CBC (PCBC) It’s a variation of CBC designed to propagate errors. It also involves the previous plaintext block in the XOR operation. Is error propagation desirable? It depends! NO if transmission errors YES if intentional, malicious changes Used in Kerberos v.4, but abandoned starting from v.5 because inversion of two adjacent blocks does not affect subsequent blocks. 7
Cipher Feedback (CFB) Turns a block cipher into a stream cipher, message size need not be multiple of block size. Very similar to CBC (ciphering and XORing are swapped). IV IV CIPHER CIPHER CIPHER CIPHER Hello world q%1aX l’3z1$ q%1aX l’3z1$ Hello world 8
Features of CFB No parallel encrypting of multiple blocks – although some form of pipelining is possible. Parallel decryption is possible Only the forward function is used. A 1-bit error : flips corresponding bit in current segment may garble the next ⌈b/s⌉ segments This is highly noticeable, so CFB is less exposed to the risk of deliberate bit changes. 9
OpenPGP with CFB Widespread standard for exchanging encrypted e- mail messages. A variant of CFB is used for symmetric cryptography: a random block R is enciphered and used as an IV the first 2 bytes of R are replicated in the 2nd block for integrity checks Leak of information! About 215 set-up attempts + about 215 attempts per block enable an attacker to discover the first 2 bytes of any block. PGP stands for “Pretty Good Privacy”! 10
Output Feedback (OFB) Turns a block cipher into a stream cipher. It features the iteration of the forward cipher on an IV. IV IV CIPHER CIPHER CIPHER CIPHER Hello world q%1aX l’3z1$ q%1aX l’3z1$ Hello world 11
Features of OFB (i) Neither encryption nor decryption can be performed in parallel due to block chaining. If IV available prior to ciphertext, keystream blocks can be pre-computed. IV needs to be a nonce, otherwise know-plaintext attack is possible (under same key): an attacker who knows the ith plaintext block can easily reconstruct the ith keystream block he can then understand the ith block of every message 12
Features of OFB (ii) A 1-bit error in a ciphertext block only produces a bit-specific error in the corresponding block: good for error correcting codes, which work even when applied before encryption bad because it’s hardly noticeable! A 1-bit error in the IV causes all blocks to be garbled. 13
Counter (CTR) Turns a block cipher into a stream cipher. Keystreams blocks are generated by encrypting a set of counter blocks. CTR block #1 CTR block #2 CTR block #1 CTR block #2 CIPHER CIPHER CIPHER CIPHER Hello world q%1aX l’3z1$ q%1aX l’3z1$ Hello world 14
Features of CTR (i) Both encryption and decryption can be performed fully in parallel on multiple blocks. Provides true random access to ciphertext blocks. If the initial counter block is available, keystream blocks may be computed prior to receiving the ciphertext . It’s simple! No inverse cipher function is required for decryption. It is becoming increasingly used. 15
Features of CTR (ii) Assurance is required that: counters do not repeat within a single message counters do not repeat across all messages under a given key Done through an incrementing function. Usually, first b-m bits are a message nonce, following m bits are incremented (message length < 2m blocks). Alternatively, counters are concatenated (total length of all messages < 2m blocks) 16
Padding: pros and cons Increases amount of data to be sent with no increase of transmitted information. With regular data pattern, padding with random values makes cryptanalysis more difficult. When padding scheme in known, it may expose exchange of messages to timing attacks. OpenSSL prior to v.0.9.6c with CBC-MAC MAC is located at the end, padding is needed Message only evaluated if padding is correct Attacker may systematically find out bits starting from second-to-last block. 17
Ciphertext Stealing (CTS) Sometimes padding is unacceptable limited bandwidth exchange of many messages that would require padding We want to avoid extra data, but cipher blocks need entire blocks! Solution: use CTS! by accomplishing some extra operations, enables to produce as many output data as given in input we pay in terms of complexity and execution time we still cannot encyrpt very short messages (< 1 block). Usually not worth it! 18
Related-mode attacks (i) Attacks against a given block cipher mode of operation: we must know which mode is being used we need an oracle of another mode, but with the same underlying cipher 19
Related-mode attacks (ii) Using ECB against CTR MU intercepted Ci and C0 He chooses P’i = C0 + i C’i = CIPHk(P’i) Since Ci = CIPHk(C0 + i) ⊕ Pi he can compute Pi = Ci ⊕ C’i. Only one chosen plaintext query is required. 20
The CMAC Mode for Authentication
What is CMAC? The 5 modes of operation provide confidentiality, but we need authentication and integrity. We must use a mode for authentication! it implies integrity A MAC algorithm provides stronger assurance of data integrity than a checksum. CMAC exploits the CBC mode of operation to chain cipherblocks and obtain a value which depends on all previous blocks. 22
Once upon time… …there was an insecure mode for authentication named CBC-MAC: only provided security for messages whose length was a multiple of the block size attacker could change the whole message (except last block) without notice when CBC was used for encryption with the same key. Black & Rogaway made it secure for arbitrary-length messages using 2 extra keys (XCBC). Iwata & Kurosawa derived the extra keys from the shared secret (OMAC, OMAC1 = CMAC). 23
Subkey generation 2 subkeys K1, K2 are generated from the key Can be computed once and stored (must be secret!) Rb is a value related to the block size Rb = 012010000111 when b = 128 Rb = 05911011 when b = 64 L ⃪ CIPHk (0b) if MSB1(L) = 0 then K1 ⃪ L << 1 else K1 ⃪ (L << 1) ⊕ Rb if MSB1(K1) = 0 then K2 ⃪ K1 << 1 else K2 ⃪ (K1 << 1) ⊕ Rb Finite-field mathematics are involved! 24
CMAC generation if Mlen = 0 then n ⃪ 1 else n ⃪ ⌈ len / b⌉ ⌈M ⌉ if M*n complete then Mn ⃪ M*n ⊕ K1 else Mn ⃪ (M*n ‖10j) ⊕ K1 C0 ⃪ 0b for i ⃪ 1 to n do Ci ⃪ CIPHk (Ci-1 ⊕ Mi) T ⃪ MSBTlen(Cn) Formatting of the message does not need to complete before starting CBC encryption. 25
CMAC verification Receiver may decrypt data with the appropriate algorithm. He then applies CMAC generation process to the data. He compares the generated MAC with the one he received: if identical, message is authentic if not, in-transit errors or attack! 26
Length of the MAC (i) When verification fails, we are sure the message is inauthentic. But when it succeeds, we are not 100% sure it is authentic! MU may have simply guessed the right MAC for a message His chances of succeeding are 1/2Tlen Longer MACs provide higher assurance, but use more bandwidth/storage space. If attacker can make more than one attempt his chances increase! 27
Length of the MAC (ii) For most applications, 64 bits are enough. NIST provides guidance. Two parameters: MaxInvalids : maximum number of attempts before system halts Risk : highest acceptable probability that an inauthentic message is mistakenly trusted. Tlen ≥ log2 (MaxInvalids / Risk) e.g. MaxInvalids = 1 Risk = 0.25 ⇒ Tlen = 2 bits 28
Message span of the key (i) It’s the total number of messages to which CMAC is applied with the same key. Affects security against attacks based on detecting 2 distinct messages that lead to the same MAC. We call this event a collision. This happens because possible messages are much more than possible MACs. It should not occur during the lifetime of a key. Message span should be limited! 29
Message span of the key (ii) Probability says that a collision is expected among a set of 2b/2 messages. For general purpose applications: no more than 248 messages when b = 128 no more than 221 messages when b = 64 For higher level of security: no more than 248 message blocks when b = 128 (222 GB) no more than 221 message blocks when b = 64 (16 MB) Sometimes message span is time-limited. 30
Protection vs. replay attacks No protection against replay attacks is ensured by CMAC: Malicious user may intercept a message with its correct MAC and send it at a later time. It’s perfectly valid! Such protection must be provided by protocol or application that uses CMAC for authentication: sequential number timestamp message nonce etc. 31
Any questions? 32

Recommandé

Message Authentication Code & HMAC
Message Authentication Code & HMACMessage Authentication Code & HMAC
Message Authentication Code & HMACKrishna Gehlot
 
Ipsec
IpsecIpsec
IpsecRupesh Mishra
 
Block cipher modes of operation
Block cipher modes of operation Block cipher modes of operation
Block cipher modes of operation harshit chavda
 
Data Encryption Standard (DES)
Data Encryption Standard (DES)Data Encryption Standard (DES)
Data Encryption Standard (DES)Haris Ahmed
 
5. message authentication and hash function
5. message authentication and hash function5. message authentication and hash function
5. message authentication and hash functionChirag Patel
 
Cryptography - Block cipher & stream cipher
Cryptography - Block cipher & stream cipherCryptography - Block cipher & stream cipher
Cryptography - Block cipher & stream cipherNiloy Biswas
 
Block Cipher
Block CipherBlock Cipher
Block CipherBrandon Byungyong Jo
 
Advanced encryption standard (aes)
Advanced encryption standard (aes)Advanced encryption standard (aes)
Advanced encryption standard (aes)farazvirk554
 

Recommandé

Message Authentication Code & HMAC
Message Authentication Code & HMACMessage Authentication Code & HMAC
Message Authentication Code & HMACKrishna Gehlot
 
Ipsec
IpsecIpsec
IpsecRupesh Mishra
 
Block cipher modes of operation
Block cipher modes of operation Block cipher modes of operation
Block cipher modes of operation harshit chavda
 
Data Encryption Standard (DES)
Data Encryption Standard (DES)Data Encryption Standard (DES)
Data Encryption Standard (DES)Haris Ahmed
 
5. message authentication and hash function
5. message authentication and hash function5. message authentication and hash function
5. message authentication and hash functionChirag Patel
 
Cryptography - Block cipher & stream cipher
Cryptography - Block cipher & stream cipherCryptography - Block cipher & stream cipher
Cryptography - Block cipher & stream cipherNiloy Biswas
 
Block Cipher
Block CipherBlock Cipher
Block CipherBrandon Byungyong Jo
 
Advanced encryption standard (aes)
Advanced encryption standard (aes)Advanced encryption standard (aes)
Advanced encryption standard (aes)farazvirk554
 
Feistel cipher
Feistel cipherFeistel cipher
Feistel cipherMDKAWSARAHMEDSAGAR
 
DES
DESDES
DESNaga Srimanyu Timmaraju
 
Modes of Operation
Modes of Operation Modes of Operation
Modes of Operation Showkot Usman
 
Different types of Symmetric key Cryptography
Different types of Symmetric key CryptographyDifferent types of Symmetric key Cryptography
Different types of Symmetric key Cryptographysubhradeep mitra
 
symmetric key encryption algorithms
symmetric key encryption algorithms symmetric key encryption algorithms
symmetric key encryption algorithmsRashmi Burugupalli
 
Network Security and Cryptography
Network Security and CryptographyNetwork Security and Cryptography
Network Security and CryptographyAdam Reagan
 
Data encryption standard
Data encryption standardData encryption standard
Data encryption standardVasuki Ramasamy
 
Monoalphabetic Substitution Cipher
Monoalphabetic Substitution CipherMonoalphabetic Substitution Cipher
Monoalphabetic Substitution CipherSHUBHA CHATURVEDI
 
Transposition Cipher
Transposition CipherTransposition Cipher
Transposition Cipherdaniyalqureshi712
 
Fundamentals of cryptography
Fundamentals of cryptographyFundamentals of cryptography
Fundamentals of cryptographyHossain Md Shakhawat
 
Aes
AesAes
AesKunal Prajapati
 
RSA ALGORITHM
RSA ALGORITHMRSA ALGORITHM
RSA ALGORITHMSathish Kumar
 
MAC-Message Authentication Codes
MAC-Message Authentication CodesMAC-Message Authentication Codes
MAC-Message Authentication CodesDarshanPatil82
 
Cryptography and Network Security William Stallings Lawrie Brown
Cryptography and Network Security William Stallings Lawrie BrownCryptography and Network Security William Stallings Lawrie Brown
Cryptography and Network Security William Stallings Lawrie BrownInformation Security Awareness Group
 
Cryptography.ppt
Cryptography.pptCryptography.ppt
Cryptography.pptUday Meena
 
CS6701 CRYPTOGRAPHY AND NETWORK SECURITY
CS6701 CRYPTOGRAPHY AND NETWORK SECURITYCS6701 CRYPTOGRAPHY AND NETWORK SECURITY
CS6701 CRYPTOGRAPHY AND NETWORK SECURITYKathirvel Ayyaswamy
 
Cryptography and Information Security
Cryptography and Information SecurityCryptography and Information Security
Cryptography and Information SecurityDr Naim R Kidwai
 
Symmetric encryption
Symmetric encryptionSymmetric encryption
Symmetric encryptionDR RICHMOND ADEBIAYE
 
Block Cipher and its Design Principles
Block Cipher and its Design PrinciplesBlock Cipher and its Design Principles
Block Cipher and its Design PrinciplesSHUBHA CHATURVEDI
 
Information and data security block cipher and the data encryption standard (...
Information and data security block cipher and the data encryption standard (...Information and data security block cipher and the data encryption standard (...
Information and data security block cipher and the data encryption standard (...Mazin Alwaaly
 
Zero to ECC in 30 Minutes: A primer on Elliptic Curve Cryptography (ECC)
Zero to ECC in 30 Minutes: A primer on Elliptic Curve Cryptography (ECC)Zero to ECC in 30 Minutes: A primer on Elliptic Curve Cryptography (ECC)
Zero to ECC in 30 Minutes: A primer on Elliptic Curve Cryptography (ECC)Entrust Datacard
 
Alice & bob public key cryptography 101
Alice & bob public key cryptography 101Alice & bob public key cryptography 101
Alice & bob public key cryptography 101Joshua Thijssen
 

Contenu connexe

Tendances

Different types of Symmetric key Cryptography
Different types of Symmetric key CryptographyDifferent types of Symmetric key Cryptography
Different types of Symmetric key Cryptographysubhradeep mitra
 
symmetric key encryption algorithms
symmetric key encryption algorithms symmetric key encryption algorithms
symmetric key encryption algorithmsRashmi Burugupalli
 
Network Security and Cryptography
Network Security and CryptographyNetwork Security and Cryptography
Network Security and CryptographyAdam Reagan
 
Data encryption standard
Data encryption standardData encryption standard
Data encryption standardVasuki Ramasamy
 
Monoalphabetic Substitution Cipher
Monoalphabetic Substitution CipherMonoalphabetic Substitution Cipher
Monoalphabetic Substitution CipherSHUBHA CHATURVEDI
 
MAC-Message Authentication Codes
MAC-Message Authentication CodesMAC-Message Authentication Codes
MAC-Message Authentication CodesDarshanPatil82
 
Cryptography.ppt
Cryptography.pptCryptography.ppt
Cryptography.pptUday Meena
 
CS6701 CRYPTOGRAPHY AND NETWORK SECURITY
CS6701 CRYPTOGRAPHY AND NETWORK SECURITYCS6701 CRYPTOGRAPHY AND NETWORK SECURITY
CS6701 CRYPTOGRAPHY AND NETWORK SECURITYKathirvel Ayyaswamy
 
Cryptography and Information Security
Cryptography and Information SecurityCryptography and Information Security
Cryptography and Information SecurityDr Naim R Kidwai
 
Block Cipher and its Design Principles
Block Cipher and its Design PrinciplesBlock Cipher and its Design Principles
Block Cipher and its Design PrinciplesSHUBHA CHATURVEDI
 
Information and data security block cipher and the data encryption standard (...
Information and data security block cipher and the data encryption standard (...Information and data security block cipher and the data encryption standard (...
Information and data security block cipher and the data encryption standard (...Mazin Alwaaly
 

Tendances (20)

Feistel cipher
Feistel cipherFeistel cipher
Feistel cipher
 
DES
DESDES
DES
 
Modes of Operation
Modes of Operation Modes of Operation
Modes of Operation
 
Different types of Symmetric key Cryptography
Different types of Symmetric key CryptographyDifferent types of Symmetric key Cryptography
Different types of Symmetric key Cryptography
 
symmetric key encryption algorithms
symmetric key encryption algorithms symmetric key encryption algorithms
symmetric key encryption algorithms
 
Network Security and Cryptography
Network Security and CryptographyNetwork Security and Cryptography
Network Security and Cryptography
 
Data encryption standard
Data encryption standardData encryption standard
Data encryption standard
 
Monoalphabetic Substitution Cipher
Monoalphabetic Substitution CipherMonoalphabetic Substitution Cipher
Monoalphabetic Substitution Cipher
 
Transposition Cipher
Transposition CipherTransposition Cipher
Transposition Cipher
 
Fundamentals of cryptography
Fundamentals of cryptographyFundamentals of cryptography
Fundamentals of cryptography
 
Aes
AesAes
Aes
 
RSA ALGORITHM
RSA ALGORITHMRSA ALGORITHM
RSA ALGORITHM
 
MAC-Message Authentication Codes
MAC-Message Authentication CodesMAC-Message Authentication Codes
MAC-Message Authentication Codes
 
Cryptography and Network Security William Stallings Lawrie Brown
Cryptography and Network Security William Stallings Lawrie BrownCryptography and Network Security William Stallings Lawrie Brown
Cryptography and Network Security William Stallings Lawrie Brown
 
Cryptography.ppt
Cryptography.pptCryptography.ppt
Cryptography.ppt
 
CS6701 CRYPTOGRAPHY AND NETWORK SECURITY
CS6701 CRYPTOGRAPHY AND NETWORK SECURITYCS6701 CRYPTOGRAPHY AND NETWORK SECURITY
CS6701 CRYPTOGRAPHY AND NETWORK SECURITY
 
Cryptography and Information Security
Cryptography and Information SecurityCryptography and Information Security
Cryptography and Information Security
 
Symmetric encryption
Symmetric encryptionSymmetric encryption
Symmetric encryption
 
Block Cipher and its Design Principles
Block Cipher and its Design PrinciplesBlock Cipher and its Design Principles
Block Cipher and its Design Principles
 
Information and data security block cipher and the data encryption standard (...
Information and data security block cipher and the data encryption standard (...Information and data security block cipher and the data encryption standard (...
Information and data security block cipher and the data encryption standard (...
 

En vedette

Zero to ECC in 30 Minutes: A primer on Elliptic Curve Cryptography (ECC)
Zero to ECC in 30 Minutes: A primer on Elliptic Curve Cryptography (ECC)Zero to ECC in 30 Minutes: A primer on Elliptic Curve Cryptography (ECC)
Zero to ECC in 30 Minutes: A primer on Elliptic Curve Cryptography (ECC)Entrust Datacard
 
Alice & bob public key cryptography 101
Alice & bob public key cryptography 101Alice & bob public key cryptography 101
Alice & bob public key cryptography 101Joshua Thijssen
 
Ch03 block-cipher-and-data-encryption-standard
Ch03 block-cipher-and-data-encryption-standardCh03 block-cipher-and-data-encryption-standard
Ch03 block-cipher-and-data-encryption-standardtarekiceiuk
 
CNIT 141: 9. Elliptic Curve Cryptosystems
CNIT 141: 9. Elliptic Curve CryptosystemsCNIT 141: 9. Elliptic Curve Cryptosystems
CNIT 141: 9. Elliptic Curve CryptosystemsSam Bowne
 
Cryptography
CryptographyCryptography
CryptographyAnandKaGe
 
Cryptography and Message Authentication NS3
Cryptography and Message Authentication NS3Cryptography and Message Authentication NS3
Cryptography and Message Authentication NS3koolkampus
 
Alice & bob public key cryptography 101
Alice & bob public key cryptography 101Alice & bob public key cryptography 101
Alice & bob public key cryptography 101Joshua Thijssen
 
Information and data security block cipher operation
Information and data security block cipher operationInformation and data security block cipher operation
Information and data security block cipher operationMazin Alwaaly
 
CS6701 CRYPTOGRAPHY AND NETWORK SECURITY
CS6701 CRYPTOGRAPHY AND NETWORK SECURITYCS6701 CRYPTOGRAPHY AND NETWORK SECURITY
CS6701 CRYPTOGRAPHY AND NETWORK SECURITYKathirvel Ayyaswamy
 
CS6701 CRYPTOGRAPHY AND NETWORK SECURITY
CS6701 CRYPTOGRAPHY AND NETWORK SECURITYCS6701 CRYPTOGRAPHY AND NETWORK SECURITY
CS6701 CRYPTOGRAPHY AND NETWORK SECURITYKathirvel Ayyaswamy
 
Cipher techniques
Cipher techniquesCipher techniques
Cipher techniquesMohd Arif
 
PUBLIC KEY ENCRYPTION
PUBLIC KEY ENCRYPTIONPUBLIC KEY ENCRYPTION
PUBLIC KEY ENCRYPTIONraf_slide
 
Introduction to Digital signatures
Introduction to Digital signaturesIntroduction to Digital signatures
Introduction to Digital signaturesRohit Bhat
 

En vedette (17)

Zero to ECC in 30 Minutes: A primer on Elliptic Curve Cryptography (ECC)
Zero to ECC in 30 Minutes: A primer on Elliptic Curve Cryptography (ECC)Zero to ECC in 30 Minutes: A primer on Elliptic Curve Cryptography (ECC)
Zero to ECC in 30 Minutes: A primer on Elliptic Curve Cryptography (ECC)
 
Alice & bob public key cryptography 101
Alice & bob public key cryptography 101Alice & bob public key cryptography 101
Alice & bob public key cryptography 101
 
Ch03 block-cipher-and-data-encryption-standard
Ch03 block-cipher-and-data-encryption-standardCh03 block-cipher-and-data-encryption-standard
Ch03 block-cipher-and-data-encryption-standard
 
Substitution cipher
Substitution cipher Substitution cipher
Substitution cipher
 
CNIT 141: 9. Elliptic Curve Cryptosystems
CNIT 141: 9. Elliptic Curve CryptosystemsCNIT 141: 9. Elliptic Curve Cryptosystems
CNIT 141: 9. Elliptic Curve Cryptosystems
 
Public key cryptography and RSA
Public key cryptography and RSAPublic key cryptography and RSA
Public key cryptography and RSA
 
Substitution Cipher
Substitution CipherSubstitution Cipher
Substitution Cipher
 
Ecc2
Ecc2Ecc2
Ecc2
 
Cryptography
CryptographyCryptography
Cryptography
 
Cryptography and Message Authentication NS3
Cryptography and Message Authentication NS3Cryptography and Message Authentication NS3
Cryptography and Message Authentication NS3
 
Alice & bob public key cryptography 101
Alice & bob public key cryptography 101Alice & bob public key cryptography 101
Alice & bob public key cryptography 101
 
Information and data security block cipher operation
Information and data security block cipher operationInformation and data security block cipher operation
Information and data security block cipher operation
 
CS6701 CRYPTOGRAPHY AND NETWORK SECURITY
CS6701 CRYPTOGRAPHY AND NETWORK SECURITYCS6701 CRYPTOGRAPHY AND NETWORK SECURITY
CS6701 CRYPTOGRAPHY AND NETWORK SECURITY
 
CS6701 CRYPTOGRAPHY AND NETWORK SECURITY
CS6701 CRYPTOGRAPHY AND NETWORK SECURITYCS6701 CRYPTOGRAPHY AND NETWORK SECURITY
CS6701 CRYPTOGRAPHY AND NETWORK SECURITY
 
Cipher techniques
Cipher techniquesCipher techniques
Cipher techniques
 
PUBLIC KEY ENCRYPTION
PUBLIC KEY ENCRYPTIONPUBLIC KEY ENCRYPTION
PUBLIC KEY ENCRYPTION
 
Introduction to Digital signatures
Introduction to Digital signaturesIntroduction to Digital signatures
Introduction to Digital signatures
 

Similaire à Block Cipher Modes of Operation And Cmac For Authentication

Information Security
Information SecurityInformation Security
Information Securityraxosz
 
block ciphermodes of operation.pptx
block ciphermodes of operation.pptxblock ciphermodes of operation.pptx
block ciphermodes of operation.pptxDEEPAK948083
 
Comparative analysis on different DES model
Comparative analysis on different DES modelComparative analysis on different DES model
Comparative analysis on different DES modelSaeed Siddik
 
Ciphers modes
Ciphers modesCiphers modes
Ciphers modesAsad Ali
 
Block Cipher and Operation Modes
Block Cipher and Operation Modes Block Cipher and Operation Modes
Block Cipher and Operation Modes SHUBHA CHATURVEDI
 
Jaimin chp-8 - network security-new -use this - 2011 batch
Jaimin chp-8 - network security-new -use this - 2011 batchJaimin chp-8 - network security-new -use this - 2011 batch
Jaimin chp-8 - network security-new -use this - 2011 batchJaimin Jani
 
CR 06 - Block Cipher Operation.ppt
CR 06 - Block Cipher Operation.pptCR 06 - Block Cipher Operation.ppt
CR 06 - Block Cipher Operation.pptssuseraaf866
 
Block cipher modes of operations
Block cipher modes of operationsBlock cipher modes of operations
Block cipher modes of operationsAkashRanjandas1
 
CNIT 141: 5. More About Block Ciphers + Modular Arithmetic 2
CNIT 141: 5. More About Block Ciphers + Modular Arithmetic 2CNIT 141: 5. More About Block Ciphers + Modular Arithmetic 2
CNIT 141: 5. More About Block Ciphers + Modular Arithmetic 2Sam Bowne
 
THE UNIFIED OPERATION STRUCTURE FOR SYMMETRIC-KEY ALGORITHM
THE UNIFIED OPERATION STRUCTURE FOR SYMMETRIC-KEY ALGORITHMTHE UNIFIED OPERATION STRUCTURE FOR SYMMETRIC-KEY ALGORITHM
THE UNIFIED OPERATION STRUCTURE FOR SYMMETRIC-KEY ALGORITHMcscpconf
 
SymmetricCryptography-Part3 - Tagged.pdf
SymmetricCryptography-Part3 - Tagged.pdfSymmetricCryptography-Part3 - Tagged.pdf
SymmetricCryptography-Part3 - Tagged.pdfMohammedMorhafJaely
 
Block Ciphers Modes of Operation
Block Ciphers Modes of OperationBlock Ciphers Modes of Operation
Block Ciphers Modes of OperationRoman Oliynykov
 
Block Ciphers and the Data Encryption Standard
Block Ciphers and the Data Encryption StandardBlock Ciphers and the Data Encryption Standard
Block Ciphers and the Data Encryption StandardDr.Florence Dayana
 

Similaire à Block Cipher Modes of Operation And Cmac For Authentication (20)

Information Security
Information SecurityInformation Security
Information Security
 
block ciphermodes of operation.pptx
block ciphermodes of operation.pptxblock ciphermodes of operation.pptx
block ciphermodes of operation.pptx
 
Comparative analysis on different DES model
Comparative analysis on different DES modelComparative analysis on different DES model
Comparative analysis on different DES model
 
Ciphers modes
Ciphers modesCiphers modes
Ciphers modes
 
13528 l8
13528 l813528 l8
13528 l8
 
Encryption
EncryptionEncryption
Encryption
 
Block Cipher and Operation Modes
Block Cipher and Operation Modes Block Cipher and Operation Modes
Block Cipher and Operation Modes
 
Block Ciphers Modes of Operation
Block Ciphers Modes of OperationBlock Ciphers Modes of Operation
Block Ciphers Modes of Operation
 
Jaimin chp-8 - network security-new -use this - 2011 batch
Jaimin chp-8 - network security-new -use this - 2011 batchJaimin chp-8 - network security-new -use this - 2011 batch
Jaimin chp-8 - network security-new -use this - 2011 batch
 
CR 06 - Block Cipher Operation.ppt
CR 06 - Block Cipher Operation.pptCR 06 - Block Cipher Operation.ppt
CR 06 - Block Cipher Operation.ppt
 
unit 2.ppt
unit 2.pptunit 2.ppt
unit 2.ppt
 
DEC algorithm
DEC algorithmDEC algorithm
DEC algorithm
 
Block cipher modes of operations
Block cipher modes of operationsBlock cipher modes of operations
Block cipher modes of operations
 
CNIT 141: 5. More About Block Ciphers + Modular Arithmetic 2
CNIT 141: 5. More About Block Ciphers + Modular Arithmetic 2CNIT 141: 5. More About Block Ciphers + Modular Arithmetic 2
CNIT 141: 5. More About Block Ciphers + Modular Arithmetic 2
 
4.ppt
4.ppt4.ppt
4.ppt
 
THE UNIFIED OPERATION STRUCTURE FOR SYMMETRIC-KEY ALGORITHM
THE UNIFIED OPERATION STRUCTURE FOR SYMMETRIC-KEY ALGORITHMTHE UNIFIED OPERATION STRUCTURE FOR SYMMETRIC-KEY ALGORITHM
THE UNIFIED OPERATION STRUCTURE FOR SYMMETRIC-KEY ALGORITHM
 
ch06.ppt
ch06.pptch06.ppt
ch06.ppt
 
SymmetricCryptography-Part3 - Tagged.pdf
SymmetricCryptography-Part3 - Tagged.pdfSymmetricCryptography-Part3 - Tagged.pdf
SymmetricCryptography-Part3 - Tagged.pdf
 
Block Ciphers Modes of Operation
Block Ciphers Modes of OperationBlock Ciphers Modes of Operation
Block Ciphers Modes of Operation
 
Block Ciphers and the Data Encryption Standard
Block Ciphers and the Data Encryption StandardBlock Ciphers and the Data Encryption Standard
Block Ciphers and the Data Encryption Standard
 

Plus de Vittorio Giovara

Color me intrigued: A jaunt through color technology in video
Color me intrigued: A jaunt through color technology in videoColor me intrigued: A jaunt through color technology in video
Color me intrigued: A jaunt through color technology in videoVittorio Giovara
 
An overview on 10 bit video: UHDTV, HDR, and coding efficiency
An overview on 10 bit video: UHDTV, HDR, and coding efficiencyAn overview on 10 bit video: UHDTV, HDR, and coding efficiency
An overview on 10 bit video: UHDTV, HDR, and coding efficiencyVittorio Giovara
 
Introduction to video reverse engineering
Introduction to video reverse engineeringIntroduction to video reverse engineering
Introduction to video reverse engineeringVittorio Giovara
 
Fuzzing Techniques for Software Vulnerability Discovery
Fuzzing Techniques for Software Vulnerability DiscoveryFuzzing Techniques for Software Vulnerability Discovery
Fuzzing Techniques for Software Vulnerability DiscoveryVittorio Giovara
 
Parallel and Distributed Computing on Low Latency Clusters
Parallel and Distributed Computing on Low Latency ClustersParallel and Distributed Computing on Low Latency Clusters
Parallel and Distributed Computing on Low Latency ClustersVittorio Giovara
 
Software Requirements for Safety-related Systems
Software Requirements for Safety-related SystemsSoftware Requirements for Safety-related Systems
Software Requirements for Safety-related SystemsVittorio Giovara
 
Microprocessor-based Systems 48/32bit Division Algorithm
Microprocessor-based Systems 48/32bit Division AlgorithmMicroprocessor-based Systems 48/32bit Division Algorithm
Microprocessor-based Systems 48/32bit Division AlgorithmVittorio Giovara
 
Misra C Software Development Standard
Misra C Software Development StandardMisra C Software Development Standard
Misra C Software Development StandardVittorio Giovara
 
OpenSSL User Manual and Data Format
OpenSSL User Manual and Data FormatOpenSSL User Manual and Data Format
OpenSSL User Manual and Data FormatVittorio Giovara
 
Authenticated Encryption Gcm Ccm
Authenticated Encryption Gcm CcmAuthenticated Encryption Gcm Ccm
Authenticated Encryption Gcm CcmVittorio Giovara
 

Plus de Vittorio Giovara (13)

Color me intrigued: A jaunt through color technology in video
Color me intrigued: A jaunt through color technology in videoColor me intrigued: A jaunt through color technology in video
Color me intrigued: A jaunt through color technology in video
 
An overview on 10 bit video: UHDTV, HDR, and coding efficiency
An overview on 10 bit video: UHDTV, HDR, and coding efficiencyAn overview on 10 bit video: UHDTV, HDR, and coding efficiency
An overview on 10 bit video: UHDTV, HDR, and coding efficiency
 
Introduction to video reverse engineering
Introduction to video reverse engineeringIntroduction to video reverse engineering
Introduction to video reverse engineering
 
Il Caso Ryanair
Il Caso RyanairIl Caso Ryanair
Il Caso Ryanair
 
I Mercati Geografici
I Mercati GeograficiI Mercati Geografici
I Mercati Geografici
 
Crittografia Quantistica
Crittografia QuantisticaCrittografia Quantistica
Crittografia Quantistica
 
Fuzzing Techniques for Software Vulnerability Discovery
Fuzzing Techniques for Software Vulnerability DiscoveryFuzzing Techniques for Software Vulnerability Discovery
Fuzzing Techniques for Software Vulnerability Discovery
 
Parallel and Distributed Computing on Low Latency Clusters
Parallel and Distributed Computing on Low Latency ClustersParallel and Distributed Computing on Low Latency Clusters
Parallel and Distributed Computing on Low Latency Clusters
 
Software Requirements for Safety-related Systems
Software Requirements for Safety-related SystemsSoftware Requirements for Safety-related Systems
Software Requirements for Safety-related Systems
 
Microprocessor-based Systems 48/32bit Division Algorithm
Microprocessor-based Systems 48/32bit Division AlgorithmMicroprocessor-based Systems 48/32bit Division Algorithm
Microprocessor-based Systems 48/32bit Division Algorithm
 
Misra C Software Development Standard
Misra C Software Development StandardMisra C Software Development Standard
Misra C Software Development Standard
 
OpenSSL User Manual and Data Format
OpenSSL User Manual and Data FormatOpenSSL User Manual and Data Format
OpenSSL User Manual and Data Format
 
Authenticated Encryption Gcm Ccm
Authenticated Encryption Gcm CcmAuthenticated Encryption Gcm Ccm
Authenticated Encryption Gcm Ccm
 

Dernier

A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 

Dernier (20)

A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 

Block Cipher Modes of Operation And Cmac For Authentication

  • 1. Block Cipher Modes of Operation Alberto Grand Politecnico di Torino Computer Systems Security – prof. Antonio Lioy
  • 2. What are modes of operation? Block ciphers only allow to encrypt entire blocks. What if our message is longer/shorter than the block size? We use modes of operation! Algorithms that exploit a block cipher to provide a service (e.g. confidentiality, authentication) 5 NIST-recommended modes providing confidentiality: ECB, CBC, CFB, OFB, CTR CMAC may be considered a block cipher mode of operation providing authentication. 2
  • 3. Electronic Codebook (ECB) Associates each possible plaintext block to a ciphertext block, like a codebook. Hello world! aY1:?§h24(r Requires padding Encryption/decryption of multiple blocks in parallel A 1-bit error in a ciphertext block garbles the corresponding decrypted block. 3
  • 4. Deficiencies of ECB Problems when the original message contains regular data patterns, because always encrypted in the same way. Only suitable for 1-block-sized data (e.g. a key) “The securest thing you can do with ECB is not use it!” 4
  • 5. Cipher Block Chaining (CBC) Allows the same plaintext blocks to be encrypted to different ciphertext blocks. Encrypted blocks are “chained” through XORing. Requires an initialisation vector (IV) Hello world q%1aX l’3z1$ IV CIPHER-1 CIPHER-1 CIPHER CIPHER IV q%1aX l’3z1$ Hello world 5
  • 6. Features of CBC No parallel encrypting , while parallel decrypting is possible. A 1-bit error affects two blocks: the corresponding block is garbled the corresponding bit is flipped in the next block Problem with the IV: 1-bit error only flips 1 bit in the 1st block, no garbled block. Hard to detect! Solutions: encipher the IV don’t transmit the IV, but compute it from a known value use authentication! 6
  • 7. Propagating CBC (PCBC) It’s a variation of CBC designed to propagate errors. It also involves the previous plaintext block in the XOR operation. Is error propagation desirable? It depends! NO if transmission errors YES if intentional, malicious changes Used in Kerberos v.4, but abandoned starting from v.5 because inversion of two adjacent blocks does not affect subsequent blocks. 7
  • 8. Cipher Feedback (CFB) Turns a block cipher into a stream cipher, message size need not be multiple of block size. Very similar to CBC (ciphering and XORing are swapped). IV IV CIPHER CIPHER CIPHER CIPHER Hello world q%1aX l’3z1$ q%1aX l’3z1$ Hello world 8
  • 9. Features of CFB No parallel encrypting of multiple blocks – although some form of pipelining is possible. Parallel decryption is possible Only the forward function is used. A 1-bit error : flips corresponding bit in current segment may garble the next ⌈b/s⌉ segments This is highly noticeable, so CFB is less exposed to the risk of deliberate bit changes. 9
  • 10. OpenPGP with CFB Widespread standard for exchanging encrypted e- mail messages. A variant of CFB is used for symmetric cryptography: a random block R is enciphered and used as an IV the first 2 bytes of R are replicated in the 2nd block for integrity checks Leak of information! About 215 set-up attempts + about 215 attempts per block enable an attacker to discover the first 2 bytes of any block. PGP stands for “Pretty Good Privacy”! 10
  • 11. Output Feedback (OFB) Turns a block cipher into a stream cipher. It features the iteration of the forward cipher on an IV. IV IV CIPHER CIPHER CIPHER CIPHER Hello world q%1aX l’3z1$ q%1aX l’3z1$ Hello world 11
  • 12. Features of OFB (i) Neither encryption nor decryption can be performed in parallel due to block chaining. If IV available prior to ciphertext, keystream blocks can be pre-computed. IV needs to be a nonce, otherwise know-plaintext attack is possible (under same key): an attacker who knows the ith plaintext block can easily reconstruct the ith keystream block he can then understand the ith block of every message 12
  • 13. Features of OFB (ii) A 1-bit error in a ciphertext block only produces a bit-specific error in the corresponding block: good for error correcting codes, which work even when applied before encryption bad because it’s hardly noticeable! A 1-bit error in the IV causes all blocks to be garbled. 13
  • 14. Counter (CTR) Turns a block cipher into a stream cipher. Keystreams blocks are generated by encrypting a set of counter blocks. CTR block #1 CTR block #2 CTR block #1 CTR block #2 CIPHER CIPHER CIPHER CIPHER Hello world q%1aX l’3z1$ q%1aX l’3z1$ Hello world 14
  • 15. Features of CTR (i) Both encryption and decryption can be performed fully in parallel on multiple blocks. Provides true random access to ciphertext blocks. If the initial counter block is available, keystream blocks may be computed prior to receiving the ciphertext . It’s simple! No inverse cipher function is required for decryption. It is becoming increasingly used. 15
  • 16. Features of CTR (ii) Assurance is required that: counters do not repeat within a single message counters do not repeat across all messages under a given key Done through an incrementing function. Usually, first b-m bits are a message nonce, following m bits are incremented (message length < 2m blocks). Alternatively, counters are concatenated (total length of all messages < 2m blocks) 16
  • 17. Padding: pros and cons Increases amount of data to be sent with no increase of transmitted information. With regular data pattern, padding with random values makes cryptanalysis more difficult. When padding scheme in known, it may expose exchange of messages to timing attacks. OpenSSL prior to v.0.9.6c with CBC-MAC MAC is located at the end, padding is needed Message only evaluated if padding is correct Attacker may systematically find out bits starting from second-to-last block. 17
  • 18. Ciphertext Stealing (CTS) Sometimes padding is unacceptable limited bandwidth exchange of many messages that would require padding We want to avoid extra data, but cipher blocks need entire blocks! Solution: use CTS! by accomplishing some extra operations, enables to produce as many output data as given in input we pay in terms of complexity and execution time we still cannot encyrpt very short messages (< 1 block). Usually not worth it! 18
  • 19. Related-mode attacks (i) Attacks against a given block cipher mode of operation: we must know which mode is being used we need an oracle of another mode, but with the same underlying cipher 19
  • 20. Related-mode attacks (ii) Using ECB against CTR MU intercepted Ci and C0 He chooses P’i = C0 + i C’i = CIPHk(P’i) Since Ci = CIPHk(C0 + i) ⊕ Pi he can compute Pi = Ci ⊕ C’i. Only one chosen plaintext query is required. 20
  • 21. The CMAC Mode for Authentication
  • 22. What is CMAC? The 5 modes of operation provide confidentiality, but we need authentication and integrity. We must use a mode for authentication! it implies integrity A MAC algorithm provides stronger assurance of data integrity than a checksum. CMAC exploits the CBC mode of operation to chain cipherblocks and obtain a value which depends on all previous blocks. 22
  • 23. Once upon time… …there was an insecure mode for authentication named CBC-MAC: only provided security for messages whose length was a multiple of the block size attacker could change the whole message (except last block) without notice when CBC was used for encryption with the same key. Black & Rogaway made it secure for arbitrary-length messages using 2 extra keys (XCBC). Iwata & Kurosawa derived the extra keys from the shared secret (OMAC, OMAC1 = CMAC). 23
  • 24. Subkey generation 2 subkeys K1, K2 are generated from the key Can be computed once and stored (must be secret!) Rb is a value related to the block size Rb = 012010000111 when b = 128 Rb = 05911011 when b = 64 L ⃪ CIPHk (0b) if MSB1(L) = 0 then K1 ⃪ L << 1 else K1 ⃪ (L << 1) ⊕ Rb if MSB1(K1) = 0 then K2 ⃪ K1 << 1 else K2 ⃪ (K1 << 1) ⊕ Rb Finite-field mathematics are involved! 24
  • 25. CMAC generation if Mlen = 0 then n ⃪ 1 else n ⃪ ⌈ len / b⌉ ⌈M ⌉ if M*n complete then Mn ⃪ M*n ⊕ K1 else Mn ⃪ (M*n ‖10j) ⊕ K1 C0 ⃪ 0b for i ⃪ 1 to n do Ci ⃪ CIPHk (Ci-1 ⊕ Mi) T ⃪ MSBTlen(Cn) Formatting of the message does not need to complete before starting CBC encryption. 25
  • 26. CMAC verification Receiver may decrypt data with the appropriate algorithm. He then applies CMAC generation process to the data. He compares the generated MAC with the one he received: if identical, message is authentic if not, in-transit errors or attack! 26
  • 27. Length of the MAC (i) When verification fails, we are sure the message is inauthentic. But when it succeeds, we are not 100% sure it is authentic! MU may have simply guessed the right MAC for a message His chances of succeeding are 1/2Tlen Longer MACs provide higher assurance, but use more bandwidth/storage space. If attacker can make more than one attempt his chances increase! 27
  • 28. Length of the MAC (ii) For most applications, 64 bits are enough. NIST provides guidance. Two parameters: MaxInvalids : maximum number of attempts before system halts Risk : highest acceptable probability that an inauthentic message is mistakenly trusted. Tlen ≥ log2 (MaxInvalids / Risk) e.g. MaxInvalids = 1 Risk = 0.25 ⇒ Tlen = 2 bits 28
  • 29. Message span of the key (i) It’s the total number of messages to which CMAC is applied with the same key. Affects security against attacks based on detecting 2 distinct messages that lead to the same MAC. We call this event a collision. This happens because possible messages are much more than possible MACs. It should not occur during the lifetime of a key. Message span should be limited! 29
  • 30. Message span of the key (ii) Probability says that a collision is expected among a set of 2b/2 messages. For general purpose applications: no more than 248 messages when b = 128 no more than 221 messages when b = 64 For higher level of security: no more than 248 message blocks when b = 128 (222 GB) no more than 221 message blocks when b = 64 (16 MB) Sometimes message span is time-limited. 30
  • 31. Protection vs. replay attacks No protection against replay attacks is ensured by CMAC: Malicious user may intercept a message with its correct MAC and send it at a later time. It’s perfectly valid! Such protection must be provided by protocol or application that uses CMAC for authentication: sequential number timestamp message nonce etc. 31