OFB is similar to CFB mode.
The output of the encryption function is fed back to become the input of the next OFB step.
In CFB, the output of the XOR unit is fed back to become the input for encrypting the next block.
Another difference is that OFB mode operates on full blocks of plaintext and ciphertext, not on an s-bit subset.
As with CBC and CFB, OFB mode requires an initialization vector (IV).
In OFB, the IV must be a nonce.
The sequence of encryption output blocks Oi depends only on the key and the IV, not on the plaintext.
For a given key and IV, the output bit stream that is XORed with the plaintext bit stream is fixed.
An advantage of the OFB method is that bit errors in transmission do not propagate.
A disadvantage of OFB is that it is more vulnerable to a message stream modification attack than CFB.
Operation on a single block
(1) j: the sequential number of the 128-bit block inside the data unit.
(2) i: the value of the 128-bit tweak assigned to each data unit (sector).
The j value ensures that if the same plaintext block appears at two different positions within a data unit, it encrypts to two different ciphertext blocks.
The i value ensures that if the same plaintext block appears at the same position in two different data units, it encrypts to two different ciphertext blocks.
Reference
William Stallings, Cryptography and Network Security (Sixth Edition), Pearson, 2014
2. UCS Lab
5. OUTPUT FEEDBACK MODE
6. Counter Mode
7. XTS-AES Mode for Block-Oriented Storage Devices
- Storage Encryption Requirements
- Operation on a Single Block
- Operation on a Sector
• Output feedback (OFB) mode is similar in structure to that of CFB.
• In OFB, the output of the encryption function is fed back to become the input for encrypting the next block.
• In CFB, the output of the XOR unit is fed back to become the input for encrypting the next block.
• Another difference is that the OFB mode operates on full blocks of plaintext and ciphertext, not on an s-bit subset.
• Cj = Pj ⊕ E(K, Oj-1)
• Oj-1 = E(K, Oj-2)
• Since Oj-1 = Cj-1 ⊕ Pj-1, the same relations can be written as:
• ENCRYPTION: Cj = Pj ⊕ E(K, [Cj-1 ⊕ Pj-1])
• DECRYPTION: Pj = Cj ⊕ E(K, [Cj-1 ⊕ Pj-1])
• OFB Mode
• Let the size of a block be b.
• If the last block of plaintext contains u bits (indicated by *), with u < b, the most significant u bits of the last output block ON are used for the XOR operation.
OFB
Encryption:
I1 = Nonce
Ij = Oj-1, j = 2, ..., N
Oj = E(K, Ij), j = 1, ..., N
Cj = Pj ⊕ Oj, j = 1, ..., N-1
C*N = P*N ⊕ MSBu(ON)
Decryption:
I1 = Nonce
Ij = Oj-1, j = 2, ..., N
Oj = E(K, Ij), j = 1, ..., N
Pj = Cj ⊕ Oj, j = 1, ..., N-1
P*N = C*N ⊕ MSBu(ON)
• In computing, the most significant bit (MSB, also
called the high-order bit) is the bit position in a binary
number having the greatest value. The MSB is
sometimes referred to as the left-most bit due to the
convention in positional notation of writing more
significant digits further to the left.
• In computing, the least significant bit (LSB) is the bit
position in a binary integer giving the units value, that
is, determining whether the number is even or odd. The
LSB is sometimes referred to as the right-most bit, due
to the convention in positional notation of writing less
significant digits further to the right.
• As with CBC and CFB, the OFB mode requires an initialization vector (IV).
• In OFB, the IV must be a nonce.
• The sequence of encryption output blocks Oi depends only on the key and the IV and does not depend on the plaintext.
• For a given key and IV, the stream of output bits used to XOR with the stream of plaintext bits is fixed.
• An advantage of the OFB method is that bit errors in transmission do not propagate.
• A disadvantage of OFB is that it is more vulnerable to a message stream modification attack than is CFB: complementing a ciphertext bit complements the corresponding plaintext bit.
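The OFB equations above as runnable Go, an added example that is not part of the original slides: AES from Go's standard library stands in for E, and the key, nonce and plaintext are constructed values. Besides the round trip and the partial final block C*N, it lets you check the two properties just listed: one flipped ciphertext bit changes exactly one plaintext bit, which is at once the no-propagation advantage and the message-stream-modification weakness.

```go
package main

import (
	"crypto/aes"
	"fmt"
)

// ofbXor applies the OFB equations from the slides with AES as E:
//   I1 = Nonce,  Ij = O(j-1),  Oj = E(K, Ij),  Cj = Pj XOR Oj,
//   C*N = P*N XOR MSBu(ON) when the last block holds only u bits.
// The same call decrypts, because the keystream Oj depends only on
// K and the nonce, never on the plaintext or ciphertext.
func ofbXor(key, nonce, in []byte) ([]byte, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := blk.BlockSize()
	if len(nonce) != bs {
		return nil, fmt.Errorf("nonce must be %d bytes, got %d", bs, len(nonce))
	}
	reg := make([]byte, bs) // the input/output register of the feedback loop
	copy(reg, nonce)        // I1 = Nonce
	out := make([]byte, len(in))
	for start := 0; start < len(in); start += bs {
		blk.Encrypt(reg, reg) // Oj = E(K, Ij); the output is fed back as I(j+1)
		end := start + bs
		if end > len(in) {
			end = len(in) // partial last block: only the leading u bits of ON are used
		}
		for k := start; k < end; k++ {
			out[k] = in[k] ^ reg[k-start]
		}
	}
	return out, nil
}

// flipBit returns a copy of data with one bit inverted. Decrypting such a
// ciphertext shows both OFB properties from the slides: a transmission
// error changes only that one plaintext bit (no propagation), and an
// attacker can flip chosen plaintext bits, so OFB output needs a MAC.
func flipBit(data []byte, idx int, bit uint) []byte {
	c := append([]byte(nil), data...)
	c[idx] ^= 1 << bit
	return c
}
```

Call ofbXor twice with the same constructed key and nonce to encrypt and then decrypt; feeding it flipBit(ct, 3, 0) instead of ct returns the plaintext with only bit 0 of byte 3 changed.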
• Interest in counter (CTR) mode has increased recently with applications to ATM (asynchronous transfer mode) network security and IP security.
• A counter equal to the plaintext block size is used.
• The counter value must be different for each plaintext block that is encrypted.
• The counter is initialized to some value and then incremented by 1 for each subsequent block.
• The counter is encrypted and then XORed with the plaintext block to produce the ciphertext block; there is no chaining.
• For decryption, the same sequence of counter values is used.
• OFB and CTR compared
OFB mode: the output block is fed back as the input for the next block cipher call.
CTR mode: the counter is incremented by 1 for the next block cipher call.
• CTR Mode
• We do not need to use padding because of the structure of the CTR mode.
• If a counter value is used multiple times, then the confidentiality of all of the plaintext blocks corresponding to that counter value may be compromised.
• If one plaintext block encrypted with a given counter value is known, the output of the encryption function can be determined from its ciphertext block; this output allows any other plaintext blocks that are encrypted using the same counter value to be recovered.
CTR
Encryption:
Cj = Pj ⊕ E(K, Tj), j = 1, ..., N-1
C*N = P*N ⊕ MSBu[E(K, TN)]
Decryption:
Pj = Cj ⊕ E(K, Tj), j = 1, ..., N-1
P*N = C*N ⊕ MSBu[E(K, TN)]
• Hardware efficiency: Unlike the three chaining modes, encryption (or decryption) in CTR mode can be done in parallel on multiple blocks of plaintext or ciphertext.
• Software efficiency: Because of the opportunities for parallel execution in CTR mode, processors that support parallel features, such as aggressive pipelining, multiple instruction dispatch per clock cycle, a large number of registers, and Single Instruction Multiple Data (SIMD) instructions, can be effectively utilized.
• Preprocessing: The execution of the underlying encryption algorithm does not depend on input of the plaintext or ciphertext.
• Random access: The ith block of plaintext or ciphertext can be processed in random-access fashion, which is not possible with the chaining modes. This suits applications in which a ciphertext is stored and it is desired to decrypt just one block.
• Provable security: It can be shown that CTR is at least as secure as the other modes.
• Simplicity: Unlike ECB and CBC modes, CTR mode requires only the implementation of the encryption algorithm and not the decryption algorithm.
• For the feedback mechanism, it is useful to think of the encryption function as taking input from an input register whose length equals the encryption block length, with output stored in an output register.
• The input register is updated one block at a time by the feedback mechanism.
• Both OFB and CTR produce output that is independent of both the plaintext and the ciphertext.
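CTR mode per the equations and properties above, as an added Go example that is not from the slides: AES is E, Tj is the initial counter T1 plus j-1 (a constructed big-endian increment rule), and key, counter and messages are constructed values. It shows that no padding is needed, that one stored block can be decrypted on its own, and it makes the counter-reuse warning concrete: two messages encrypted under the same key and T1 give ciphertexts whose XOR equals the XOR of the plaintexts.

```go
package main

import "crypto/aes"

// counterBlock returns Tj = T1 + (j-1), reading the 16-byte counter as a big-endian integer.
func counterBlock(t1 []byte, j int) []byte {
	t := append([]byte(nil), t1...)
	carry := uint64(j - 1)
	for k := len(t) - 1; k >= 0 && carry > 0; k-- {
		sum := uint64(t[k]) + carry&0xff
		t[k] = byte(sum)
		carry = carry>>8 + sum>>8
	}
	return t
}

// ctrBlockXor computes in XOR E(K, Tj) for one block j of at most 16 bytes; encryption
// and decryption are the same operation, and a short final block uses only the leading
// u bits of E(K, TN). Nothing chains across blocks, so block j can be handled on its own.
func ctrBlockXor(key, t1, in []byte, j int) ([]byte, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	ks := make([]byte, blk.BlockSize())
	blk.Encrypt(ks, counterBlock(t1, j)) // E(K, Tj): never touches the data
	out := make([]byte, len(in))
	for k := range in {
		out[k] = in[k] ^ ks[k]
	}
	return out, nil
}

// ctrXor encrypts or decrypts a whole message as blocks j = 1..N; the last block may simply be short.
func ctrXor(key, t1, in []byte) ([]byte, error) {
	out := make([]byte, 0, len(in))
	for j, start := 1, 0; start < len(in); j, start = j+1, start+16 {
		end := start + 16
		if end > len(in) {
			end = len(in)
		}
		c, err := ctrBlockXor(key, t1, in[start:end], j)
		if err != nil {
			return nil, err
		}
		out = append(out, c...)
	}
	return out, nil
}
```

Random access is just ctrBlockXor(key, t1, ct[16:32], 2): block 2 decrypts without block 1 ever being touched.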
• In 2010, NIST approved an additional block cipher mode of operation, XTS-AES. This mode is also IEEE Std 1619-2007.
• This standard describes a method of encryption for data stored in sector-based devices.
• XTS-AES mode is based on the concept of a tweakable block cipher.
• The standard has received widespread industry support.
Tweakable Block Ciphers
– XTS = XEX (XOR-Encrypt-XOR)-based Tweaked Codebook mode with Ciphertext Stealing
– XTS-AES mode is based on the concept of a tweakable block cipher.
– A tweakable block cipher is one that has three inputs: a plaintext P, a symmetric key K, and a tweak T, and produces a ciphertext output C: C = E(K, T, P).
– The tweak need not be kept secret.
– Whereas the purpose of the key is to provide security, the purpose of the tweak is to provide variability.
– The use of different tweaks with the same plaintext and same key produces different outputs.
Tweakable Block Ciphers
– ENCRYPTION: C = H(T) ⊕ E(K, H(T) ⊕ P)
– where H is a hash function.
– For decryption, the same structure is used with the ciphertext as input and decryption as the function instead of encryption.
– DECRYPTION: starting from H(T) ⊕ C = E(K, H(T) ⊕ P),
D(K, H(T) ⊕ C) = H(T) ⊕ P
H(T) ⊕ D(K, H(T) ⊕ C) = P
– This overcomes the principal security weakness of ECB, which is that two encryptions of the same block yield the same ciphertext.
STORAGE ENCRYPTION REQUIREMENTS
(1) The ciphertext is freely available for an attacker:
a. In a database, other users can retrieve an encrypted record but are unable to read it without the key.
b. An unauthorized user manages to gain access to encrypted records.
c. A data disk or laptop is stolen, giving the adversary access to the encrypted data.
(2) The data layout is not changed on the storage medium and in transit.
(3) Data are accessed in fixed-sized blocks, independently from each other.
(4) Encryption is performed in 16-byte blocks, independently from other blocks.
(5) No other metadata are used, except the location of the data blocks within the whole data set.
(6) The same plaintext is encrypted to different ciphertexts at different locations, but always to the same ciphertext when written to the same location again.
(7) A standard-conformant device can be constructed for decryption of data encrypted by another standard-conformant device.
• In CTR mode, an adversary with write access to the encrypted media can flip any bit of the plaintext by flipping the corresponding ciphertext bit.
• In CBC mode, an adversary with read/write access to the encrypted disk can copy a ciphertext sector from one position to another.
OPERATION ON A SINGLE BLOCK
(1) j: the sequential number of the 128-bit block inside the data unit.
(2) i: the value of the 128-bit tweak assigned to each data unit (sector).
• The j value ensures that if the same plaintext block appears at two different positions within a data unit, it will encrypt to two different ciphertext blocks.
• The i value ensures that, if the same plaintext block appears at the same position in two different data units, it will encrypt to two different ciphertext blocks.
• XTS-AES operation on a single block: figure (a) encryption, (b) decryption.
• Encryption and decryption of a single block:
• Encryption: C = CC ⊕ T = E(K1, PP) ⊕ T = E(K1, P ⊕ T) ⊕ T
• Decryption: P = PP ⊕ T = D(K1, CC) ⊕ T = D(K1, C ⊕ T) ⊕ T
• Substituting C: P = D(K1, E(K1, P ⊕ T) ⊕ T ⊕ T) ⊕ T = (P ⊕ T) ⊕ T = P
XTS-AES block operation
Encryption:
T = E(K2, i) ⊗ α^j
PP = P ⊕ T
CC = E(K1, PP)
C = CC ⊕ T
Decryption:
T = E(K2, i) ⊗ α^j
CC = C ⊕ T
PP = D(K1, CC)
P = PP ⊕ T
(⊗ is multiplication in GF(2^128) and α is a primitive element of that field; K1 and K2 are the two halves of the XTS-AES key K.)
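XTS-AES single-block encryption and decryption as written above, as an added Go example (not the slides' or the standard's own code); it also instantiates the generic tweakable construction, with H(T) here being E(K2, i) ⊗ α^j. It assumes the key K is supplied as its two halves K1 and K2, that i is the 16-byte tweak of the sector, and that ⊗ α^j is carried out as j multiplications by α in GF(2^128) with the IEEE 1619 reduction polynomial and byte order; the ciphertext-stealing step for a sector's last two blocks is not included.

```go
package main

import "crypto/aes"

// mulAlpha multiplies a 16-byte tweak by alpha (= x) in GF(2^128) modulo
// x^128 + x^7 + x^2 + x + 1, IEEE 1619 bit order: byte 0 is least significant.
func mulAlpha(t []byte) {
	carry := t[15] >> 7
	for k := 15; k > 0; k-- {
		t[k] = t[k]<<1 | t[k-1]>>7
	}
	t[0] = t[0]<<1 ^ carry*0x87
}

// xtsTweak computes T = E(K2, i) (x) alpha^j for block j of data unit (sector) i.
func xtsTweak(k2, i []byte, j int) ([]byte, error) {
	blk, err := aes.NewCipher(k2)
	if err != nil {
		return nil, err
	}
	t := make([]byte, 16)
	blk.Encrypt(t, i)
	for n := 0; n < j; n++ { // multiply by alpha j times
		mulAlpha(t)
	}
	return t, nil
}

// xtsBlock is XTS-AES-blockEnc (decrypt=false) or XTS-AES-blockDec (decrypt=true)
// for one 16-byte block; the XTS key K is split into K1 (data) and K2 (tweak).
func xtsBlock(k1, k2, in, i []byte, j int, decrypt bool) ([]byte, error) {
	t, err := xtsTweak(k2, i, j)
	if err != nil {
		return nil, err
	}
	blk, err := aes.NewCipher(k1)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 16)
	for k := range out { out[k] = in[k] ^ t[k] } // PP = P (+) T  (CC = C (+) T when decrypting)
	if decrypt {
		blk.Decrypt(out, out) // PP = D(K1, CC)
	} else {
		blk.Encrypt(out, out) // CC = E(K1, PP)
	}
	for k := range out { out[k] ^= t[k] } // C = CC (+) T  (P = PP (+) T when decrypting)
	return out, nil
}
```

Encrypting the same 16-byte block with j = 0 and j = 1, or with the same j in two different sectors i, gives different ciphertexts, while the same (i, j) always gives the same ciphertext, which is requirement (6) above.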
OPERATION ON A SECTOR
• The plaintext of a sector or data unit is organized into blocks of 128 bits. The blocks are P0, P1, ..., Pm.
• For encryption and decryption, each block is treated independently.
• The last two blocks are encrypted/decrypted using a ciphertext-stealing technique instead of a padding scheme.
• This is used to make the ciphertext length the same as the plaintext length.
• It requires more than one block of plaintext.
XTS-AES Mode
– Block Encryption: XTS-AES-blockEnc(K, Pj, i, j)
– Block Decryption: XTS-AES-blockDec(K, Cj, i, j)
• William Stallings, Cryptography and Network Security (Sixth Edition), Pearson, 2014
• 조상진, Easy-to-Understand Information Security Engineer / Industrial Engineer ("Engineer Information Security"), KISA, 2015
• Wikipedia