SlideShare ist ein Scribd-Unternehmen logo

Block Cipher Modes of Operation And Cmac For Authentication

V
Vittorio Giovara

Thiese are the slides used for presenting the Block Cipher Modes of Operation and CMAC for Authentication document by Alberto Grand.

Technologie
1 von 32
Downloaden Sie, um offline zu lesen
Block Cipher Modes of Operation Alberto Grand Politecnico di Torino Computer Systems Security – prof. Antonio Lioy
What are modes of operation? Block ciphers only allow to encrypt entire blocks. What if our message is longer/shorter than the block size? We use modes of operation! Algorithms that exploit a block cipher to provide a service (e.g. confidentiality, authentication) 5 NIST-recommended modes providing confidentiality: ECB, CBC, CFB, OFB, CTR CMAC may be considered a block cipher mode of operation providing authentication. 2
Electronic Codebook (ECB) Associates each possible plaintext block to a ciphertext block, like a codebook. Hello world! aY1:?§h24(r Requires padding Encryption/decryption of multiple blocks in parallel A 1-bit error in a ciphertext block garbles the corresponding decrypted block. 3
Deficiencies of ECB Problems when the original message contains regular data patterns, because always encrypted in the same way. Only suitable for 1-block-sized data (e.g. a key) “The securest thing you can do with ECB is not use it!” 4
Cipher Block Chaining (CBC) Allows the same plaintext blocks to be encrypted to different ciphertext blocks. Encrypted blocks are “chained” through XORing. Requires an initialisation vector (IV) Hello world q%1aX l’3z1$ IV CIPHER-1 CIPHER-1 CIPHER CIPHER IV q%1aX l’3z1$ Hello world 5
Features of CBC No parallel encrypting , while parallel decrypting is possible. A 1-bit error affects two blocks: the corresponding block is garbled the corresponding bit is flipped in the next block Problem with the IV: 1-bit error only flips 1 bit in the 1st block, no garbled block. Hard to detect! Solutions: encipher the IV don’t transmit the IV, but compute it from a known value use authentication! 6
Propagating CBC (PCBC) It’s a variation of CBC designed to propagate errors. It also involves the previous plaintext block in the XOR operation. Is error propagation desirable? It depends! NO if transmission errors YES if intentional, malicious changes Used in Kerberos v.4, but abandoned starting from v.5 because inversion of two adjacent blocks does not affect subsequent blocks. 7
Cipher Feedback (CFB) Turns a block cipher into a stream cipher, message size need not be multiple of block size. Very similar to CBC (ciphering and XORing are swapped). IV IV CIPHER CIPHER CIPHER CIPHER Hello world q%1aX l’3z1$ q%1aX l’3z1$ Hello world 8
Features of CFB No parallel encrypting of multiple blocks – although some form of pipelining is possible. Parallel decryption is possible Only the forward function is used. A 1-bit error : flips corresponding bit in current segment may garble the next ⌈b/s⌉ segments This is highly noticeable, so CFB is less exposed to the risk of deliberate bit changes. 9
OpenPGP with CFB Widespread standard for exchanging encrypted e- mail messages. A variant of CFB is used for symmetric cryptography: a random block R is enciphered and used as an IV the first 2 bytes of R are replicated in the 2nd block for integrity checks Leak of information! About 215 set-up attempts + about 215 attempts per block enable an attacker to discover the first 2 bytes of any block. PGP stands for “Pretty Good Privacy”! 10
Output Feedback (OFB) Turns a block cipher into a stream cipher. It features the iteration of the forward cipher on an IV. IV IV CIPHER CIPHER CIPHER CIPHER Hello world q%1aX l’3z1$ q%1aX l’3z1$ Hello world 11
Features of OFB (i) Neither encryption nor decryption can be performed in parallel due to block chaining. If IV available prior to ciphertext, keystream blocks can be pre-computed. IV needs to be a nonce, otherwise know-plaintext attack is possible (under same key): an attacker who knows the ith plaintext block can easily reconstruct the ith keystream block he can then understand the ith block of every message 12
Features of OFB (ii) A 1-bit error in a ciphertext block only produces a bit-specific error in the corresponding block: good for error correcting codes, which work even when applied before encryption bad because it’s hardly noticeable! A 1-bit error in the IV causes all blocks to be garbled. 13
Counter (CTR) Turns a block cipher into a stream cipher. Keystreams blocks are generated by encrypting a set of counter blocks. CTR block #1 CTR block #2 CTR block #1 CTR block #2 CIPHER CIPHER CIPHER CIPHER Hello world q%1aX l’3z1$ q%1aX l’3z1$ Hello world 14
Features of CTR (i) Both encryption and decryption can be performed fully in parallel on multiple blocks. Provides true random access to ciphertext blocks. If the initial counter block is available, keystream blocks may be computed prior to receiving the ciphertext . It’s simple! No inverse cipher function is required for decryption. It is becoming increasingly used. 15
Features of CTR (ii) Assurance is required that: counters do not repeat within a single message counters do not repeat across all messages under a given key Done through an incrementing function. Usually, first b-m bits are a message nonce, following m bits are incremented (message length < 2m blocks). Alternatively, counters are concatenated (total length of all messages < 2m blocks) 16
Padding: pros and cons Increases amount of data to be sent with no increase of transmitted information. With regular data pattern, padding with random values makes cryptanalysis more difficult. When padding scheme in known, it may expose exchange of messages to timing attacks. OpenSSL prior to v.0.9.6c with CBC-MAC MAC is located at the end, padding is needed Message only evaluated if padding is correct Attacker may systematically find out bits starting from second-to-last block. 17
Ciphertext Stealing (CTS) Sometimes padding is unacceptable limited bandwidth exchange of many messages that would require padding We want to avoid extra data, but cipher blocks need entire blocks! Solution: use CTS! by accomplishing some extra operations, enables to produce as many output data as given in input we pay in terms of complexity and execution time we still cannot encyrpt very short messages (< 1 block). Usually not worth it! 18
Related-mode attacks (i) Attacks against a given block cipher mode of operation: we must know which mode is being used we need an oracle of another mode, but with the same underlying cipher 19
Related-mode attacks (ii) Using ECB against CTR MU intercepted Ci and C0 He chooses P’i = C0 + i C’i = CIPHk(P’i) Since Ci = CIPHk(C0 + i) ⊕ Pi he can compute Pi = Ci ⊕ C’i. Only one chosen plaintext query is required. 20
The CMAC Mode for Authentication
What is CMAC? The 5 modes of operation provide confidentiality, but we need authentication and integrity. We must use a mode for authentication! it implies integrity A MAC algorithm provides stronger assurance of data integrity than a checksum. CMAC exploits the CBC mode of operation to chain cipherblocks and obtain a value which depends on all previous blocks. 22
Once upon time… …there was an insecure mode for authentication named CBC-MAC: only provided security for messages whose length was a multiple of the block size attacker could change the whole message (except last block) without notice when CBC was used for encryption with the same key. Black & Rogaway made it secure for arbitrary-length messages using 2 extra keys (XCBC). Iwata & Kurosawa derived the extra keys from the shared secret (OMAC, OMAC1 = CMAC). 23
Subkey generation 2 subkeys K1, K2 are generated from the key Can be computed once and stored (must be secret!) Rb is a value related to the block size Rb = 012010000111 when b = 128 Rb = 05911011 when b = 64 L ⃪ CIPHk (0b) if MSB1(L) = 0 then K1 ⃪ L << 1 else K1 ⃪ (L << 1) ⊕ Rb if MSB1(K1) = 0 then K2 ⃪ K1 << 1 else K2 ⃪ (K1 << 1) ⊕ Rb Finite-field mathematics are involved! 24
CMAC generation if Mlen = 0 then n ⃪ 1 else n ⃪ ⌈ len / b⌉ ⌈M ⌉ if M*n complete then Mn ⃪ M*n ⊕ K1 else Mn ⃪ (M*n ‖10j) ⊕ K1 C0 ⃪ 0b for i ⃪ 1 to n do Ci ⃪ CIPHk (Ci-1 ⊕ Mi) T ⃪ MSBTlen(Cn) Formatting of the message does not need to complete before starting CBC encryption. 25
CMAC verification Receiver may decrypt data with the appropriate algorithm. He then applies CMAC generation process to the data. He compares the generated MAC with the one he received: if identical, message is authentic if not, in-transit errors or attack! 26
Length of the MAC (i) When verification fails, we are sure the message is inauthentic. But when it succeeds, we are not 100% sure it is authentic! MU may have simply guessed the right MAC for a message His chances of succeeding are 1/2Tlen Longer MACs provide higher assurance, but use more bandwidth/storage space. If attacker can make more than one attempt his chances increase! 27
Length of the MAC (ii) For most applications, 64 bits are enough. NIST provides guidance. Two parameters: MaxInvalids : maximum number of attempts before system halts Risk : highest acceptable probability that an inauthentic message is mistakenly trusted. Tlen ≥ log2 (MaxInvalids / Risk) e.g. MaxInvalids = 1 Risk = 0.25 ⇒ Tlen = 2 bits 28
Message span of the key (i) It’s the total number of messages to which CMAC is applied with the same key. Affects security against attacks based on detecting 2 distinct messages that lead to the same MAC. We call this event a collision. This happens because possible messages are much more than possible MACs. It should not occur during the lifetime of a key. Message span should be limited! 29
Message span of the key (ii) Probability says that a collision is expected among a set of 2b/2 messages. For general purpose applications: no more than 248 messages when b = 128 no more than 221 messages when b = 64 For higher level of security: no more than 248 message blocks when b = 128 (222 GB) no more than 221 message blocks when b = 64 (16 MB) Sometimes message span is time-limited. 30
Protection vs. replay attacks No protection against replay attacks is ensured by CMAC: Malicious user may intercept a message with its correct MAC and send it at a later time. It’s perfectly valid! Such protection must be provided by protocol or application that uses CMAC for authentication: sequential number timestamp message nonce etc. 31
Any questions? 32

Empfohlen

RC4&RC5
RC4&RC5RC4&RC5
RC4&RC5Mohamed El-Serngawy
 
Block cipher modes of operation
Block cipher modes of operation Block cipher modes of operation
Block cipher modes of operation harshit chavda
 
Message Authentication Code & HMAC
Message Authentication Code & HMACMessage Authentication Code & HMAC
Message Authentication Code & HMACKrishna Gehlot
 
Message authentication
Message authenticationMessage authentication
Message authenticationCAS
 
Cryptography.ppt
Cryptography.pptCryptography.ppt
Cryptography.pptUday Meena
 
Modes of Operation
Modes of Operation Modes of Operation
Modes of Operation Showkot Usman
 
block ciphers
block ciphersblock ciphers
block ciphersAsad Ali
 
Block cipher modes of operations
Block cipher modes of operationsBlock cipher modes of operations
Block cipher modes of operationsAkashRanjandas1
 

Empfohlen

RC4&RC5
RC4&RC5RC4&RC5
RC4&RC5Mohamed El-Serngawy
 
Block cipher modes of operation
Block cipher modes of operation Block cipher modes of operation
Block cipher modes of operation harshit chavda
 
Message Authentication Code & HMAC
Message Authentication Code & HMACMessage Authentication Code & HMAC
Message Authentication Code & HMACKrishna Gehlot
 
Message authentication
Message authenticationMessage authentication
Message authenticationCAS
 
Cryptography.ppt
Cryptography.pptCryptography.ppt
Cryptography.pptUday Meena
 
Modes of Operation
Modes of Operation Modes of Operation
Modes of Operation Showkot Usman
 
block ciphers
block ciphersblock ciphers
block ciphersAsad Ali
 
Block cipher modes of operations
Block cipher modes of operationsBlock cipher modes of operations
Block cipher modes of operationsAkashRanjandas1
 
Encryption algorithms
Encryption algorithmsEncryption algorithms
Encryption algorithmstrilokchandra prakash
 
Key management
Key managementKey management
Key managementSujata Regoti
 
Introduction to Cryptography
Introduction to CryptographyIntroduction to Cryptography
Introduction to CryptographyBharat Kumar Katur
 
CMACs and MACS based on block ciphers, Digital signature
CMACs and MACS based on block ciphers, Digital signatureCMACs and MACS based on block ciphers, Digital signature
CMACs and MACS based on block ciphers, Digital signatureAdarsh Patel
 
DES
DESDES
DESNaga Srimanyu Timmaraju
 
Message Authentication
Message AuthenticationMessage Authentication
Message Authenticationchauhankapil
 
CRYPTOGRAPHY AND NETWORK SECURITY
CRYPTOGRAPHY AND NETWORK SECURITYCRYPTOGRAPHY AND NETWORK SECURITY
CRYPTOGRAPHY AND NETWORK SECURITYKathirvel Ayyaswamy
 
symmetric key encryption algorithms
symmetric key encryption algorithms symmetric key encryption algorithms
symmetric key encryption algorithmsRashmi Burugupalli
 
SHA 1 Algorithm
SHA 1 AlgorithmSHA 1 Algorithm
SHA 1 AlgorithmShiva RamDam
 
CS6701 CRYPTOGRAPHY AND NETWORK SECURITY
CS6701 CRYPTOGRAPHY AND NETWORK SECURITYCS6701 CRYPTOGRAPHY AND NETWORK SECURITY
CS6701 CRYPTOGRAPHY AND NETWORK SECURITYKathirvel Ayyaswamy
 
Cryptography
CryptographyCryptography
Cryptographyamiable_indian
 
Asymmetric Cryptography.pptx
Asymmetric Cryptography.pptxAsymmetric Cryptography.pptx
Asymmetric Cryptography.pptxdiaa46
 
Cryptography
CryptographyCryptography
Cryptographyjayashri kolekar
 
Transposition Cipher
Transposition CipherTransposition Cipher
Transposition Cipherdaniyalqureshi712
 
key distribution in network security
key distribution in network securitykey distribution in network security
key distribution in network securitybabak danyal
 
Hash Function
Hash FunctionHash Function
Hash Functionstalin rijal
 
Cryptography
CryptographyCryptography
CryptographyDeepak Kumar
 
SHA- Secure hashing algorithm
SHA- Secure hashing algorithmSHA- Secure hashing algorithm
SHA- Secure hashing algorithmRuchi Maurya
 
Idea(international data encryption algorithm)
Idea(international data encryption algorithm)Idea(international data encryption algorithm)
Idea(international data encryption algorithm)SAurabh PRajapati
 
Block Ciphers and the Data Encryption Standard
Block Ciphers and the Data Encryption StandardBlock Ciphers and the Data Encryption Standard
Block Ciphers and the Data Encryption StandardDr.Florence Dayana
 
Zero to ECC in 30 Minutes: A primer on Elliptic Curve Cryptography (ECC)
Zero to ECC in 30 Minutes: A primer on Elliptic Curve Cryptography (ECC)Zero to ECC in 30 Minutes: A primer on Elliptic Curve Cryptography (ECC)
Zero to ECC in 30 Minutes: A primer on Elliptic Curve Cryptography (ECC)Entrust Datacard
 
Alice & bob public key cryptography 101
Alice & bob public key cryptography 101Alice & bob public key cryptography 101
Alice & bob public key cryptography 101Joshua Thijssen
 

Weitere ähnliche Inhalte

Was ist angesagt?

CMACs and MACS based on block ciphers, Digital signature
CMACs and MACS based on block ciphers, Digital signatureCMACs and MACS based on block ciphers, Digital signature
CMACs and MACS based on block ciphers, Digital signatureAdarsh Patel
 
Message Authentication
Message AuthenticationMessage Authentication
Message Authenticationchauhankapil
 
CRYPTOGRAPHY AND NETWORK SECURITY
CRYPTOGRAPHY AND NETWORK SECURITYCRYPTOGRAPHY AND NETWORK SECURITY
CRYPTOGRAPHY AND NETWORK SECURITYKathirvel Ayyaswamy
 
symmetric key encryption algorithms
symmetric key encryption algorithms symmetric key encryption algorithms
symmetric key encryption algorithmsRashmi Burugupalli
 
CS6701 CRYPTOGRAPHY AND NETWORK SECURITY
CS6701 CRYPTOGRAPHY AND NETWORK SECURITYCS6701 CRYPTOGRAPHY AND NETWORK SECURITY
CS6701 CRYPTOGRAPHY AND NETWORK SECURITYKathirvel Ayyaswamy
 
Asymmetric Cryptography.pptx
Asymmetric Cryptography.pptxAsymmetric Cryptography.pptx
Asymmetric Cryptography.pptxdiaa46
 
key distribution in network security
key distribution in network securitykey distribution in network security
key distribution in network securitybabak danyal
 
SHA- Secure hashing algorithm
SHA- Secure hashing algorithmSHA- Secure hashing algorithm
SHA- Secure hashing algorithmRuchi Maurya
 
Idea(international data encryption algorithm)
Idea(international data encryption algorithm)Idea(international data encryption algorithm)
Idea(international data encryption algorithm)SAurabh PRajapati
 
Block Ciphers and the Data Encryption Standard
Block Ciphers and the Data Encryption StandardBlock Ciphers and the Data Encryption Standard
Block Ciphers and the Data Encryption StandardDr.Florence Dayana
 

Was ist angesagt? (20)

Encryption algorithms
Encryption algorithmsEncryption algorithms
Encryption algorithms
 
Key management
Key managementKey management
Key management
 
Introduction to Cryptography
Introduction to CryptographyIntroduction to Cryptography
Introduction to Cryptography
 
CMACs and MACS based on block ciphers, Digital signature
CMACs and MACS based on block ciphers, Digital signatureCMACs and MACS based on block ciphers, Digital signature
CMACs and MACS based on block ciphers, Digital signature
 
DES
DESDES
DES
 
Message Authentication
Message AuthenticationMessage Authentication
Message Authentication
 
CRYPTOGRAPHY AND NETWORK SECURITY
CRYPTOGRAPHY AND NETWORK SECURITYCRYPTOGRAPHY AND NETWORK SECURITY
CRYPTOGRAPHY AND NETWORK SECURITY
 
symmetric key encryption algorithms
symmetric key encryption algorithms symmetric key encryption algorithms
symmetric key encryption algorithms
 
SHA 1 Algorithm
SHA 1 AlgorithmSHA 1 Algorithm
SHA 1 Algorithm
 
CS6701 CRYPTOGRAPHY AND NETWORK SECURITY
CS6701 CRYPTOGRAPHY AND NETWORK SECURITYCS6701 CRYPTOGRAPHY AND NETWORK SECURITY
CS6701 CRYPTOGRAPHY AND NETWORK SECURITY
 
Cryptography
CryptographyCryptography
Cryptography
 
Asymmetric Cryptography.pptx
Asymmetric Cryptography.pptxAsymmetric Cryptography.pptx
Asymmetric Cryptography.pptx
 
Cryptography
CryptographyCryptography
Cryptography
 
Transposition Cipher
Transposition CipherTransposition Cipher
Transposition Cipher
 
key distribution in network security
key distribution in network securitykey distribution in network security
key distribution in network security
 
Hash Function
Hash FunctionHash Function
Hash Function
 
Cryptography
CryptographyCryptography
Cryptography
 
SHA- Secure hashing algorithm
SHA- Secure hashing algorithmSHA- Secure hashing algorithm
SHA- Secure hashing algorithm
 
Idea(international data encryption algorithm)
Idea(international data encryption algorithm)Idea(international data encryption algorithm)
Idea(international data encryption algorithm)
 
Block Ciphers and the Data Encryption Standard
Block Ciphers and the Data Encryption StandardBlock Ciphers and the Data Encryption Standard
Block Ciphers and the Data Encryption Standard
 

Andere mochten auch

Zero to ECC in 30 Minutes: A primer on Elliptic Curve Cryptography (ECC)
Zero to ECC in 30 Minutes: A primer on Elliptic Curve Cryptography (ECC)Zero to ECC in 30 Minutes: A primer on Elliptic Curve Cryptography (ECC)
Zero to ECC in 30 Minutes: A primer on Elliptic Curve Cryptography (ECC)Entrust Datacard
 
Alice & bob public key cryptography 101
Alice & bob public key cryptography 101Alice & bob public key cryptography 101
Alice & bob public key cryptography 101Joshua Thijssen
 
Ch03 block-cipher-and-data-encryption-standard
Ch03 block-cipher-and-data-encryption-standardCh03 block-cipher-and-data-encryption-standard
Ch03 block-cipher-and-data-encryption-standardtarekiceiuk
 
Information and data security block cipher and the data encryption standard (...
Information and data security block cipher and the data encryption standard (...Information and data security block cipher and the data encryption standard (...
Information and data security block cipher and the data encryption standard (...Mazin Alwaaly
 
CNIT 141: 9. Elliptic Curve Cryptosystems
CNIT 141: 9. Elliptic Curve CryptosystemsCNIT 141: 9. Elliptic Curve Cryptosystems
CNIT 141: 9. Elliptic Curve CryptosystemsSam Bowne
 
Cryptography
CryptographyCryptography
CryptographyAnandKaGe
 
Cryptography and Message Authentication NS3
Cryptography and Message Authentication NS3Cryptography and Message Authentication NS3
Cryptography and Message Authentication NS3koolkampus
 
Different types of Symmetric key Cryptography
Different types of Symmetric key CryptographyDifferent types of Symmetric key Cryptography
Different types of Symmetric key Cryptographysubhradeep mitra
 
Alice & bob public key cryptography 101
Alice & bob public key cryptography 101Alice & bob public key cryptography 101
Alice & bob public key cryptography 101Joshua Thijssen
 
Information and data security block cipher operation
Information and data security block cipher operationInformation and data security block cipher operation
Information and data security block cipher operationMazin Alwaaly
 
CS6701 CRYPTOGRAPHY AND NETWORK SECURITY
CS6701 CRYPTOGRAPHY AND NETWORK SECURITYCS6701 CRYPTOGRAPHY AND NETWORK SECURITY
CS6701 CRYPTOGRAPHY AND NETWORK SECURITYKathirvel Ayyaswamy
 
CS6701 CRYPTOGRAPHY AND NETWORK SECURITY
CS6701 CRYPTOGRAPHY AND NETWORK SECURITYCS6701 CRYPTOGRAPHY AND NETWORK SECURITY
CS6701 CRYPTOGRAPHY AND NETWORK SECURITYKathirvel Ayyaswamy
 
Cipher techniques
Cipher techniquesCipher techniques
Cipher techniquesMohd Arif
 
PUBLIC KEY ENCRYPTION
PUBLIC KEY ENCRYPTIONPUBLIC KEY ENCRYPTION
PUBLIC KEY ENCRYPTIONraf_slide
 
Introduction to Digital signatures
Introduction to Digital signaturesIntroduction to Digital signatures
Introduction to Digital signaturesRohit Bhat
 

Andere mochten auch (19)

Zero to ECC in 30 Minutes: A primer on Elliptic Curve Cryptography (ECC)
Zero to ECC in 30 Minutes: A primer on Elliptic Curve Cryptography (ECC)Zero to ECC in 30 Minutes: A primer on Elliptic Curve Cryptography (ECC)
Zero to ECC in 30 Minutes: A primer on Elliptic Curve Cryptography (ECC)
 
Alice & bob public key cryptography 101
Alice & bob public key cryptography 101Alice & bob public key cryptography 101
Alice & bob public key cryptography 101
 
Ch03 block-cipher-and-data-encryption-standard
Ch03 block-cipher-and-data-encryption-standardCh03 block-cipher-and-data-encryption-standard
Ch03 block-cipher-and-data-encryption-standard
 
Information and data security block cipher and the data encryption standard (...
Information and data security block cipher and the data encryption standard (...Information and data security block cipher and the data encryption standard (...
Information and data security block cipher and the data encryption standard (...
 
Substitution cipher
Substitution cipher Substitution cipher
Substitution cipher
 
CNIT 141: 9. Elliptic Curve Cryptosystems
CNIT 141: 9. Elliptic Curve CryptosystemsCNIT 141: 9. Elliptic Curve Cryptosystems
CNIT 141: 9. Elliptic Curve Cryptosystems
 
Public key cryptography and RSA
Public key cryptography and RSAPublic key cryptography and RSA
Public key cryptography and RSA
 
Substitution Cipher
Substitution CipherSubstitution Cipher
Substitution Cipher
 
Ecc2
Ecc2Ecc2
Ecc2
 
Cryptography
CryptographyCryptography
Cryptography
 
Cryptography and Message Authentication NS3
Cryptography and Message Authentication NS3Cryptography and Message Authentication NS3
Cryptography and Message Authentication NS3
 
Different types of Symmetric key Cryptography
Different types of Symmetric key CryptographyDifferent types of Symmetric key Cryptography
Different types of Symmetric key Cryptography
 
Alice & bob public key cryptography 101
Alice & bob public key cryptography 101Alice & bob public key cryptography 101
Alice & bob public key cryptography 101
 
Information and data security block cipher operation
Information and data security block cipher operationInformation and data security block cipher operation
Information and data security block cipher operation
 
CS6701 CRYPTOGRAPHY AND NETWORK SECURITY
CS6701 CRYPTOGRAPHY AND NETWORK SECURITYCS6701 CRYPTOGRAPHY AND NETWORK SECURITY
CS6701 CRYPTOGRAPHY AND NETWORK SECURITY
 
CS6701 CRYPTOGRAPHY AND NETWORK SECURITY
CS6701 CRYPTOGRAPHY AND NETWORK SECURITYCS6701 CRYPTOGRAPHY AND NETWORK SECURITY
CS6701 CRYPTOGRAPHY AND NETWORK SECURITY
 
Cipher techniques
Cipher techniquesCipher techniques
Cipher techniques
 
PUBLIC KEY ENCRYPTION
PUBLIC KEY ENCRYPTIONPUBLIC KEY ENCRYPTION
PUBLIC KEY ENCRYPTION
 
Introduction to Digital signatures
Introduction to Digital signaturesIntroduction to Digital signatures
Introduction to Digital signatures
 

Ähnlich wie Block Cipher Modes of Operation And Cmac For Authentication

Information Security
Information SecurityInformation Security
Information Securityraxosz
 
block ciphermodes of operation.pptx
block ciphermodes of operation.pptxblock ciphermodes of operation.pptx
block ciphermodes of operation.pptxDEEPAK948083
 
Comparative analysis on different DES model
Comparative analysis on different DES modelComparative analysis on different DES model
Comparative analysis on different DES modelSaeed Siddik
 
Ciphers modes
Ciphers modesCiphers modes
Ciphers modesAsad Ali
 
Block Cipher and Operation Modes
Block Cipher and Operation Modes Block Cipher and Operation Modes
Block Cipher and Operation Modes SHUBHA CHATURVEDI
 
Jaimin chp-8 - network security-new -use this - 2011 batch
Jaimin chp-8 - network security-new -use this - 2011 batchJaimin chp-8 - network security-new -use this - 2011 batch
Jaimin chp-8 - network security-new -use this - 2011 batchJaimin Jani
 
CR 06 - Block Cipher Operation.ppt
CR 06 - Block Cipher Operation.pptCR 06 - Block Cipher Operation.ppt
CR 06 - Block Cipher Operation.pptssuseraaf866
 
Data Encryption Standard (DES)
Data Encryption Standard (DES)Data Encryption Standard (DES)
Data Encryption Standard (DES)Haris Ahmed
 
CNIT 141: 5. More About Block Ciphers + Modular Arithmetic 2
CNIT 141: 5. More About Block Ciphers + Modular Arithmetic 2CNIT 141: 5. More About Block Ciphers + Modular Arithmetic 2
CNIT 141: 5. More About Block Ciphers + Modular Arithmetic 2Sam Bowne
 
THE UNIFIED OPERATION STRUCTURE FOR SYMMETRIC-KEY ALGORITHM
THE UNIFIED OPERATION STRUCTURE FOR SYMMETRIC-KEY ALGORITHMTHE UNIFIED OPERATION STRUCTURE FOR SYMMETRIC-KEY ALGORITHM
THE UNIFIED OPERATION STRUCTURE FOR SYMMETRIC-KEY ALGORITHMcscpconf
 
SymmetricCryptography-Part3 - Tagged.pdf
SymmetricCryptography-Part3 - Tagged.pdfSymmetricCryptography-Part3 - Tagged.pdf
SymmetricCryptography-Part3 - Tagged.pdfMohammedMorhafJaely
 
Block Ciphers Modes of Operation
Block Ciphers Modes of OperationBlock Ciphers Modes of Operation
Block Ciphers Modes of OperationRoman Oliynykov
 
CISSP Certification Security Engineering-Part2
CISSP Certification Security Engineering-Part2CISSP Certification Security Engineering-Part2
CISSP Certification Security Engineering-Part2Hamed Moghaddam
 

Ähnlich wie Block Cipher Modes of Operation And Cmac For Authentication (20)

Information Security
Information SecurityInformation Security
Information Security
 
block ciphermodes of operation.pptx
block ciphermodes of operation.pptxblock ciphermodes of operation.pptx
block ciphermodes of operation.pptx
 
Comparative analysis on different DES model
Comparative analysis on different DES modelComparative analysis on different DES model
Comparative analysis on different DES model
 
Ciphers modes
Ciphers modesCiphers modes
Ciphers modes
 
13528 l8
13528 l813528 l8
13528 l8
 
Encryption
EncryptionEncryption
Encryption
 
Block Cipher and Operation Modes
Block Cipher and Operation Modes Block Cipher and Operation Modes
Block Cipher and Operation Modes
 
Block Ciphers Modes of Operation
Block Ciphers Modes of OperationBlock Ciphers Modes of Operation
Block Ciphers Modes of Operation
 
Jaimin chp-8 - network security-new -use this - 2011 batch
Jaimin chp-8 - network security-new -use this - 2011 batchJaimin chp-8 - network security-new -use this - 2011 batch
Jaimin chp-8 - network security-new -use this - 2011 batch
 
CR 06 - Block Cipher Operation.ppt
CR 06 - Block Cipher Operation.pptCR 06 - Block Cipher Operation.ppt
CR 06 - Block Cipher Operation.ppt
 
unit 2.ppt
unit 2.pptunit 2.ppt
unit 2.ppt
 
Data Encryption Standard (DES)
Data Encryption Standard (DES)Data Encryption Standard (DES)
Data Encryption Standard (DES)
 
DEC algorithm
DEC algorithmDEC algorithm
DEC algorithm
 
CNIT 141: 5. More About Block Ciphers + Modular Arithmetic 2
CNIT 141: 5. More About Block Ciphers + Modular Arithmetic 2CNIT 141: 5. More About Block Ciphers + Modular Arithmetic 2
CNIT 141: 5. More About Block Ciphers + Modular Arithmetic 2
 
4.ppt
4.ppt4.ppt
4.ppt
 
THE UNIFIED OPERATION STRUCTURE FOR SYMMETRIC-KEY ALGORITHM
THE UNIFIED OPERATION STRUCTURE FOR SYMMETRIC-KEY ALGORITHMTHE UNIFIED OPERATION STRUCTURE FOR SYMMETRIC-KEY ALGORITHM
THE UNIFIED OPERATION STRUCTURE FOR SYMMETRIC-KEY ALGORITHM
 
ch06.ppt
ch06.pptch06.ppt
ch06.ppt
 
SymmetricCryptography-Part3 - Tagged.pdf
SymmetricCryptography-Part3 - Tagged.pdfSymmetricCryptography-Part3 - Tagged.pdf
SymmetricCryptography-Part3 - Tagged.pdf
 
Block Ciphers Modes of Operation
Block Ciphers Modes of OperationBlock Ciphers Modes of Operation
Block Ciphers Modes of Operation
 
CISSP Certification Security Engineering-Part2
CISSP Certification Security Engineering-Part2CISSP Certification Security Engineering-Part2
CISSP Certification Security Engineering-Part2
 

Mehr von Vittorio Giovara

Color me intrigued: A jaunt through color technology in video
Color me intrigued: A jaunt through color technology in videoColor me intrigued: A jaunt through color technology in video
Color me intrigued: A jaunt through color technology in videoVittorio Giovara
 
An overview on 10 bit video: UHDTV, HDR, and coding efficiency
An overview on 10 bit video: UHDTV, HDR, and coding efficiencyAn overview on 10 bit video: UHDTV, HDR, and coding efficiency
An overview on 10 bit video: UHDTV, HDR, and coding efficiencyVittorio Giovara
 
Introduction to video reverse engineering
Introduction to video reverse engineeringIntroduction to video reverse engineering
Introduction to video reverse engineeringVittorio Giovara
 
Fuzzing Techniques for Software Vulnerability Discovery
Fuzzing Techniques for Software Vulnerability DiscoveryFuzzing Techniques for Software Vulnerability Discovery
Fuzzing Techniques for Software Vulnerability DiscoveryVittorio Giovara
 
Parallel and Distributed Computing on Low Latency Clusters
Parallel and Distributed Computing on Low Latency ClustersParallel and Distributed Computing on Low Latency Clusters
Parallel and Distributed Computing on Low Latency ClustersVittorio Giovara
 
Software Requirements for Safety-related Systems
Software Requirements for Safety-related SystemsSoftware Requirements for Safety-related Systems
Software Requirements for Safety-related SystemsVittorio Giovara
 
Microprocessor-based Systems 48/32bit Division Algorithm
Microprocessor-based Systems 48/32bit Division AlgorithmMicroprocessor-based Systems 48/32bit Division Algorithm
Microprocessor-based Systems 48/32bit Division AlgorithmVittorio Giovara
 
Misra C Software Development Standard
Misra C Software Development StandardMisra C Software Development Standard
Misra C Software Development StandardVittorio Giovara
 
OpenSSL User Manual and Data Format
OpenSSL User Manual and Data FormatOpenSSL User Manual and Data Format
OpenSSL User Manual and Data FormatVittorio Giovara
 
Authenticated Encryption Gcm Ccm
Authenticated Encryption Gcm CcmAuthenticated Encryption Gcm Ccm
Authenticated Encryption Gcm CcmVittorio Giovara
 

Mehr von Vittorio Giovara (13)

Color me intrigued: A jaunt through color technology in video
Color me intrigued: A jaunt through color technology in videoColor me intrigued: A jaunt through color technology in video
Color me intrigued: A jaunt through color technology in video
 
An overview on 10 bit video: UHDTV, HDR, and coding efficiency
An overview on 10 bit video: UHDTV, HDR, and coding efficiencyAn overview on 10 bit video: UHDTV, HDR, and coding efficiency
An overview on 10 bit video: UHDTV, HDR, and coding efficiency
 
Introduction to video reverse engineering
Introduction to video reverse engineeringIntroduction to video reverse engineering
Introduction to video reverse engineering
 
Il Caso Ryanair
Il Caso RyanairIl Caso Ryanair
Il Caso Ryanair
 
I Mercati Geografici
I Mercati GeograficiI Mercati Geografici
I Mercati Geografici
 
Crittografia Quantistica
Crittografia QuantisticaCrittografia Quantistica
Crittografia Quantistica
 
Fuzzing Techniques for Software Vulnerability Discovery
Fuzzing Techniques for Software Vulnerability DiscoveryFuzzing Techniques for Software Vulnerability Discovery
Fuzzing Techniques for Software Vulnerability Discovery
 
Parallel and Distributed Computing on Low Latency Clusters
Parallel and Distributed Computing on Low Latency ClustersParallel and Distributed Computing on Low Latency Clusters
Parallel and Distributed Computing on Low Latency Clusters
 
Software Requirements for Safety-related Systems
Software Requirements for Safety-related SystemsSoftware Requirements for Safety-related Systems
Software Requirements for Safety-related Systems
 
Microprocessor-based Systems 48/32bit Division Algorithm
Microprocessor-based Systems 48/32bit Division AlgorithmMicroprocessor-based Systems 48/32bit Division Algorithm
Microprocessor-based Systems 48/32bit Division Algorithm
 
Misra C Software Development Standard
Misra C Software Development StandardMisra C Software Development Standard
Misra C Software Development Standard
 
OpenSSL User Manual and Data Format
OpenSSL User Manual and Data FormatOpenSSL User Manual and Data Format
OpenSSL User Manual and Data Format
 
Authenticated Encryption Gcm Ccm
Authenticated Encryption Gcm CcmAuthenticated Encryption Gcm Ccm
Authenticated Encryption Gcm Ccm
 

Kürzlich hochgeladen

Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 

Kürzlich hochgeladen (20)

Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 

Block Cipher Modes of Operation And Cmac For Authentication

  • 1. Block Cipher Modes of Operation Alberto Grand Politecnico di Torino Computer Systems Security – prof. Antonio Lioy
  • 2. What are modes of operation? Block ciphers only allow to encrypt entire blocks. What if our message is longer/shorter than the block size? We use modes of operation! Algorithms that exploit a block cipher to provide a service (e.g. confidentiality, authentication) 5 NIST-recommended modes providing confidentiality: ECB, CBC, CFB, OFB, CTR CMAC may be considered a block cipher mode of operation providing authentication. 2
  • 3. Electronic Codebook (ECB) Associates each possible plaintext block to a ciphertext block, like a codebook. Hello world! aY1:?§h24(r Requires padding Encryption/decryption of multiple blocks in parallel A 1-bit error in a ciphertext block garbles the corresponding decrypted block. 3
  • 4. Deficiencies of ECB Problems when the original message contains regular data patterns, because always encrypted in the same way. Only suitable for 1-block-sized data (e.g. a key) “The securest thing you can do with ECB is not use it!” 4
  • 5. Cipher Block Chaining (CBC) Allows the same plaintext blocks to be encrypted to different ciphertext blocks. Encrypted blocks are “chained” through XORing. Requires an initialisation vector (IV) Hello world q%1aX l’3z1$ IV CIPHER-1 CIPHER-1 CIPHER CIPHER IV q%1aX l’3z1$ Hello world 5
  • 6. Features of CBC No parallel encrypting , while parallel decrypting is possible. A 1-bit error affects two blocks: the corresponding block is garbled the corresponding bit is flipped in the next block Problem with the IV: 1-bit error only flips 1 bit in the 1st block, no garbled block. Hard to detect! Solutions: encipher the IV don’t transmit the IV, but compute it from a known value use authentication! 6
  • 7. Propagating CBC (PCBC) It’s a variation of CBC designed to propagate errors. It also involves the previous plaintext block in the XOR operation. Is error propagation desirable? It depends! NO if transmission errors YES if intentional, malicious changes Used in Kerberos v.4, but abandoned starting from v.5 because inversion of two adjacent blocks does not affect subsequent blocks. 7
  • 8. Cipher Feedback (CFB) Turns a block cipher into a stream cipher, message size need not be multiple of block size. Very similar to CBC (ciphering and XORing are swapped). IV IV CIPHER CIPHER CIPHER CIPHER Hello world q%1aX l’3z1$ q%1aX l’3z1$ Hello world 8
  • 9. Features of CFB No parallel encrypting of multiple blocks – although some form of pipelining is possible. Parallel decryption is possible Only the forward function is used. A 1-bit error : flips corresponding bit in current segment may garble the next ⌈b/s⌉ segments This is highly noticeable, so CFB is less exposed to the risk of deliberate bit changes. 9
  • 10. OpenPGP with CFB Widespread standard for exchanging encrypted e- mail messages. A variant of CFB is used for symmetric cryptography: a random block R is enciphered and used as an IV the first 2 bytes of R are replicated in the 2nd block for integrity checks Leak of information! About 215 set-up attempts + about 215 attempts per block enable an attacker to discover the first 2 bytes of any block. PGP stands for “Pretty Good Privacy”! 10
  • 11. Output Feedback (OFB) Turns a block cipher into a stream cipher. It features the iteration of the forward cipher on an IV. IV IV CIPHER CIPHER CIPHER CIPHER Hello world q%1aX l’3z1$ q%1aX l’3z1$ Hello world 11
  • 12. Features of OFB (i) Neither encryption nor decryption can be performed in parallel due to block chaining. If IV available prior to ciphertext, keystream blocks can be pre-computed. IV needs to be a nonce, otherwise know-plaintext attack is possible (under same key): an attacker who knows the ith plaintext block can easily reconstruct the ith keystream block he can then understand the ith block of every message 12
  • 13. Features of OFB (ii) A 1-bit error in a ciphertext block only produces a bit-specific error in the corresponding block: good for error correcting codes, which work even when applied before encryption bad because it’s hardly noticeable! A 1-bit error in the IV causes all blocks to be garbled. 13
  • 14. Counter (CTR) Turns a block cipher into a stream cipher. Keystreams blocks are generated by encrypting a set of counter blocks. CTR block #1 CTR block #2 CTR block #1 CTR block #2 CIPHER CIPHER CIPHER CIPHER Hello world q%1aX l’3z1$ q%1aX l’3z1$ Hello world 14
  • 15. Features of CTR (i) Both encryption and decryption can be performed fully in parallel on multiple blocks. Provides true random access to ciphertext blocks. If the initial counter block is available, keystream blocks may be computed prior to receiving the ciphertext . It’s simple! No inverse cipher function is required for decryption. It is becoming increasingly used. 15
  • 16. Features of CTR (ii) Assurance is required that: counters do not repeat within a single message counters do not repeat across all messages under a given key Done through an incrementing function. Usually, first b-m bits are a message nonce, following m bits are incremented (message length < 2m blocks). Alternatively, counters are concatenated (total length of all messages < 2m blocks) 16
  • 17. Padding: pros and cons Increases amount of data to be sent with no increase of transmitted information. With regular data pattern, padding with random values makes cryptanalysis more difficult. When padding scheme in known, it may expose exchange of messages to timing attacks. OpenSSL prior to v.0.9.6c with CBC-MAC MAC is located at the end, padding is needed Message only evaluated if padding is correct Attacker may systematically find out bits starting from second-to-last block. 17
  • 18. Ciphertext Stealing (CTS) Sometimes padding is unacceptable limited bandwidth exchange of many messages that would require padding We want to avoid extra data, but cipher blocks need entire blocks! Solution: use CTS! by accomplishing some extra operations, enables to produce as many output data as given in input we pay in terms of complexity and execution time we still cannot encyrpt very short messages (< 1 block). Usually not worth it! 18
  • 19. Related-mode attacks (i) Attacks against a given block cipher mode of operation: we must know which mode is being used we need an oracle of another mode, but with the same underlying cipher 19
  • 20. Related-mode attacks (ii) Using ECB against CTR MU intercepted Ci and C0 He chooses P’i = C0 + i C’i = CIPHk(P’i) Since Ci = CIPHk(C0 + i) ⊕ Pi he can compute Pi = Ci ⊕ C’i. Only one chosen plaintext query is required. 20
  • 21. The CMAC Mode for Authentication
  • 22. What is CMAC? The 5 modes of operation provide confidentiality, but we need authentication and integrity. We must use a mode for authentication! it implies integrity A MAC algorithm provides stronger assurance of data integrity than a checksum. CMAC exploits the CBC mode of operation to chain cipherblocks and obtain a value which depends on all previous blocks. 22
  • 23. Once upon time… …there was an insecure mode for authentication named CBC-MAC: only provided security for messages whose length was a multiple of the block size attacker could change the whole message (except last block) without notice when CBC was used for encryption with the same key. Black & Rogaway made it secure for arbitrary-length messages using 2 extra keys (XCBC). Iwata & Kurosawa derived the extra keys from the shared secret (OMAC, OMAC1 = CMAC). 23
  • 24. Subkey generation 2 subkeys K1, K2 are generated from the key Can be computed once and stored (must be secret!) Rb is a value related to the block size Rb = 012010000111 when b = 128 Rb = 05911011 when b = 64 L ⃪ CIPHk (0b) if MSB1(L) = 0 then K1 ⃪ L << 1 else K1 ⃪ (L << 1) ⊕ Rb if MSB1(K1) = 0 then K2 ⃪ K1 << 1 else K2 ⃪ (K1 << 1) ⊕ Rb Finite-field mathematics are involved! 24
  • 25. CMAC generation if Mlen = 0 then n ⃪ 1 else n ⃪ ⌈ len / b⌉ ⌈M ⌉ if M*n complete then Mn ⃪ M*n ⊕ K1 else Mn ⃪ (M*n ‖10j) ⊕ K1 C0 ⃪ 0b for i ⃪ 1 to n do Ci ⃪ CIPHk (Ci-1 ⊕ Mi) T ⃪ MSBTlen(Cn) Formatting of the message does not need to complete before starting CBC encryption. 25
  • 26. CMAC verification Receiver may decrypt data with the appropriate algorithm. He then applies CMAC generation process to the data. He compares the generated MAC with the one he received: if identical, message is authentic if not, in-transit errors or attack! 26
  • 27. Length of the MAC (i) When verification fails, we are sure the message is inauthentic. But when it succeeds, we are not 100% sure it is authentic! MU may have simply guessed the right MAC for a message His chances of succeeding are 1/2Tlen Longer MACs provide higher assurance, but use more bandwidth/storage space. If attacker can make more than one attempt his chances increase! 27
  • 28. Length of the MAC (ii) For most applications, 64 bits are enough. NIST provides guidance. Two parameters: MaxInvalids : maximum number of attempts before system halts Risk : highest acceptable probability that an inauthentic message is mistakenly trusted. Tlen ≥ log2 (MaxInvalids / Risk) e.g. MaxInvalids = 1 Risk = 0.25 ⇒ Tlen = 2 bits 28
  • 29. Message span of the key (i) It’s the total number of messages to which CMAC is applied with the same key. Affects security against attacks based on detecting 2 distinct messages that lead to the same MAC. We call this event a collision. This happens because possible messages are much more than possible MACs. It should not occur during the lifetime of a key. Message span should be limited! 29
  • 30. Message span of the key (ii) Probability says that a collision is expected among a set of 2b/2 messages. For general purpose applications: no more than 248 messages when b = 128 no more than 221 messages when b = 64 For higher level of security: no more than 248 message blocks when b = 128 (222 GB) no more than 221 message blocks when b = 64 (16 MB) Sometimes message span is time-limited. 30
  • 31. Protection vs. replay attacks No protection against replay attacks is ensured by CMAC: Malicious user may intercept a message with its correct MAC and send it at a later time. It’s perfectly valid! Such protection must be provided by protocol or application that uses CMAC for authentication: sequential number timestamp message nonce etc. 31