CRYPTOGRAPHY AND NETWORK SECURITY PRINCIPLES AND PRACTICE William Stallings

1. Block cipher modes of operation
Second Part

2. IV
• All these modes (except ECB) require an initialization vector, or IV --
a sort of 'dummy block' to kick off the process for the first real block,
and also to provide some randomization for the process. There is no
need for the IV to be secret, in most cases, but it is important that it
is never reused with the same key.
• The size of the IV depends on the encryption algorithm and on the
cryptographic protocol in use and is normally as large as the block
size of the cipher or as large as the encryption key
• The IV must be known to the recipient of the encrypted information
to be able to decrypt it. There are a number of ways to ensure that:
by transmitting the IV along with the packet, by agreeing on it
beforehand during the key exchange or the handshake,

3. Cipher modes of operation
• Any block cipher is essentially just a
monoalphabetic substitution cipher using big
characters (on 64 bits)
• �The same plaintext and the same key will
always generate the same ciphertext –this may
be exploited sometimes
• �E.g., this may be exploited to break the header
of a document if we know its structure
• �Five modes of operation (originally for DES,
applicable to any symmetric cipher) have been
defined
• �Describe them briefly in the following

4. Electronic Code Book (ECB) Mode
• This is the simplest way to use the cipher: break
the plaintext into 64-bit blocks and encrypt each
of them with the same key
• The last block should be padded to 64-bit if it is
shorter
• Note: same block and same key always yields
same cipher block
• This can be easily attacked:
• If the message always starts with a predefined
header, then the attacker may have a number of
known plain-cipher pairs

6. Cipher Block Chaining Mode (CBC)
• �Devised to defeat the previous
attack
• �All cipher blocks will be chained
so that if one is modified, the
cipher text cannot be decrypted
correctly (will only produce
“garbage”)
• �Each plaintext block is XORed
with the previous cipher block
before encryption
• �The first plaintext block is
XORed with an initialization vector
IV
• �An initialization vector (IV), also
known as Initialization Value, is a term
in Cryptography. IV is a block of bits
that is combined with the first block of
data in any of several modes of a
block cipher.

7. Cipher Feedback Mode (CFB)
• makes a block cipher into a self-
synchronizing stream cipher. �
• Use a shift register (64 bit for DES, 128 bit for AES, etc)
that is initially set to an initialization vector IV
• Encrypt the content of the register, take leftmost byte of
the cipher and XOR with the current plaintext byte P –the
result C is transmitted, register is left shifted with one
byte and C is placed in the rightmost byte of the register
• Decryption works exactly the same way: note that one
must use the encryption box here

10. Output Feedback Mode (OFB)
(also known as Stream Cipher Mode)
• If affecting 64 bits (for DES, 128 bits for AES) by one
single inverted bit is too much for an application, use
OFB
• Encrypt an IV to get an output block; this block is them
encrypted to get a second block, etc. –this is the key
stream and it will be treated as a one-time pad and
XORed with the plaintext to get the ciphertext
• Key stream is independent of the data and can be
computed in advance
• For decryption generate the same key stream using the
IV and the key
• 1-bit error in the transmission only affects 1-bit in the
ciphertext and in the decryption

13. Counter Mode
• �Files are sometimes kept on computers in encrypted form�
• All modes of operations except ECB make random access to the file
impossible: to access data at the end of the file one has to decrypt
everything�
• Counter Mode fixes this problem
• �Plaintext is not encrypted directly
• �IV plus a constant is encrypted and the resulting ciphertext is
XORed with the plaintext –add 1 to IV in each step
• �Note: if the same IV is used twice with the same key, then
cryptanalyst may XOR the ciphers to get the XOR of the plaintexts –
this could be used in an attack�
– IV must be random!�
– Encryption/decryption in parallel for multiple blocks�
– Simple: decryption algorithm not needed�
– Random access to the file

15. RC5
• Symmetric encryption algorithm developed by Rivest; in (RSA DATA
SECURITY)
• RSA (which stands for Rivest, Shamir and Adleman who first publicly came
up with an encrption algo for public-key cryptography.
• �Characteristics of RC5
– �Suitable for hardware and software: uses only common operations found on
microprocessors
– �Fast: simple and word oriented
– �Adaptable to processors of different word lengths:
– �Variable number of rounds: number of rounds is the 2nd
parameter
– �Variable-length key: key length is the 3rdparameter of RC5
– �Simple: easy to implement and analyze
– �Low memory requirement: suitable for smart cards or other devices with limited
memory
– �High security
– �Data-dependent rotations

16. RC5
• Parameters
– w is the word size in bits –RC5 encrypts blocks of 2 words. Allowed values: 16,
32, 64
– r is the number of rounds. Allowed values: 0,1,…,255
– b is the number of 8-bit bytes in the secret key K. Allowed values: 0,1,…,255
• A specific version of RC5 is denoted RC5-w/r/b
– The author advises to use RC5-32/12/16 as the “nominal” version
– That means: 64-bit plaintext/ciphertext blocks, 12 rounds, 128-bit key
• Algorithm
– Key expansion
– Input manipulation
• �Details are on the following slides:
– where addition and subtraction (+ and -) are modulo 2w
– bitwise XOR is ⊕
– x<<<y is the circular left-shift of x by y bits
– x>>>y is the circular right-shift of word x by y bits

18. RC4 Stream Cipher
• This is the most popular symmetric stream
cipher
• Designed by Rivest for RSA Security
• Used in SSL/TLS (Secure Sockets
Layer/Transport Layer Security) standards for
secure communication between Web browsers
and servers
• Used in WEP, part of the IEEE 802.11 wireless
LAN standard
• RC4 was kept as a trade secret by RSA Inc but
got anonymously posted on the Internet in 1994

19. Stream cipher structure
• �Process the message byte by byte (as a stream)
• �Typically have a (pseudo) random stream key that is
XORed with plaintext bit by bit
• �Randomness of stream key completely destroys any
statistically properties in the message
• �Ci= Mi XOR Stream Key i
• �The simplest encryption/decryption algorithm possible!
• �A stream cipher is similar to the one-time pad
discussed a few lectures back
• ��One must never reuse stream key
– �Otherwise can remove effect and recover messages
– �XOR two ciphertexts obtained with the same key stream to
obtain the XOR of the plaintext.

21. Stream cipher design
• �Key stream should have a large period –a
pseudorandom number generator uses a function that
produces a deterministic (if given the same input
information will always produce the same output )
stream of bits that eventually repeats
• �If treated as a stream of bytes, all 255 values should
occur with the same frequency
• �Key should be long enough to protect against brute-
force attack
• �At least 128 bits
• �Advantage over block ciphers: generating the stream
key is much faster than encrypting and decrypting and
less code is needed

22. RC4 algorithm
• Key length is variable: from 1 to 256 bytes
• Based on the key initialize a 256-byte
state vector S: S[0…255]
• At all times S contains a permutation of
the numbers 0, 1, …, 255
• For encryption and decryption a byte k is
selected from S and the entries in S are
permuted