2 Basic Security Concepts
2.3 MODES OF OPERATION
The K-bit CFB mode of operation is shown in Figure 2.8. The CFB mode treats the message as a stream of s bits. The plaintext message is chained (using XOR) to the output of the block cipher to obtain the ciphertext. The ciphertext is also used as feedback for the next stage, as shown in the figure. The specification allows any number of bits (1, 8, or 64) to be used in the feedback. The CFB mode is typically used for stream data encryption and authentication.
CFB uses the block cipher in the same direction (either encryption or decryption) at both ends. CFB mode also exhibits chaining dependencies, so reordering ciphertext blocks affects decryption. Proper decryption of a block requires the preceding ceil(n/r) ciphertext blocks to be correct. This mode is also self-synchronizing, but needs ceil(n/r) correct ciphertext blocks to do so. An error in the jth ciphertext block affects the next ceil(n/r) blocks. The effect of such an error on the decryption of the jth ciphertext block itself is predictable: the corrupted ciphertext bits flip exactly the same bits of the recovered plaintext. This property, however, could be used by an adversary to their advantage.
We next consider the K-bit OFB mode of operation. This mode can also operate as a stream cipher. In this case the keystream is generated independently of the plaintext and ciphertext messages, as shown in Figure 2.9. The output of the encryption operation is not only chained to the plaintext message (via an XOR operation), but also is used as a feedback for the next round. This mode is typically used to perform stream encryption.
Since the information which is used as the feedback is independent of the message, it can be computed in advance. Thus, operations such as encryption or decryption can be done very fast if enough memory resources exist to store the keystream in advance. The OFB mode ensures that, if ciphertext is garbled, then only the corresponding plaintext is garbled. Further, the recovered plaintext will have predictable changes. This mode of operation, however, cannot self-synchronize after loss of ciphertext bits. In this case explicit self-synchronization is required. This implies that sender and receiver must be synchronized during transmission, which may increase the overhead associated with this scheme.
Figure 2.8. CFB mode of operation.
Figure 2.9. OFB mode of operation.
We next consider the CTR mode of operation, shown in Figure 2.10. This mode encrypts a counter value and the output of the encryption is then chained to the plaintext. Further, the counter value is changed for every plaintext block. Thus, the counter value is never reused. Typically, this mode is used to ensure high-speed network encryption. This is because the keystream can be generated in advance and encryptions or decryptions done in parallel. In addition, this mode also allows random access to encrypted data blocks. Thus, decryption can start at any point rather than being forced to start at the beginning (assuming the value of the counter is known for the specific block of interest). In terms of error recovery, this mode has the property that, if a ciphertext block is garbled, then only the corresponding plaintext is garbled. When using this mode, it is important to ensure that the counter values are not reused as long as the key does not change. Otherwise, the attacker can obtain extra information by computing the XOR of two ciphertext blocks encrypted under the same counter value: the result is the XOR of the matching plaintext blocks.
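The error-propagation and counter-reuse properties described for CFB, OFB and CTR above can be checked directly. The following is an added example, not code from the book: it models the three modes over a toy block cipher (a four-round Feistel network whose round function is SHA-256, constructed here only so the example runs offline and standing in for a real cipher such as AES), flips one bit of one ciphertext block, and reports which recovered plaintext blocks are garbled. Full-block CFB is used, so ceil(n/r) = 1. All keys, IVs and messages are constructed sample values.

```python
import hashlib

BLOCK = 16   # n = 128-bit blocks
HALF = BLOCK // 2

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def _f(key, rnd, half):
    # keyed round function of the toy Feistel cipher (constructed stand-in for AES)
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:HALF]

def block_encrypt(key, block):
    left, right = block[:HALF], block[HALF:]
    for rnd in range(4):
        left, right = right, _xor(left, _f(key, rnd, right))
    return left + right

def block_decrypt(key, block):
    left, right = block[:HALF], block[HALF:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _f(key, rnd, left)), left
    return left + right

def cfb_encrypt(key, iv, pt):
    # full-block CFB (r = n, so ceil(n/r) = 1): the ciphertext block is the feedback
    out, feedback = [], iv
    for p in _blocks(pt):
        c = _xor(p, block_encrypt(key, feedback))
        out.append(c)
        feedback = c
    return b"".join(out)

def cfb_decrypt(key, iv, ct):
    # decryption also runs the block cipher in the forward direction
    out, feedback = [], iv
    for c in _blocks(ct):
        out.append(_xor(c, block_encrypt(key, feedback)))
        feedback = c
    return b"".join(out)

def ofb_xcrypt(key, iv, data):
    # keystream depends only on (key, iv), so one function encrypts and decrypts
    out, state = [], iv
    for d in _blocks(data):
        state = block_encrypt(key, state)
        out.append(_xor(d, state))
    return b"".join(out)

def ctr_xcrypt(key, nonce, data, start=0):
    # keystream block j = E_K(nonce || j); `start` gives random access to block j
    out = []
    for j, d in enumerate(_blocks(data), start):
        out.append(_xor(d, block_encrypt(key, nonce + j.to_bytes(HALF, "big"))))
    return b"".join(out)

MODES = {"cfb": (cfb_encrypt, cfb_decrypt), "ofb": (ofb_xcrypt, ofb_xcrypt),
         "ctr": (ctr_xcrypt, ctr_xcrypt)}

def corrupted_blocks(mode, key, iv, pt, flip_block, flip_mask):
    """Flip bits in one ciphertext block; return (indices of garbled plaintext
    blocks, True if the flipped block decrypts to plaintext XOR mask)."""
    enc, dec = MODES[mode]
    ct = bytearray(enc(key, iv, pt))
    start = flip_block * BLOCK
    ct[start:start + BLOCK] = _xor(ct[start:start + BLOCK], flip_mask)
    recovered = dec(key, iv, bytes(ct))
    garbled = [i for i, (p, r) in enumerate(zip(_blocks(pt), _blocks(recovered))) if p != r]
    predictable = _blocks(recovered)[flip_block] == _xor(_blocks(pt)[flip_block], flip_mask)
    return garbled, predictable

def counter_reuse_leaks_xor(key, nonce, pt1, pt2):
    """Same (key, counter) used twice: C1 XOR C2 equals P1 XOR P2."""
    return _xor(ctr_xcrypt(key, nonce, pt1), ctr_xcrypt(key, nonce, pt2)) == _xor(pt1, pt2)

# constructed sample values
KEY = b"constructed-key!"
IV = bytes(range(BLOCK))
NONCE = b"nonce-01"
PT = b"".join(f"block {i:02d} ".encode().ljust(BLOCK, b".") for i in range(3))
MASK = b"\x01" + bytes(BLOCK - 1)   # flips one bit of a block

if __name__ == "__main__":
    for mode, iv in (("cfb", IV), ("ofb", IV), ("ctr", NONCE)):
        print(mode, corrupted_blocks(mode, KEY, iv, PT, 1, MASK))
    print("counter reuse leaks P1^P2:", counter_reuse_leaks_xor(KEY, NONCE, PT, PT[::-1]))
```

Flipping a bit in ciphertext block 1 gives `([1, 2], True)` for CFB (block 1 is predictably altered, block 2 is garbled, and block 3 resynchronizes after ceil(n/r) = 1 block) and `([1], True)` for OFB and CTR. `ctr_xcrypt(..., start=2)` decrypts from the third block without touching the first two, which is the random-access property; `counter_reuse_leaks_xor` shows why a (key, counter) pair must never repeat.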
2.4 MISCELLANEOUS PROPERTIES
In addition to the fundamental properties discussed earlier, there are several other properties that are made use of in the various security mechanisms discussed throughout the book. In this section, we explain these properties. We start off by looking at hash chains. More specifically, we consider the pre-image resistance property of hashing algorithms and describe this again briefly. We do this because this property is used in several security mechanisms.
2.4.1 One-Way Property of Hash Chains
One application of the pre-image resistance property of hash algorithms is in the context of one-time passwords. Note, however, that this property is also used in other schemes such as TESLA, which we discuss later in this chapter. The one-time password problem consists of a party making use of passwords in order to prove his or her identity to the other party. Further, every password is used only once. We next explain this property.
Consider two parties, Alice and Bob. Alice is considered to be the claimant and is expected to verify her identity to the verifier Bob. We next explain how this can be done using the one-way hash function H. Initially Alice chooses a secret w as well as a constant t. The constant t indicates the number of times verification can be done. Then Alice hashes the secret w t times using the hash function H to get the value denoted as H^t(w). Then Alice transfers H^t(w) securely to Bob. This secure transfer can be accomplished through the transmission of a digital signature by Alice on the hash value transferred. This is the initial shared secret between Alice and Bob. Now during the operation of the protocol, when Alice has to identify herself to Bob for the ith time (let us say during the initiation of the ith session), Alice computes H^{t-i}(w) and transmits the value to Bob. Bob checks that the value is correct by calculating H^i[H^{t-i}(w)] and verifying whether the outcome equals the initial value H^t(w) transferred securely by Alice. If the verification holds, Bob accepts the claim of Alice, and otherwise not. Note that this scheme requires that both Alice and Bob be synchronized in terms of the number of identification sessions completed. Further, this scheme also limits the number of identification sessions to t. Once this number of sessions expires, the whole process is repeated again. A scheme based on this idea, called Lamport’s one-way function, based on one-time passwords, has been proposed [7]. In addition, this concept of hash chains also arises in several places when we look at the various functions in ad hoc networks.
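The one-time password exchange just described, as an added example that is not part of the book: SHA-256 stands in for the one-way hash function H, Alice's ith password is H^{t-i}(w), and Bob's check is exactly the one in the text, H^i applied to the received value compared against the stored H^t(w). The `Verifier` class and the bookkeeping of which session is expected next are this example's own additions, included to show why the two sides must stay synchronized and what happens when a stale password is replayed or the chain of t sessions is used up. The secret and t are constructed sample values.

```python
import hashlib
import secrets

def H(x):
    # the one-way hash function H of the text, instantiated here with SHA-256
    return hashlib.sha256(x).digest()

def hash_iter(x, k):
    """H^k(x): apply H k times (H^0(x) = x)."""
    for _ in range(k):
        x = H(x)
    return x

def initial_value(w, t):
    """H^t(w), the value Alice transfers to Bob securely (e.g. under her signature)."""
    return hash_iter(w, t)

def password_for_session(w, t, i):
    """Alice's password for the ith session: H^{t-i}(w). Session t reveals w itself."""
    if not 1 <= i <= t:
        raise ValueError("chain supports sessions 1..t only; re-initialise with a new w")
    return hash_iter(w, t - i)

def verify(initial, t, i, candidate):
    """Bob's check from the text: H^i(candidate) must equal the stored H^t(w)."""
    return 1 <= i <= t and hash_iter(candidate, i) == initial

class Verifier:
    """Bob with the session bookkeeping the scheme requires: only the next
    expected session number is accepted, so a replayed earlier password fails."""

    def __init__(self, initial, t):
        self.initial, self.t, self.done = initial, t, 0

    def identify(self, i, candidate):
        if i != self.done + 1 or not verify(self.initial, self.t, i, candidate):
            return False
        self.done = i
        return True

def run_protocol(w, t):
    """Drive t identification sessions, then attempt a replay and a (t+1)th session."""
    bob = Verifier(initial_value(w, t), t)
    passwords = [password_for_session(w, t, i) for i in range(1, t + 1)]
    accepted = [bob.identify(i, pw) for i, pw in enumerate(passwords, 1)]
    replay_accepted = bob.identify(1, passwords[0])   # stale value, wrong session number
    try:
        password_for_session(w, t, t + 1)
        exhausted = False
    except ValueError:
        exhausted = True   # chain used up: Alice must pick a new w and start over
    return {"accepted": accepted, "replay_accepted": replay_accepted, "exhausted": exhausted}

if __name__ == "__main__":
    print(run_protocol(secrets.token_bytes(32), t=5))
```

Note that a replayed password fails even without the session counter: H^i applied to H^{t-i'}(w) for an earlier session i' yields H^{t+i-i'}(w), not H^t(w), which is why the verify step in the text suffices as long as both sides agree on i. Implementations of Lamport's scheme commonly store the last accepted value and apply H once per session instead of i times to the initial value; the check is equivalent.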
2.4.2 TESLA
We next consider another primitive that is widely used, especially in the context of broadcast authentication. Broadcasting and multicasting are used widely in a variety of applications in wireless ad hoc networks. Example applications include IP multicast, situational awareness applications in the battlefield environment, and emergency response in ad hoc networks. Such broadcast/multicast applications also need security. However, security solutions designed for point-to-point communication are not often applicable to broadcast/multicast communication. This is particularly true regarding authentication.
To understand this, consider point-to-point communication, also referred to as unicast communication. Message authentication in such a case can be achieved through the use of symmetric, asymmetric schemes or message digests, as discussed earlier. A typical authentication approach using asymmetric cryptography is based on the use of digital signatures. As discussed earlier, though, the digital signature approach is typically expensive, particularly in terms of the computational overhead. The generation, verification, and communication costs associated with digital signatures are very high. This might make this approach impractical in resource-constrained networks such as ad hoc networks.
The other alternative in such a case is to make use of symmetric key concepts. The use of message digests can provide individual authentication in point-to-point communication