Block Cipher Modes of Operation
Alberto Grand
Politecnico di Torino
What are modes of operation?
Block ciphers only allow encrypting entire blocks. What if our message is longer/shorter than the block size?
We use modes of operation!
Algorithms that exploit a block cipher to provide a service
(e.g. confidentiality, authentication)
5 NIST-recommended modes providing confidentiality:
ECB, CBC, CFB, OFB, CTR
CMAC may be considered a block cipher mode of operation
Electronic Codebook (ECB)
Associates each possible plaintext block to a ciphertext block, like a codebook.
[Diagram: ECB encryption of the plaintext "Hello world!" block by block into ciphertext]
Requires padding
Encryption/decryption of multiple blocks in parallel
A 1-bit error in a ciphertext block garbles the
Deficiencies of ECB
Problems when the original message contains regular data patterns, because they are always encrypted in the same way.
Only suitable for 1-block-sized data (e.g. a key)
Cipher Block Chaining (CBC)
Allows the same plaintext blocks to be encrypted to different ciphertext blocks.
Encrypted blocks are “chained” through XORing.
Requires an initialisation vector (IV)
[Diagram: CBC encryption and decryption of "Hello world" with an IV, CIPHER and CIPHER-1 blocks chained by XOR]
Features of CBC
No parallel encrypting, while parallel decrypting is possible.
A 1-bit error affects two blocks:
the corresponding block is garbled
the corresponding bit is flipped in the next block
Problem with the IV: 1-bit error only flips 1 bit in the 1st block, no garbled block. Hard to detect!
Solutions:
encipher the IV
don’t transmit the IV, but compute it from a known value
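The two error-propagation cases above, as an added Go example that is not part of the original slides; it uses AES-128 and the CBC implementation from the Go standard library, and the key, IV and plaintext are constructed demo values:

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"math/bits"
)

// bitDiffPerBlock counts, block by block, how many bits differ between a and b.
func bitDiffPerBlock(a, b []byte, bs int) []int {
	var out []int
	for i := 0; i+bs <= len(a); i += bs {
		n := 0
		for j := i; j < i+bs; j++ {
			n += bits.OnesCount8(a[j] ^ b[j])
		}
		out = append(out, n)
	}
	return out
}

// cbcFlipDemo encrypts three whole blocks in CBC mode, flips one bit in
// ciphertext block blk (or in the IV when blk < 0), decrypts, and returns how
// many plaintext bits differ in each block.
func cbcFlipDemo(blk int) []int {
	key := []byte("0123456789abcdef") // constructed demo key, not a real one
	iv := []byte("fedcba9876543210")  // constructed demo IV
	pt := []byte("Hello CBC world!Hello CBC world!Hello CBC world!")
	b, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(b, iv).CryptBlocks(ct, pt)
	iv2 := append([]byte{}, iv...) // copies, so the originals stay intact
	ct2 := append([]byte{}, ct...)
	if blk < 0 {
		iv2[0] ^= 0x01 // transmission error in the IV
	} else {
		ct2[blk*16] ^= 0x01 // transmission error in ciphertext block blk
	}
	out := make([]byte, len(ct2))
	cipher.NewCBCDecrypter(b, iv2).CryptBlocks(out, ct2)
	return bitDiffPerBlock(pt, out, 16)
}
```

cbcFlipDemo(1) leaves block 0 intact, garbles block 1 and flips exactly one bit in block 2; cbcFlipDemo(-1) flips only one bit in block 0, which is why an IV error is so hard to notice.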
Propagating CBC (PCBC)
It’s a variation of CBC designed to propagate errors. It also involves the previous plaintext block in the XOR operation.
Is error propagation desirable? It depends!
NO if transmission errors
YES if intentional, malicious changes
Used in Kerberos v.4, but abandoned starting from v.5 because inversion of two adjacent blocks does not affect subsequent blocks.
Cipher Feedback (CFB)
Turns a block cipher into a stream cipher, message size need not be a multiple of the block size.
Very similar to CBC (ciphering and XORing are swapped).
[Diagram: CFB encryption and decryption of "Hello world" with an IV; each CIPHER output is XORed with the plaintext and fed back]
Features of CFB
No parallel encrypting of multiple blocks – although some form of pipelining is possible.
Parallel decryption is possible
Only the forward function is used.
A 1-bit error:
flips corresponding bit in current segment
may garble the next ⌈b/s⌉ segments
This is highly noticeable, so CFB is less exposed
OpenPGP with CFB
Widespread standard for exchanging encrypted e-mail messages.
A variant of CFB is used for symmetric
cryptography:
a random block R is enciphered and used as an IV
the first 2 bytes of R are replicated in the 2nd block for integrity checks
Leak of information! About 2^15 set-up attempts + about 2^15 attempts per block enable an attacker to discover the first 2 bytes of any block.
Output Feedback (OFB)
Turns a block cipher into a stream cipher.
It features the iteration of the forward cipher on an IV.
[Diagram: OFB encryption and decryption of "Hello world"; the IV is repeatedly passed through CIPHER and each output is XORed with the plaintext]
Features of OFB (i)
Neither encryption nor decryption can be performed
in parallel due to block chaining.
If IV available prior to ciphertext, keystream blocks
can be pre-computed.
IV needs to be a nonce, otherwise a known-plaintext attack is possible (under the same key):
an attacker who knows the ith plaintext block can easily
reconstruct the ith keystream block
Features of OFB (ii)
A 1-bit error in a ciphertext block only produces a
bit-specific error in the corresponding block:
good for error correcting codes, which work even when
applied before encryption
bad because it’s hardly noticeable!
A 1-bit error in the IV causes all blocks to be
Counter (CTR)
Turns a block cipher into a stream cipher.
Keystream blocks are generated by encrypting a set of counter blocks.
[Diagram: CTR encryption and decryption of "Hello world"; CTR block #1 and CTR block #2 are passed through CIPHER and the outputs XORed with the plaintext/ciphertext]
Features of CTR (i)
Both encryption and decryption can be performed fully in parallel on multiple blocks.
Provides true random access to ciphertext blocks.
If the initial counter block is available, keystream blocks may be computed prior to receiving the ciphertext.
It’s simple!
No inverse cipher function is required for decryption.
Features of CTR (ii)
Assurance is required that:
counters do not repeat within a single message
counters do not repeat across all messages under a given
key
Done through an incrementing function.
Usually, the first b-m bits are a message nonce, the following m bits are incremented (message length < 2^m blocks).
Alternatively, counters are concatenated (total
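The nonce||counter construction, the message-length bound and random access to a single block, as an added Go example that is not from the slides; it assumes AES-128 with a 96-bit message nonce and a 32-bit counter (so b-m = 96, m = 32), and the function names are chosen here:

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"errors"
)

const nonceLen = 12 // nonce||counter layout: 96-bit message nonce, 32-bit counter

// ctrBlockAt XORs block i of msg (possibly a partial last block: CTR needs
// no padding) with CIPH_k(nonce || i), the counter block being the nonce
// followed by the big-endian 32-bit block index. Same operation for
// encryption and decryption; no other block is needed (random access).
func ctrBlockAt(key, nonce, msg []byte, i uint32) ([]byte, error) {
	b, err := aes.NewCipher(key)
	if err != nil || len(nonce) != nonceLen || int(i)*16 >= len(msg) {
		return nil, errors.New("ctr: bad key/nonce length or block index")
	}
	cb := make([]byte, 16)
	copy(cb, nonce)
	binary.BigEndian.PutUint32(cb[nonceLen:], i)
	b.Encrypt(cb, cb) // cb now holds keystream block i
	start, end := int(i)*16, int(i)*16+16
	if end > len(msg) {
		end = len(msg)
	}
	out := make([]byte, end-start)
	for j := range out {
		out[j] = msg[start+j] ^ cb[j]
	}
	return out, nil
}

// ctrCrypt processes a whole message, refusing one whose block count would
// make the 32-bit counter wrap and repeat under the same nonce and key.
func ctrCrypt(key, nonce, msg []byte) ([]byte, error) {
	nBlocks := (uint64(len(msg)) + 15) / 16
	if nBlocks > 1<<32 {
		return nil, errors.New("ctr: more than 2^32 blocks, counter would repeat")
	}
	out := make([]byte, 0, len(msg))
	for i := uint64(0); i < nBlocks; i++ {
		blk, err := ctrBlockAt(key, nonce, msg, uint32(i))
		if err != nil {
			return nil, err
		}
		out = append(out, blk...)
	}
	return out, nil
}
```

Every keystream block is simply CIPH_k(nonce||i), so the same nonce must never be reused under a key, and the key must not be shared with another mode of the same cipher.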
Padding: pros and cons
Increases the amount of data to be sent with no increase in transmitted information.
With regular data pattern, padding with random
values makes cryptanalysis more difficult.
When the padding scheme is known, it may expose the exchange of messages to timing attacks.
OpenSSL prior to v.0.9.6c with CBC-MAC
MAC is located at the end, padding is needed
Message only evaluated if padding is correct
Attacker may systematically find out bits starting from
Ciphertext Stealing (CTS)
Sometimes padding is unacceptable
limited bandwidth
exchange of many messages that would require padding
We want to avoid extra data, but cipher blocks need
entire blocks!
Solution: use CTS!
by performing some extra operations, it produces as much output data as was given in input
we pay in terms of complexity and execution time
we still cannot encrypt very short messages (< 1 block).
Related-mode attacks (i)
Attacks against a given block cipher mode of
operation:
we must know which mode is being used
we need an oracle of another mode, but with the same underlying cipher
Related-mode attacks (ii)
Using ECB against CTR
MU intercepted Ci and C0.
He chooses P’i = C0 + i and gets C’i = CIPHk(P’i).
Since Ci = CIPHk(C0 + i) ⊕ Pi, he can compute Pi = Ci ⊕ C’i.
The CMAC Mode for Authentication
What is CMAC?
The 5 modes of operation provide confidentiality, but we need authentication and integrity.
We must use a mode for authentication!
it implies integrity
A MAC algorithm provides stronger assurance of
data integrity than a checksum.
CMAC exploits the CBC mode of operation to chain cipher blocks and obtain a value which depends on all previous blocks.
Once upon a time…
…there was an insecure mode for authentication named CBC-MAC:
only provided security for messages whose length was a
multiple of the block size
attacker could change the whole message (except last
block) without notice when CBC was used for encryption with the same key.
Black & Rogaway made it secure for arbitrary-length messages using 2 extra keys (XCBC).
Iwata & Kurosawa derived the extra keys from the
Subkey generation
2 subkeys K1, K2 are generated from the key
Can be computed once and stored (must be secret!)
Rb is a value related to the block size
Rb = 0^120 10000111 when b = 128
Rb = 0^59 11011 when b = 64
Finite-field mathematics are involved!
L ← CIPHk(0^b)
if MSB1(L) = 0 then K1 ← L << 1 else K1 ← (L << 1) ⊕ Rb
if MSB1(K1) = 0 then K2 ← K1 << 1 else K2 ← (K1 << 1) ⊕ Rb
CMAC generation
if Mlen = 0 then n ← 1 else n ← ⌈Mlen / b⌉
if M*n complete then Mn ← M*n ⊕ K1 else Mn ← (M*n ‖ 10^j) ⊕ K2
C0 ← 0^b
for i ← 1 to n do Ci ← CIPHk(Ci-1 ⊕ Mi)
T ← MSBTlen(Cn)
Formatting of the message does not need to
CMAC verification
Receiver may decrypt data with the appropriate algorithm.
He then applies CMAC generation process to the
data.
He compares the generated MAC with the one he
received:
if identical, message is authentic
if not, in-transit errors or attack!
Length of the MAC (i)
When verification fails, we are sure the message is inauthentic.
But when it succeeds, we are not 100% sure it is
authentic!
MU may have simply guessed the right MAC for a message
His chances of succeeding are 1/2^Tlen
Longer MACs provide higher assurance, but use more bandwidth/storage space.
If attacker can make more than one attempt his
Length of the MAC (ii)
For most applications, 64 bits are enough.
NIST provides guidance. Two parameters:
MaxInvalids : maximum number of attempts before system
halts
Risk : highest acceptable probability that an inauthentic
message is mistakenly trusted.
Tlen ≥ log2(MaxInvalids / Risk)
e.g. MaxInvalids = 1, Risk = 0.25
Message span of the key (i)
It’s the total number of messages to which CMAC is applied with the same key.
Affects security against attacks based on detecting
2 distinct messages that lead to the same MAC.
We call this event a collision.
This happens because there are many more possible messages than possible MACs.
It should not occur during the lifetime of a key.
Message span of the key (ii)
Probability says that a collision is expected among a set of 2^(b/2) messages.
For general purpose applications:
no more than 2^48 messages when b = 128
no more than 2^21 messages when b = 64
For higher level of security:
no more than 2^48 message blocks when b = 128 (2^22 GB)
no more than 2^21 message blocks when b = 64 (16 MB)
Protection vs. replay attacks
No protection against replay attacks is ensured by CMAC:
Malicious user may intercept a message with its correct
MAC and send it at a later time.
It’s perfectly valid!
Such protection must be provided by the protocol or application that uses CMAC for authentication:
sequential number
timestamp
message nonce
etc.