Block Ciphers Modes of Operation
Slides of my lecture on block cipher modes of operation and their properties, given at the University of Bergen (Norway) in December 2014.

Slide 1. Properties of new NIST block cipher modes of operation
Roman Oliynykov
Professor at Information Technologies Security Department, Kharkov National University of Radioelectronics
Head of Scientific Research Department, JSC "Institute of Information Technologies", Ukraine
Visiting professor at Samsung Advanced Technology Training Institute, Korea
ROliynykov@gmail.com
December 2014

Slide 2. Outline
- A few words about myself
- Need for block cipher modes of operation and well-known standard modes
- Newly developed and NIST-adopted modes and their properties
- Conclusions

Slide 3. About myself (I)
- I'm from Ukraine (Eastern part of Europe), host country of the Euro 2012 football championship
- I live in Kharkov (the second biggest city in the country, population 1.5 million people), Eastern Ukraine (near Russia), former capital of Soviet Ukraine (1918-1934); three Nobel prize winners worked at Kharkov University

Slide 4. About myself (II)
- Professor at Information Technologies Security Department at Kharkov National University of Radioelectronics
  - courses on computer network and operating system security, special mathematics for cryptographic applications
- Head of Scientific Research Department at JSC "Institute of Information Technologies"
  - scientific interests: synthesis and cryptanalysis of symmetric cryptographic primitives
- Visiting professor at Samsung Advanced Technology Training Institute
  - courses on computer network and operating system security, software security, effective application and implementation of symmetric cryptography

Slide 5. Need for modes of operation
- stream cipher:
  - encryption of a message of arbitrary length
  - no error propagation during decryption (an adversary can selectively change plaintext bits by modifying the ciphertext)
  - no integrity check
  - the same procedure for encryption and decryption
- block cipher (ECB mode):
  - encryption of a fixed-size block
  - error propagation during decryption (avalanche effect)
  - no integrity check
  - the same plaintext blocks give the same ciphertext (until the key is changed)
  - different procedures for encryption and decryption

Slide 6. Main block cipher modes of operation: confidentiality only
- Electronic Codebook Mode (ECB)
- Cipher Block Chaining (CBC)
- Cipher Feedback (CFB)
- Output Feedback (OFB)
- Counter (CTR)
Standardized in: US National Institute of Standards and Technology Special Publication (NIST SP) 800-38; ISO/IEC 10116:2006; ANSI X9.52

Slide 7. Electronic Codebook Mode (ECB) (diagram)

Slide 8. ECB advantages
- any part of the encrypted message can be easily decrypted (or re-encrypted after modification)
- error multiplication properties:
  - if the ciphertext is modified by an attacker, the resulting plaintext modifications are random, unpredictable and confined to one block
  - errors in the plaintext cannot be controlled by the attacker (without knowledge of the secret key)
NB: error multiplication may seem a disadvantage on noisy physical channels where error correction codes are applied before encryption
NB: error correction codes should be applied after encryption; the plaintext should not carry such huge redundancy

Slide 9. ECB disadvantages: equal plaintext blocks lead to equal ciphertext blocks. ECB IS NOT RECOMMENDED FOR STANDALONE USE
NB: message length must be aligned to the cipher block size
NB: both the encryption and the decryption function must be implemented

Slide 10. Cipher Block Chaining (CBC) (diagram)
A unique and random (unpredictable) IV must be provided for each message

Slide 11. CBC advantages and disadvantages
- advantages
  - equal messages under the same key are encrypted to different cryptograms (ciphertexts)
  - the message can be decrypted from any part (decrypted only, not re-encrypted)
  - error multiplication properties (single bit + the next block)
- disadvantages
  - message length must be aligned to the cipher block size
  - message blocks cannot be re-encrypted after modification (the rest of the message must be re-encrypted)
  - a decryption implementation is needed
  - if an attacker can insert some parts into the message and obtain the ciphertext, part of the user's message can be compromised (a cookie-stealing attack over an SSL connection, where the attacker sniffs traffic and installs a malicious Firefox plug-in, was demonstrated)
  - not recommended for the future (CTR is the better variant)
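To make the ECB and CBC properties of slides 9 and 11 concrete, here is an added Go example (not from the slides) built on the standard library's AES: it checks that ECB maps two equal plaintext blocks to equal ciphertext blocks while CBC does not, and that one flipped ciphertext bit in CBC garbles one block and flips exactly that bit in the next block. The key and IV are constructed constants so the run is reproducible.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
)

var key = []byte("0123456789abcdef0123456789abcdef") // constructed demo key (AES-256), not from the slides
var iv = []byte("demo-iv-16-bytes")                   // constructed 16-byte IV, fixed only for reproducibility
var blk, _ = aes.NewCipher(key)

// ecbEncrypt: Go has no ECB mode, so apply the raw block function block by block.
func ecbEncrypt(pt []byte) []byte {
	ct := make([]byte, len(pt))
	for i := 0; i < len(pt); i += aes.BlockSize {
		blk.Encrypt(ct[i:i+aes.BlockSize], pt[i:i+aes.BlockSize])
	}
	return ct
}
func cbcEncrypt(pt []byte) []byte {
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(blk, iv).CryptBlocks(ct, pt)
	return ct
}
func cbcDecrypt(ct []byte) []byte {
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(blk, iv).CryptBlocks(pt, ct)
	return pt
}

// EqualBlocksLeak: do two identical plaintext blocks give identical ciphertext blocks?
// True for ecbEncrypt (the slide 9 disadvantage), false for cbcEncrypt.
func EqualBlocksLeak(enc func([]byte) []byte) bool {
	ct := enc(bytes.Repeat([]byte("SAME 16B BLOCK!!"), 2))
	return bytes.Equal(ct[:16], ct[16:])
}

// CBCErrorMultiplication corrupts one bit of ciphertext block 1 in a 4-block message:
// block 1 decrypts to garbage, block 2 gets exactly that bit flipped, blocks 0 and 3 stay intact.
func CBCErrorMultiplication() (block1Garbled, block2OneBitFlipped, othersIntact bool) {
	pt := []byte("block zero......block one.......block two.......block three.....")
	ct := cbcEncrypt(pt)
	ct[16+5] ^= 0x01 // flip the low bit of byte 5 in ciphertext block 1
	dec := cbcDecrypt(ct)
	block1Garbled = !bytes.Equal(dec[16:32], pt[16:32])
	exp := append([]byte{}, pt[32:48]...) // original block 2 with the same single bit flipped
	exp[5] ^= 0x01
	block2OneBitFlipped = bytes.Equal(dec[32:48], exp)
	othersIntact = bytes.Equal(dec[:16], pt[:16]) && bytes.Equal(dec[48:], pt[48:])
	return
}
```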
Slide 12. Cipher Feedback (CFB) (diagram)
A unique IV must be provided for each message

Slide 13. CFB advantages and disadvantages
- advantages
  - equal messages under the same key are encrypted to different cryptograms (ciphertexts)
  - message length can be arbitrary
  - randomness of the IV is not needed
  - error multiplication properties (single bit + several blocks)
  - a decryption implementation (ECB decryption) is not needed
- disadvantages
  - message blocks cannot be decrypted from any part or re-encrypted after modification
  - encryption speed is significantly slower
  - not recommended for the future (CTR is the better variant)

Slide 14. Output Feedback (OFB) (diagram)
A unique IV must be provided for each message

Slide 15. OFB advantages and disadvantages
- advantages
  - equal messages under the same key are encrypted to different cryptograms (ciphertexts)
  - message length can be arbitrary
  - randomness of the IV is not needed
  - a decryption implementation (ECB decryption) is not needed
- disadvantages
  - no error multiplication properties
  - message blocks cannot be decrypted from any part or re-encrypted after modification
  - the expected period of the key sequence is 2^(n/2), where n is the block size in bits (but with some probability it could be much shorter, which is a security threat)
  - not recommended for the future (CTR is the better variant)

Slide 16. Counter (CTR) (diagram)
A unique IV must be provided for each message

Slide 17. CTR advantages and disadvantages
- advantages
  - equal messages under the same key are encrypted to different cryptograms (ciphertexts)
  - message length can be arbitrary
  - randomness of the IV is not needed (the IV is encrypted and used as the start counter value); a simple counter can be used (e.g., arithmetic addition)
  - message blocks can be decrypted from any part or re-encrypted after modification
  - a decryption implementation (ECB decryption) is not needed
- disadvantages
  - no error multiplication properties
- main recommended mode of operation for confidentiality
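The CTR random-access and re-encryption properties of slide 17, as an added Go example (not from the slides): block k is processed with counter block IV+k, so one block can be decrypted or replaced without touching the rest, and a flipped ciphertext bit flips exactly one plaintext bit (no error multiplication). Key and IV are constructed constants, and the counter arithmetic assumes crypto/cipher's full-width big-endian increment of the initial counter block.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"math/big"
)

var key = []byte("0123456789abcdef0123456789abcdef") // constructed demo key (AES-256), not from the slides
var iv = []byte("ctr-demo-iv-0000")                  // constructed 16-byte initial counter block; must be unique per message
var blk, _ = aes.NewCipher(key)

// counterAt returns the counter block for block index k: the IV as a big-endian
// integer plus k, which is how crypto/cipher's CTR increments its counter.
func counterAt(k int) []byte {
	n := new(big.Int).Add(new(big.Int).SetBytes(iv), big.NewInt(int64(k)))
	return n.FillBytes(make([]byte, aes.BlockSize))
}

// ctrXOR encrypts or decrypts (the same operation) data that starts at block index k.
func ctrXOR(k int, in []byte) []byte {
	out := make([]byte, len(in))
	cipher.NewCTR(blk, counterAt(k)).XORKeyStream(out, in)
	return out
}

// RandomAccessDemo encrypts a 4-block message, decrypts block 2 on its own, then
// re-encrypts a replacement block 2 on its own and splices it into the ciphertext.
func RandomAccessDemo() (block2Alone, patchedFull string) {
	pt := []byte("block zero......block one.......block two.......block three.....")
	ct := ctrXOR(0, pt)
	block2Alone = string(ctrXOR(2, ct[32:48]))             // no other block is touched
	copy(ct[32:48], ctrXOR(2, []byte("block 2 changed!"))) // re-encrypt one block only
	patchedFull = string(ctrXOR(0, ct))
	return
}

// NoErrorMultiplication flips one ciphertext bit and reports whether exactly that
// plaintext bit changed: CTR has no error multiplication (slide 17's disadvantage).
func NoErrorMultiplication() bool {
	pt := []byte("sixteen byte msg")
	ct := ctrXOR(0, pt)
	ct[3] ^= 0x80 // one bit corrupted in transit
	dec := ctrXOR(0, ct)
	pt[3] ^= 0x80 // expected result: the same single bit flipped, nothing else
	return bytes.Equal(dec, pt)
}
```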
Slide 18. Additional block cipher modes of operation (NIST SP 800-38)
- CMAC (Cipher-based Message Authentication Code)
- Galois/Counter Mode (GCM) and GMAC (Galois MAC)
- CCM (Counter (CTR) mode and the Cipher Block Chaining-Message Authentication Code (CBC-MAC))
- XTS (XOR Encrypt XOR Tweakable block Cipher)
- Key Wrapping
- FF (Format-Preserving Encryption)

Slide 19. CMAC (Cipher-based Message Authentication Code) (diagram)

Slide 20. CMAC (Cipher-based Message Authentication Code)
- integrity check (not an encryption mode)
- protected against length extension attacks
- no attack more effective than 2^(Tlen/2) encryptions has been published (as of September 2013), where Tlen is the integrity check value (ICV) size in bits

Slide 21. Galois/Counter Mode (GCM) and GMAC (Galois MAC): encryption with GCTR (diagram)
NB: equal to CTR mode with a specific given increment function

Slide 22. Galois/Counter Mode (GCM) and GMAC (Galois MAC): MAC with GMAC (diagram)

Slide 23. Galois/Counter Mode (GCM) and GMAC (Galois MAC): encryption and ICV generation (diagram)

Slide 24. Galois/Counter Mode (GCM) and GMAC (Galois MAC): decryption and ICV verification (diagram)

Slide 25. Galois/Counter Mode (GCM) and GMAC (Galois MAC)
- used for confidentiality and integrity
- there may be an optional unencrypted part of the message (A): e.g., network packet headers
- the integrity check value (ICV) is computed over the ciphertext (not the plaintext): effective for network traffic protection with denial-of-service (DoS) attack countermeasures
- the fastest mode for confidentiality and integrity
- a special Intel and AMD processor instruction (PCLMULQDQ) supports this mode
- protected against length extension attacks
- a small number of weak keys may exist for the integrity check
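The slide 25 GCM properties as an added Go example (not from the slides): the packet header is passed as the unencrypted but authenticated part A, the ICV covers the ciphertext, and Open rejects a modified ciphertext or header before releasing any plaintext; a GMAC-only tag (slide 22) is a Seal with empty plaintext. Key, nonces and packet contents are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
)

var key = []byte("0123456789abcdef0123456789abcdef") // constructed demo key (AES-256), not from the slides
var nonce = []byte("pkt-nonce-01")                   // constructed 12-byte nonce (GCM's standard size)
var gmacNonce = []byte("pkt-nonce-02")               // separate nonce: under one key a GCM nonce must never repeat
var blk, _ = aes.NewCipher(key)
var gcm, _ = cipher.NewGCM(blk)

// Constructed sample packet: a header that must stay readable (A) and a body to encrypt.
var header = []byte("dst=10.0.0.2 proto=udp")
var body = []byte("payload that must stay confidential")

// Seal returns ciphertext || ICV; the ICV authenticates both the header (A) and the ciphertext.
func Seal() []byte { return gcm.Seal(nil, nonce, body, header) }

// GMACTag authenticates only the header: GCM with an empty plaintext yields just the ICV.
func GMACTag() []byte { return gcm.Seal(nil, gmacNonce, nil, header) }

// Open verifies the ICV first and returns ok=false, with no plaintext, if it does not match.
func Open(sealed, aad []byte) (pt []byte, ok bool) {
	pt, err := gcm.Open(nil, nonce, sealed, aad)
	return pt, err == nil
}

// Properties checks the slide 25 behaviour on the constructed packet.
func Properties() (icvLen int, bodyRecovered, ctTamperDetected, aadTamperDetected bool) {
	sealed := Seal()
	icvLen = len(sealed) - len(body) // GCM appends the ICV (tag) after the ciphertext
	pt, ok := Open(sealed, header)
	bodyRecovered = ok && bytes.Equal(pt, body)
	tampered := append([]byte{}, sealed...)
	tampered[0] ^= 0x01 // one ciphertext bit changed in transit
	_, ok = Open(tampered, header)
	ctTamperDetected = !ok // rejected before any decrypted data is released
	_, ok = Open(sealed, []byte("dst=10.0.0.3 proto=udp")) // header altered in transit
	aadTamperDetected = !ok
	return
}
```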
Slide 26. CCM (Counter (CTR) mode and the Cipher Block Chaining-Message Authentication Code (CBC-MAC))
- advanced mode combining CMAC and CTR (with improvements)
- there may be an optional unencrypted part of the message (A): e.g., network packet headers
- developed for, and well suited to, hardware implementation
- implemented in hardware (communication chips) in IEEE 802.11 (WiFi) networks

Slide 27. XTS (XOR Encrypt XOR Tweakable block Cipher): encryption (diagram)

Slide 28. XTS (XOR Encrypt XOR Tweakable block Cipher): decryption (diagram)

Slide 29. XTS (XOR Encrypt XOR Tweakable block Cipher)
- mode intended for on-the-fly encryption of storage with block access (hard drives, etc.)
  - blocks have equal size
  - no room to store an integrity check value
- advantages (over ECB and CTR):
  - the same data in different blocks gives different ciphertext
  - ciphertext modification gives random plaintext modification (no predictable data changes for the attacker)
  - highly effective (almost like CTR, but gives an additional basic and simple integrity service)
  - may be used with padding if the data block length is not aligned to the cipher block size (but less effective here)
- disadvantage:
  - a decryption implementation is needed

Slide 30. Key Wrapping mode: encryption (diagram)

Slide 31. Key Wrapping mode: decryption (diagram)

Slide 32. Key Wrapping mode
- intended to protect the confidentiality of key data
- advantages
  - may be used with padding if the data block length is not aligned to the cipher block size (but less effective here)
  - ciphertext modification gives random plaintext modification (no predictable data changes for the attacker)
  - no IV required
- disadvantages
  - much slower compared to other modes
  - equal messages have equal cryptograms (no IV in this mode)

Slide 33. FF (Format-Preserving Encryption) mode
- intended to protect specific data (like credit card numbers) in existing IT systems with strong limitations on ciphertext length and presentation
- advantage
  - preserves the original message alphabet (any: decimal or other, not only binary, hexadecimal, etc.) and the length of the message
- disadvantage
  - much slower compared to other modes

Slide 34. FF (Format-Preserving Encryption) mode (diagram)

Slide 35. Conclusions
- Block ciphers may provide excellent cryptographic properties, but for practical application they need modes of operation
- Such modes of operation may be used both for confidentiality and for integrity
- There are many different modes of operation for specific purposes, including network traffic protection, hard drive encryption, etc.
- Careful selection of the mode is needed; otherwise even a strong block cipher (e.g., AES-256) might be broken in some circumstances