Thiese are the slides used for presenting the Block Cipher Modes of Operation and CMAC for Authentication document by Alberto Grand.

1. Block Cipher Modes of
Operation
Alberto Grand
Politecnico di Torino
Computer Systems Security – prof. Antonio Lioy

2. What are modes of operation?
Block ciphers only allow to encrypt entire blocks.
What if our message is longer/shorter than the
block size?
We use modes of operation!
Algorithms that exploit a block cipher to provide a service
(e.g. confidentiality, authentication)
5 NIST-recommended modes providing confidentiality:
ECB, CBC, CFB, OFB, CTR
CMAC may be considered a block cipher mode of operation
providing authentication.
2

3. Electronic Codebook (ECB)
Associates each possible plaintext block to a
ciphertext block, like a codebook.
Hello world! aY1:?§h24(r
Requires padding
Encryption/decryption of multiple blocks in parallel
A 1-bit error in a ciphertext block garbles the
corresponding decrypted block.
3

4. Deficiencies of ECB
Problems when the original message contains regular
data patterns, because always encrypted in the same
way.
Only suitable for 1-block-sized data (e.g. a key)
“The securest thing you can do with ECB is not use it!”
4

5. Cipher Block Chaining (CBC)
Allows the same plaintext blocks to be encrypted to
different ciphertext blocks.
Encrypted blocks are “chained” through XORing.
Requires an initialisation vector (IV)
Hello world q%1aX l’3z1$
IV
CIPHER-1 CIPHER-1
CIPHER CIPHER IV
q%1aX l’3z1$ Hello world
5

6. Features of CBC
No parallel encrypting , while parallel decrypting is
possible.
A 1-bit error affects two blocks:
the corresponding block is garbled
the corresponding bit is flipped in the next block
Problem with the IV: 1-bit error only flips 1 bit in
the 1st block, no garbled block. Hard to detect!
Solutions:
encipher the IV
don’t transmit the IV, but compute it from a known value
use authentication!
6

7. Propagating CBC (PCBC)
It’s a variation of CBC designed to propagate errors.
It also involves the previous plaintext block in the
XOR operation.
Is error propagation desirable? It depends!
NO if transmission errors
YES if intentional, malicious changes
Used in Kerberos v.4, but abandoned starting from
v.5 because inversion of two adjacent blocks does
not affect subsequent blocks.
7

8. Cipher Feedback (CFB)
Turns a block cipher into a stream cipher, message
size need not be multiple of block size.
Very similar to CBC (ciphering and XORing are
swapped).
IV IV
CIPHER CIPHER CIPHER CIPHER
Hello world q%1aX l’3z1$
q%1aX l’3z1$ Hello world
8

9. Features of CFB
No parallel encrypting of multiple blocks – although
some form of pipelining is possible.
Parallel decryption is possible
Only the forward function is used.
A 1-bit error :
flips corresponding bit in current segment
may garble the next ⌈b/s⌉ segments
This is highly noticeable, so CFB is less exposed
to the risk of deliberate bit changes.
9

10. OpenPGP with CFB
Widespread standard for exchanging encrypted e-
mail messages.
A variant of CFB is used for symmetric
cryptography:
a random block R is enciphered and used as an IV
the first 2 bytes of R are replicated in the 2nd block for
integrity checks
Leak of information! About 215 set-up attempts +
about 215 attempts per block enable an attacker to
discover the first 2 bytes of any block.
PGP stands for “Pretty Good Privacy”!
10

11. Output Feedback (OFB)
Turns a block cipher into a stream cipher.
It features the iteration of the forward cipher on an
IV.
IV IV
CIPHER CIPHER CIPHER CIPHER
Hello world q%1aX l’3z1$
q%1aX l’3z1$ Hello world
11

12. Features of OFB (i)
Neither encryption nor decryption can be performed
in parallel due to block chaining.
If IV available prior to ciphertext, keystream blocks
can be pre-computed.
IV needs to be a nonce, otherwise know-plaintext
attack is possible (under same key):
an attacker who knows the ith plaintext block can easily
reconstruct the ith keystream block
he can then understand the ith block of every message
12

13. Features of OFB (ii)
A 1-bit error in a ciphertext block only produces a
bit-specific error in the corresponding block:
good for error correcting codes, which work even when
applied before encryption
bad because it’s hardly noticeable!
A 1-bit error in the IV causes all blocks to be
garbled.
13

14. Counter (CTR)
Turns a block cipher into a stream cipher.
Keystreams blocks are generated by encrypting a
set of counter blocks.
CTR block #1 CTR block #2 CTR block #1 CTR block #2
CIPHER CIPHER CIPHER CIPHER
Hello world q%1aX l’3z1$
q%1aX l’3z1$ Hello world
14

15. Features of CTR (i)
Both encryption and decryption can be performed
fully in parallel on multiple blocks.
Provides true random access to ciphertext blocks.
If the initial counter block is available, keystream
blocks may be computed prior to receiving the
ciphertext .
It’s simple!
No inverse cipher function is required for decryption.
It is becoming increasingly used.
15

16. Features of CTR (ii)
Assurance is required that:
counters do not repeat within a single message
counters do not repeat across all messages under a given
key
Done through an incrementing function.
Usually, first b-m bits are a message nonce,
following m bits are incremented (message length <
2m blocks).
Alternatively, counters are concatenated (total
length of all messages < 2m blocks)
16

17. Padding: pros and cons
Increases amount of data to be sent with no
increase of transmitted information.
With regular data pattern, padding with random
values makes cryptanalysis more difficult.
When padding scheme in known, it may expose
exchange of messages to timing attacks.
OpenSSL prior to v.0.9.6c with CBC-MAC
MAC is located at the end, padding is needed
Message only evaluated if padding is correct
Attacker may systematically find out bits starting from
second-to-last block.
17

18. Ciphertext Stealing (CTS)
Sometimes padding is unacceptable
limited bandwidth
exchange of many messages that would require padding
We want to avoid extra data, but cipher blocks need
entire blocks!
Solution: use CTS!
by accomplishing some extra operations, enables to
produce as many output data as given in input
we pay in terms of complexity and execution time
we still cannot encyrpt very short messages (< 1 block).
Usually not worth it!
18

19. Related-mode attacks (i)
Attacks against a given block cipher mode of
operation:
we must know which mode is being used
we need an oracle of another mode, but with the same
underlying cipher
19

20. Related-mode attacks (ii)
Using ECB against CTR
MU intercepted Ci and C0
He chooses P’i = C0 + i
C’i = CIPHk(P’i)
Since Ci = CIPHk(C0 + i) ⊕ Pi he can compute Pi =
Ci ⊕ C’i.
Only one chosen plaintext query is required.
20

21. The CMAC Mode for
Authentication

22. What is CMAC?
The 5 modes of operation provide confidentiality,
but we need authentication and integrity.
We must use a mode for authentication!
it implies integrity
A MAC algorithm provides stronger assurance of
data integrity than a checksum.
CMAC exploits the CBC mode of operation to chain
cipherblocks and obtain a value which depends on
all previous blocks.
22

23. Once upon time…
…there was an insecure mode for authentication
named CBC-MAC:
only provided security for messages whose length was a
multiple of the block size
attacker could change the whole message (except last
block) without notice when CBC was used for encryption
with the same key.
Black & Rogaway made it secure for arbitrary-length
messages using 2 extra keys (XCBC).
Iwata & Kurosawa derived the extra keys from the
shared secret (OMAC, OMAC1 = CMAC).
23

24. Subkey generation
2 subkeys K1, K2 are generated from the key
Can be computed once and stored (must be secret!)
Rb is a value related to the block size
Rb = 012010000111 when b = 128
Rb = 05911011 when b = 64
L ⃪ CIPHk (0b)
if MSB1(L) = 0 then K1 ⃪ L << 1
else K1 ⃪ (L << 1) ⊕ Rb
if MSB1(K1) = 0 then K2 ⃪ K1 << 1
else K2 ⃪ (K1 << 1) ⊕ Rb
Finite-field mathematics are involved!
24

25. CMAC generation
if Mlen = 0 then n ⃪ 1
else n ⃪ ⌈ len / b⌉
⌈M ⌉
if M*n complete then Mn ⃪ M*n ⊕ K1
else Mn ⃪ (M*n ‖10j) ⊕ K1
C0 ⃪ 0b
for i ⃪ 1 to n do
Ci ⃪ CIPHk (Ci-1 ⊕ Mi)
T ⃪ MSBTlen(Cn)
Formatting of the message does not need to
complete before starting CBC encryption.
25

26. CMAC verification
Receiver may decrypt data with the appropriate
algorithm.
He then applies CMAC generation process to the
data.
He compares the generated MAC with the one he
received:
if identical, message is authentic
if not, in-transit errors or attack!
26

27. Length of the MAC (i)
When verification fails, we are sure the message is
inauthentic.
But when it succeeds, we are not 100% sure it is
authentic!
MU may have simply guessed the right MAC for a message
His chances of succeeding are 1/2Tlen
Longer MACs provide higher assurance, but use
more bandwidth/storage space.
If attacker can make more than one attempt his
chances increase!
27

28. Length of the MAC (ii)
For most applications, 64 bits are enough.
NIST provides guidance. Two parameters:
MaxInvalids : maximum number of attempts before system
halts
Risk : highest acceptable probability that an inauthentic
message is mistakenly trusted.
Tlen ≥ log2 (MaxInvalids / Risk)
e.g. MaxInvalids = 1
Risk = 0.25
⇒ Tlen = 2 bits
28

29. Message span of the key (i)
It’s the total number of messages to which CMAC is
applied with the same key.
Affects security against attacks based on detecting
2 distinct messages that lead to the same MAC.
We call this event a collision.
This happens because possible messages are much more
than possible MACs.
It should not occur during the lifetime of a key.
Message span should be limited!
29

30. Message span of the key (ii)
Probability says that a collision is expected among a
set of 2b/2 messages.
For general purpose applications:
no more than 248 messages when b = 128
no more than 221 messages when b = 64
For higher level of security:
no more than 248 message blocks when b = 128 (222 GB)
no more than 221 message blocks when b = 64 (16 MB)
Sometimes message span is time-limited.
30

31. Protection vs. replay attacks
No protection against replay attacks is ensured by
CMAC:
Malicious user may intercept a message with its correct
MAC and send it at a later time.
It’s perfectly valid!
Such protection must be provided by protocol or
application that uses CMAC for authentication:
sequential number
timestamp
message nonce
etc.
31

32. Any questions?
32