<style>
.r {
color: rgb(255, 0, 5);
font-weight: bold;
}
.g {
color: rgb(0, 176, 81);
font-weight: bold;
}
.b {
color: rgb(45, 123, 238);
font-weight: bold;
}
.y {
color: rgb(247, 187, 18);
font-weight: bold;
}
</style>
# Block Cipher Operation
## Double DES (2DES)
- It seems to provide 112 (= 56×2) effect key bits?
- Unfortunately, it is **wrong**
- Actually, it provides only 57 (= 56+1) effect key bits.
- **Meet-in-the-Middle Attack**
- Rarely used
### Meet-in-the-Middle Attack
- a Known-Plaintext Attack
- Suppose that $P_a$ and $P_b$ are known.
- Let $C_a = E(K_2, (E(K_1 , P_a))$ and $C_b = E(K_2, (E(K_1, P_b))$
- For each possible key $K_1^\prime$, compute $E(K_1^\prime, P_a)$ and **stores the result** in memory (total $2^{56}$).
- Compute $D(K_2^\prime, C_a)$ for each possible key $K_2^\prime$ and looks for the sameresult in the memory.
- If there is a match
- Compute $C_b^\prime = E(K_2^\prime, (E(K_1^\prime, P_b))$
- If $C_b^\prime = C_b$, it is likely that $K_1^\prime = K_1$ and $K_2^\prime = K_2$.
- Otherwise, keep trying the remaining possible keys.
- The MAX number of encryption trials are $2^{56} + 2^{56} = 2^{57}.$
## Triple DES (3DES/TDES)
- Block size: 64 bits
- Key size: 112 bits (2-key), 168 bits (3-key)
- The 3-key 3DES provides **112 (=56×2) effect key bits**
- $2^{112} + 2^{56} \approx 2^{112}$
- Meet-in-the-Middle Attack
- Encrypt-Decrypt-Encrypt (EDE) pattern is not for security concern.
- Its only advantage is that it allows users of 3DES to decrypt data encrypted by users of the older single DES.
- Speed
- It is slower than DES (about 3 times).
- ==Triple DES (3DES/TDES) has been broken==
- The short block size of 64 bit makes 3DES vulnerable to block collision attacks if it is used to encrypt large amounts of data with the same key.
- **Sweet32 Attack** (2017)
- exploited in TLS and OpenVPN
- Practical Sweet32 attack on 3DES-based cipher-suites in TLS required $2^{36.6}$ blocks (785 GB) for a full attack
- Researchers were lucky to get a collision just after around $2^{20}$ blockswhich took 25 minutes.
## Block Cipher Modes of Operation
- Introduction
- Combination of
- the basic cipher
- feedback
- simple operation
- Considerations: **Security**, **Efficiency**
- DES was usually chosen as the representative of Block Ciphers.
- Modes
- ECB (Electronic Codebook)
- CBC (Cipher Block Chaining)
- CFB (Cipher Feedback)
- OFB (Output Feedback)
- CTR (Counter)
- XTS-**AES**
- Brief Description
(Description 沒什麼用)
## ECB Mode (Electronic Codebook Mode)
### About the name “Electronic Codebook”
- If the key is unchanged, the **same plaintext block** always encrypts to the **same ciphertext block**.
- Key 不變,明文相同,密文就一樣
- It is **theoretically** possible to create a **codebook** of plaintext blocks and corresponding ciphertext blocks for each value of key.
### Efficiency of ECB
- Encryption parallelizable: Yes✔
- Block 之間獨立,可以平行處理
- Decryption parallelizable: Yes✔
- Preprocessing capability: No❌
- 在明文來之前處理部分工作
- 若要用於加密 stream,需要能夠 preprocessing
### Security of ECB
- **Plaintext patterns are not concealed**.
- Identical plaintext blocks give identical ciphertext blocks.
- Block 之間互不影響,導致某個 block 被竄改不容易發現
- By **removing, repeating, or interchanging** ciphertext blocks, the attacker could easily fool the intended recipient.
- Solutions: **Chaining Techniques** or **MAC**.
## CBC Mode (Cipher Block Chaining Mode)
### Characteristic of CBC
- **IV** (Initialization Vector) is used as a seed
- IV is a **nonce**(隨機數)
- random number (unpredictable) or/+ timestamp (non-repeating)
- IV must be known to both sides.
- In general, IV is **unencrypted**.
- To be **more secure**, we can use the **ECB mode to encrypt IV**
- 每個 key 都不同,且只加密一個 block,可以克服 ECB 的缺點
- Each ciphertext block is dependent on all message blocks before it.
- A **change** in a plaintext block affects its **corresponding ciphertext block** and **all succeeding ciphertext blocks**.
### Efficiency of CBC
- Encryption parallelizable: No❌
- Decryption parallelizable: Yes✔
- $C_1$ 在解密的同時可以傳到 $C_2$ 作解密,而不用等到 $P_1$ 解出來。
- Preprocessing capability: No❌
### Security of CBC
- Plaintext patterns are **concealed**.
- Identical plaintext blocks will not give identical ciphertext blocks.
- The plaintext **cannot be easily manipulated** by modifying, removing, repeating, or interchanging ciphertext blocks.
- CBC is vulnerable to the **Bit Flipping Attack**
- The attacker **can change the ciphertext** in such a way as to **result in a predictable change of the plaintext**, although the attacker is not able to learn the plaintext itself.
- Scenario
- **Red Case**: a bit of $C_2$ is modified
- $P_2$ will be a **garbage** (**easily detected**)
- The corresponding bit of $P_3$ is flipped
- **Green Case**: a bit of **IV** is modified
- The corresponding bit of $P_1$ is flipped
- CBC is vulnerable to the **Padding Oracle Attack**
- The attacker can use the [**padding validation (PKCS #7)**](https://hackmd.io/fJB5r484SZqBEdWMQo4iAQ#PKCS-7-Padding-Scheme) of acryptographic message to decrypt the ciphertext.
- **Assumption**: having a **padding oracle** who will respond to queries about whether a message is correctly padded or not.
## CFB Mode (Cipher Feedback Mode)
- A Stream mode for Block Cipher
### Character of CFB
- ***s***: segment size (bits) ≡ the number of feedback bits
- Trading off efficiency and security, s may vary
- CFB-1, CFB-8 (most common), CFB-64, ...
- ***IV***: (Initialization Vector) is used as a seed
- IV is a nonce (隨機數)
- random number (unpredictable) or/+ timestamp (non-repeating)
- IV must be known to both sides
- In general, IV is unencrypted
- To be more secure, we can use the ECB mode to encrypt IV
### Efficiency of CFB
- Encryption parallelizable: No❌
- Decryption parallelizable: Yes✔
- Preprocessing capability: Yes✔
### Security of CFB
- Plaintext patterns are **concealed**.
- Identical plaintext blocks will not give identical ciphertext blocks.
- The plaintext **cannot be easily manipulated** by modifying, removing, repeating, or interchanging ciphertext blocks.
- With **full feedback** ($s = b$), when **two ciphertext segments are identical**, the outputs from the block cipher operation at the next step are also identical. This allows **information** about plaintext segments to **leak**.
- CFB is vulnerable to the Bit Flipping Attack
- The attacker can change the ciphertext in such a way as to result in a predictable change of the plaintext, although the attacker is not able to learn the plaintext itself
- Scenario
- <font class="g">Green Case</font>: a bit of C~1~ is modified
- The corresponding bit of P~1~ is flipped
- P~2~ will be a garbage (easily detected)
- <font class="r">Red Case</font>: a bit of the last segment C~3~ is modified
- The corresponding bit of P~3~ is flipped
## OFB Mode (Output Feedback Mode)
- A **Stream mode** for **Block Cipher**
### Characteristic of OFB
- Superficially similar to CFB, but
- the feedback is from the output of the block cipher and is independent of the message.
- operates on full blocks of plaintext and ciphertext
- **Nonce ($\equiv$ IV)** is used as a seed
- Nonce is random number (unpredictable) or/+ timestamp (non-repeating)
- Nonce must be known to both sides.
- In general, nonce is unencrypted.
- To be more secure, we can use the ECB mode to encrypt nonce
### Efficiency of OFB
- Encryption parallelizable: Yes✔
- Decryption parallelizable: Yes✔
- Preprocessing capability: Yes✔
### Security of OFB
- The plaintext **cannot** be easily manipulated by removing, repeating, or interchanging ciphertext blocks.
- OFB is **seriously** vulnerable to the **Bit Flipping Attack**
- Plaintext **can be easily manipulated** by modifying ciphertext blocks **without being detected**.
==↑↑↑期中考↑↑↑==
---
## CTR Mode (Counter Mode)
- A <font class='b'>Stream mode</font> for <font class='g'>Block Cipher</font>
### Characteristic of CTR
- Widely used for <font class='b'>ATM network security and IPSec</font>
- Suitable for <font class='g'>high-speed</font> network encryptions
- Similar to OFB but encrypts counter value
- must have a **different {Key & Counter}** value (never reused)
- random access to encrypted data blocks
- <font class='b'>Counter</font> is used as a seed
- The initial value of <font class='b'>Counter</font> (i.e., Counter 1) is {nonce \|\| counter}.
- <font class='b'>Counter</font> must be known to both sides.
- In general, <font class='b'>Counter</font> is <font class='g'>unencrypted</font>.
- To be <font class='y'>more secure</font>, we can use the <font class='y'>ECB mode to encrypt</font> Counter
### Efficiency of CTR
- Encryption parallelizable: Yes✔
- Decryption parallelizable: Yes✔
- Preprocessing capability: Yes✔
### Security of CTR
- The plaintext cannot be easily manipulated by removing, repeating, or interchanging ciphertext blocks.
- CTR is ==**seriously**== vulnerable to the **Bit Flipping Attack**
- Plaintext **can be easily manipulated** by modifying ciphertext blocks **without being detected**.
## XTS-AES Mode
### Characteristic of XTS-AES
- Specified in IEEE P1619 Standard
- <font class='y'>X</font>EX (Xor-Encrypt-Xor)-based <font class='y'>T</font>weaked CodeBook mode (TCB) with CipherText <font class='y'>S</font>tealing (CTS)
- **Random access** to encrypted data <font class='r'>stored in a sector-based device</font>
- each sector may have multiple blocks
- existing modes are not very suitable for encrypting stored data
- <font class='b'>uses AES twice</font> for each <font class='g'>block</font>
### Efficiency of XTS-AES
- Encryption parallelizable: Yes✔
- Decryption parallelizable: Yes✔
- Preprocessing capability: **Partial** (先處理 key2)
### Security of XTS-AES
- Secure for encrypting stored data in a sector-based device
Sign in with Wallet
Connect another wallet