CSCE 465 Lecture 13

Thursday, February 28, 2013

Begin Exam 2 content


Modes of Operation (cont'd)

Cipher Feedback Mode (CFB)

  • Input vector
  • XOR message block with encrypted output of key and input
  • resulting ciphertext fed into next encryption cycle
  • Ciphertext block depends on all previous blocks
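  • No decryption needed (the block cipher is only ever run in the encrypt direction, for both encrypting and decrypting messages)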
  • No information leakage
  • Encryption cannot be parallelized, but decryption can
  • Can still do bit-flip trick
  • Error propagation to self and adjacent blocks

General -bit CFB Mode

Perform left-shift of initialization vector and append bits from cipher output

  • Advantage: Errors only affect finite number of bytes beyond
  • Disadvantage: Cannot compute "random" pad beforehand

Message Authentication Codes

(a.k.a. Message Integrity Code, MIC)

Send last block of CBC (residue) as "message digest"

Ensure Confidentiality and Integrity: use two keys (one for encryption and one for MIC)

Counter Mode (CTR)

  • Start with IV
  • Increment IV for each block encryption, use as input to each encryption
  • XOR Message with encrypted output
  • No Info leakage
  • Can still perform bit-flip exploit
  • Encryption and Decryption can be parallelized

Enables random access!


Triple DES

DES limitation: key length is too short.

We can apply DES multiple times (with different keys) to encrypt.

  • essentially multiplies key length


Double-DES: is DES a group? (today we know it's not)

  • If it is, then double-encryption with 2 keys will be the same as single encryption with a third key.
  • Susceptible to a meet-in-the-middle attack: encrypt the plaintext and decrypt the ciphertext from the two directions until the results are equal

Three times is better:

  1. Encrypt using key 1
  2. Decrypt using key 2
  3. Encrypt again using key 1

To decrypt, reverse process:

  1. Decrypt using key 1
  2. Encrypt using key 2
  3. Decrypt again using key 1

Why not 3 different keys? The effective key length (112 bits) is enough.

One-third as fast as DES on the same platform, and designed to be slow in software

Outside-Chaining

(same as CBC with E = EDE)

Inside-Chaining



Stream Cipher

Encryption occurs on bit-by-bit level

Recall one-time pad: , where is random sequence of bits

Idea is to replace "random" with "pseudo-random" with secret seed

Perform XOR on each bit with corresponding bit in pad

Linear Feedback Shift Register (LFSR)

perform XOR on two adjacent bits and , save it to and shift:

1 0 0 1 -> 1 0 0 1 1 0 1 0 1 1 1 ...

Repeats after 15 bits

Usually very fast (faster than block): used in Wi-Fi, DVD, RFID, VoIP

Weaknesses

  • does not provide perfect secrecy since it is not a truly random one-time pad
  • only as secure as pseudo-random number generator
  • XOR of known plaintext/ciphertext pair will reveal pad
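An added example (not part of the original notes): the 4-bit LFSR above used as a stream cipher, showing the 15-bit period and the known-plaintext weakness from the list. The function names and the sample message are assumptions; the recovery step goes one step beyond the notes by using the fact that the first four pad bits are the register state.

```python
from itertools import islice

def lfsr_keystream(state):
    """4-bit LFSR from the notes: output the oldest bit, then shift in the
    XOR of the two oldest bits, i.e. s[n+4] = s[n] ^ s[n+1]."""
    s = list(state)
    while True:
        yield s[0]
        s = s[1:] + [s[0] ^ s[1]]

def period(state):
    """Steps until the register returns to its starting state."""
    start, s, n = list(state), list(state), 0
    while True:
        s, n = s[1:] + [s[0] ^ s[1]], n + 1
        if s == start:
            return n

def to_bits(data):
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]

def from_bits(bits):
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits), 8))

def xor_bits(a, b):
    return [x ^ y for x, y in zip(a, b)]   # stops at the shorter input

def encrypt(seed, data):
    """Stream cipher: XOR each message bit with the matching pad bit."""
    return xor_bits(to_bits(data), lfsr_keystream(seed))

def recover(cipher_bits, known_prefix):
    """Known plaintext XOR ciphertext reveals the pad; its first 4 bits are
    the register state, which regenerates the whole pad."""
    pad = xor_bits(to_bits(known_prefix), cipher_bits)
    return from_bits(xor_bits(cipher_bits, lfsr_keystream(pad[:4])))

if __name__ == "__main__":
    SEED = [1, 0, 0, 1]                      # start state shown in the notes
    print(list(islice(lfsr_keystream(SEED), 15)), "period", period(SEED))
    ct = encrypt(SEED, b"HELLO")             # constructed sample message
    print(recover(ct, b"H"))                 # only the first byte is known
```

A linear register of this size leaks its whole state through any four consecutive pad bits, which is why the pad generator, not the XOR step, determines the cipher's strength.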

DVD Encryption: Content Scrambling System (CSS)

Each DVD is encrypted with a disk-specific 40-bit disk key.

This DVD key is encrypted 410 times, once using its own key and once for each player vendor. There are 409 player manufacturers, each with its own key.

The first, self-encrypted DVD key helps an attacker verify a guess of the key. Once a single DVD is cracked, all can be cracked.

DeCSS

The DVD organization sued Jon Lech Johansen, the guy who cracked the encryption (the suit was later dropped)

Illegal to publish DeCSS since it violates copyright law, but you can make T-Shirts of the code...

CSS uses a proprietary 40-bit stream cipher algorithm:

  • Structural flaws in CSS reduce effective length to only 16 bits
  • Can be compromised in less than a minute by brute force on 450 MHz processor
  • New standard: Advanced Access Content System (AACS) used in HD DVD and Blu-ray Disc (128-bit AES (CBC))

Summary

  • ECB mode is not secure
  • CBC is a commonly used mode of operation
  • Triple-DES is much stronger than DES (usually uses EDE in outer chaining mode)
  • Stream cipher is simple and fast
    • Key size needs to be large enough