{{about|cryptography|"method of operating"|modus operandi}}

In [[cryptography]], a '''mode of operation''' is an algorithm that uses a [[block cipher]] to provide an [[information security|information service]] such as [[confidentiality]] or [[authentication|authenticity]].<ref name="NIST-BLOCK-CIPHER-MODES">{{cite web |author=NIST Computer Security Division's (CSD) Security Technology Group (STG) |title=Block cipher modes |year=2013 |work=Cryptographic Toolkit |publisher=NIST |url=http://csrc.nist.gov/groups/ST/toolkit/BCM/index.html |accessdate=April 12, 2013}}</ref>

A block cipher by itself is only suitable for the secure cryptographic transformation (encryption or decryption) of one fixed-length group of [[bit]]s called a [[Block (data storage)|block]].<ref name="FERGUSON">{{Cite book |others=Ferguson, N., Schneier, B. and Kohno, T. |year=2010 |title=Cryptography Engineering: Design Principles and Practical Applications |publisher=Wiley Publishing, Inc. |location=Indianapolis |ISBN=978-0-470-47424-2 |pages=63, 64}}</ref> A mode of operation describes how to repeatedly apply a cipher's single-block operation to securely transform amounts of data larger than a block.<ref name="NIST-PROPOSED-MODES">{{cite web |author=NIST Computer Security Division's (CSD) Security Technology Group (STG) |title=Proposed modes |year=2013 |work=Cryptographic Toolkit |publisher=NIST |url=http://csrc.nist.gov/groups/ST/toolkit/BCM/modes_development.html |accessdate=April 14, 2013}}</ref><ref name="HAC">{{cite book |authors=Alfred J. Menezes, Paul C. van Oorschot and Scott A. Vanstone |title=Handbook of Applied Cryptography |publisher=CRC Press |year=1996 |isbn=0-8493-8523-7 |pages=228–233 |url=http://www.cacr.math.uwaterloo.ca/hac/}}</ref><ref name="ISO-10116">{{Cite journal |authors=ISO JTC 1/SC 27 |title=ISO/IEC 10116:2006 - Information technology -- Security techniques -- Modes of operation for an n-bit block cipher |journal=ISO Standards catalogue |url=http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=38761 |year=2006}}</ref>

Most modes require a unique binary sequence, often called an [[initialization vector]] (IV), for each encryption operation. The IV has to be non-repeating, and for some modes random as well. The initialization vector is used to ensure that distinct [[ciphertext]]s are produced even when the same [[plaintext]] is encrypted multiple times independently with the same [[Key (cryptography)|key]].<ref name="HUANG">{{Cite journal |authors=Kuo-Tsang Huang, Jung-Hui Chiu, and Sung-Shiou Shen |title=A Novel Structure with Dynamic Operation Mode for Symmetric-Key Block Ciphers |journal=International Journal of Network Security & Its Applications (IJNSA) |url=http://airccse.org/journal/ijnsa.html |volume=5 |issue=1 |date=January 2013 |pages=19}}</ref> A block cipher may support more than one [[Block size (cryptography)|block size]], but during any single transformation the block size is fixed. Block cipher modes operate on whole blocks and require that the last part of the data be [[Padding (cryptography)|padded]] to a full block if it is smaller than the current block size.<ref name="FERGUSON"/> There are, however, modes that do not require padding because they effectively use a block cipher as a [[stream cipher]].

Historically, encryption modes have been studied extensively in regard to their error propagation properties under various scenarios of data modification. Later development regarded [[integrity protection]] as an entirely separate cryptographic goal. Some modern modes of operation combine [[confidentiality]] and [[authentication|authenticity]] in an efficient way, and are known as [[authenticated encryption]] modes.<ref name="NIST-CURRENT-MODES">{{cite web |author=NIST Computer Security Division's (CSD) Security Technology Group (STG) |title=Current modes |year=2013 |work=Cryptographic Toolkit |publisher=NIST |url=http://csrc.nist.gov/groups/ST/toolkit/BCM/current_modes.html |accessdate=April 12, 2013}}</ref>

==History and standardization==

The earliest modes of operation, ECB, CBC, OFB, and CFB (see below for all), date back to 1981 and were specified in [http://www.itl.nist.gov/fipspubs/fip81.htm FIPS 81], ''DES Modes of Operation''. In 2001, NIST revised its list of approved modes of operation by including AES as a block cipher and adding CTR mode in [http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf SP800-38A], ''Recommendation for Block Cipher Modes of Operation''. Finally, in January 2010, NIST added [[XTS-AES]] in [http://csrc.nist.gov/publications/nistpubs/800-38E/nist-sp-800-38E.pdf SP800-38E], ''Recommendation for Block Cipher Modes of Operation: The XTS-AES Mode for Confidentiality on Storage Devices''. Other confidentiality modes exist which have not been approved by NIST. For example, CTS ([[ciphertext stealing]] mode) is available in many popular cryptographic libraries.

The block cipher modes ECB, CBC, OFB, CFB, CTR, and [[XTS mode|XTS]] provide confidentiality, but they do not protect against accidental modification or malicious tampering. Modification or tampering can be detected with a separate [[message authentication code]] such as [[CBC-MAC]], or a [[digital signature]]. The cryptographic community recognized the need for dedicated integrity assurances and NIST responded with HMAC, CMAC, and GMAC. [[HMAC]] was approved in 2002 as [http://csrc.nist.gov/publications/fips/fips198/fips-198a.pdf FIPS 198], ''The Keyed-Hash Message Authentication Code (HMAC)'', [[CMAC]] was released in 2005 under [http://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdf SP800-38B], ''Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication'', and GMAC was formalized in 2007 under [http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf SP800-38D], ''Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC''.

After observing that composing a confidentiality mode with an authenticity mode could be difficult and error prone, the cryptographic community began to supply modes which combined confidentiality and data integrity into a single cryptographic primitive. These modes are referred to as [[authenticated encryption]], AE or "authenc". Examples of authenc modes are [[CCM mode|CCM]] ([http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C_updated-July20_2007.pdf SP800-38C]), [[GCM mode|GCM]] ([http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf SP800-38D]), [[CWC mode|CWC]], [[EAX mode|EAX]], [[IAPM mode|IAPM]], and [[OCB mode|OCB]].

Modes of operation are nowadays defined by a number of national and internationally recognized standards bodies. The most influential source is the US [[NIST]]{{citation needed|date=April 2012}}. Other notable standards organizations include [[International Organization for Standardization|ISO]] (with ISO/IEC 10116<ref name="ISO-10116"/>), the [[International Electrotechnical Commission|IEC]], the [[IEEE]], the national [[ANSI]], and the [[IETF]].

==Initialization vector (IV)==
{{Main|Initialization vector}}

An [[initialization vector]] (IV) or starting variable (SV)<ref name="ISO-10116"/> is a block of bits that is used by several modes to randomize the encryption and hence to produce distinct ciphertexts even if the same plaintext is encrypted multiple times, without the need for a slower re-keying process.<ref name="HUANG"/>

An [[initialization vector]] has different security requirements than a key, so the [[initialization vector|IV]] usually does not need to be secret. However, in most cases, it is important that an [[initialization vector]] is never reused under the same key. For CBC and CFB, reusing an IV leaks some information about the first block of plaintext, and about any common prefix shared by the two messages. For OFB and CTR, reusing an IV completely destroys security.<ref name="HUANG"/> This can be seen because both modes effectively create a bitstream that is XORed with the plaintext, and this bitstream depends on the key and IV only. Reusing a bitstream destroys security.<ref>{{cite web|title=Stream Cipher Reuse: A Graphic Example|url=http://www.cryptosmith.com/archives/70|publisher=Cryptosmith LLC|accessdate=27 March 2013}}</ref> In CBC mode, the [[initialization vector|IV]] must, in addition, be unpredictable at encryption time; in particular, the (previously) common practice of re-using the last ciphertext block of a message as the [[initialization vector|IV]] for the next message is insecure (for example, this method was used by SSL 2.0). If an attacker knows the [[initialization vector|IV]] (or the previous block of ciphertext) before specifying the next plaintext, the attacker can check a guess about the plaintext of some block that was encrypted with the same key before (this is known as the TLS CBC IV attack).<ref>{{citation|author=B. Moeller|title=Security of CBC Ciphersuites in SSL/TLS: Problems and Countermeasures|date=May 20, 2004|url=http://www.openssl.org/~bodo/tls-cbc.txt}}</ref>

==Padding==
{{Main|Padding (cryptography)}}

A [[block cipher]] works on units of a fixed [[block size (cryptography)|size]] (known as a ''block size''), but messages come in a variety of lengths. So some modes (namely [[Block cipher modes of operation#Electronic codebook .28ECB.29|ECB]] and [[Cipher block chaining|CBC]]) require that the final block be padded before encryption. Several [[padding (cryptography)|padding]] schemes exist. The simplest is to add null bytes to the [[plaintext]] to bring its length up to a multiple of the block size, but care must be taken that the original length of the plaintext can be recovered; this is so, for example, if the plaintext is a [[C (programming language)|C]] style [[Literal string|string]] which contains no null bytes except at the end. Slightly more complex is the original [[Data Encryption Standard|DES]] method, which is to add a single 1 [[bit]], followed by enough zero [[bit]]s to fill out the block; if the message ends on a block boundary, a whole padding block will be added. Most sophisticated are CBC-specific schemes such as [[ciphertext stealing]] or [[residual block termination]], which do not cause any extra ciphertext, at the expense of some additional complexity. [[Bruce Schneier|Schneier]] and [[Niels Ferguson|Ferguson]] suggest two possibilities<!-- Practical Crypto, sect 5.1 -->, both simple: append a byte with value 128 (hex 80), followed by as many zero bytes as needed to fill the last block, or pad the last block with ''n'' bytes all with value ''n''.

CFB, OFB and CTR modes do not require any special measures to handle messages whose lengths are not multiples of the block size, since these modes work by XORing the plaintext with the output of the block cipher. The last partial block of plaintext is XORed with the first few bytes of the last [[keystream]] block, producing a final ciphertext block that is the same size as the final partial plaintext block. This characteristic of stream ciphers makes them suitable for applications that require the encrypted ciphertext data to be the same size as the original plaintext data, and for applications that transmit data in streaming form where it is inconvenient to add padding bytes.

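The padding schemes described above, as an added example (not code from the article): null-byte padding, the DES single-1-bit method, and the "''n'' bytes of value ''n''" rule, each with its unpadding routine. The function names are this example's own; the point worth seeing is that null-byte padding cannot be reversed when the message itself ends in a null byte, that the other two schemes add a whole padding block when the message already ends on a block boundary, and that an unpad step has to validate what it strips rather than trust the last byte.

```python
# Added example: the three padding schemes the article describes, for a
# 16-byte block. Names and layout are this example's own.
BLOCK = 16


def pad_zero(msg: bytes) -> bytes:
    """Null-byte padding. Reversible only if the message cannot end in 0x00
    (for example a C string), because unpadding strips every trailing null."""
    return msg + bytes(-len(msg) % BLOCK)


def unpad_zero(padded: bytes) -> bytes:
    return padded.rstrip(b"\x00")


def pad_bit(msg: bytes) -> bytes:
    """DES-style bit padding: one 0x80 byte (a single 1 bit) then zero bytes.
    Always adds at least one byte, so a block-aligned message gains a whole block."""
    return msg + b"\x80" + bytes(-(len(msg) + 1) % BLOCK)


def unpad_bit(padded: bytes) -> bytes:
    end = padded.rindex(b"\x80")            # the marker is the last 0x80 byte
    if padded[end + 1:].strip(b"\x00"):     # anything but zeros after it is corrupt
        raise ValueError("bad padding")
    return padded[:end]


def pad_n_bytes_of_n(msg: bytes) -> bytes:
    """Schneier and Ferguson's second suggestion (the same rule PKCS#7 uses):
    n bytes each of value n, with 1 <= n <= BLOCK, so padding is never empty."""
    n = BLOCK - len(msg) % BLOCK
    return msg + bytes([n]) * n


def unpad_n_bytes_of_n(padded: bytes) -> bytes:
    """Strict unpadding: refuse anything that is not exactly n copies of n."""
    if not padded or len(padded) % BLOCK:
        raise ValueError("bad padding")
    n = padded[-1]
    if not 1 <= n <= BLOCK or padded[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return padded[:-n]


def n_padding_ok(padded: bytes) -> bool:
    """True when `padded` carries valid n-bytes-of-n padding."""
    try:
        unpad_n_bytes_of_n(padded)
        return True
    except ValueError:
        return False
```

The strict check in `unpad_n_bytes_of_n` is the part that matters in practice: an unpad routine that only reads the last byte and slices will silently accept corrupted or tampered data, which is exactly what a separate integrity check (or an authenticated mode, below) is meant to rule out.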
==Common modes==
Many modes of operation have been defined. Some of these are described below.

===Electronic codebook (ECB)===
{{Infobox
|headerstyle = background:#ccf;
|labelstyle = background:#ddf;
|header1 = ECB
|data2 = Electronic codebook
|label3 = Encryption parallelizable:
|data3 = Yes
|label4 = Decryption parallelizable:
|data4 = Yes
|belowstyle = background:#ddf;
}}
The simplest of the encryption modes is the '''electronic codebook''' (ECB) mode. The message is divided into blocks, and each block is encrypted separately.

[[File:ECB encryption.svg]]

[[File:ECB decryption.svg]]

The disadvantage of this method is that identical [[plaintext]] blocks are encrypted into identical [[ciphertext]] blocks; thus, it does not hide data patterns well. In some senses, it doesn't provide serious message confidentiality, and it is not recommended for use in cryptographic protocols at all.

A striking example of the degree to which ECB can leave plaintext data patterns in the ciphertext can be seen when ECB mode is used to encrypt a [[bitmap image]] which uses large areas of uniform colour. While the colour of each individual [[pixel]] is encrypted, the overall image may still be discerned as the pattern of identically coloured pixels in the original remains in the encrypted version.

{{multiple image
| align = center
| image1 = Tux.jpg
| caption1 = Original image
| image2 = Tux ecb.jpg
| caption2 = Encrypted using ECB mode
| image3 = Tux secure.jpg
| caption3 = Modes other than ECB result in pseudo-randomness
| footer = The image on the right is how the image might appear encrypted with CBC, CTR or any of the other more secure modes—indistinguishable from random noise. Note that the random appearance of the image on the right does not ensure that the image has been securely encrypted; many kinds of insecure encryption have been developed which would produce output just as "random-looking".
| width = 196
}}

ECB mode can also make protocols without integrity protection even more susceptible to [[replay attack]]s, since each block gets decrypted in exactly the same way. For example, the ''[[Phantasy Star Online|Phantasy Star Online: Blue Burst]]'' online [[video game]] uses [[Blowfish (cipher)|Blowfish]] in ECB mode. Before the key exchange system was cracked, leading to even easier methods, cheaters repeated encrypted "monster killed" message packets, each an encrypted Blowfish block, to illegitimately gain [[experience point]]s quickly.{{Citation needed|date=February 2010}}

===Cipher-block chaining (CBC)===
{{Infobox
|headerstyle = background:#ccf;
|labelstyle = background:#ddf;
|header1 = CBC
|data2 = Cipher-block chaining
|label3 = Encryption parallelizable:
|data3 = No
|label4 = Decryption parallelizable:
|data4 = Yes
|belowstyle = background:#ddf;
}}
IBM invented the cipher-block chaining (CBC) mode of operation in 1976.<ref>William F. Ehrsam, Carl H. W. Meyer, John L. Smith, Walter L. Tuchman, "Message verification and transmission error detection by block chaining", US Patent 4074066, 1976</ref> In CBC mode, each block of plaintext is [[XOR]]ed with the previous ciphertext block before being encrypted. This way, each ciphertext block depends on all plaintext blocks processed up to that point. To make each message unique, an [[initialization vector]] must be used in the first block.

[[File:CBC encryption.svg]]

[[File:CBC decryption.svg]]

If the first block has index 1, the mathematical formula for CBC encryption is
:<math>C_i = E_K(P_i \oplus C_{i-1}), C_0 = IV</math>

while the mathematical formula for CBC decryption is
:<math>P_i = D_K(C_i) \oplus C_{i-1}, C_0 = IV.</math>

CBC has been the most commonly used mode of operation. Its main drawbacks are that encryption is sequential (i.e., it cannot be parallelized), and that the message must be padded to a multiple of the cipher block size. One way to handle this last issue is through the method known as [[ciphertext stealing]]. Note that a one-bit change in a plaintext or IV affects all following ciphertext blocks.

Decrypting with the incorrect IV causes the first block of plaintext to be corrupt but subsequent plaintext blocks will be correct. This is because a plaintext block can be recovered from two adjacent blocks of ciphertext. As a consequence, decryption ''can'' be parallelized. Note that a one-bit change to the ciphertext causes complete corruption of the corresponding block of plaintext, and inverts the corresponding bit in the following block of plaintext, but the rest of the blocks remain intact.

===Propagating cipher-block chaining (PCBC)===
{{Infobox
|headerstyle = background:#ccf;
|labelstyle = background:#ddf;
|header1 = PCBC
|data2 = Propagating cipher-block chaining
|label3 = Encryption parallelizable:
|data3 = No
|label4 = Decryption parallelizable:
|data4 = No
|belowstyle = background:#ddf;
}}
The propagating cipher-block chaining<ref>http://www.iks-jena.de/mitarb/lutz/security/cryptfaq/q84.html</ref> or plaintext cipher-block chaining<ref>{{cite book |last=Kaufman |first=C. |last2=Perlman |first2=R. |last3=Speciner |first3=M. |year=2002 |title=Network Security |location=Upper Saddle River, NJ |publisher=Prentice Hall |page=319 |edition=2nd |isbn=0130460192 }}</ref> mode was designed to cause small changes in the ciphertext to propagate indefinitely when decrypting, as well as when encrypting.

[[File:PCBC encryption.svg]]

[[File:PCBC decryption.svg]]

Encryption and decryption algorithms are as follows:

:<math>C_i = E_K(P_i \oplus P_{i-1} \oplus C_{i-1}), P_0 \oplus C_0 = IV</math>

:<math>P_i = D_K(C_i) \oplus P_{i-1} \oplus C_{i-1}, P_0 \oplus C_0 = IV</math>

PCBC is used in [[Kerberos (protocol)|Kerberos v4]] and [[WASTE]], most notably, but otherwise is not common. On a message encrypted in PCBC mode, if two adjacent ciphertext blocks are exchanged, this does not affect the decryption of subsequent blocks.<ref>{{cite book |last=Kohl |first=J. |chapter=The Use of Encryption in Kerberos for Network Authentication |title=Proceedings, Crypto '89 |year=1990 |publisher=Springer |location=Berlin |isbn=0387973176 |chapterurl=http://dsns.csie.nctu.edu.tw/research/crypto/HTML/PDF/C89/35.PDF }}</ref> For this reason, PCBC is not used in Kerberos v5.

===Cipher feedback (CFB)===
{{Infobox
|headerstyle = background:#ccf;
|labelstyle = background:#ddf;
|header1 = CFB
|data2 = Cipher feedback
|label3 = Encryption parallelizable:
|data3 = No
|label4 = Decryption parallelizable:
|data4 = Yes
|belowstyle = background:#ddf;
}}
The ''cipher feedback'' (CFB) mode, a close relative of CBC, makes a block cipher into a self-synchronizing [[stream cipher]]. Operation is very similar; in particular, CFB decryption is almost identical to CBC encryption performed in reverse:

:<math>C_i = E_K (C_{i-1}) \oplus P_i</math>

:<math>P_i = E_K (C_{i-1}) \oplus C_i</math>

:<math>C_0 = \mbox{IV}</math>

[[File:CFB encryption.svg]]

[[File:CFB decryption.svg]]

This simplest way of using CFB, described above, is no more self-synchronizing than other cipher modes such as CBC. If a whole block of ciphertext is lost, both CBC and CFB will resynchronize, but losing only a single byte or bit will permanently throw off decryption. To be able to resynchronize after the loss of only a single byte or bit, a single byte or bit must be encrypted at a time. CFB can be used this way when combined with a [[shift register]] as the input for the block cipher.

To use CFB to make a self-synchronizing stream cipher that will resynchronize after any multiple of ''x'' bits is lost, start by initializing a shift register of the block size with the initialization vector. This is encrypted with the block cipher, and the highest ''x'' bits of the result are XORed with ''x'' bits of the plaintext to produce ''x'' bits of ciphertext. These ''x'' bits of output are shifted into the shift register, and the process repeats with the next ''x'' bits of plaintext. Decryption is similar: start with the initialization vector, encrypt, and XOR the high bits of the result with ''x'' bits of the ciphertext to produce ''x'' bits of plaintext. Then shift the ''x'' bits of the ciphertext into the shift register. This way of proceeding is known as CFB-8 or CFB-1 (according to the size of the shift).<ref name="AESBlockDocumentation">[http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf NIST: Recommendation for Block Cipher Modes of Operation]</ref>

In notation, where S<sub>i</sub> is the ''i''th state of the shift register, ''a'' << ''x'' is ''a'' shifted up ''x'' bits, head(''a'', ''x'') is the ''x'' highest bits of ''a'', and ''n'' is the number of bits in the IV:

:<math>C_i = \mbox{head}(E_K (S_{i-1}), x) \oplus P_i</math>

:<math>P_i = \mbox{head}(E_K (S_{i-1}), x) \oplus C_i</math>

:<math>S_i = ((S_{i-1} << x) + C_i) \mbox{ mod } 2^n</math>

:<math>S_0 = \mbox{IV}</math>

If ''x'' bits are lost from the ciphertext, the cipher will output incorrect plaintext until the shift register once again equals a state it held while encrypting, at which point the cipher has resynchronized. This will result in at most one block size of output being garbled.

Like CBC mode, changes in the plaintext propagate forever in the ciphertext, and encryption cannot be parallelized. Also like CBC, decryption can be parallelized. When decrypting, a one-bit change in the ciphertext affects two plaintext blocks: a one-bit change in the corresponding plaintext block, and complete corruption of the following plaintext block. Later plaintext blocks are decrypted normally.

CFB shares two advantages over CBC mode with the stream cipher modes OFB and CTR: the block cipher is only ever used in the encrypting direction, and the message does not need to be padded to a multiple of the cipher block size (though [[ciphertext stealing]] can also be used to make padding unnecessary).

===Output feedback (OFB)===
{{Infobox
|headerstyle = background:#ccf;
|labelstyle = background:#ddf;
|header1 = OFB
|data2 = Output feedback
|label3 = Encryption parallelizable:
|data3 = No
|label4 = Decryption parallelizable:
|data4 = No
|belowstyle = background:#ddf;
}}
The ''output feedback'' (OFB) mode makes a block cipher into a synchronous [[stream cipher]]. It generates [[keystream]] blocks, which are then [[XOR]]ed with the plaintext blocks to get the ciphertext. Just as with other stream ciphers, flipping a bit in the ciphertext produces a flipped bit in the plaintext at the same location. This property allows many [[Error-correcting code|error correcting codes]] to function normally even when applied before encryption.

Because of the symmetry of the XOR operation, encryption and decryption are exactly the same:

:<math>C_j = P_j \oplus O_j</math>

:<math>P_j = C_j \oplus O_j</math>

:<math>O_j = E_K (I_j)</math>

:<math>I_j = O_{j-1}</math>

:<math>I_0 = \mbox{IV}</math>

[[File:OFB encryption.svg]]

[[File:OFB decryption.svg]]

Each output feedback block cipher operation depends on all previous ones, and so cannot be performed in parallel. However, because the plaintext or ciphertext is only used for the final XOR, the block cipher operations may be performed in advance, allowing the final step to be performed in parallel once the plaintext or ciphertext is available.

It is possible to obtain an OFB mode keystream by using CBC mode with a constant string of zeroes as input. This can be useful, because it allows the usage of fast hardware implementations of CBC mode for OFB mode encryption.

Using OFB mode with a partial block as feedback, as in CFB mode, reduces the average cycle length by a factor of <math>2^{32}</math> or more. A mathematical model proposed by Davies and Parkin and substantiated by experimental results showed that only with full feedback can an average cycle length near the obtainable maximum be achieved. For this reason, support for truncated feedback was removed from the specification of OFB.<ref>{{cite book |first=D. W. |last=Davies |first2=G. I. P. |last2=Parkin |chapter=The average cycle size of the key stream in output feedback encipherment |title=Advances in Cryptology, Proceedings of CRYPTO 82 |pages=263–282 |year=1983 |location=New York |publisher=Plenum Press |isbn=0306413663 }}</ref><ref>http://www.crypto.rub.de/its_seminar_ws0809.html</ref>

| ===Counter (CTR)===
| |
| {{Infobox
| |
| |name =
| |
| |bodystyle =
| |
| |title =
| |
| |titlestyle =
| |
| |image =
| |
| |imagestyle =
| |
| |caption =
| |
| |captionstyle =
| |
| |headerstyle = background:#ccf;
| |
| |labelstyle = background:#ddf;
| |
| |datastyle =
| |
| | |
| |header1 = CTR
| |
| |label1 =
| |
| |data1 =
| |
| |header2 =
| |
| |label2 =
| |
| |data2 = Counter
| |
| |header3 =
| |
| |label3 = Encryption parallelizable:
| |
| |data3 = Yes
| |
| |header4 =
| |
| |label4 = Decryption parallelizable:
| |
| |data4 = Yes
| |
| |header5 =
| |
| |label5 =
| |
| |data5 =
| |
| | |
| |belowstyle = background:#ddf;
| |
| |below =
| |
| }}
| |
| :''Note: CTR mode (CM) is also known as ''integer counter mode'' (ICM) and ''segmented integer counter'' (SIC) mode''
| |
| | |
| Like OFB, counter mode turns a [[block cipher]] into a [[stream cipher]]. It generates the next [[keystream]] block by encrypting successive values of a "counter". The counter can be any function which produces a sequence which is guaranteed not to repeat for a long time, although an actual increment-by-one counter is the simplest and most popular. The usage of a simple deterministic input function used to be controversial; critics argued that "deliberately exposing a cryptosystem to a known systematic input represents an unnecessary risk."<ref>{{cite book |first=Robert R. |last=Jueneman |chapter=Analysis of certain aspects of output feedback mode |title=Advances in Cryptology, Proceedings of CRYPTO 82 |pages=99–127 |year=1983 |location=New York |publisher=Plenum Press |isbn=0306413663 }}</ref> By now, CTR mode is widely accepted, and problems resulting from the input function are recognized as a weakness of the underlying block cipher instead of the CTR mode.<ref>Helger Lipmaa, Phillip Rogaway, and David Wagner. Comments to NIST concerning AES modes of operation: CTR-mode encryption. 2000</ref> Along with CBC, CTR mode is one of two block cipher modes recommended by Niels Ferguson and Bruce Schneier.<ref>Niels Ferguson, Bruce Schneier, Tadayoshi Kohno, Cryptography Engineering, page 71, 2010</ref>
| |
| | |
CTR mode has similar characteristics to OFB, but also allows a random access property during decryption. CTR mode is well suited to operate on a multi-processor machine where blocks can be encrypted in parallel. Furthermore, it does not suffer from the short-cycle problem that can affect OFB.<ref>http://www.quadibloc.com/crypto/co040601.htm</ref>

Note that the [[cryptographic nonce|nonce]] in this diagram is the same thing as the [[initialization vector]] (IV) in the other diagrams. The IV/nonce and the counter can be combined together using any lossless operation (concatenation, addition, or XOR) to produce the actual unique counter block for encryption.

[[File:CTR encryption 2.svg]]

[[File:CTR decryption 2.svg]]

==Error propagation==

Before the widespread use of [[message authentication codes]] and [[authenticated encryption]], it was common to discuss the "error propagation" properties as a selection criterion for a mode of operation. It might be observed, for example, that a one-block error in the transmitted ciphertext would result in a one-block error in the reconstructed plaintext for ECB mode encryption, while in CBC mode such an error would affect two blocks.

Some felt that such resilience was desirable in the face of random errors (e.g., line noise), while others argued that error correcting increased the scope for attackers to maliciously tamper with a message.

However, when proper integrity protection is used, such an error will result (with high probability) in the entire message being rejected. If resistance to random error is desirable, [[error-correcting code]]s should be applied to the ciphertext before transmission.
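The following is an added example, not code from the article, that exercises two of the points made above: the CTR construction from the previous section (counter block formed by concatenating an 8-byte nonce with a 64-bit counter, random access to any block without touching the others) and the error-propagation comparison in this section (one corrupted ciphertext block damages one plaintext block in ECB and CTR but two in CBC, and an integrity check rejects the whole message). Everything in it is constructed: the block cipher is a small Feistel network built on HMAC-SHA256 standing in for AES so the code runs with only the standard library, the nonce layout is one of the lossless combinations the text allows, CBC-MAC under a separate key is the integrity check, and the plaintext and keys are sample values.

```python
"""Added example (not from the article): CTR mode with random-access
decryption, error propagation in ECB/CBC/CTR, and an integrity check.
The block cipher is a constructed stand-in for AES, not a vetted cipher."""
import hashlib
import hmac

BLOCK = 16  # block size in bytes, the same as AES

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round_function(key, rnd, half):
    # Keyed PRF for one Feistel round; the round index separates the rounds.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]

def _feistel(key, block, rounds):
    # 4-round Feistel network on a 16-byte block (8-byte halves).
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for rnd in rounds:
        left, right = right, xor(left, _round_function(key, rnd, right))
    return right + left  # swapped, so the same loop with reversed rounds inverts it

def block_encrypt(key, block):
    return _feistel(key, block, range(4))

def block_decrypt(key, block):
    return _feistel(key, block, reversed(range(4)))

def ctr_keystream_block(key, nonce, index):
    # Counter block = 8-byte nonce || big-endian 64-bit block counter: one
    # lossless way of combining the IV/nonce and the counter.
    return block_encrypt(key, nonce + index.to_bytes(8, "big"))

def ctr_crypt(key, nonce, data):
    # Encryption and decryption are the same operation; a short final block
    # just truncates the keystream.
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        out += xor(data[i:i + BLOCK], ctr_keystream_block(key, nonce, i // BLOCK))
    return bytes(out)

def ctr_decrypt_block(key, nonce, ct, index):
    # Random access: block `index` is recovered without touching any other
    # block, which is also why all blocks can be processed in parallel.
    return xor(ct[index * BLOCK:(index + 1) * BLOCK], ctr_keystream_block(key, nonce, index))

# ECB and CBC below assume the data length is a multiple of BLOCK (no padding).
def ecb_encrypt(key, pt):
    return b"".join(block_encrypt(key, pt[i:i + BLOCK]) for i in range(0, len(pt), BLOCK))

def ecb_decrypt(key, ct):
    return b"".join(block_decrypt(key, ct[i:i + BLOCK]) for i in range(0, len(ct), BLOCK))

def cbc_encrypt(key, iv, pt):
    out, prev = bytearray(), iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, xor(pt[i:i + BLOCK], prev))
        out += prev
    return bytes(out)

def cbc_decrypt(key, iv, ct):
    out, prev = bytearray(), iv
    for i in range(0, len(ct), BLOCK):
        out += xor(block_decrypt(key, ct[i:i + BLOCK]), prev)
        prev = ct[i:i + BLOCK]
    return bytes(out)

def cbc_mac(mac_key, msg):
    # CBC-MAC (zero IV, last block kept) under its own key. Safe only for
    # messages of one fixed length; use OMAC/CMAC for variable-length data.
    return cbc_encrypt(mac_key, bytes(BLOCK), msg)[-BLOCK:]

def flip_bit(data, i):
    # Simulate a one-bit transmission error in byte i of the ciphertext.
    return data[:i] + bytes([data[i] ^ 0x01]) + data[i + 1:]

def damaged_blocks(original, recovered):
    return sum(original[i:i + BLOCK] != recovered[i:i + BLOCK]
               for i in range(0, len(original), BLOCK))

def error_propagation(key, iv, nonce, pt, hit_block=1):
    """Flip one ciphertext bit in block `hit_block`; count damaged plaintext blocks per mode."""
    pos = hit_block * BLOCK
    return {
        "ECB": damaged_blocks(pt, ecb_decrypt(key, flip_bit(ecb_encrypt(key, pt), pos))),
        "CBC": damaged_blocks(pt, cbc_decrypt(key, iv, flip_bit(cbc_encrypt(key, iv, pt), pos))),
        "CTR": damaged_blocks(pt, ctr_crypt(key, nonce, flip_bit(ctr_crypt(key, nonce, pt), pos))),
    }

def verify_then_decrypt(key, mac_key, iv, ct, tag):
    # Encrypt-then-MAC: with integrity protection, any ciphertext error
    # rejects the whole message instead of yielding a partly garbled plaintext.
    if not hmac.compare_digest(cbc_mac(mac_key, iv + ct), tag):
        return None
    return cbc_decrypt(key, iv, ct)

PLAINTEXT = b"Constructed sample plaintext".ljust(4 * BLOCK, b".")  # four blocks
```

With a 32-byte key, a 16-byte IV and an 8-byte nonce, `error_propagation(key, iv, nonce, PLAINTEXT)` returns one damaged block for ECB, two for CBC (the hit block decrypts to garbage and the following block inherits the flipped bit) and one for CTR, while `verify_then_decrypt` on a tampered CBC ciphertext returns `None` instead of a partly corrupted plaintext. The Feistel stand-in is there only so the modes can be run offline; substitute a real AES implementation for anything beyond illustration.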

==Authenticated encryption==

{{Main|Authenticated encryption}}

A number of modes of operation have been designed to combine [[secrecy]] and [[authentication]] in a single cryptographic primitive. Examples of such modes are [[XCBC mode|XCBC]],<ref>[[Virgil D. Gligor]], Pompiliu Donescu, "Fast Encryption and Authentication: XCBC Encryption and XECB Authentication Modes". Proc. Fast Software Encryption, 2001: 92-108.</ref> [[IACBC mode|IACBC]], [[IAPM mode|IAPM]],<ref>Charanjit S. Jutla, "Encryption Modes with Almost Free Message Integrity", Proc. Eurocrypt 2001, LNCS 2045, May 2001.</ref> [[OCB mode|OCB]], [[EAX mode|EAX]], [[CWC mode|CWC]], [[CCM mode|CCM]], and [[Galois/Counter Mode|GCM]]. [[Authenticated encryption]] modes are classified as single pass modes or double pass modes. Unfortunately for the cryptographic user community, many of the single pass [[authenticated encryption]] algorithms (such as [[OCB mode]]) are patent encumbered.

In addition, some modes also allow for the authentication of unencrypted associated data, and these are called [[AEAD block cipher modes of operation|AEAD]] (Authenticated-Encryption with Associated-Data) schemes. For example, EAX mode is a double pass AEAD scheme while OCB mode is single pass.

==Other modes and other cryptographic primitives==

Many more modes of operation for block ciphers have been suggested. Some have been accepted, fully described (even standardized), and are in use. Others have been found insecure, and should never be used. Still others do not fit the categories of confidentiality, authenticity, or authenticated encryption; examples are [[key feedback mode]] and [[One-way_compression_function#Davies.E2.80.93Meyer|Davies-Meyer]] hashing.

[[NIST]] maintains a list of proposed modes for block ciphers at [http://csrc.nist.gov/groups/ST/toolkit/BCM/modes_development.html Modes Development].<ref name="AESBlockDocumentation" /><ref>[http://csrc.nist.gov/groups/ST/toolkit/BCM/modes_development.html NIST: Modes Development]</ref>

Disk encryption often uses special purpose modes specifically designed for the application. Tweakable narrow-block encryption modes ([[LRW]], [[disk encryption theory#XEX|XEX]], and [[XTS mode|XTS]]) and wide-block encryption modes ([[Disk_encryption_theory#CBC-mask-CBC (CMC) and ECB-mask-ECB (EME)|CMC]] and [[Disk_encryption_theory#CBC-mask-CBC (CMC) and ECB-mask-ECB (EME)|EME]]) are designed to securely encrypt sectors of a disk. (See [[disk encryption theory]])

Block ciphers can also be used in other [[cryptographic protocol]]s. They are generally used in modes of operation similar to the block modes described here. As with all protocols, to be cryptographically secure, care must be taken to build them correctly.

There are several schemes which use a block cipher to build a [[cryptographic hash function]]. See [[one-way compression function]] for descriptions of several such methods.

[[Cryptographically secure pseudorandom number generator]]s (CSPRNGs) can also be built using block ciphers.

[[Message authentication code]]s (MACs) are often built from block ciphers. [[CBC-MAC]], [[One-key MAC|OMAC]] and [[PMAC (cryptography)|PMAC]] are examples.

==See also==

{{col-begin}}
{{col-break}}
* [[Disk encryption]]
* [[Message authentication code]]
* [[Authenticated encryption]]
* [[One-way compression function]]
{{col-break}}
{{Portal|Cryptography}}
{{col-end}}

==References==
{{Reflist|30em}}

{{Cryptography navbox | block | hash}}

{{DEFAULTSORT:Block Cipher Modes Of Operation}}
[[Category:Block cipher modes of operation| ]]
[[Category:Cryptographic algorithms]]