Secret Key Encryption

1
Secret Key Encryption
Encrypting a large message Electronic Code Book
(ECB)
message
m1 m2 m3 m4
m5 m6
Secret
E E E
E E E
c1 c2 c3
c4 c5 c6
2
Secret Key Encryption
Decrypting a large message Electronic Code Book
(ECB)
c1 c2 c3
c4 c5 c6
Secret
D D D
D D D
m1 m2 m3 m4
m5 m6
message
3
Secret Key Encryption
En/Decrypting a large message Electronic Code
Book (ECB) Problems Two same message blocks
encrypt to the same cipher blocks ex
switch or copy salary block 1. Two cipher
blocks can be switched 2. One cipher block
can be copied to another 3. No built-in
integrity or authentication check
4
Secret Key Encryption
Encrypting a large message Cipher Block Chaining
(CBC) 1st attempt r1...r6 are random
message
m1 m2 m3 m4
m5 m6
r1 r2 r3
r4 r5 r6
?
?
?
?
?
?
?
Secret
E E E
E E E
c1 c2 c3
c4 c5 c6
5
Secret Key Encryption
En/Decrypting a large message Cipher Block
Chaining (CBC) - 1st attempt Problems 1. Not
efficient one random number for every message
block 2. Attacker can rearrange blocks with
predictable effect on resulting laintext.
For example, just remove one block or
swap two blocks - result can still be decrypted
and receiver does not know the
difference. 3. If an attacker knows the value
of any message block mi, then can change
it in a predictable way by modifying ri.
6
Secret Key Encryption
Encrypting a large message Cipher Block Chaining
(CBC) IV is a random number
message
m1 m2 m3 m4
m5 m6
IV
?
?
?
?
?
?
?
Secret
E E E
E E E
c1 c2 c3
c4 c5 c6
7
Secret Key Decryption
Decrypting a large message Cipher Block Chaining
(CBC) IV is a random number
message
m1 m2 m3 m4
m5 m6
IV
?
?
?
?
?
?
?
Secret
D D D D
D D
c1 c2 c3
c4 c5 c6
8
Secret Key Encryption
En/Decrypting a large message Cipher Block
Chaining (CBC) Problems 1. Must use random
IV suppose weekly messages differ in one spot
(because someone's salary is adjusted).
Then it may be possible to determine
whose salary it was that changed. Or, commander
orders troops to hold for several days
then attack enemy knows something up. 2.
Attacker can rearrange blocks with predictable
effect on resulting plaintext. For
example, if m1...mn and c1...cn are known, all
decryptions are known. Then any sequence
of ci has predictable effect on message. 3.
If an attacker knows the value of any message
block mi, then can change it in a
predictable way by modifying ri.
Hello 7834
8 7835
9
Secret Key Encryption
Encrypting a large message Output Feedback Mode
(OFB) IV is a random number
IV
K E
K E
K E
discard
discard
discard
?
?
?
m3
m1
m2
c3
c1
c2
10
Secret Key Encryption
Encrypting a large message Cipher Feedback Mode
(CFB) IV is a random number
IV
K E
K E
K E
discard
discard
discard
?
?
?
m3
m1
m2
c3
c1
c2
11
Secret Key Encryption
En/Decrypting a large message Output/Cipher Block
Chaining (OFB/CFB) Discussion 1. In OFB
one-time pad can be generated before message is.
Not so for CFB 2. In CFB error in
transmission will synchronize after pad flushes
through shift. Not so for OFB or CBC where
rest of transmission is garbled. 3. No
block rearrangement attack on CFB although
sections can be rearranged at the cost of
garbling some of the text.
12
Secret Key Encryption
Encrypting a large message Counter Mode (CTR)
IV2
IV
IV1
K E
K E
K E
?
?
?
m3
m1
m2
c3
c1
c2
13
Secret Key Encryption
En/Decrypting a large message Counter Mode (CTR)
Discussion 1. Like OFB, one-time pad is
generated before the message is.
Encryption is simple with exclusive-or 2. Like
CBC, can decrypt beginning from any point in the
ciphertext. Useful for encrypting random
access files. 3. If different data is used
with same key and IV, exclusive-oring the
ciphertexts of the messages gives the
exclusive-or of the plaintexts. This is
also a problem with OFB.
14
Generating Message Authentication Code (MAC)
Suppose message is sent in the clear
m1 m2 m3 m4
m5 m6
?
?
?
?
?
Secret
E E E
E E E
c1 c2 c3
c4 c5 residue
Only send the residue as the check on the message
the plaintext message (no confidentiality)
15
Generating Message Authentication Code (MAC)
Integrity plus confidentiality
m1 m2 m3 m4
m5 m6
IV
?
?
?
?
?
?
K
E E E
E E E
c1 c2 c3
c4 c5 c6
CBC residue
16
Generating Message Authentication Code (MAC)
Integrity plus confidentiality
m1 m2 m3 m4
m5 m6
IV
?
?
?
?
?
?
K
E E E
E E E
c1 c2 c3
c4 c5 c6
CBC residue
Huh? Send last block twice? Tamperer merely
sends tampered message and just repeats its last
block!!
17
Generating Message Authentication Code (MAC)
Integrity plus confidentiality
m1 m2 m3 m4
m5 c5
?
?
?
?
?
Secret
E E E
E E E
c1 c2 c3
c4 c5 residue
C6 is the residue.
18
Generating Message Authentication Code (MAC)
Integrity plus confidentiality
m1 m2 m3 m4
m5 c5
?
?
?
?
?
Secret
E E E
E E E
c1 c2 c3
c4 c5 residue
C6 is the residue. But actually the residue is
0!!
19
Generating Message Authentication Code (MAC)
Integrity plus confidentiality
m1 m2 m3 m4
m5 CRC
?
?
?
?
?
Secret
E E E
E E E
c1 c2 c3
c4 c5 residue
C6 is the residue. Cyclic redundancy check is
used.
20
Generating Message Authentication Code (MAC)
Integrity plus confidentiality
m1 m2 m3 m4
m5 CRC
?
?
?
?
?
Secret
E E E
E E E
c1 c2 c3
c4 c5 residue
C6 is the residue. Cyclic redundancy check is
used. No good if CRC is too short!
21
Generating Message Authentication Code (MAC)
To use CBC for both message integrity and
encryption, use different keys for the residue
and ciphertext!