Block Cipher Modes of

Operation

Alberto Grand

Politecnico di Torino
Computer Systems Security – prof. Antonio Lioy
What are modes of operation?

Block ciphers only allow to encrypt entire blocks.

What if our message is longer/shorter than the
block size?
We use modes of operation!

Algorithms that exploit a block cipher to provide a service
(e.g. confidentiality, authentication)

5 NIST-recommended modes providing confidentiality:
ECB, CBC, CFB, OFB, CTR

CMAC may be considered a block cipher mode of operation
providing authentication.

2
Electronic Codebook (ECB)

Associates each possible plaintext block to a
ciphertext block, like a codebook.

Hello world! aY1\:?§h24(r

Requires padding

Encryption/decryption of multiple blocks in parallel

A 1-bit error in a ciphertext block garbles the
corresponding decrypted block.
3
Deficiencies of ECB

Problems when the original message contains regular

data patterns, because always encrypted in the same
way.

Only suitable for 1-block-sized data (e.g. a key)

“The securest thing you can do with ECB is not use it!”
4
Cipher Block Chaining (CBC)

Allows the same plaintext blocks to be encrypted to

different ciphertext blocks.

Encrypted blocks are “chained” through XORing.

Requires an initialisation vector (IV)
Hello world q%1aX l’3z1$

IV
CIPHER-1 CIPHER-1

CIPHER CIPHER IV

q%1aX l’3z1$ Hello world

5
Features of CBC

No parallel encrypting , while parallel decrypting is

possible.

A 1-bit error affects two blocks:

the corresponding block is garbled

the corresponding bit is flipped in the next block

Problem with the IV: 1-bit error only flips 1 bit in
the 1st block, no garbled block. Hard to detect!

Solutions:

encipher the IV

don’t transmit the IV, but compute it from a known value

use authentication!
6
Propagating CBC (PCBC)

It’s a variation of CBC designed to propagate errors.

It also involves the previous plaintext block in the
XOR operation.

Is error propagation desirable? It depends!

NO if transmission errors

YES if intentional, malicious changes

Used in Kerberos v.4, but abandoned starting from
v.5 because inversion of two adjacent blocks does
not affect subsequent blocks.

7
 Cipher Feedback (CFB)

Turns a block cipher into a stream cipher, message

size need not be multiple of block size.

Very similar to CBC (ciphering and XORing are
swapped).
IV IV

CIPHER CIPHER CIPHER CIPHER

Hello world q%1aX l’3z1$

q%1aX l’3z1$ Hello world

8
Features of CFB

No parallel encrypting of multiple blocks – although

some form of pipelining is possible.

Parallel decryption is possible

Only the forward function is used.

A 1-bit error :

flips corresponding bit in current segment

may garble the next ⌈b/s⌉ segments

This is highly noticeable, so CFB is less exposed
to the risk of deliberate bit changes.

9
OpenPGP with CFB

Widespread standard for exchanging encrypted e-

mail messages.

A variant of CFB is used for symmetric
cryptography:

a random block R is enciphered and used as an IV

the first 2 bytes of R are replicated in the 2nd block for
integrity checks

Leak of information! About 215 set-up attempts +
about 215 attempts per block enable an attacker to
discover the first 2 bytes of any block.

PGP stands for “Pretty Good Privacy”!
10
 Output Feedback (OFB)

Turns a block cipher into a stream cipher.

It features the iteration of the forward cipher on an
IV.

IV IV

CIPHER CIPHER CIPHER CIPHER

Hello world q%1aX l’3z1$

q%1aX l’3z1$ Hello world

11
Features of OFB (i)

Neither encryption nor decryption can be performed

in parallel due to block chaining.

If IV available prior to ciphertext, keystream blocks
can be pre-computed.

IV needs to be a nonce, otherwise know-plaintext
attack is possible (under same key):

an attacker who knows the ith plaintext block can easily
reconstruct the ith keystream block

he can then understand the ith block of every message

12
Features of OFB (ii)

A 1-bit error in a ciphertext block only produces a

bit-specific error in the corresponding block:

good for error correcting codes, which work even when
applied before encryption

bad because it’s hardly noticeable!

A 1-bit error in the IV causes all blocks to be
garbled.

13
 Counter (CTR)

Turns a block cipher into a stream cipher.

Keystreams blocks are generated by encrypting a
set of counter blocks.

CTR block #1 CTR block #2 CTR block #1 CTR block #2

CIPHER CIPHER CIPHER CIPHER

Hello world q%1aX l’3z1$

q%1aX l’3z1$ Hello world

14
Features of CTR (i)

Both encryption and decryption can be performed

fully in parallel on multiple blocks.

Provides true random access to ciphertext blocks.

If the initial counter block is available, keystream
blocks may be computed prior to receiving the
ciphertext .

It’s simple!

No inverse cipher function is required for decryption.

It is becoming increasingly used.

15
Features of CTR (ii)

Assurance is required that:

counters do not repeat within a single message

counters do not repeat across all messages under a given
key

Done through an incrementing function.

Usually, first b-m bits are a message nonce,
following m bits are incremented (message length <
2m blocks).

Alternatively, counters are concatenated (total
length of all messages < 2m blocks)

16
Padding: pros and cons

Increases amount of data to be sent with no

increase of transmitted information.

With regular data pattern, padding with random
values makes cryptanalysis more difficult.

When padding scheme in known, it may expose
exchange of messages to timing attacks.

OpenSSL prior to v.0.9.6c with CBC-MAC

MAC is located at the end, padding is needed

Message only evaluated if padding is correct

Attacker may systematically find out bits starting from
second-to-last block.
17
Ciphertext Stealing (CTS)

Sometimes padding is unacceptable

limited bandwidth

exchange of many messages that would require padding

We want to avoid extra data, but cipher blocks need
entire blocks!

Solution: use CTS!

by accomplishing some extra operations, enables to
produce as many output data as given in input

we pay in terms of complexity and execution time

we still cannot encyrpt very short messages (< 1 block).

Usually not worth it!
18
Related-mode attacks (i)

Attacks against a given block cipher mode of

operation:

we must know which mode is being used

we need an oracle of another mode, but with the same
underlying cipher

19
Related-mode attacks (ii)

Using ECB against CTR

MU intercepted Ci and C0

He chooses P’i = C0 + i

C’i = CIPHk(P’i)

Since Ci = CIPHk(C0 + i) ⊕ Pi he can compute Pi =

Ci ⊕ C’i.

Only one chosen plaintext query is required.

20
The CMAC Mode for
Authentication
What is CMAC?

The 5 modes of operation provide confidentiality,

but we need authentication and integrity.

We must use a mode for authentication!

it implies integrity

A MAC algorithm provides stronger assurance of
data integrity than a checksum.

CMAC exploits the CBC mode of operation to chain
cipherblocks and obtain a value which depends on
all previous blocks.

22
Once upon time…

…there was an insecure mode for authentication

named CBC-MAC:

only provided security for messages whose length was a
multiple of the block size

attacker could change the whole message (except last
block) without notice when CBC was used for encryption
with the same key.

Black & Rogaway made it secure for arbitrary-length
messages using 2 extra keys (XCBC).

Iwata & Kurosawa derived the extra keys from the
shared secret (OMAC, OMAC1 = CMAC).

23
Subkey generation

2 subkeys K1, K2 are generated from the key

Can be computed once and stored (must be secret!)

Rb is a value related to the block size

Rb = 012010000111 when b = 128

Rb = 05911011 when b = 64
L ⃪ CIPHk (0b)
if MSB1(L) = 0 then K1 ⃪ L << 1
else K1 ⃪ (L << 1) ⊕ Rb
if MSB1(K1) = 0 then K2 ⃪ K1 << 1
else K2 ⃪ (K1 << 1) ⊕ Rb

Finite-field mathematics are involved!

24
CMAC generation

if Mlen = 0 then n ⃪ 1
else n ⃪ ⌈M
⌈ len / b⌉⌉
if M*n complete then Mn ⃪ M*n ⊕ K1
else Mn ⃪ (M*n ‖10j) ⊕ K1
C0 ⃪ 0b
for i ⃪ 1 to n do
Ci ⃪ CIPHk (Ci-1 ⊕ Mi)
T ⃪ MSBTlen(Cn)

Formatting of the message does not need to

complete before starting CBC encryption.

25
CMAC verification

Receiver may decrypt data with the appropriate

algorithm.

He then applies CMAC generation process to the
data.

He compares the generated MAC with the one he
received:

if identical, message is authentic

if not, in-transit errors or attack!

26
Length of the MAC (i)

When verification fails, we are sure the message is

inauthentic.

But when it succeeds, we are not 100% sure it is
authentic!

MU may have simply guessed the right MAC for a message

His chances of succeeding are 1/2Tlen

Longer MACs provide higher assurance, but use
more bandwidth/storage space.

If attacker can make more than one attempt his
chances increase!

27
Length of the MAC (ii)

For most applications, 64 bits are enough.

NIST provides guidance. Two parameters:

MaxInvalids : maximum number of attempts before system
halts

Risk : highest acceptable probability that an inauthentic
message is mistakenly trusted.

Tlen ≥ log2 (MaxInvalids / Risk)

e.g. MaxInvalids = 1
Risk = 0.25
⇒ Tlen = 2 bits

28
Message span of the key (i)

It’s the total number of messages to which CMAC is

applied with the same key.

Affects security against attacks based on detecting
2 distinct messages that lead to the same MAC.

We call this event a collision.

This happens because possible messages are much more
than possible MACs.

It should not occur during the lifetime of a key.

Message span should be limited!

29
Message span of the key (ii)

Probability says that a collision is expected among a

set of 2b/2 messages.

For general purpose applications:

no more than 248 messages when b = 128

no more than 221 messages when b = 64

For higher level of security:

no more than 248 message blocks when b = 128 (222 GB)

no more than 221 message blocks when b = 64 (16 MB)

Sometimes message span is time-limited.

30
Protection vs. replay attacks

No protection against replay attacks is ensured by

CMAC:

Malicious user may intercept a message with its correct
MAC and send it at a later time.

It’s perfectly valid!

Such protection must be provided by protocol or
application that uses CMAC for authentication:

sequential number

timestamp

message nonce

etc.

31
Any questions?

32