Lecture 21-26 (Block Ciphers Modes of Operation RC4)

CT-460
Network & Information Security

Block Ciphers Modes of Operation
Stream Ciphers (RC4)
Lecture 21-26

Dr. Muhammad Mubashir Khan
[email protected]
March 2013

Department of Computer Science & IT, NED University of Engineering & Technology
Message Padding
• The plaintext message is broken into blocks P1, P2, P3, ...
• The last block is usually incomplete
• It needs some extra bits (padding bits) to fill the block
• Several padding schemes:
– Add null bytes to the plaintext to bring its length up to a multiple of the block size (ambiguous: if the plaintext itself ends in null bytes the receiver cannot tell where the pad starts)
– Add a number indicating the size of the pad (the scheme standardised as PKCS#7: n bytes, each holding the value n)
– Add a number indicating the size of the plaintext
• The last two schemes may require an extra block: a plaintext that already fills its final block still needs a pad, which spills into one more block.
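The second scheme (a number indicating the size of the pad) and the null-byte scheme, as an added example that is not part of the lecture. The block size of 16 bytes is an assumption (AES); DES would use 8. It shows why the "size of the pad" scheme needs an extra block for a full final block and why the null-byte scheme cannot be stripped reliably.

```python
# Added example, not from the lecture: PKCS#7-style padding ("number
# indicating the size of the pad") beside null-byte padding.
BLOCK = 16  # assumed block size in bytes (AES); DES would be 8


def pkcs7_pad(msg: bytes, block: int = BLOCK) -> bytes:
    """Append n bytes each of value n, 1 <= n <= block.

    A message that already fills its last block still gets a full block of
    padding; that is the 'extra block' the slide mentions.
    """
    n = block - (len(msg) % block)
    return msg + bytes([n]) * n


def pkcs7_unpad(padded: bytes, block: int = BLOCK) -> bytes:
    """Strip the pad, rejecting anything malformed."""
    if not padded or len(padded) % block:
        raise ValueError("bad length")
    n = padded[-1]
    if n < 1 or n > block or padded[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return padded[:-n]


def padding_is_valid(padded: bytes, block: int = BLOCK) -> bool:
    """True iff the pad checks out. A decryptor that leaks this bit to the
    sender (via an error message or timing) is a padding oracle, so real
    code must not distinguish a bad pad from any other decryption failure."""
    try:
        pkcs7_unpad(padded, block)
        return True
    except ValueError:
        return False


def null_pad(msg: bytes, block: int = BLOCK) -> bytes:
    """First scheme on the slide: zero bytes up to the block boundary."""
    return msg + b"\x00" * (-len(msg) % block)


def null_unpad(padded: bytes) -> bytes:
    """Strip trailing zero bytes. Ambiguous: genuine trailing NULs are lost."""
    return padded.rstrip(b"\x00")


def blocks(data: bytes, block: int = BLOCK) -> list:
    """Split a padded message into P1, P2, P3, ..."""
    return [data[i:i + block] for i in range(0, len(data), block)]


if __name__ == "__main__":
    # constructed sample inputs
    short = b"attack at dawn"       # 14 bytes: fits in one block with a 2-byte pad
    exact = b"sixteen byte msg"     # 16 bytes: PKCS#7 still adds a whole block
    nuls = b"id=7\x00\x00"          # plaintext that genuinely ends in NUL bytes
    print(len(blocks(pkcs7_pad(short))), len(blocks(pkcs7_pad(exact))))  # 1 2
    print(pkcs7_unpad(pkcs7_pad(nuls)) == nuls)   # True: pad length is explicit
    print(null_unpad(null_pad(nuls)) == nuls)     # False: the NULs were eaten
```

`padding_is_valid` exists only to make the check testable; a receiver that reports that result to the network turns CBC into a padding oracle.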
Block Ciphers Modes of Operation
• The way in which the block cipher scheme is implemented
1. ECB (Electronic Code Book)
2. CBC (Cipher Block Chaining)
3. PCBC (Propagating Cipher Block Chaining)
4. CFB (Cipher Feedback)
5. OFB (Output Feedback)
6. CTR (Counter)
ECB - Electronic Code Book
• Each block is encrypted independently: Ci = E(K, Pi)
• Identical plaintext blocks are encrypted into identical ciphertext blocks
ECB - Disadvantages
• Same (repetitive) encrypted information can be observed very easily
• Susceptible to replay attacks: blocks can be reordered, duplicated or replayed without detection
• Does not hide pattern information
[Figure: an image encrypted with ECB beside the same image encrypted with other modes]
• Not recommended for use in security protocols
• Applications:
– Encrypt small amounts of information
– Temporary encryption keys
CBC - Cipher Block Chaining
• Most commonly used mode of operation; invented by IBM in 1976
• Ci = E(K, Pi ⊕ Ci-1), with C0 = IV
• Repeated plaintext blocks are encrypted differently
• Each ciphertext block is dependent on all plaintext blocks processed up to that point
• Encryption is sequential (i.e., it cannot be parallelized) because Ci-1 is needed to compute Ci
• IV must be known to both the sender & receiver
• IV is either a fixed value or is sent encrypted in ECB mode before the rest of the ciphertext
– Caveat: NIST SP 800-38A requires the CBC IV to be unpredictable to an attacker. With a fixed IV, two messages that start with the same block produce the same first ciphertext block, which is exactly the leak CBC is meant to prevent.
CBC - Decryption
• Pi = D(K, Ci) ⊕ Ci-1, with C0 = IV
• A plaintext block can be recovered from two adjacent blocks of ciphertext; as a consequence, decryption can be parallelized
• Decrypting with the incorrect IV causes the first block of plaintext to be corrupted, but subsequent plaintext blocks will be correct
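ECB and CBC written directly from the definitions above, as an added example that is not part of the lecture. It uses a small 8-byte Feistel cipher built from SHA-256 so the script runs with no third-party library; that toy cipher is an assumption standing in for DES/AES, and the mode logic is the point. It shows ECB leaking repeated blocks, CBC hiding them, and the wrong-IV behaviour from the decryption slide.

```python
# Added example, not from the lecture: ECB and CBC over a toy Feistel cipher.
import hashlib

BLOCK = 8  # bytes; the toy cipher works on 64-bit blocks, like DES


def _round(key: bytes, r: int, half: bytes) -> bytes:
    """Round function F_r(half) = SHA-256(key || r || half)[:4] (toy, assumed)."""
    return hashlib.sha256(key + bytes([r]) + half).digest()[:4]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def toy_encrypt(key: bytes, block: bytes) -> bytes:
    """4-round Feistel network: (L, R) -> (R, L xor F_r(R))."""
    assert len(block) == BLOCK
    L, R = block[:4], block[4:]
    for r in range(4):
        L, R = R, xor(L, _round(key, r, R))
    return L + R


def toy_decrypt(key: bytes, block: bytes) -> bytes:
    """Same rounds in reverse; a Feistel network inverts for free."""
    L, R = block[:4], block[4:]
    for r in reversed(range(4)):
        L, R = xor(R, _round(key, r, L)), L
    return L + R


def split(data: bytes) -> list:
    assert len(data) % BLOCK == 0, "pad the message first"
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, pt: bytes) -> bytes:
    """C_i = E(K, P_i): every block stands alone, so equal blocks show."""
    return b"".join(toy_encrypt(key, p) for p in split(pt))


def ecb_decrypt(key: bytes, ct: bytes) -> bytes:
    return b"".join(toy_decrypt(key, c) for c in split(ct))


def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    """C_i = E(K, P_i xor C_{i-1}), C_0 = IV: inherently sequential."""
    out, prev = [], iv
    for p in split(pt):
        prev = toy_encrypt(key, xor(p, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    """P_i = D(K, C_i) xor C_{i-1}: needs only two adjacent ciphertext
    blocks per output block, so this could run in parallel."""
    cs = split(ct)
    return b"".join(xor(toy_decrypt(key, c), prev) for prev, c in zip([iv] + cs, cs))


if __name__ == "__main__":
    key, iv = b"constructed-key!", bytes(BLOCK)         # constructed inputs
    pt = b"SAMEBLCK" * 3 + b"DIFFERNT"                  # three identical blocks
    e = split(ecb_encrypt(key, pt))
    c = split(cbc_encrypt(key, iv, pt))
    print(e[0] == e[1] == e[2])      # True : ECB leaks the repetition
    print(c[0] == c[1])              # False: chaining hides it
    # wrong IV on decryption: only the first block is garbled
    w = split(cbc_decrypt(key, b"\xff" * BLOCK, cbc_encrypt(key, iv, pt)))
    print(w[0] != b"SAMEBLCK", w[1:] == split(pt)[1:])   # True True
```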
Propagating Cipher-Block Chaining (PCBC)
• Encryption: Ci = E(K, Pi ⊕ Pi-1 ⊕ Ci-1), with P0 ⊕ C0 = IV
• Decryption: Pi = D(K, Ci) ⊕ Pi-1 ⊕ Ci-1
• PCBC is used in Kerberos v4
• If two adjacent ciphertext blocks are interchanged, this does not affect the decryption of subsequent blocks (a weakness: the swap is not noticed downstream)
Cipher Feedback (CFB)
• Encryption: Ci = Pi ⊕ E(K, Ci-1), with C0 = IV
• Decryption: Pi = Ci ⊕ E(K, Ci-1); the same encryption algorithm is used for decryption, and the block cipher's inverse is never needed
Stream Cipher Implementation of CFB
• Uses the block cipher (e.g. DES) as a stream cipher
• Eliminates the need to pad a message to an integral number of blocks
• Can be operated in real time (e.g. on a stream of characters)
• Plaintext is divided into segments of s bits, 1 ≤ s ≤ b, where b is the block size (s = 8 gives a byte-oriented stream; s = b is the full-block CFB above)
• The input to the encryption function is a b-bit shift register that is initially set to the IV
• A sequence of keys k1, k2, k3, ... is generated, each of s bits
Stream Cipher Implementation of CFB - Encryption process
• The input is a b-bit shift register that is initially set to the IV
• The leftmost s bits of the encryption output serve as the key k1 for the first segment, which is XORed with the first plaintext segment to give the s-bit ciphertext segment:
C1 = P1 ⊕ Ss(E(K, IV)), where Ss means the s bits from the left side (msb)
• The register is then shifted left by s bits and C1 is shifted in on the right; encrypting the new register contents gives k2 for the next segment, and so on
Stream Cipher Implementation of CFB - Decryption process
• Same process, except that the ciphertext segment C is XORed with k1 instead of the plaintext P, giving the s-bit plaintext segment:
P1 = C1 ⊕ Ss(E(K, IV)), where Ss means the s bits from the left side (msb)
• The received ciphertext segment is shifted into the register exactly as on the encryption side, so both sides generate the same k1, k2, ...
Stream Cipher Implementation of CFB
• Disadvantage: bit errors in the transmission of C1 propagate to the following plaintext segments: P1 gets the same bit error, and the next b/s segments are garbled for as long as the corrupted segment sits in the shift register
• Advantage: less vulnerable to a message-stream modification attack, because a minor modification of a single cipher segment propagates to many following segments (easy to detect). Error propagation is not a substitute for integrity protection, though; a MAC is still needed.
Output Feedback (OFB)
• Same as CFB mode, except that the output of the encryption function (not the ciphertext) is fed back into the input of the shift register
• Encryption process: ki = Ss(E(K, shift register)), the s bits from the msb side; Ci = Pi ⊕ ki; the s output bits are then shifted into the register
• Decryption process: the same encryption function is applied to generate the same keys k1, k2, ...; Pi = Ci ⊕ ki
• Because the keystream depends only on K and the IV, it can be generated before the plaintext is available
Output Feedback (OFB)
• Advantage: bit errors in the transmission of C1 do not propagate to the following segments C2, C3, ...; only the corresponding bits of P1 are affected
• Disadvantages:
– Vulnerable to a message-stream modification attack: Eve can flip bits in a cipher segment to flip exactly the corresponding bits of the plaintext segment
– A clever Eve may apply the necessary changes to the checksum portion of the message to hide the modification from detection (an unkeyed checksum such as a CRC is linear over XOR, so this is straightforward; a keyed MAC is required)
– A (K, IV) pair must never be reused: two messages under the same keystream leak the XOR of their plaintexts
Counter Mode (CTR)
• Applications:
– ATM (Asynchronous Transfer Mode) network security, IPsec
• Features:
– Any block can be processed without following the cipher block sequence (no chaining)
– A different counter value for every (plaintext/ciphertext) block
– Similar encryption/decryption processes (simple structure)
– Parallel encryption/decryption of blocks is possible (improves hardware/software efficiency)
– Better processing throughput if the outputs of the counter encryption are prepared in advance
– Decryption key scheduling need not be implemented (same encryption/decryption algorithms)
• Encryption: the counter T1 is initialized to some value and incremented by 1 (or any fixed step) for every block
O1 = E(K, T1), O2 = E(K, T2), ..., On = E(K, Tn)
C1 = P1 ⊕ O1, C2 = P2 ⊕ O2, ..., Cn = Pn ⊕ On
• Decryption: the same sequence of counters as for encryption
P1 = C1 ⊕ O1, P2 = C2 ⊕ O2, ..., Pn = Cn ⊕ On
• From the NIST SP 800-38A Recommendation: every counter block used under a given key must be distinct, within a message and across all messages; a repeated counter reuses keystream and leaks the XOR of the two plaintexts
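The three stream modes above (s-bit CFB, s-bit OFB and CTR) written from the shift-register description, as an added example that is not part of the lecture. None of these modes ever calls the block cipher's inverse, so E(K, ·) is modelled here by HMAC-SHA256 truncated to a 16-byte block; that stand-in, the 128-bit block size and the 8-bit segment size are assumptions. The script then injects one bit error into C1 and reports which segments decrypt wrongly, which is the propagation difference the CFB and OFB slides describe.

```python
# Added example, not from the lecture: CFB-8, OFB-8 and CTR with a bit-error
# propagation test. E(K, .) is a PRF stand-in (HMAC-SHA256), an assumption.
import hashlib
import hmac

B = 16  # block size b = 128 bits (assumed, as in AES); segment size s = 8 bits


def E(key: bytes, block: bytes) -> bytes:
    """Forward direction of the block cipher only; a PRF is all these modes need."""
    return hmac.new(key, block, hashlib.sha256).digest()[:B]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cfb8(key: bytes, iv: bytes, data: bytes, decrypt: bool = False) -> bytes:
    """CFB with s = 8: k_i = S_s(E(K, register)) is the leftmost byte of the
    cipher output; C_i = P_i xor k_i; the register shifts left by s bits and
    the ciphertext byte enters on the right. Decryption is the same loop;
    only the byte fed back (the received ciphertext) differs."""
    reg, out = iv, bytearray()
    for x in data:
        k = E(key, reg)[0]
        y = x ^ k
        out.append(y)
        fed_back = x if decrypt else y
        reg = reg[1:] + bytes([fed_back])
    return bytes(out)


def ofb8(key: bytes, iv: bytes, data: bytes) -> bytes:
    """OFB with s = 8: the cipher OUTPUT byte is fed back, not the ciphertext,
    so the keystream depends only on (K, IV) and encrypt == decrypt."""
    reg, out = iv, bytearray()
    for x in data:
        o = E(key, reg)
        out.append(x ^ o[0])
        reg = reg[1:] + o[:1]
    return bytes(out)


def ctr(key: bytes, counter0: int, data: bytes) -> bytes:
    """CTR: O_i = E(K, T_i) with T_i = counter0 + (i - 1), C_i = P_i xor O_i.
    No chaining, so blocks could be done in any order; a short final block
    just uses a prefix of O_n, so no padding is needed."""
    out = bytearray()
    for n, i in enumerate(range(0, len(data), B)):
        t = ((counter0 + n) % (1 << (8 * B))).to_bytes(B, "big")
        out += xor(data[i:i + B], E(key, t))
    return bytes(out)


def flip_bit(data: bytes, byte_index: int, bit: int) -> bytes:
    """Simulate one transmission error (or one deliberate modification)."""
    d = bytearray(data)
    d[byte_index] ^= 1 << bit
    return bytes(d)


def damaged_segments(original: bytes, recovered: bytes) -> list:
    """Indices of the 8-bit segments that did not decrypt correctly."""
    return [i for i, (a, b) in enumerate(zip(original, recovered)) if a != b]


if __name__ == "__main__":
    key, iv = b"constructed key!", b"constructed iv!!"   # constructed, 16 bytes each
    pt = bytes(range(40))                                 # constructed plaintext
    ct = flip_bit(cfb8(key, iv, pt), 0, 3)                # one bit error in C_1
    # CFB-8: segment 0 plus (nearly all of) segments 1..16, never 17 onwards
    print("CFB-8:", damaged_segments(pt, cfb8(key, iv, ct, decrypt=True)))
    ct = flip_bit(ofb8(key, iv, pt), 0, 3)
    print("OFB-8:", damaged_segments(pt, ofb8(key, iv, ct)))   # [0] only
    ct = flip_bit(ctr(key, 7, pt), 0, 3)
    print("CTR:  ", damaged_segments(pt, ctr(key, 7, ct)))     # [0] only
```

In CFB the flipped ciphertext bit flips the same bit of P1 and then garbles the next b/s = 16 segments while it travels through the register; in OFB and CTR it flips exactly one plaintext bit and nothing else, which is the "message stream modification" an attacker exploits when there is no MAC.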
Stream Cipher
• The plaintext is XORed with a keystream generated from the key
• The keystream should have a large period and be as random as possible
• A keystream must not be reused: two messages encrypted under the same keystream leak the XOR of their plaintexts, and one known plaintext then reveals the other
• The keystream can be a stream of bits, or bytes, or units of any size ...
RC4
• Designed by Ron Rivest in 1987 for RSA Security
• Kept as a trade secret until it leaked in 1994
• For many years the most popular stream cipher (now deprecated: RFC 7465 prohibits RC4 cipher suites in TLS)
• Important features
– Simple and fast
– Efficient implementations in both software and hardware
– Very easy to implement
• With a 128-bit key, the period is > 10^100
• Applications:
– SSL/TLS standards (for secure Web communication)
– IEEE 802.11 wireless LAN standard (in WEP)
– Microsoft Point-to-Point Encryption (for encrypting data across Point-to-Point Protocol (PPP) and virtual private network (VPN) links)
– and many others
RC4 Internal Structure
• A key stream is generated by using a secret internal state consisting of
– A permutation of all 256 possible bytes (denoted by "S")
– Two 8-bit index pointers (denoted by "i" & "j")
• The permutation is initialized with a variable-length key, typically between 40 and 256 bits, using the Key Scheduling Algorithm (KSA)
• The stream of bytes is generated using the Pseudo-random Generation Algorithm (PRGA)
Key Scheduling Algorithm (KSA)
for i from 0 to 255
    S[i] := i
endfor
j := 0
for i from 0 to 255
    j := (j + S[i] + key[i mod keylength]) mod 256
    swap values of S[i] and S[j]
endfor

• The key-scheduling algorithm is used to initialize the permutation in the array "S"
• "keylength" is the number of bytes in the key (1 ≤ keylength ≤ 256)
– Typically between 5 and 16, corresponding to a key length of 40 to 128 bits
• First, the array "S" is initialized to the identity permutation
• S is then processed for 256 iterations in a similar way to the main PRGA, but also mixes in bytes of the key at the same time
Lookup Stage of RC4
The output byte is selected by looking up the values of S[i] and S[j], adding them together modulo 256, and then looking up the sum in S; S[S[i] + S[j]] is used as a byte of the key stream, K.
Pseudo-random Generation Algorithm (PRGA)
i := 0
j := 0
while GeneratingOutput:
    i := (i + 1) mod 256
    j := (j + S[i]) mod 256
    swap values of S[i] and S[j]
    K := S[(S[i] + S[j]) mod 256]
    output K
endwhile
(each output byte K is XORed with one plaintext byte)

• For as many iterations as are needed, the PRGA modifies the state and outputs a byte of the key stream
• Increments i, looks up the ith element of S, S[i], and adds that to j
• Exchanges the values of S[i] and S[j]
• Uses the sum S[i] + S[j] (modulo 256) as an index to fetch a third element of S (the keystream value K)
• Each element of S is swapped with another element at least once every 256 iterations
• Memory usage
– 256 bytes of memory for the state array, S[0] through S[255]
– k bytes of memory for the key, key[0] through key[k-1], and integer variables i, j, and K
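The KSA and PRGA above as running Python, checked against published RC4 known-answer vectors, as an added example that is not part of the lecture. The second half shows the keystream-reuse failure from the Stream Cipher slide: two messages under the same RC4 key use the identical keystream, so an attacker who knows one plaintext recovers the other without the key. The plaintexts used for that demonstration are constructed.

```python
# Added example, not from the lecture: RC4 KSA + PRGA and keystream reuse.


def rc4_ksa(key: bytes) -> list:
    """Key-Scheduling Algorithm: key-dependent permutation of 0..255."""
    assert 1 <= len(key) <= 256
    S = list(range(256))                      # identity permutation
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    return S


def rc4_keystream(key: bytes):
    """Pseudo-Random Generation Algorithm: yields one keystream byte per step."""
    S, i, j = rc4_ksa(key), 0, 0
    while True:
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) % 256]          # lookup stage


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Encryption and decryption are the same operation: XOR with keystream."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def recover_with_crib(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """Keystream reuse: C1 xor C2 = P1 xor P2, so a known P1 yields P2
    for the overlapping length, without ever touching the key."""
    return xor_bytes(xor_bytes(c1, c2), known_p1)


if __name__ == "__main__":
    # Known-answer vectors: key "Key"/"Plaintext", key "Wiki"/"pedia"
    print(rc4_crypt(b"Key", b"Plaintext").hex())   # bbf316e8d940af0ad3
    print(rc4_crypt(b"Wiki", b"pedia").hex())      # 1021bf0420
    # Constructed pair of messages encrypted under one key with no nonce
    c1 = rc4_crypt(b"Secret", b"Attack at dawn")
    c2 = rc4_crypt(b"Secret", b"Attack at noon")
    print(recover_with_crib(c1, c2, b"Attack at dawn"))   # b'Attack at noon'
```

Any stream cipher used this way has the same failure; RC4 has no nonce input of its own, so a protocol that reuses an RC4 key for more than one message must derive a fresh per-message key.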
Programming  Assignment  
• Make a program for RC4