Block Cipher Modes — Details
In what follows, $E_k$ is the enciphering function for the block cipher $E$ using the key $k$, whereas $D_k = E_k^{-1}$ denotes the decryption function.
Electronic Code Book (ECB)
We begin with the simplest of the modes. In ECB mode, we input a sequence $m_j$, for $j \ge 1$, of 64-bit plaintext blocks, each of which is enciphered with the same key, producing a string of ciphertext blocks $c_j$. In other words, enciphering is
$$E_k(m_j) = c_j$$
and deciphering is
$$E_k^{-1}(c_j) = m_j.$$
The problem with this is that two identical plaintext blocks are sent to identical ciphertext blocks, so the ciphertext reveals which positions of the plaintext are equal, and a cryptanalyst can exploit that pattern without recovering the key. Some experts feel that this weakness is sufficient to render it insecure for any use, while others feel that it is ideal for sending small amounts of data, such as a single DES key, where no block is ever repeated. It certainly should not be used for sending large amounts of data in any case. The aforementioned weakness of ECB is overcome in the next mode.
Cipher Block Chaining (CBC)
In CBC mode, we first let $IV$ be an initialization vector (meaning a 64-bit input bitstring), set $c_0 = IV$, and let $k$ be the 64-bit input key. Given a sequence $m_j$ of 64-bit plaintext blocks, for $j \ge 1$, we recursively define encryption by
$$c_j = E_k(c_{j-1} \oplus m_j),$$
and decryption by
$$m_j = E_k^{-1}(c_j) \oplus c_{j-1}.$$
Thus, the weakness of ECB mode is eliminated by the modulo 2 addition (XOR) of each plaintext block with the previous ciphertext block, so that two equal plaintext blocks are enciphered to equal ciphertext blocks only if the ciphertext blocks preceding them happen to coincide as well. Essentially, this means that we have "chained together" the sequence of enciphered plaintext blocks. This obscures the relationship between the plaintext and ciphertext, substantially reducing the data a cryptanalyst can use effectively.
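The two modes defined above, as an added Python example that is not code from the text. A toy 64-bit Feistel cipher (four rounds, keyed round function built from SHA-256) stands in for $E_k$ and $D_k$; it is an illustrative stand-in for DES, not a secure cipher. ECB and CBC are then built on it exactly as in the formulas. The key and messages are constructed for the illustration, and the helpers has_repeated_blocks and random_iv are introduced here, not taken from the text. Running it shows the ECB leak (a repeated plaintext block gives a repeated ciphertext block), shows that CBC hides it, and previews the first-block problem with a fixed IV that the next paragraph raises.

```python
import hashlib
import secrets

BLOCK = 8  # 64-bit blocks, as in the DES-era setting of the text


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(k: bytes, r: int, half: bytes) -> bytes:
    # Keyed round function F_{k,r}: 32-bit half -> 32-bit value via SHA-256.
    return hashlib.sha256(k + bytes([r]) + half).digest()[:4]


def E(k: bytes, m: bytes) -> bytes:
    """E_k: toy 4-round Feistel cipher on one 64-bit block.
    Illustrative only; NOT a secure cipher. It stands in for DES so the
    behaviour of the modes can be observed."""
    if len(m) != BLOCK:
        raise ValueError("E_k takes exactly one 64-bit block")
    left, right = m[:4], m[4:]
    for r in range(4):
        left, right = right, _xor(left, _f(k, r, right))
    return right + left  # final swap so D_k can reuse the same structure


def D(k: bytes, c: bytes) -> bytes:
    """D_k = E_k^{-1}: the same rounds applied in reverse order."""
    if len(c) != BLOCK:
        raise ValueError("D_k takes exactly one 64-bit block")
    left, right = c[:4], c[4:]
    for r in reversed(range(4)):
        left, right = right, _xor(left, _f(k, r, right))
    return right + left


def _blocks(data: bytes):
    # Padding is out of scope here; insist on whole blocks instead of guessing.
    if len(data) % BLOCK:
        raise ValueError("input must be a whole number of 64-bit blocks (pad first)")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


# --- ECB: c_j = E_k(m_j), m_j = D_k(c_j) ---
def ecb_encrypt(k: bytes, pt: bytes) -> bytes:
    return b"".join(E(k, m) for m in _blocks(pt))


def ecb_decrypt(k: bytes, ct: bytes) -> bytes:
    return b"".join(D(k, c) for c in _blocks(ct))


# --- CBC: c_0 = IV, c_j = E_k(c_{j-1} XOR m_j), m_j = D_k(c_j) XOR c_{j-1} ---
def cbc_encrypt(k: bytes, iv: bytes, pt: bytes) -> bytes:
    prev, out = iv, []
    for m in _blocks(pt):
        prev = E(k, _xor(prev, m))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(k: bytes, iv: bytes, ct: bytes) -> bytes:
    prev, out = iv, []
    for c in _blocks(ct):
        out.append(_xor(D(k, c), prev))
        prev = c
    return b"".join(out)


def has_repeated_blocks(ct: bytes) -> bool:
    """The ECB tell: does any ciphertext block occur twice?"""
    bs = _blocks(ct)
    return len(set(bs)) < len(bs)


def random_iv() -> bytes:
    # A fresh, unpredictable IV per message from the OS CSPRNG.
    return secrets.token_bytes(BLOCK)


# Constructed sample data (not from the text): a message with a repeated block,
# and a second message sharing only its first block with the first.
KEY = b"\x01\x23\x45\x67\x89\xab\xcd\xef"
MSG = b"ATTACK!!" * 3 + b"AT DAWN!"
MSG2 = b"ATTACK!!" + b"AT NOON!"


def demo() -> None:
    iv = bytes(BLOCK)  # a fixed all-zero IV, to expose the first-block problem
    print("ECB repeats a ciphertext block:", has_repeated_blocks(ecb_encrypt(KEY, MSG)))
    print("CBC repeats a ciphertext block:", has_repeated_blocks(cbc_encrypt(KEY, iv, MSG)))
    print("fixed IV, equal first ciphertext blocks:",
          cbc_encrypt(KEY, iv, MSG)[:BLOCK] == cbc_encrypt(KEY, iv, MSG2)[:BLOCK])
    print("random IVs, equal first ciphertext blocks:",
          cbc_encrypt(KEY, random_iv(), MSG)[:BLOCK]
          == cbc_encrypt(KEY, random_iv(), MSG2)[:BLOCK])


if __name__ == "__main__":
    demo()
```

A practitioner's caveat on the IV discussion that follows: in current guidance (NIST SP 800-38A) the CBC IV travels in the clear alongside the ciphertext and need not be secret, but it must be unpredictable to anyone who can influence the plaintext; a fixed or otherwise predictable IV lets an attacker test guesses about the first block (the TLS 1.0 BEAST attack exploited exactly a predictable CBC IV). Two things the example deliberately leaves out are padding to a whole number of blocks and a MAC over the ciphertext; CBC without authentication is malleable and should not be deployed bare.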
Next is the not-so-obvious problem of how to choose $IV$. Most texts recognize the problems with leaking information about $IV$, and therefore suggest keeping it as secure as the key, since a cryptanalyst can derive information from it by posing as a sender using the man-in-the-middle attack.^{3.7} However, few cite the best solution to this problem. We should not have a fixed $IV$ or even a randomized $IV$, since there remains the problem (the one for which it is deemed necessary to keep $IV$ a secret), namely, either method requires that the recipient of the message has to know this $IV$. In the case of a fixed $IV$ we return to the ECB problem in encryption of the first block of each message: two messages that begin with the same plaintext block produce the same first ciphertext block. With the randomized $IV$, we require a secure randomizer at hand, for each message, which adds more effort in the use of the cipher, since as we will discover later,
^{3.7} To describe this attack, we introduce another of our cryptographic cast of characters, Mallory, the malicious active attacker. (This is as opposed to Eve, our passive eavesdropper.) The principal idea in the man-in-the-middle attack is that Mallory assumes a position between Alice and Bob. Mallory can stop all or parts of messages being sent between them and substitute his own data. In this way, he impersonates Alice and/or Bob, who believe they are communicating with each other, while they are really talking to Mallory.