Cryptography Reference
Adding Support for AEAD Mode Ciphers
TLS 1.0 defined two cipher modes: block and stream. The primary reason for the
distinction is that block ciphers need an IV and padding whereas stream ciphers
don't. TLS 1.2 describes a third cipher mode, Authenticated Encryption with
Associated Data (AEAD), that is often described as combining the authentication
with the encryption in one fell swoop. I find this description somewhat
misleading; AEAD ciphers encrypt the data and then MAC it, just like block
and stream ciphers do. However, the main difference is that an AEAD cipher
describes both a protection and an authentication method that must be used
as an inseparable unit.
Maximizing Throughput with Counter Mode
Recall from Chapter 2 that the simplest way to apply a block cipher is the
electronic code book (ECB) mode: chop the input into blocks and process each
one according to the block cipher itself. This mode has some problems, though,
because identical input blocks become identical output blocks. Because most
block ciphers operate on relatively short block sizes, an attacker can spot a lot of
similarities in a large block of plaintext encrypted with a single key. Cipher block
chaining (CBC), the preferred mode of SSL and TLS, combats this by XORing
each block, before encryption, with the encrypted prior block. Yet another mode,
output feedback (OFB), inverts CBC and, rather than encrypting the plaintext and
then XORing it with the initialization vector, encrypts the initialization vector
over and over again, XORing it with the plaintext and turning a block cipher
into a stream cipher.
STREAM CIPHERS VERSUS BLOCK CIPHERS
Stream ciphers have some advantages in some contexts. With stream ciphers,
there's no padding, so the ciphertext length is the same as the plaintext
length. On the other hand, this can be a vulnerability as well. If the ciphertext
is as long as the plaintext, a passive eavesdropper can determine the length of
the plaintext, which is a problem in many contexts. In HTTPS, for instance, the
browser usually sends a fixed-length block of header and preamble, with
the only variable-length part of the request being the page being requested. If
an eavesdropper knows the length of the plaintext, he can likely narrow down
the actual requested page to a short list. Block ciphers have an advantage
because the padding doesn't necessarily have to be the minimum amount that
makes a full block; if you need three bytes of padding to satisfy an eight-byte
block, you can choose to provide 3, 11, 19, 27, and so on up to 251 blocks of
padding to frustrate such an attack.
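The following added example (not code from the original text) runs the ECB, CBC and OFB modes described above over a toy 16-byte Feistel permutation built from SHA-256; that toy cipher stands in for a real block cipher and is an assumption of this sketch, and the key, IV and plaintext are constructed sample values. It shows ECB repeating ciphertext blocks for repeated plaintext blocks, CBC and OFB hiding them, and OFB producing ciphertext exactly as long as the plaintext, which is the length leak the sidebar describes.

```python
import hashlib

BLOCK = 16  # bytes per block; toy cipher below is NOT AES and not secure
HALF = BLOCK // 2

def _xor(a, b):
    # zip() stops at the shorter input, which OFB uses for a short final block
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key, rnd, half):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:HALF]

def encrypt_block(key, block):
    """Toy 4-round Feistel permutation standing in for a real block cipher."""
    left, right = block[:HALF], block[HALF:]
    for rnd in range(4):
        left, right = right, _xor(left, _round(key, rnd, right))
    return left + right

def _blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb(key, pt):
    # Each block is processed independently: equal input, equal output.
    return b"".join(encrypt_block(key, b) for b in _blocks(pt))

def cbc(key, iv, pt):
    # XOR each block with the previous ciphertext block before encrypting.
    out, prev = [], iv
    for b in _blocks(pt):
        prev = encrypt_block(key, _xor(b, prev))
        out.append(prev)
    return b"".join(out)

def ofb(key, iv, data):
    # Encrypt the IV repeatedly to build a keystream; same call decrypts.
    out, state = [], iv
    for b in _blocks(data):
        state = encrypt_block(key, state)
        out.append(_xor(b, state))
    return b"".join(out)

def repeated_blocks(ct):
    """Number of ciphertext blocks that duplicate an earlier block."""
    blocks = _blocks(ct)
    return len(blocks) - len(set(blocks))

# Constructed sample values: four identical 16-byte plaintext blocks.
KEY, IV = bytes(range(16)), bytes(range(16, 32))
PT = b"GET /index.html " * 4
```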