Cryptography Reference
In-Depth Information
operating modes, padding, and key generation. Moreover, you will learn about
an interesting cryptanalytic attack (the insertion attack against stream ciphers),
and a useful trick.
5.1.1 Operating Modes: ECB, CBC, CFB, and OFB
Together with the DES standardization, four operating modes were defined for
this algorithm. Rather than concerning DES in particular, they are applicable
to all block algorithms. While a block algorithm per se can transform only
one
plaintext block into
one
ciphertext block (and vice versa), these operating
modes specify how a
sequence
of plaintext blocks should be encrypted. While
the ECB and CBC modes function as block ciphers, the CFB and OFB modes
only use the block algorithm to define a stream cipher.
ECB: Electronic Codebook Mode
You've already come to know the ECB mode, just not by its name: plain-
text blocks are transformed successively into the corresponding ciphertext
blocks — that's all. The name is due to the fact that ciphering is done as if
we were traditional spies using a codebook, and replacing the sensitive words
by other words based on a rigid scheme. Except that, in our sense, these 'words'
correspond to plaintext blocks, and the codebook would be rather extensive, for
example, when using DES with 2
64
(18 trillion) entries; in addition, we would
use a different one for each key.
ECB is the simplest way of embedding a block algorithm into a program, but
also the most insecure. Why?
Assume you want to send somebody a secret drawing. You don't know that
your application works very weakly in this respect: it scans the drawing line
by line and creates only the bit values 0 and 1 for 'white' and 'black', similar
to a fax machine, but without compression. The rough manual drawing might
be composed of relatively few strokes. The bit stream created would contain
long sequences of zero bits, interrupted by few bits with value 1. You use, say,
DES to encrypt this bit stream and send it over a channel, unaware of the fact
that an attacker is listening. This attacker sees that one ciphertext block occurs
much more frequently than all others. That's probably the encryption of 64
zero bits, he thinks instantly; the other blocks contain at least one 1-bit. With a
resolution of 180 dpi (corresponding to a dot size of 0.14 mm), the attacker can
easily make out the blackening in the drawing, except for a horizontal deviation
of approximately 9 mm and a vertical deviation of 0.14 mm. That's very useful
for the attacker!
