Cryptography Reference
In-Depth Information
5.1 Encryption with Block Ciphers: Modes of Operation
In the previous chapters we introduced how DES, 3DES and AES encrypt a block
of data. Of course, in practice one wants typically to encrypt more than one single
8-byte or 16-byte block of plaintext, e.g., when encrypting an e-mail or a computer
file. There are several ways of encrypting long plaintexts with a block cipher. We
introduce several popular modes of operation in this chapter, including
Electronic Code Book mode (ECB),
Cipher Block Chaining mode (CBC),
Cipher Feedback mode (CFB),
Output Feedback mode (OFB),
Counter mode (CTR).
The latter three modes use the block cipher as a building block for a stream cipher.
All of the five modes have one goal: They encrypt data and thus provide confi-
dentiality for a message sent from Alice to Bob. In practice, we often not only want
to keep data confidential, but Bob also wants to know whether the message is re-
ally coming from Alice. This is called authentication and the Galois Counter mode
(GCM), which we will also introduce, is a mode of operation that lets the receiver
(Bob) determine whether the message was really sent by the person he shares a key
with (Alice). Moreover, authentication also allows Bob to detect whether the cipher-
text was altered during transmission. More on authentication is found in Chap. 10.
The ECB and CFB modes require that the length of the plaintext be an exact
multiple of the block size of the cipher used, e.g., a multiple of 16 bytes in the
case of AES. If the plaintext does not have this length, it must be padded. There
are several ways of doing this padding in practice. One possible padding method
is to append a single “1” bit to the plaintext and then to append as many “0” bits
as necessary to reach a multiple of the block length. Should the plaintext be an
exact multiple of the block length, an extra block consisting only of padding bits is
appended.
5.1.1 Electronic Codebook Mode (ECB)
The
Electronic Code Book (ECB)
mode is the most straightforward way of encrypt-
ing a message. In the following, let
e
k
(
x
i
) denote the encryption of plaintext block
x
i
with key
k
using some arbitrary block cipher. Let
e
−
k
(
y
i
) denote the decryption
of ciphertext block
y
i
with key
k
. Let us assume that the block cipher encrypts (de-
crypts) blocks of size
b
bits. Messages which exceed
b
bits are partitioned into
b
-bit
blocks. If the length of the message is not a multiple of
b
bits, it must be padded to
a multiple of
b
bits prior to encryption. As shown in Fig. 5.1, in ECB mode each
block is encrypted separately. The block cipher can, for instance, be AES or 3DES.
Encryption and decryption in the ECB mode is formally described as follows:
