Block Cipher Modes

Block ciphers can be used in a variety of ways, with different secrecy and error recovery properties. DES in Tcl prompted me to add some information about the four commonly used modes.

Block ciphers are encryption/decryption methods that work on fixed-size blocks of plaintext and ciphertext, hence the name block cipher. There are many different block ciphers in existence, and these modes apply to almost all of them.

- Pascal Scheffers

Electronic Codebook Mode (ECB)

This is the simplest mode of operation. Each plaintext block is encrypted/decrypted individually, so a given plaintext block under a given key always produces the same ciphertext block. No error propagation occurs, as all blocks are independent. Because of that independence, an opponent can reorder, remove or replay ciphertext blocks without causing decryption to fail.

This mode is to be used with extreme caution, as it is very vulnerable to a whole host of attacks.

Cipher Block Chaining Mode (CBC)

This mode uses an Initialization Vector (IV) and chains all blocks together by XORing the output of the encryption of one block with the next plaintext block before that block is encrypted. This makes the decryption of a block dependent on the previous ciphertext block, so a single bit error in one block will cause failure of decryption in the following block as well.

The IV does not need to be secret, but it must be communicated to the receiver. It is important that the IV is different for each new plaintext, and it should be generated such that a malicious user has no influence on its value. An unpredictable IV may be desirable for some applications.

Encryption:

 # the IV must be a fresh block for every message; random_block is a
 # placeholder for a secure random generator (expr rand() takes no
 # argument and only returns a float in [0,1), so it cannot be used here)
 set IV [random_block $blocksize]
 set lastblock $IV
 set ciphertext ""
 foreach block [split_in_blocks $blocksize $plaintext] {
   # blocks are handled as integers, so ^ is a bitwise XOR
   set lastblock [encrypt $key [expr {$lastblock ^ $block}]]
   append ciphertext $lastblock
 }

Decryption:

 set lastblock $IV
 set plaintext ""
 foreach block [split_in_blocks $blocksize $ciphertext] {
   # decrypt the block, then undo the chaining XOR with the previous ciphertext block
   append plaintext [expr {$lastblock ^ [decrypt $key $block]}]
   set lastblock $block
 }

As a slight modification of this mode, the IV can be encrypted using the block cipher and transmitted as the first ciphertext block. However, if the IV was chosen well (i.e. fully random), this adds no extra security for most applications.

Cipher Feedback Mode (CFB)

This mode allows transmission of messages of fewer bits than the block size (used, for example, in interactive terminal sessions). In other words, it allows the DES block cipher to be used as a stream cipher. Its error propagation properties are similar to those of CBC.

CFB works by encrypting an initialization vector to produce an output block, then XORing consecutive bits of that output block with consecutive bits of plaintext to produce the ciphertext. Once one block's worth of ciphertext has been produced, it becomes the input to the block cipher to produce the next output block, and the process repeats.

                          key
                           |
                           v
                   +--------------+  
               +-->| block cipher |---+
               |   +--------------+   |
               |                      |
               |                      v
   plaintext --(-------------------->(X)--+--> ciphertext
               |                          |
               +--------------------------+

[add sample code]

Output Feedback Mode (OFB)

This mode is similar to cipher feedback, except that errors do not propagate. It is also more vulnerable to attack than cipher feedback. In output feedback, the output of the DES block cipher is fed back as the input to produce the next block. Consecutive bits of the block cipher output are XORed with the plaintext to produce the ciphertext.

The algorithms for encryption and decryption are identical.

                         key
                          |
                          v
                   +--------------+  
               +-->| block cipher |---+
               |   +--------------+   |
               |                      |
               +----------------------+
                                      |
                                      v
   plaintext ----------------------->(X)---> ciphertext

[add sample code]
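An added example, not from the original page or from DES in Tcl, that implements the CBC chaining shown above and the CFB and OFB loops described in the last two sections, then flips a single ciphertext bit to show which plaintext blocks each mode loses. It assumes a constructed SHA-256 Feistel stand-in in place of DES, chosen only to keep the example self-contained; it is not a secure cipher.

```python
import hashlib
BS = 8  # 64-bit blocks, like DES; inputs are assumed to be whole blocks (no padding here)
def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))
def blocks(data): return [data[i:i + BS] for i in range(0, len(data), BS)]

# Constructed stand-in for DES: a 4-round Feistel network with a SHA-256 round
# function. NOT secure; just an invertible keyed block function for the demo.
def _f(half, key, rnd):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]
def block_encrypt(key, block):
    left, right = block[:4], block[4:]
    for rnd in range(4):
        left, right = right, xor(left, _f(right, key, rnd))
    return left + right
def block_decrypt(key, block):
    left, right = block[:4], block[4:]
    for rnd in reversed(range(4)):  # undo the rounds in reverse order
        left, right = xor(right, _f(left, key, rnd)), left
    return left + right

def cbc_encrypt(key, iv, pt):  # C_i = E(P_i xor C_{i-1}), with C_0 = IV
    out, last = [], iv
    for p in blocks(pt):
        last = block_encrypt(key, xor(last, p))
        out.append(last)
    return b"".join(out)
def cbc_decrypt(key, iv, ct):  # P_i = D(C_i) xor C_{i-1}
    out, last = [], iv
    for c in blocks(ct):
        out.append(xor(last, block_decrypt(key, c)))
        last = c
    return b"".join(out)
def cfb_crypt(key, iv, data, decrypt=False):  # full-block CFB, one function for both ways
    out, fb = [], iv  # keystream block = E(previous ciphertext block)
    for chunk in blocks(data):
        o = xor(block_encrypt(key, fb), chunk)
        out.append(o)
        fb = chunk if decrypt else o  # the feedback is always the ciphertext block
    return b"".join(out)
def ofb_crypt(key, iv, data):  # keystream = E(IV), E(E(IV)), ...; same both ways
    out, fb = [], iv
    for chunk in blocks(data):
        fb = block_encrypt(key, fb)
        out.append(xor(fb, chunk))
    return b"".join(out)

def damaged_blocks(pt, ct, decrypt_fn):  # flip one bit in ciphertext block 1, list broken plaintext blocks
    bad = bytearray(ct); bad[BS] ^= 0x01
    rec = blocks(decrypt_fn(bytes(bad)))
    return [i for i, p in enumerate(blocks(pt)) if rec[i] != p]
```

With a four-block message, a one-bit error in ciphertext block 1 breaks blocks 1 and 2 under CBC and CFB, but only block 1 under OFB, which is the propagation behaviour described in the sections above.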

See also the info for Trfcrypt [L1 ].