Cryptography: the mode of operation
When you encrypt a long message…
If two plaintext blocks are the same → the corresponding ciphertext blocks will be the same → this leaks information when the message is long and contains repeated blocks.
What we want
We want to make the output different even for two identical plaintext blocks.
Mode of operation
- A typical (proper) block cipher encryption scheme has two inputs besides the key: 1) the plaintext, 2) a random number. (ECB works on the plaintext only, without chaining, and is therefore weak.)
- If we want to make the output different even for two identical blocks, we need to make the input to the block cipher algorithm different.
- The way of doing this is called the mode of operation.
What’s important is the use of 1) chaining and 2) an additional random number (salt).
Two categories of Mode of Operation
- Apply the block cipher algorithm to the plaintext → ECB, CBC
- Apply the block cipher algorithm to the random number → CFB, OFB, CTR
CFB, OFB, and CTR modes turn a block cipher into a stream cipher!!
- We no longer need to wait until enough data (plaintext) is available to fill a cipher block.
- We can encrypt the plaintext bit by bit; this is because the plaintext is XORed with the output of the cipher block, and XOR is a bit-wise operation.
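The three points above (ECB repeats, chaining hides repeats, CTR encrypts byte by byte), shown with Go's standard-library AES. This is an added example, not code from the original notes; the key, IV and plaintext are constructed and fixed only so the run is reproducible, and the ECB loop is written out by hand because the standard library deliberately has no ECB mode.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed, fixed key and IV so the run is reproducible. Real code keeps the
// key secret and draws a fresh IV for every message.
var (
	demoKey = []byte("0123456789abcdef") // 16 bytes -> AES-128
	demoIV  = []byte("fedcba9876543210") // 16 bytes = one AES block
)

func mustAES(key []byte) cipher.Block {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return block
}

// ecbEncrypt runs the block cipher on each block on its own, with no chaining.
// Spelled out by hand only to make the weakness visible; pt must be whole blocks.
func ecbEncrypt(key, pt []byte) []byte {
	block := mustAES(key)
	out := make([]byte, len(pt))
	for i := 0; i < len(pt); i += block.BlockSize() {
		block.Encrypt(out[i:i+block.BlockSize()], pt[i:i+block.BlockSize()])
	}
	return out
}

// cbcEncrypt chains blocks: each plaintext block is XORed with the previous
// ciphertext block (the IV for the first one) before the cipher is applied.
func cbcEncrypt(key, iv, pt []byte) []byte {
	out := make([]byte, len(pt))
	cipher.NewCBCEncrypter(mustAES(key), iv).CryptBlocks(out, pt)
	return out
}

// ctrEncrypt applies the cipher to IV||counter, never to the plaintext, and
// XORs the resulting keystream with the plaintext.
func ctrEncrypt(key, iv, pt []byte) []byte {
	out := make([]byte, len(pt))
	cipher.NewCTR(mustAES(key), iv).XORKeyStream(out, pt)
	return out
}

// ctrEncryptByteByByte feeds CTR one byte at a time, as a stream cipher would,
// to show that no full block has to be buffered before encrypting.
func ctrEncryptByteByByte(key, iv, pt []byte) []byte {
	stream := cipher.NewCTR(mustAES(key), iv)
	out := make([]byte, len(pt))
	for i := range pt {
		stream.XORKeyStream(out[i:i+1], pt[i:i+1])
	}
	return out
}

// hasRepeatedBlocks reports whether any two 16-byte blocks of ct are identical,
// which is exactly the pattern an observer can spot in ECB output.
func hasRepeatedBlocks(ct []byte) bool {
	seen := make(map[string]bool)
	for i := 0; i+aes.BlockSize <= len(ct); i += aes.BlockSize {
		b := string(ct[i : i+aes.BlockSize])
		if seen[b] {
			return true
		}
		seen[b] = true
	}
	return false
}

func main() {
	// Constructed plaintext: the same 16-byte block four times.
	pt := bytes.Repeat([]byte("ATTACK AT DAWN!!"), 4)
	fmt.Println("ECB repeats blocks:", hasRepeatedBlocks(ecbEncrypt(demoKey, pt)))
	fmt.Println("CBC repeats blocks:", hasRepeatedBlocks(cbcEncrypt(demoKey, demoIV, pt)))
	fmt.Println("CTR repeats blocks:", hasRepeatedBlocks(ctrEncrypt(demoKey, demoIV, pt)))
	// CTR on a 5-byte fragment: output is 5 bytes, no padding and no waiting for a full block.
	fmt.Printf("CTR of 5 bytes: %x\n", ctrEncrypt(demoKey, demoIV, []byte("hello")))
}
```

Only the ECB output contains repeated 16-byte blocks; CBC and CTR output differ block by block, and the byte-by-byte CTR call produces exactly the same bytes as the one-shot call, which is what "encrypt bit by bit" means in practice.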
Initialization Vector, Nonce, and Counter
Chaining solves the problem of identical ciphertext blocks being produced from identical plaintext blocks. However, if you use only the key and the plaintext, the entire ciphertext you encrypted yesterday will look exactly the same as the entire ciphertext you encrypt today. How can we make two ciphertexts different when the plaintext is exactly the same?
To solve this, we add an “additional salt” on top of the key and plaintext. This additional salt can be:
- Initialization Vector: CBC (block cipher), CFB (stream cipher), OFB (stream cipher)
- Nonce and Counter: CTR (stream cipher)
- ECB, CBC → need padding, because the cipher algorithm is applied to the plaintext, which must fill whole blocks
- CFB, OFB, CTR → don’t need padding, because the cipher algorithm is applied to the IV/counter and its output is simply XORed with the plaintext
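The "yesterday vs. today" point and the padding point, as an added Go example that is not part of the original notes: the same key and plaintext give byte-identical CBC ciphertext when the IV is fixed and different ciphertext when a fresh IV is drawn, and CBC output grows to a block boundary through PKCS#7 padding while CTR output stays the same length as the plaintext. The key and message are constructed; the PKCS#7 helpers are written here for illustration and are not from the page.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed key, fixed only so the run is reproducible.
var demoKey = []byte("0123456789abcdef")

func mustAES(key []byte) cipher.Block {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return block
}

// pkcs7Pad appends n bytes of value n (1 <= n <= blockSize) so the data fills
// whole blocks. Modes that run the cipher on the plaintext (ECB, CBC) need this.
func pkcs7Pad(data []byte, blockSize int) []byte {
	n := blockSize - len(data)%blockSize
	return append(append([]byte{}, data...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad checks and strips the padding, rejecting malformed tails.
func pkcs7Unpad(data []byte, blockSize int) ([]byte, error) {
	if len(data) == 0 || len(data)%blockSize != 0 {
		return nil, errors.New("pkcs7: length is not a multiple of the block size")
	}
	n := int(data[len(data)-1])
	if n == 0 || n > blockSize {
		return nil, errors.New("pkcs7: bad padding length")
	}
	for _, b := range data[len(data)-n:] {
		if int(b) != n {
			return nil, errors.New("pkcs7: bad padding byte")
		}
	}
	return data[:len(data)-n], nil
}

// freshIV draws a new random IV; this is the "additional salt" for CBC.
func freshIV() []byte {
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		panic(err)
	}
	return iv
}

// cbcEncrypt pads to whole blocks, then chains them starting from the IV.
func cbcEncrypt(key, iv, pt []byte) []byte {
	padded := pkcs7Pad(pt, aes.BlockSize)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(mustAES(key), iv).CryptBlocks(out, padded)
	return out
}

func cbcDecrypt(key, iv, ct []byte) ([]byte, error) {
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("cbc: ciphertext is not block aligned")
	}
	out := make([]byte, len(ct))
	cipher.NewCBCDecrypter(mustAES(key), iv).CryptBlocks(out, ct)
	return pkcs7Unpad(out, aes.BlockSize)
}

// ctrEncrypt needs no padding: the cipher runs on nonce||counter and the
// keystream is XORed with however many plaintext bytes there are.
func ctrEncrypt(key, nonce, pt []byte) []byte {
	out := make([]byte, len(pt))
	cipher.NewCTR(mustAES(key), nonce).XORKeyStream(out, pt)
	return out
}

func main() {
	pt := []byte("same message, sent yesterday and again today") // constructed, 44 bytes
	fixedIV := make([]byte, aes.BlockSize)                         // all zeros: never do this in real code
	yesterday := cbcEncrypt(demoKey, fixedIV, pt)
	today := cbcEncrypt(demoKey, fixedIV, pt)
	fmt.Println("fixed IV -> identical ciphertext:", bytes.Equal(yesterday, today))
	yesterday = cbcEncrypt(demoKey, freshIV(), pt)
	today = cbcEncrypt(demoKey, freshIV(), pt)
	fmt.Println("fresh IV -> identical ciphertext:", bytes.Equal(yesterday, today))
	fmt.Println("plaintext", len(pt), "bytes; CBC", len(today), "bytes (padded); CTR",
		len(ctrEncrypt(demoKey, fixedIV, pt)), "bytes")
}
```

The IV is not secret and is normally sent in front of the ciphertext; what matters is that it is never reused with the same key, otherwise the "yesterday equals today" leak returns. The 44-byte message pads to 48 bytes under CBC and stays 44 bytes under CTR.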
Yet another category for the Mode of Operation!
Authenticated encryption and GCM mode
To protect message integrity, the sender needs to generate a Message Authentication Code (MAC) from the ciphertext using a secret shared by the sender and the receiver. (Typically a different key from the encryption key.)
HMAC is widely used, but it has a downside → we need two separate operations: 1) encrypting the data, 2) generating the MAC.
GCM to the rescue!
The motivation behind authenticated encryption is to combine these two separate operations into one encryption mode.
The mode not only provides encryption, it also generates the MAC. Modes that achieve authenticated encryption include GCM (Galois/Counter Mode), CCM (Counter with CBC-MAC), and OCB (Offset Codebook Mode).
- GCM combines the counter mode of encryption with the newer Galois mode of authentication.
- The top part is the counter-mode (CTR) operation. The bottom part generates the authentication tag.
- In GCM mode, additional data can be included at the beginning when the authentication tag is generated. This data is not fed into the cipher part, so it is not encrypted, but its integrity is protected. → This is called associated data.
- For example, packet headers must be left in the clear so the network or system can function properly; therefore they cannot be encrypted, but their integrity still needs to be protected so adversaries cannot change these fields.
- GCM allows the associated data to be included at the beginning of the authentication computation, and the authentication tag that is generated covers both the associated data and the ciphertext.
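The associated-data point in practice, as an added example using Go's standard-library AES-GCM (not code from the original notes): a constructed packet header is passed as associated data, so it stays readable on the wire, while one tag covers both the header and the encrypted body; editing a single field of the header, or a single byte of the ciphertext, makes the receiver's `Open` fail before any plaintext is released. The key, header and body are constructed values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed AES-128 key, fixed only so the run is reproducible.
var demoKey = []byte("0123456789abcdef")

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmSeal encrypts body under a fresh nonce and produces one tag over both the
// header (associated data, sent in the clear) and the ciphertext.
// Output layout: nonce (12 bytes) || ciphertext || tag (16 bytes).
func gcmSeal(key, header, body []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext||tag to its first argument, so the nonce travels in front.
	return aead.Seal(nonce, nonce, body, header), nil
}

// gcmOpen verifies the tag over header and ciphertext before returning any
// plaintext; a single changed bit in either yields an error, not garbage.
func gcmOpen(key, header, sealed []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("gcm: message too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, header)
}

func main() {
	header := []byte("src=host-a dst=host-b seq=42") // constructed header; must stay readable
	body := []byte("secret payload")                  // constructed body; gets encrypted
	sealed, err := gcmSeal(demoKey, header, body)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed: %d bytes = 12 nonce + %d ciphertext + 16 tag\n", len(sealed), len(body))
	pt, err := gcmOpen(demoKey, header, sealed)
	fmt.Printf("honest receiver: %q, err=%v\n", pt, err)
	// The header was modified in transit: the tag no longer verifies.
	forged := bytes.Replace(header, []byte("seq=42"), []byte("seq=43"), 1)
	_, err = gcmOpen(demoKey, forged, sealed)
	fmt.Println("header edited in transit -> err =", err)
}
```

The nonce is 12 bytes and, like the CBC IV, is not secret but must never repeat under one key; the 16-byte tag is what replaces the separate HMAC step.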