In this final article in a 3-part series on symmetric key encryption technology, we look at the use of encryption modes with symmetric block ciphers, including the need for padding and initialization vectors.
When encrypting multiple blocks of data using a block cipher, there are various encryption modes that may be employed, each having particular advantages and disadvantages. We will look at some of these here.
ECB (Electronic Code Book) mode
This is the simplest mode, whereby each block of data is simply encrypted with the same key. There is thus a one-to-one mapping between each plaintext block and its corresponding ciphertext block for any particular key, analogous to looking up the plaintext in a (very large!) code book and reading off the matching ciphertext. Multiple blocks can therefore be encrypted in parallel. However, because identical plaintext blocks always produce identical ciphertext blocks under the same key, this mode leaks information about the plaintext and is thus rarely used. Also, the plaintext data must be padded to an integral number of blocks.
The plaintext may be padded in a number of different ways, and it is up to the sender and recipient to agree. The most popular is PKCS#5 or PKCS#7 padding, which adds between 1 and n whole bytes, where n is the cipher block length (in bytes), with the value of each byte equal to the number of bytes added. Another popular method is ANSI X9.23, which also adds between 1 and n whole bytes, where all padding bytes are zero except for the last one, which is equal to the number of bytes added.
Where the plaintext is not an integral number of bytes, bit padding may be used such that the first bit is a 1 followed by as many 0s as necessary to fill the block.
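The three padding schemes just described, as an added example that is not part of the original article: pure-Python pad/unpad pairs for PKCS#7, ANSI X9.23 and (byte-aligned) bit padding, whose unpad routines reject malformed padding instead of trusting the final byte. The 16-byte default block size and the function names are assumptions chosen for illustration.

```python
# Added example, not from the original article. Block size n defaults to
# 16 bytes (AES); every unpad function raises ValueError on bad padding.

def pkcs7_pad(data: bytes, n: int = 16) -> bytes:
    # PKCS#5/#7: append k bytes, each of value k, where 1 <= k <= n
    k = n - (len(data) % n)
    return data + bytes([k]) * k

def pkcs7_unpad(data: bytes, n: int = 16) -> bytes:
    if not data or len(data) % n:
        raise ValueError("ciphertext length is not a whole number of blocks")
    k = data[-1]
    # every one of the last k bytes must equal k
    if k < 1 or k > n or data[-k:] != bytes([k]) * k:
        raise ValueError("invalid PKCS#7 padding")
    return data[:-k]

def x923_pad(data: bytes, n: int = 16) -> bytes:
    # ANSI X9.23: k-1 zero bytes followed by a single byte of value k
    k = n - (len(data) % n)
    return data + b"\x00" * (k - 1) + bytes([k])

def x923_unpad(data: bytes, n: int = 16) -> bytes:
    if not data or len(data) % n:
        raise ValueError("ciphertext length is not a whole number of blocks")
    k = data[-1]
    # all padding bytes before the length byte must be zero
    if k < 1 or k > n or any(data[-k:-1]):
        raise ValueError("invalid ANSI X9.23 padding")
    return data[:-k]

def bit_pad(data: bytes, n: int = 16) -> bytes:
    # Bit padding on byte-aligned input: one 1 bit (0x80) then 0 bits
    k = n - (len(data) % n)
    return data + b"\x80" + b"\x00" * (k - 1)

def bit_unpad(data: bytes, n: int = 16) -> bytes:
    if not data or len(data) % n:
        raise ValueError("ciphertext length is not a whole number of blocks")
    stripped = data.rstrip(b"\x00")          # drop trailing 0 bits
    zeros = len(data) - len(stripped)
    if not stripped or stripped[-1] != 0x80 or zeros >= n:
        raise ValueError("invalid bit padding")
    return stripped[:-1]

def is_valid(unpad, data: bytes, n: int = 16) -> bool:
    # True if `unpad` accepts `data`; handy when exercising decryption paths
    try:
        unpad(data, n)
        return True
    except ValueError:
        return False
```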
CBC (Cipher Block Chaining) mode
CBC tries to improve on ECB by making the encryption of each block dependent not just on the key but also on the ciphertext of the previous block. Each block of ciphertext thus depends on all the plaintext blocks processed up to that point, which prevents parallelization of the encryption process. Another downside is that any error in a ciphertext block also propagates to the subsequent block. Furthermore, CBC is also vulnerable to what is known as a “bit flipping” attack. As with ECB, padding of the last block is necessary.
To randomize the ciphertext of the first block (and thus make each ciphertext unique, even if the plaintext message is repeated), an “Initialization Vector” (IV) is used. The IV is a random number known to both the encrypting and decrypting systems and should only be used once.
CFB (Cipher Feedback) mode
CFB is similar to CBC but has the advantage of being self-synchronizing – if one or more blocks are lost, it doesn’t affect the decryption of the remaining blocks. Also, the encryption and decryption functions are identical, and it doesn’t require the plaintext data to be padded (i.e. the ciphertext is the same length as the plaintext).
OFB (Output Feedback) mode
OFB turns a block cipher into a synchronous stream cipher. Based on an IV and the key, it generates keystream blocks which are then simply XORed with the plaintext data. As with CFB, the encryption and decryption processes are identical, and no padding is required.
CTR (Counter) mode
CTR shares many characteristics with OFB, but it generates the next keystream block by encrypting successive values of a counter (which must be synchronized at both ends). CTR mode does not propagate transmission errors and lends itself to parallelization.
Many other modes have been developed for specific use cases, for example LRW, XEX, CMC, EME and XTS for disk encryption. Each has its advantages and disadvantages in terms of security, usability and performance.
Whilst encryption protects the confidentiality of a message, it doesn’t necessarily protect the authenticity or integrity of the message – i.e. that it really comes from the alleged sender and that it hasn’t been altered in any way (or replayed). Whilst separate authentication mechanisms may be used, this tends to be difficult and error prone.
The solution is to use an authenticated encryption mode that simultaneously combines confidentiality, authenticity and integrity, such as OCB, CCM, EAX or GCM. When encrypting a plaintext message using one of these modes, the result is both a ciphertext message and a message authentication code (MAC). The decryption process also generates a MAC, which is compared to the MAC in the message to validate its authenticity and integrity. A sequence number can be included to protect against replay attacks (where an attacker captures a ciphertext message and replays it to the recipient, potentially causing a transaction or command to be repeated).
OCB is encumbered by a patent, whilst the performance of CCM is less than ideal. EAX has certain benefits over CCM but, like CCM, is a two-pass scheme and thus slow. As a result, GCM has come to the fore, an unencumbered one-pass scheme that combines strong security with performance and efficiency, making it the encryption mode of choice for most applications today.