In this final article in a 3-part series on symmetric key encryption technology, we look at the use of encryption modes with symmetric block ciphers, including the need for padding and initialization vectors.
When encrypting multiple blocks of data using a block cipher, there are various encryption modes that may be employed, each having particular advantages and disadvantages. We will look at some of these here.
ECB (Electronic Code Book) mode
This is the simplest mode, whereby each block of data is simply encrypted with the same key. There is thus a one-to-one mapping between the plaintext block and corresponding ciphertext block for any particular key, analogous to looking up the plaintext in a (very large!) code book and reading off the matching ciphertext. Multiple blocks can therefore be encrypted in parallel. However, this mode leaks information about the plaintext and is thus rarely used. Also, the plaintext data must be padded to an integral number of blocks.
The plaintext may be padded in a number of different ways, and it is up to the sender and recipient to agree. The most popular is PKCS#5 or PKCS#7 padding, which adds between 1 and n whole bytes, where n is the cipher block length (in bytes), with the value of each byte equal to the number of bytes added. Another popular method is ANSI X9.23, which also adds between 1 and n whole bytes, where all padding bytes are zero except for the last one, which is equal to the number of bytes added.
Where the plaintext is not an integral number of bytes, bit padding may be used such that the first bit is a 1 followed by as many 0s as necessary to fill the block.
CBC (Cipher Block Chaining) mode
CBC tries to improve on ECB by making the encryption of each block dependent not just on the key but also on the ciphertext of the previous block. So, each block of ciphertext depends on all the blocks of plaintext that have been processed up to that point. This means that the encryption process can't be done in parallel. Another downside is that any error can propagate to the subsequent block. Furthermore, CBC is also vulnerable to what is known as a “bit flipping” attack. As with the ECB, padding of the last block is necessary.
To randomize the ciphertext of the first block (and thus make each ciphertext unique, even if the plaintext message is repeated), an “Initialization Vector” (IV) is used. The IV is a random number known to both the encrypting and decrypting systems and should only be used once.
CFB (Cipher Feedback) mode
CFB is similar to CBC but has the advantage of being self-synchronizing—if one or more blocks are lost, it doesn’t affect the decryption of the remaining blocks. Also, the encryption and decryption functions are identical, and it doesn’t require the plaintext data to be padded (i.e., the ciphertext is the same length as the plaintext).
OFB (Output Feedback) mode
OFB turns a block cipher into a synchronous stream cipher. Based on an IV and the key, it generates keystream blocks which are then simply XORed with the plaintext data. As with CFB, the encryption and decryption processes are identical, and no padding is required.
CTR (Counter) mode
CTR shares many characteristics with OFB, but it generates the next keystream block by encrypting successive values of a counter (which must be synchronized at both ends). CTR mode does not propagate transmission errors and lends itself to parallelization.
Many other modes have been developed for specific use cases, for example LRW, XEX, CMC, EME and XTS for disk encryption. Each has its advantages and disadvantages in terms of security, usability, and performance.
Whilst encryption protects the integrity of a message, it doesn’t necessarily protect the authenticity or integrity of the message, i.e., that it really comes from the alleged sender and that it hasn’t been altered in any way (or replayed). While separate authentication mechanisms may be used, this tends to be difficult and error-prone.
The solution is to use an authenticated encryption mode
that simultaneously combines confidentiality, authenticity, and integrity, such as OCB, CCM, EAX, or GCM. When encrypting a plaintext message using one of these modes, the result is both a ciphertext message and a message authentication code (MAC). The decryption process also generates a MAC, which is compared to the MAC in the message to validate its authenticity and integrity. A sequence number can be used to protect against replay attacks, which happen when an attacker gets a hold of a ciphertext message and sends it to the recipient again, which could cause a transaction or command to be sent more than once.
OCB is encumbered by a patent, while the performance of CCM is less than ideal. EAX has certain benefits over CCM but, like CCM, is a two-pass scheme and thus slow. As a result, GCM has come to the fore, an unencumbered one-pass scheme that combines strong security with performance and efficiency, making it the encryption mode of choice for most applications today.