CNS Unit I


Cryptography

&
Network Security
UNIT 1
UNIT I
• Cryptography and Security
• Ciphers & Secret Messages
• Attacks and Services
• Mathematical Tools
• Substitution and Permutation
• Modular Arithmetic
• Euclid’s Algorithm
• Conventional/ Symmetric Algorithms
• Block Cipher Modes of Operations
• Feistel Structure –
• DES, Triple DES, Strengths
Introduction
• We live in a world of information
• We need to keep this information safe
• Protect information from unauthorized access
• For this we have cryptography
Cryptology
• An area of mathematics
• Cryptography + Cryptanalysis
• Cryptography is derived from the Greek words
• Kryptos – hidden/secret
• Graphein – to write
• Cryptography is the science of secret writing
• Cryptanalysis breaks the security of an algorithm and leaks information
Cryptography

• Study of mathematical techniques
• Related to the aspects of information security such as
• confidentiality,
• integrity,
• availability and
• authentication
Information Security
• The protection afforded to an automated
information system to attain the objectives
• Preserving the integrity, availability and
confidentiality of information system resources
(hardware, software, firmware, information/data, and
telecommunications)
Key Security Concepts/Goals
Objectives/Goals of Cryptography
• Confidentiality
• Keep the information hidden from all except authorized one
• Only authorized user understand/ use the message
• Integrity
• Ensure information is not altered
• Protect from unauthorized modifications
• Availability
• Available to authorized users
• Non repudiation
• Prevent an entity from denying previous action
• Authentication
• Receiver identifies who is the sender of the message
Aspects of information security:
• 3 aspects
• security attack – Any action that compromises the security of information owned by an organization / individual.
• security mechanism – A process (or a device incorporating such a process) that is designed to detect, prevent or recover from a security attack.
• security service – Intended to counter security attacks. A service enhances the security of the data processing systems and the information transfers of an organization.
Threat and Attacks
• Threat – A possible and unwanted event that causes harm to the system. A threat exploits a vulnerability.
• Vulnerability – A weakness in a system
• Attack – An intelligent act to evade security services and violate the security policy of a system.
• An attack on system security derives from an intelligent threat.
Attacks
• Passive attacks
• Active attacks
Threat to Confidentiality / Passive Attacks
• Snooping – An unauthorized person intercepts the communication and uses the data (solution: encipherment)
• Eavesdropping – Secretly listening to a conversation
• Traffic Analysis – Analyze the traffic: monitor the traffic flow to determine the location and identity of the communicating hosts, and observe the frequency and length of the messages being exchanged
Threat to Integrity/ Active Attacks
• Modification of messages – Alter (modify or delete) a message in transit to produce an unauthorized effect.
• Masquerade / Spoofing – One entity acts as another, e.g. posing as a bank to collect card numbers and PINs.
• Replay – Previously captured messages are replayed by the attacker
• Repudiation – A party later denies having been the sender/receiver in a communication
• Denial of service – Prevents or inhibits the normal use of services or facilities.
Security Service
• Enhance security of information systems
• Counter security attacks
• X.800:
• Service provided by a protocol layer
• Ensures security of the systems or data in transit
• RFC 2828:
• A processing or communication service provided by a system
• Give protection to system resources
Security Services (X.800)
• Authentication - Ensure that communicating entity is the one
claimed
• have both peer-entity( sender/Receiver) & data origin
(source/data) authentication
• Access Control – protect resource from unauthorized use.
• Data Confidentiality –protection of data from unauthorized
disclosure
• Data Integrity - assurance that data received is as sent by an
authorized entity
• Non-Repudiation - protection against denial by one of the parties
in a communication
• Availability – resource accessible/usable
Security Mechanism
security mechanism – A process designed to detect,
prevent or recover from a security attack.
• no single mechanism that will support all services required
Security Mechanisms (X.800)
• Specific security mechanisms:
• Encipherment
• digital signatures
• access controls
• data integrity
• authentication exchange
• traffic padding
• routing control
• Pervasive security mechanisms:
• trusted functionality, security labels, event detection, security audit trails, security recovery
Model for Network Security
Model for Network Security
• The model requires
1. Design a suitable algorithm for the security transformation
2. generate the secret information (keys)
3. develop methods to distribute and share the secret information
4. specify a protocol to use the transformation and secret information
for a security service
Model for Network Access Security
Model for Network Access Security
• The model requires
1. Select appropriate gatekeeper functions to identify users
2. Implement security controls to ensure only authorised users
access designated information or resources
Modulo Arithmetic/ Clock Arithmetic
• Almost all cryptographic algorithms are based on modulo arithmetic.
• Takes two inputs and produces one output.
• a (mod n): divide a by n and take the remainder r
• n is called the modulus and r the residue
• The output r ∈ Zn = {0, 1, 2, 3, …, n-1}
Examples
• 9 (mod 5) = 4
• -7 (mod 5) = -2 is not in Z5 = {0, 1, 2, 3, 4}
• it is 5 - 2 = 3 in Z5
• Congruence – having the same remainder when divided by a specified integer
• 2 (mod 10) = 2, 12 (mod 10) = 2, 22 (mod 10) = 2; instead of equality we use ≡
• So 2 ≡ 12 (mod 10), 2 ≡ 22 (mod 10), 2 ≡ 32 (mod 10), etc.
modulo arithmetic
Properties
• (A + B) mod C = (A mod C + B mod C) mod C
• (A - B) mod C = (A mod C - B mod C) mod C
• (A * B) mod C = (A mod C * B mod C) mod C
modulo arithmetic
• The additive inverse of a number A is the number which, when added to A, gives zero.
• A + (-A) (mod n) = 0
• 2 (mod 5) = 2; the additive inverse of 2 under modulo 5 is obtained from
• 2 + something (mod 5) ≡ 0 (mod 5)
• The additive inverse of a number a ∈ Zn = {0, 1, 2, 3, …, n-1} is n - a
• Every element has an additive inverse
• The multiplicative inverse of a number a is the number which, when multiplied by a, gives one.
• a × a⁻¹ (mod n) = 1
• Not every element has a multiplicative inverse
• An integer a in Zn has a multiplicative inverse if gcd(a, n) = 1
Euclid Algorithm
• A method to evaluate the gcd of two numbers
Algorithm
• For any two integers a and b with a, b > 0 and a > b
• There exists a unique pair of integers q and r such that
a = qb + r, 0 <= r < b
Put a = r0 and b = r1 and divide repeatedly:
r0 = q1 r1 + r2
r1 = q2 r2 + r3
…….
The last non-zero remainder is taken as the gcd.
Euclid Algorithm
• GCD(16, 9)
• 16 = 1 × 9 + 7
• 9 = 1 × 7 + 2
• 7 = 3 × 2 + 1
• 2 = 2 × 1 + 0
• Last non-zero remainder is 1
• Therefore GCD(16, 9) = 1
Modulo Arithmetic
• To find the inverse of a number:
Find the gcd of the number and the modulus,
Express it as a linear equation (back-substitute the Euclid steps),
Read off the inverse
• Find the inverse of 9 under modulo 16
GCD(16, 9) = 1
1 = 7 – 3 × 2
= 7 – 3 × [9 – 7]
…….
1 = 4 × 16 – 7 × 9
1 (mod 16) = 4 × 16 (mod 16) – 7 × 9 (mod 16)
so 9 inverse = -7, i.e. 16 – 7 = 9
Modulo Arithmetic
Find the gcd of 7 and 5
GCD(7, 5) = 1
Find the inverse of 49 mod 970
GCD(49, 970) = 1
49 inverse = 99
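The three steps above (gcd, linear equation, inverse) as runnable Python. This is an added example written for these notes, not code from the slides: `euclid_steps` records the divisions of the slide's table, `ext_gcd` returns the coefficients of the linear equation that the slide obtains by back-substitution, and `mod_inverse` returns None exactly when gcd(a, n) ≠ 1, the case the slide says has no inverse.

```python
def euclid_steps(a, b):
    """Return the division steps (a, q, b, r) of Euclid's algorithm, one per line
    of the slide's table: a = q*b + r, repeated until r == 0.
    The last non-zero remainder (the last b) is the gcd."""
    steps = []
    while b != 0:
        q, r = divmod(a, b)
        steps.append((a, q, b, r))
        a, b = b, r
    return steps


def ext_gcd(a, b):
    """Extended Euclid: return (g, x, y) with g = gcd(a, b) and a*x + b*y = g.
    This is the slide's 'express the gcd as a linear equation' step, carried out
    iteratively instead of by hand-written back-substitution."""
    x0, y0, x1, y1 = 1, 0, 0, 1
    while b != 0:
        q, r = divmod(a, b)
        a, b = b, r
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def mod_inverse(a, n):
    """Multiplicative inverse of a modulo n, or None when gcd(a, n) != 1."""
    g, x, _ = ext_gcd(a % n, n)
    if g != 1:
        return None          # a and n are not coprime: no inverse exists
    return x % n             # bring a negative coefficient (e.g. -7) into Z_n


def additive_inverse(a, n):
    """Additive inverse in Z_n: the value b with (a + b) mod n == 0, i.e. n - a."""
    return (-a) % n


if __name__ == "__main__":
    for a, q, b, r in euclid_steps(16, 9):
        print(f"{a} = {q} x {b} + {r}")
    print("gcd(16, 9) =", ext_gcd(16, 9)[0], "; 9^-1 mod 16 =", mod_inverse(9, 16))
    print("49^-1 mod 970 =", mod_inverse(49, 970))
```

`ext_gcd(16, 9)` returns `(1, 4, -7)`, which is the slide's line `1 = 4 × 16 – 7 × 9`; reducing the coefficient of 9 modulo 16 gives the inverse 9.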
Cryptography - components
Plain text – The original message, readable by anyone including an attacker. Fed as input to the encryption algorithm
Encryption algorithm – Performs mathematical operations on the plain text to scramble it
Key – A sequence that controls the operation and behaviour of the cryptographic algorithm. Input to the encryption algorithm and a value independent of the plaintext
Cipher text – The message altered to be unreadable by anyone except the intended recipients. Output from the algorithm
Decryption algorithm – The encryption algorithm run in reverse.
Key space – The total number of possible key values of a crypto algorithm
Substitution and Permutation
• Classical Symmetric Ciphers
• Substitution Cipher
• Transposition Cipher
• Substitution – Each element in the plain text mapped to
another element - Convert one letter to another
• Transposition – Rearranging the elements in the plain text –
Word jumble
Substitution and Permutation
• Substitution Cipher
– Mono Alphabetic Cipher
– Poly Alphabetic Cipher
• Mono Alphabetic Cipher – The relationship between a symbol in the plain text and a symbol in the cipher text is one to one.
• Poly Alphabetic Cipher – The relationship between a symbol in the plain text and a symbol in the cipher text is one to many. A character in the plain text can have different substitutes
Conventional Symmetric Encryption Algorithms
Mono Alphabetic Ciphers
1. Caesar Cipher
2. Additive Cipher / Shift Cipher
3. Multiplicative Cipher
4. Affine Cipher / Linear Cipher
Poly Alphabetic Ciphers
1. Auto Key Cipher
2. Vigenere Cipher
3. Vernam Cipher
4. Play Fair Cipher
Caesar Cipher
• Earliest known substitution cipher
• Replaces each letter by the 3rd letter on
• Example:
meet me after the toga party
PHHW PH DIWHU WKH WRJD SDUWB
• C= P + 3 (mod 26)
• P = C- 3 (mod 26)
Caesar Cipher
• Easy to implement
• Easy to intercept
• Frequency analysis is possible
• If the plain text repeats, the cipher text also repeats
Shift cipher (Additive Cipher)
• Generalization of the Caesar cipher
• Encryption C = P + K (mod 26) – shift right
• Decryption P = C – K (mod 26) – shift left
• The key space is [0 .. 25]
– Encrypt HELLO with key 15
– WTAAD
– H = 7; 7 + 15 (mod 26) = 22 = W
– And so on
– Mathematically a number is given to each letter, and the alphabet wraps around
Shift cipher (Additive Cipher)
• P = CRYPTOGRAPHY IS FUN
• K = 11
• C = NCJAVZRCLASJTDQFY
• C →2; 2+11 mod 26 = 13 →N
• R →17; 17+11 mod 26 = 2 →C
Examples
• Decrypt DATG using the key 19
Shift cipher – Cryptanalysis
• Brute force attack through exhaustive key search,
• key space is small (<= 26 possible keys).
• Count relative letter frequencies
• If the plain text repeats, the cipher text also repeats
• Easy to break
Multiplicative Cipher
• Encryption C = P × K (mod 26)
• Decryption P = C × K⁻¹ (mod 26)
• The key space: [0 .. 25]
– Encrypt HELLO with key 7
– XCZZU
Linear Cipher(Affine Cipher)
The Linear cipher encrypts a message using the formula
C = A·P + B (mod m)
• m is the number of letters in the alphabet
• A and B are keys in the range 0, 1, …, m-1
• P is the numerical equivalent of the corresponding plain text character
• If restricted to the 26-letter alphabet it is called the Affine Cipher: C = A·P + B (mod 26)
• Decryption P = A⁻¹·(C – B) (mod 26)
Linear Cipher(Affine Cipher)
• Encrypt ITS COOL with A= 5 and B = 8
• WZUSAAL
Linear Cipher (Affine Cipher)
• Encrypt ITS COOL with A = 5 and B = 8
• Encryption
Plain text:        I    T    S    C    O    O    L
P:                 8   19   18    2   14   14   11
5P + 8:           48  103   98   18   78   78   63
(5P + 8) mod 26:  22   25   20   18    0    0   11
Cipher:            W    Z    U    S    A    A    L
So the cipher text is WZUSAAL
Linear Cipher (Affine Cipher)
• Decryption
Decrypt HPCCXAQ with A = 5 and B = 8
P = A⁻¹·(C – B) (mod 26)
• 5⁻¹ (mod 26) = 21
Cipher:                H     P     C     C     X     A     Q
C:                     7    15     2     2    23     0    16
C − 8:                -1     7    -6    -6    15    -8     8
21(C − 8):           -21   147  -126  -126   315  -168   168
21(C − 8) mod 26:      5    17     4     4     3    14    12
Plain text:            F     R     E     E     D     O     M
Linear Cipher(Affine Cipher)
• Small key domain so vulnerable to Brute force attack
• Frequency analysis is possible
• Guessing key attack
• Known plain text attack
Linear Cipher(Affine Cipher)
C = A·P + B (mod m)
• The Additive Cipher is a special case of the Affine cipher with A = 1
• The Multiplicative Cipher is a special case of the Affine cipher with B = 0
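Because the additive and multiplicative ciphers are special cases of the affine cipher, one implementation covers every monoalphabetic cipher of these notes. The Python below is an added example (my code, not the slides'): `affine_encrypt` rejects a key A with no inverse mod 26, the condition the decryption formula P = A⁻¹·(C – B) needs, which is why `valid_multiplicative_keys` lists only 12 usable keys rather than the whole range [0 .. 25]; `shift_brute_force` is the 26-candidate exhaustive search from the cryptanalysis slide. Non-letters are dropped, so the Caesar example comes out without its spaces.

```python
from math import gcd

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
M = len(ALPHABET)          # m = 26 letters, as on the slides


def letters_only(text):
    """Upper-case the text and keep only letters (spaces are not encrypted)."""
    return "".join(ch for ch in text.upper() if ch.isalpha())


def affine_encrypt(plaintext, a, b):
    """C = a*P + b (mod 26). a must be coprime to 26 or the map is not one-to-one."""
    if gcd(a, M) != 1:
        raise ValueError(f"a={a} has no inverse mod {M}; choose a coprime to 26")
    return "".join(ALPHABET[(a * ALPHABET.index(p) + b) % M] for p in letters_only(plaintext))


def affine_decrypt(ciphertext, a, b):
    """P = a^-1 * (C - b) (mod 26); pow(a, -1, 26) is Python's modular inverse."""
    a_inv = pow(a, -1, M)
    return "".join(ALPHABET[(a_inv * (ALPHABET.index(c) - b)) % M] for c in letters_only(ciphertext))


# The slide's special cases: shift/additive (a = 1) and multiplicative (b = 0).
def shift_encrypt(plaintext, k):
    return affine_encrypt(plaintext, 1, k)


def shift_decrypt(ciphertext, k):
    return affine_decrypt(ciphertext, 1, k)


def mult_encrypt(plaintext, k):
    return affine_encrypt(plaintext, k, 0)


def mult_decrypt(ciphertext, k):
    return affine_decrypt(ciphertext, k, 0)


def caesar_encrypt(plaintext):
    """Caesar = shift cipher with the fixed key 3."""
    return shift_encrypt(plaintext, 3)


def shift_brute_force(ciphertext):
    """Exhaustive key search for the shift cipher: only 26 candidates, which is
    why the slides call it easy to break. Returns {key: candidate plaintext}."""
    return {k: shift_decrypt(ciphertext, k) for k in range(M)}


def valid_multiplicative_keys():
    """Keys usable for the multiplicative cipher: those with gcd(k, 26) == 1."""
    return [k for k in range(M) if gcd(k, M) == 1]


if __name__ == "__main__":
    print(caesar_encrypt("meet me after the toga party"))
    print(shift_encrypt("Hello", 15), mult_encrypt("Hello", 7))
    print(affine_encrypt("ITS COOL", 5, 8), affine_decrypt("HPCCXAQ", 5, 8))
    for k, candidate in shift_brute_force("DATG").items():
        print(k, candidate)
```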
Auto Key Cipher
• The cipher text depends on the corresponding plaintext character and
• its position in the plaintext.
Auto Key Cipher
• Encrypt “ATTACK IS TODAY” with key 12
Auto Key Cipher
Plain text:   A    T    T   …
P:            0   19   19
Key stream:  12    0   19   (the key, then the plaintext itself)
Cipher:      12   19   12   19    2   12   18    0   11   …
Vigenere Cipher
Based on the plaintext characters and the position of the characters in the plaintext, prepare the cipher text:
• Pick a keyword
• Repeatedly write the keyword below the plaintext, so that one letter of the keyword is associated with one letter of the plaintext.
• Prepare the cipher text
Vigenere Cipher
• Encrypt the message “She is listening” using the 6-character
keyword “PASCAL”.
• The initial key stream is (15, 0, 18, 2, 0, 11).
Vigenere Cipher
Plain text:  S (18)
Key:         P (15)
Cipher:      18 + 15 (mod 26) = 7 → H
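The autokey and Vigenère ciphers above differ only in where the key stream comes from: the repeated keyword, or the key followed by the plaintext itself. The Python below is an added example (not the slides' code) that builds both key streams and adds them to the plaintext mod 26; `autokey_decrypt` has to work left to right because each recovered plaintext letter is the key for the next one. `vernam_keystream` shows the slide's Vernam/one-time-pad idea, a fresh random key symbol per plaintext symbol drawn from the OS CSPRNG.

```python
import secrets

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def to_nums(text):
    return [ALPHABET.index(ch) for ch in text.upper() if ch.isalpha()]


def to_text(nums):
    return "".join(ALPHABET[n % 26] for n in nums)


def vigenere_keystream(keyword, length):
    """Repeat the keyword under the plaintext: PASCAL -> 15, 0, 18, 2, 0, 11, 15, ..."""
    k = to_nums(keyword)
    return [k[i % len(k)] for i in range(length)]


def vigenere_encrypt(plaintext, keyword):
    p = to_nums(plaintext)
    return to_text([pi + ki for pi, ki in zip(p, vigenere_keystream(keyword, len(p)))])


def vigenere_decrypt(ciphertext, keyword):
    c = to_nums(ciphertext)
    return to_text([ci - ki for ci, ki in zip(c, vigenere_keystream(keyword, len(c)))])


def autokey_encrypt(plaintext, key):
    """Key stream = the numeric key followed by the plaintext itself, so every
    cipher symbol after the first depends on the previous plaintext symbol."""
    p = to_nums(plaintext)
    stream = [key] + p[:-1]
    return to_text([pi + ki for pi, ki in zip(p, stream)])


def autokey_decrypt(ciphertext, key):
    """Left to right: the plaintext symbol just recovered is the next key symbol."""
    p, k = [], key
    for ci in to_nums(ciphertext):
        pi = (ci - k) % 26
        p.append(pi)
        k = pi
    return to_text(p)


def vernam_keystream(length):
    """One-time pad key: an independent random symbol for every plaintext symbol."""
    return [secrets.randbelow(26) for _ in range(length)]


def vernam_encrypt(plaintext, key):
    return to_text([pi + ki for pi, ki in zip(to_nums(plaintext), key)])


def vernam_decrypt(ciphertext, key):
    return to_text([ci - ki for ci, ki in zip(to_nums(ciphertext), key)])


if __name__ == "__main__":
    print(autokey_encrypt("ATTACK IS TODAY", 12))
    print(vigenere_encrypt("She is listening", "PASCAL"))
    pad = vernam_keystream(12)
    print(vernam_encrypt("ATTACKATDAWN", pad), vernam_decrypt(vernam_encrypt("ATTACKATDAWN", pad), pad))
```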
Vernam Cipher(One – Time Pad)
• Each plaintext symbol is encrypted with a randomly
chosen key.
• Invented by Vernam.
Transposition Cipher
• Rearranging the elements in the plain text – word jumble
• Transposition ciphers used in the past were keyless.
• Now we have keyed transposition ciphers
Rail Fence Cipher
Text is written into a table column by column and then transmitted row by row.
Encrypt: “Meet me at the park”
Cipher text: MEMATEAKETETHPR
Rail Fence Cipher
Text is written into a table row by row and then transmitted column by column.
Cipher text: “MMTAEEHREAEKTTP”.
Keyed Transposition Cipher
• Write the plain text characters in rows of width l, where l is the number of characters in the key
Encrypt “THIS IS COLUMNAR TRANSPOSITION” using key “APPLE”
Key:    A P P L E
Order:  1 4 5 3 2   – number the key letters in alphabetical order
        T H I S I
        S A C O L
        U M N A R
        T R A N S
        P O S I T
        I O N
Read the columns in key order to get the cipher text:
TSUTPIILRSTSOANIHAMROOICNASN
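The three transposition examples above in runnable Python (an added example, not the slides' code). Two details are inferred from the slides rather than stated on them: the ciphertext MMTAEEHREAEKTTP corresponds to a table 4 columns wide, and the grid for the keyed example contains an extra A (row S A C O L), so the plaintext used there is “THIS IS A COLUMNAR TRANSPOSITION”. `key_order` numbers repeated key letters left to right, which is what gives APPLE the order 1 4 5 3 2.

```python
def letters_only(text):
    return "".join(ch for ch in text.upper() if ch.isalpha())


def rail_fence_encrypt(plaintext, rails=2):
    """Write column by column (one letter per rail, cycling), read row by row."""
    rows = ["" for _ in range(rails)]
    for i, ch in enumerate(letters_only(plaintext)):
        rows[i % rails] += ch
    return "".join(rows)


def rail_fence_decrypt(ciphertext, rails=2):
    n = len(ciphertext)
    lengths = [(n - r + rails - 1) // rails for r in range(rails)]   # letters per rail
    rows, pos = [], 0
    for length in lengths:
        rows.append(ciphertext[pos:pos + length])
        pos += length
    return "".join(rows[i % rails][i // rails] for i in range(n))


def row_column_encrypt(plaintext, width):
    """Write row by row into `width` columns, transmit column by column."""
    text = letters_only(plaintext)
    return "".join(text[c::width] for c in range(width))


def key_order(key):
    """Rank the key letters alphabetically; equal letters rank left to right."""
    ranked = sorted(range(len(key)), key=lambda i: (key[i], i))
    order = [0] * len(key)
    for rank, i in enumerate(ranked, start=1):
        order[i] = rank
    return order


def columnar_encrypt(plaintext, key):
    """Keyed columnar transposition: rows of width len(key), columns read in key order."""
    text, width = letters_only(plaintext), len(key)
    columns = [text[c::width] for c in range(width)]
    order = key_order(key)
    return "".join(columns[order.index(rank)] for rank in range(1, width + 1))


def columnar_decrypt(ciphertext, key):
    width, n = len(key), len(ciphertext)
    order = key_order(key)
    col_len = [(n - c + width - 1) // width for c in range(width)]   # short last row
    columns, pos = [""] * width, 0
    for rank in range(1, width + 1):
        c = order.index(rank)
        columns[c] = ciphertext[pos:pos + col_len[c]]
        pos += col_len[c]
    return "".join(columns[i % width][i // width] for i in range(n))


if __name__ == "__main__":
    print(rail_fence_encrypt("Meet me at the park"))
    print(row_column_encrypt("Meet me at the park", 4))
    print(key_order("APPLE"), columnar_encrypt("THIS IS A COLUMNAR TRANSPOSITION", "APPLE"))
```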
Symmetric Ciphers
• Stream Cipher
• Block Cipher
Stream Ciphers
• Stream ciphers encrypt one character at a time
• Vernam ciphers are examples of stream ciphers
Block Ciphers
• Keyed transposition ciphers are block ciphers
• A block of plaintext is treated as a whole (a single unit) and produces a cipher text block of equal length.
• Plaintext symbols are divided into groups of size m (m > 1) and encrypted together, creating a group of m cipher text symbols.
• A single key is used to encrypt the whole block
• The key is made of multiple values.
• Modern ciphers are block ciphers
Hill Cipher
• Hill ciphers are block ciphers.
• If A is any invertible matrix (A⁻¹ exists)
• C = A·P (mod m)
• P = A⁻¹·C (mod m)
The key is made of m × m values, considered as a single key (matrix).
• A⁻¹ (mod m) = adj(A) / |A| (mod m), i.e. |A|⁻¹ · adj(A) (mod m)
Hill Cipher
• Encrypt “ATTACK AT DAWN” with key
• Here A is of order 3, so divide the message into blocks of size 3 – ATT, ACK, ATD, AWN
• If the last block does not contain 3 characters it is padded with 0’s
Hill Cipher
• Encrypt MEETMEHERE with key
• A·p0 = c0, …..
• Cipher text:
(4, 22, 23, 9, 4, 22, 24, 19, 10, 25) = EWXJEWYTKZ
Hill Cipher
• Decrypt EWXJEWYTKZ with key
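The Hill cipher with the slide's inverse formula A⁻¹ = |A|⁻¹·adj(A) (mod 26), as an added Python example (not the slides' code). The key matrices on the slides were images that did not survive extraction; `KEY_2X2` is a key I solved from the ME→EW, ET→XJ, HE→YT, RE→KZ pairs visible in the MEETMEHERE example, so it reproduces EWXJEWYTKZ but is not necessarily the slide's own matrix. `is_valid_hill_key` checks the one thing that makes a matrix usable: its determinant must have an inverse mod 26.

```python
from math import gcd

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
MOD = 26


def det_mod(matrix, m):
    """Determinant by cofactor expansion along the first row, reduced mod m."""
    n = len(matrix)
    if n == 1:
        return matrix[0][0] % m
    total = 0
    for j in range(n):
        minor = [row[:j] + row[j + 1:] for row in matrix[1:]]
        total += (-1) ** j * matrix[0][j] * det_mod(minor, m)
    return total % m


def is_valid_hill_key(key, m=MOD):
    """A key is invertible mod m only if gcd(det, m) == 1."""
    return gcd(det_mod(key, m), m) == 1


def matrix_inverse_mod(matrix, m):
    """A^-1 (mod m) = (det A)^-1 * adj(A) (mod m).  pow() raises ValueError when
    det A has no inverse mod m, i.e. when the key is unusable."""
    n = len(matrix)
    det_inv = pow(det_mod(matrix, m), -1, m)
    adj = [[0] * n for _ in range(n)]
    for i in range(n):
        for j in range(n):
            minor = [row[:j] + row[j + 1:] for r, row in enumerate(matrix) if r != i]
            adj[j][i] = (-1) ** (i + j) * det_mod(minor, m)   # adjugate = transposed cofactors
    return [[(det_inv * adj[i][j]) % m for j in range(n)] for i in range(n)]


def mat_vec_mod(matrix, vec, m):
    return [sum(a * v for a, v in zip(row, vec)) % m for row in matrix]


def hill_encrypt(plaintext, key):
    """C = K * P (mod 26), one column vector of len(key) letters at a time.
    A short last block is padded with 0 (the letter A), as the slide says."""
    n = len(key)
    p = [ALPHABET.index(ch) for ch in plaintext.upper() if ch.isalpha()]
    p += [0] * (-len(p) % n)
    out = []
    for i in range(0, len(p), n):
        out.extend(mat_vec_mod(key, p[i:i + n], MOD))
    return "".join(ALPHABET[x] for x in out)


def hill_decrypt(ciphertext, key):
    """P = K^-1 * C (mod 26): decryption is encryption with the inverse matrix."""
    return hill_encrypt(ciphertext, matrix_inverse_mod(key, MOD))


# Constructed 2x2 key (solved from the slide's plaintext/ciphertext pairs).
KEY_2X2 = [[22, 13], [11, 5]]
# Constructed 3x3 key for the block-of-3 case of the ATTACK AT DAWN slide.
KEY_3X3 = [[6, 24, 1], [13, 16, 10], [20, 17, 15]]

if __name__ == "__main__":
    print(det_mod(KEY_2X2, MOD), matrix_inverse_mod(KEY_2X2, MOD))
    print(hill_encrypt("MEETMEHERE", KEY_2X2), hill_decrypt("EWXJEWYTKZ", KEY_2X2))
    print(hill_encrypt("ATTACK AT DAWN", KEY_3X3))
```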
Product Cipher – Play Fair Cipher
• The English alphabet is arranged in a 5×5 grid – omit either I or J
• The key for the Playfair cipher is a word
• Encrypt "Hide the gold in the tree stump" using key “Playfair example”
• Construct the 5×5 grid
• First fill it with the key word – avoid duplicates
P L A Y F
I R E X M
B C D G H
K N O Q S
T U V W Z
Product Cipher – Play Fair Cipher
• Write digrams from the message
• hi de th eg ol di nt he tr ee st um p
• EE is repeating, so use the filler x to avoid the duplicate
• hi de th eg ol di nt he tr ex es tu mp
• Rules
• If both letters of a digram are in the same row, replace each with the letter to its right (wrapping round to the start of the row)
• If both letters are in the same column, replace each with the letter below it (wrapping round to the top of the column)
• Otherwise replace each letter by the letter in its own row and in the column of the other letter of the pair
Product Cipher – Play Fair Cipher
• hi de th eg ol di nt he tr ex es tu mp
• HI = BM
• DE = OD
• TH = ZB
• EG = XD
• OL = NA
• DI = BE
• NT = KU
• HE = DM
• TR = UI
• EX = XM, ES = MO, TU = UV, MP = IF
Product Cipher – Play Fair Cipher
• Encrypt BALLOON using the key word MONARCHY
• Encrypt SECRET MESSAGE using “KEYWORD” as the key
• NORDKUNKQZPCND
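The full Playfair procedure (grid from the keyword, digrams with X fillers, the three substitution rules) as an added Python example; this is my code, not the slides'. The same `_transform` handles decryption by stepping left/up instead of right/down, and the test reproduces the slide's `Hide the gold…` digrams and the NORDKUNKQZPCND ciphertext, which confirms that the row rule wraps (C at the end of row `R D A B C` becomes R).

```python
ALPHABET = "ABCDEFGHIKLMNOPQRSTUVWXYZ"   # 25 letters: J is merged into I


def playfair_grid(keyword):
    """Fill the 5x5 grid with the keyword first (skipping duplicates), then the
    rest of the alphabet."""
    seen, cells = set(), []
    for ch in (keyword + ALPHABET).upper().replace("J", "I"):
        if ch.isalpha() and ch not in seen:
            seen.add(ch)
            cells.append(ch)
    return [cells[r * 5:(r + 1) * 5] for r in range(5)]


def make_digrams(text):
    """Split into pairs; insert X between doubled letters and pad an odd tail with X."""
    letters = [ch for ch in text.upper().replace("J", "I") if ch.isalpha()]
    digrams, i = [], 0
    while i < len(letters):
        a = letters[i]
        b = letters[i + 1] if i + 1 < len(letters) else "X"
        if a == b:
            digrams.append(a + "X")   # filler; the second letter starts the next pair
            i += 1
        else:
            digrams.append(a + b)
            i += 2
    return digrams


def _locate(grid, ch):
    for r, row in enumerate(grid):
        if ch in row:
            return r, row.index(ch)
    raise ValueError(f"{ch} not in grid")


def _transform(grid, digram, step):
    """Apply the three Playfair rules; step = +1 encrypts, -1 decrypts."""
    (r1, c1), (r2, c2) = _locate(grid, digram[0]), _locate(grid, digram[1])
    if r1 == r2:                                   # same row: shift along the row
        return grid[r1][(c1 + step) % 5] + grid[r2][(c2 + step) % 5]
    if c1 == c2:                                   # same column: shift down / up
        return grid[(r1 + step) % 5][c1] + grid[(r2 + step) % 5][c2]
    return grid[r1][c2] + grid[r2][c1]             # rectangle: swap the columns


def playfair_encrypt(plaintext, keyword):
    grid = playfair_grid(keyword)
    return "".join(_transform(grid, d, +1) for d in make_digrams(plaintext))


def playfair_decrypt(ciphertext, keyword):
    """Returns the plaintext with its X fillers still in place."""
    grid = playfair_grid(keyword)
    pairs = [ciphertext[i:i + 2] for i in range(0, len(ciphertext), 2)]
    return "".join(_transform(grid, d, -1) for d in pairs)


if __name__ == "__main__":
    for row in playfair_grid("Playfair example"):
        print(" ".join(row))
    print(make_digrams("Hide the gold in the tree stump"))
    print(playfair_encrypt("Hide the gold in the tree stump", "Playfair example"))
    print(playfair_encrypt("SECRET MESSAGE", "KEYWORD"), playfair_encrypt("BALLOON", "MONARCHY"))
```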
Feistel Cipher Structure
• Horst Feistel introduced the feistel cipher
• All conventional block encryption algorithms including
data encryption standard (DES) are based on Feistel
Cipher Structure.
Feistel Cipher Structure
• The plaintext is divided into two halves.
• Then the two halves pass through n rounds of processing
• Each round i has inputs Li-1 and Ri-1 derived from the previous round and a sub-key Ki derived from the key K
• All rounds have the same (identical) structure
• A substitution is performed on the left half of the data: the round function F is applied to the right half, and the output of that function is XORed with the left half.
• Then the two halves are swapped, so the right half becomes the left half of the next round (Li = Ri-1).
• Finally the left half and right half are combined to produce the cipher block.
Feistel Cipher Structure
Design Features -Feistel Cipher
• Block size: normally 64 bits (a larger block means greater security)
• Key size: 56-128 bits.
• Number of rounds: a single round offers inadequate security; a typical size is 16 rounds.
• Sub-key generation algorithm: greater complexity should lead to greater difficulty of cryptanalysis.
• Round function: again, greater complexity means greater resistance to cryptanalysis.
• Fast software encryption/decryption: the speed of execution of the algorithm is important.
• Ease of analysis: to be able to develop a higher level of assurance as to its strength
• Decryption: use the same algorithm with the keys in reverse order.
Data Encryption Standard
• A proposal from IBM
• Accepted by NIST
• A combination of Substitution and Transposition
• So Product Cipher
• A symmetric key block cipher algorithm
DES Characteristics
• DES divides the plaintext into 64-bit blocks
• The last block is padded with 0’s if necessary
• The initial key length is 64 bits; 56 bits are selected by discarding every 8th bit
• 16 rounds
• 16 sub-keys are generated, one used in each round
DES Processing
1. The 64-bit block passes through an initial permutation, which rearranges the bits and produces a permuted output.
2. 16 rounds of permutation and substitution are performed to produce a 64-bit output.
3. That 64-bit output is divided into two 32-bit halves, which are swapped to produce 64 bits.
4. Another permutation (the inverse of the initial permutation) is applied to produce the 64-bit cipher text.
DES Key Generation
• Select a 64-bit secret key
• Apply permuted choice 1 – eliminate every 8th bit to reduce the key to 56 bits
• Perform a left circular shift on the 56-bit key
• Apply permuted choice 2 – select 48 bits from the 56; this is called a round key
• DES generates 16 separate round keys
Encryption & Key Generation
DES Encryption and Decryption
DES Operations in a Round
1. The plain text is broken into 64-bit blocks
2. The last block is padded with 0’s if necessary
3. A 64-bit block is given as input to the initial permutation (IP).
4. IP rearranges the bits and produces a permuted output
5. The output from IP is divided into 2 halves – L (32 bits) and R (32 bits)
6. R is given as input to an expansion box, which expands it to 48 bits
7. The output of the expansion box is XORed with the 48-bit round key.
8. The 48-bit result is given as input to the S-boxes, which compress it to 32 bits
9. The selected 32 bits are XORed with L to produce the R for the next round
10. The previous R is taken as the L for the next round
DES Operations in a Round
DES cipher
round i input is Li-1, Ri-1
Li = Ri-1
L1 = R0
L2 = R1 etc.
Ri = Li-1 XOR F(Ri-1, Ki)
R1 = L0 XOR F(R0, K1) etc.
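The Feistel structure described above and the DES round equations just given, as an added Python example (my code, not the slides' and not DES). The round function and key schedule here are constructed stand-ins: `round_function` is a keyed add/rotate/XOR mix rather than DES's expansion, S-boxes and P-box, and `key_schedule` simply rotates the 64-bit key instead of applying PC-1/PC-2. What the example does show faithfully is the structure: Li = Ri-1, Ri = Li-1 XOR F(Ri-1, Ki), 16 identical rounds, and decryption as the same algorithm with the sub-keys reversed, which works even though F is not invertible.

```python
MASK32 = 0xFFFFFFFF
MASK64 = 0xFFFFFFFFFFFFFFFF


def round_function(right, subkey):
    """Constructed toy F(R, K): add the sub-key, rotate, XOR a key-derived constant.
    Not DES's F; any function of (R, K) works inside a Feistel network."""
    x = (right + subkey) & MASK32
    x = ((x << 7) | (x >> 25)) & MASK32            # rotate left by 7
    return x ^ ((subkey * 0x9E3779B1) & MASK32)


def key_schedule(key, rounds=16):
    """Constructed sub-key derivation: rotate the 64-bit key by i+1 and fold to 32 bits.
    DES uses PC-1, fixed left shifts and PC-2 instead."""
    subkeys = []
    for i in range(rounds):
        rot = ((key << (i + 1)) | (key >> (63 - i))) & MASK64
        subkeys.append((rot ^ (rot >> 32)) & MASK32)
    return subkeys


def feistel_round(left, right, subkey):
    """One round: L_i = R_{i-1}, R_i = L_{i-1} XOR F(R_{i-1}, K_i)."""
    return right, left ^ round_function(right, subkey)


def feistel_encrypt_block(block, subkeys):
    """Split the 64-bit block into halves, run the rounds, undo the final swap."""
    left, right = block >> 32, block & MASK32
    for k in subkeys:
        left, right = feistel_round(left, right, k)
    return (right << 32) | left


def feistel_decrypt_block(block, subkeys):
    """Same algorithm with the sub-keys in reverse order."""
    return feistel_encrypt_block(block, list(reversed(subkeys)))


def bits_changed(a, b):
    """Hamming distance between two blocks, for an avalanche comparison."""
    return bin(a ^ b).count("1")


# Constructed demo values (not DES test vectors).
DEMO_KEY = 0x0123456789ABCDEF
DEMO_PLAINTEXT = 0x4E6F772069732074

if __name__ == "__main__":
    ks = key_schedule(DEMO_KEY)
    ct = feistel_encrypt_block(DEMO_PLAINTEXT, ks)
    print(f"ct = {ct:016X}, pt back = {feistel_decrypt_block(ct, ks):016X}")
    ct2 = feistel_encrypt_block(DEMO_PLAINTEXT ^ 1, ks)
    print("bits changed after a 1-bit plaintext change:", bits_changed(ct, ct2))
```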
DES Strength
• Avalanche Effect
• A small change in the plaintext/key produces a significant change in the ciphertext
• Consider two blocks of 64 zeros, and rewrite the first bit of the second block as 1.
• Encrypt them both with DES: depending on the key, the results may differ in 34 bits
• A change of one bit in the DES key may produce 35 different bits in the encryption of the same plaintext
• Completeness Effect
• Each bit in the cipher text depends on many bits in the plaintext
• Confusion
• Hides the relationship between ciphertext and key
• Diffusion
• Hides the relationship between cipher text and plain text
DES Cryptanalysis
• The number of keys is 2^56, so a brute force attack is difficult
• The first published attack on DES was differential cryptanalysis
• Differential cryptanalysis – chosen plaintext attack
– perform the attack with plaintext/ciphertext pairs
– try to find the key from the chosen pairs
– requires 2^47 chosen plaintexts
• Proved insecure in 1998, but it cost $250000 and 3 days
• Linear cryptanalysis – statistical method – known plain text attack
• With a known difference in the PT, search for a difference in the output
• Find linear approximations; still an impractical method
DES Cryptanalysis – weak keys and semi-weak keys
• DES weak keys – produce 16 identical round keys
• DES semi-weak keys – produce only 2 different round keys, each one used in 8 rounds
• These weak and semi-weak keys are not considered "fatal flaws" of DES.
• There are 2^56 possible keys for DES, of which four are weak and twelve are semi-weak.
• If a weak key is used, encryption is the same as decryption, so double encryption returns the plaintext
• Algorithms with weak keys include DES, IDEA, RC4, Blowfish, ……
Triple DES
• Multiple encryption with DES
• A relatively simple method of increasing the key size of DES to protect against attacks
Block Cipher Modes of Operation
• A mode of operation is a technique for enhancing the effect of a cryptographic algorithm.
• A technique for adapting the algorithm to an application.
• These modes can be used with any symmetric block cipher.
• A mode of operation applies to a sequence of data blocks of any size
• Five "modes of operation" have been defined by NIST.
5 modes of Operation
• Electronic Codebook (ECB)
• Cipher Block Chaining (CBC)
• Cipher Feedback (CFB) mode
• Output Feedback (OFB) mode
• Counter (CTR) mode
Electronic Codebook (ECB)
Advantages
• Simplest mode, suitable for short amounts of data.
• The plain text is divided into equal sized blocks
• The same key is used for encryption and decryption.
• Encryption and decryption are performed one block at a time.
Limitations
• Message repetitions are reflected in the ciphertext.
• Weak – the weakness is due to the encrypted message blocks being independent.
• Needs a secure channel for key exchange
Cipher Block Chaining (CBC)
• The message is broken into blocks
• An initialization vector (IV) is used to start the process
• The blocks are linked together in the encryption operation
• The previous cipher block is chained with the current plaintext.
Ci = EK(Pi XOR Ci-1)
C-1 = IV
Uses: bulk data encryption, authentication
Cipher Block Chaining (CBC)
• A ciphertext block depends on all blocks before it
• Any change to a block affects all following ciphertext blocks.
• Needs an initialization vector (IV)
– must be known to sender and receiver
– if sent in the clear, an attacker can change bits
– the IV must either be a fixed value or be sent encrypted in ECB mode before the rest of the message
Issues in Block Mode
Message Padding
• To handle a possible last short block, not as large as the block size,
• pad with a non-data value (e.g. nulls).
• Pad the last block along with a count of the pad size
• e.g. [ b1 b2 b3 0 0 0 0 5 ]
• means 3 data bytes, then 5 bytes of pad + count
• Padding is not possible in all cases
• e.g. if the cipher text is stored in the buffer allotted for the plain text.
• Allow ciphertext stealing – apply the block mode without padding
Issues in Block Mode
Ciphertext Stealing
• Alters the processing of the last two blocks
• Pads the last block with the high-order bits of the second-last block’s ciphertext
• Block n-1: n bits
• Block n: m bits, m < n
• Encrypt block Pn-1 with K.
• Select the first m bits of that result and store them in place of Cn
• The remaining last n – m bits are appended at the end of Pn
• Encrypt the padded Pn to produce Cn-1
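The ciphertext-stealing procedure above in runnable form, as an added Python example (my code, not the slides'). The block cipher is a constructed 8-byte stand-in (XOR with the key, then rotate the bytes) that exists only so the mode logic can run; it is not a secure cipher. The point to see is that the ciphertext is exactly as long as the plaintext, and that the receiver decrypts Cn-1 first to recover both Pn and the stolen tail needed to rebuild and decrypt E(Pn-1).

```python
BLOCK = 8   # toy block size in bytes (DES-sized)


def toy_encrypt_block(key, block):
    """Constructed stand-in for E_K: XOR with the key, then rotate left one byte.
    Invertible, but NOT secure; it only lets the mode logic run."""
    x = bytes(b ^ k for b, k in zip(block, key))
    return x[1:] + x[:1]


def toy_decrypt_block(key, block):
    x = block[-1:] + block[:-1]
    return bytes(b ^ k for b, k in zip(x, key))


def _ecb(fn, key, data):
    return b"".join(fn(key, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))


def ecb_cts_encrypt(key, plaintext):
    """ECB with ciphertext stealing: P_{n-1} is encrypted, the first m bytes of
    that result become C_n, the remaining n-m bytes pad the short block P_n,
    and the padded P_n is encrypted to give C_{n-1}."""
    if len(plaintext) < BLOCK:
        raise ValueError("ciphertext stealing needs at least one full block")
    full, m = divmod(len(plaintext), BLOCK)
    if m == 0:
        return _ecb(toy_encrypt_block, key, plaintext)       # nothing to steal
    head = plaintext[:(full - 1) * BLOCK]
    p_prev = plaintext[(full - 1) * BLOCK:full * BLOCK]       # P_{n-1}, n bytes
    p_last = plaintext[full * BLOCK:]                         # P_n, m bytes
    x = toy_encrypt_block(key, p_prev)                        # E_K(P_{n-1})
    c_last = x[:m]                                            # stolen first m bytes
    c_prev = toy_encrypt_block(key, p_last + x[m:])           # P_n padded with the rest
    return _ecb(toy_encrypt_block, key, head) + c_prev + c_last


def ecb_cts_decrypt(key, ciphertext):
    full, m = divmod(len(ciphertext), BLOCK)
    if m == 0:
        return _ecb(toy_decrypt_block, key, ciphertext)
    head = ciphertext[:(full - 1) * BLOCK]
    c_prev = ciphertext[(full - 1) * BLOCK:full * BLOCK]
    c_last = ciphertext[full * BLOCK:]
    padded = toy_decrypt_block(key, c_prev)                   # P_n || tail of E_K(P_{n-1})
    p_last = padded[:m]
    p_prev = toy_decrypt_block(key, c_last + padded[m:])      # rebuild E_K(P_{n-1}) and invert
    return _ecb(toy_decrypt_block, key, head) + p_prev + p_last


# Constructed sample input: 19 bytes = two full blocks plus a 3-byte short block.
SAMPLE_KEY = bytes(range(8))
SAMPLE_PLAINTEXT = b"THIS IS A SHORT MSG"

if __name__ == "__main__":
    ct = ecb_cts_encrypt(SAMPLE_KEY, SAMPLE_PLAINTEXT)
    print(len(SAMPLE_PLAINTEXT), len(ct), ct.hex())
    print(ecb_cts_decrypt(SAMPLE_KEY, ct))
```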
Ciphertext Stealing
Modes of Operation
• Block modes encrypt an entire block
• But real-time data need to operate on smaller units
• Convert the block cipher into a stream cipher
• cipher feedback (CFB) mode
• output feedback (OFB) mode
• counter (CTR) mode
• use the block cipher as some form of pseudo-random number generator
Cipher Feedback Mode (CFB)
• The message is treated as a stream of bits
• added to the output of the block cipher
• The standard allows any number of bits (1, 8, 64 or 128 etc.) to be fed back, denoted CFB-1, CFB-8, CFB-64, CFB-128 etc.
• Most efficient to use all bits in the block (64 or 128)
Ci = Pi XOR (selected s bits of EK(shift register holding IV / Ci-1))
C-1 = IV
Pi = Ci XOR (selected s bits of EK(shift register holding IV / Ci-1))
• The input to the encryption function is a b-bit shift register, initially set to the IV
• Cipher Feed Back Mode
Advantages and Limitations of CFB
• Appropriate when data arrive in bits/bytes
• No fixed length for the message
• Most common stream mode
• The block cipher is used in encryption mode at both ends
• Errors propagate
Output FeedBack (OFB)
• The message is treated as a stream of bits
• The output of the cipher is added to the message
• The output is then fed back (hence the name)
• The feedback is independent of the message
• It can be computed in advance
Oi = EK(Oi-1)
Ci = Pi XOR Oi
O-1 = IV
• Uses: stream encryption on noisy channels
Advantages and Limitations of OFB
• Needs an IV which is unique for each use
• If it is ever reused, an attacker can recover the outputs
• Bit errors do not propagate
• More vulnerable to message stream modification
• Sender and receiver must remain in sync
• Only use with full block feedback
• Subsequent research has shown that only full block feedback (i.e. OFB-64 or OFB-128) should ever be used
Counter (CTR)
• A “new” mode
• Similar to OFB
• Encrypts the counter value
• XORs the encrypted counter value with the message block
• Must have a different key & counter value for every plaintext block (never reused)
Oi = EK(i)
Ci = Pi XOR Oi
• Uses: high-speed network encryption
Advantages and Limitations of CTR
• Efficiency
• Can do parallel encryptions in h/w or s/w
• Can preprocess in advance of need
• Good for bursty high-speed links
• Random access to encrypted data blocks
• Provable security (as good as other modes)
• But must ensure never to reuse key/counter values, otherwise it could break
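The five modes of this unit side by side, with the padding scheme from the message-padding slide, as an added Python example (my code, not the slides'). The block cipher is a constructed 8-byte stand-in (XOR with the key, rotate the bytes) used only so the mode logic can run; it is not a secure cipher. The example makes the ECB weakness concrete: `repeated_blocks` counts identical ciphertext blocks, which ECB leaks for a repeated plaintext block and CBC does not; OFB and CTR are written as key-stream generators, since their key stream does not depend on the message, and CTR's counter block is the constructed form nonce || block index.

```python
BLOCK = 8


def toy_encrypt_block(key, block):
    """Constructed stand-in for E_K (XOR with key, rotate left one byte). Not secure."""
    x = bytes(b ^ k for b, k in zip(block, key))
    return x[1:] + x[:1]


def toy_decrypt_block(key, block):
    x = block[-1:] + block[:-1]
    return bytes(b ^ k for b, k in zip(x, key))


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def pad(data, size=BLOCK):
    """The slide's scheme: zero bytes, then a count byte covering pad + count
    (b1 b2 b3 -> b1 b2 b3 0 0 0 0 5). A full last block gets a whole pad block."""
    n = size - len(data) % size
    return data + bytes(n - 1) + bytes([n])


def unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or any(data[-n:-1]):
        raise ValueError("bad padding")
    return data[:-n]


def ecb_encrypt(key, pt):
    return b"".join(toy_encrypt_block(key, b) for b in blocks(pad(pt)))


def ecb_decrypt(key, ct):
    return unpad(b"".join(toy_decrypt_block(key, b) for b in blocks(ct)))


def cbc_encrypt(key, iv, pt):
    """C_i = E_K(P_i XOR C_{i-1}), C_{-1} = IV."""
    out, prev = [], iv
    for p in blocks(pad(pt)):
        prev = toy_encrypt_block(key, xor(p, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for c in blocks(ct):
        out.append(xor(toy_decrypt_block(key, c), prev))
        prev = c
    return unpad(b"".join(out))


def cfb_encrypt(key, iv, pt):
    """Full-block CFB: C_i = P_i XOR E_K(C_{i-1}); no padding, any length."""
    out, prev = [], iv
    for p in blocks(pt):
        prev = xor(p, toy_encrypt_block(key, prev)[:len(p)])
        out.append(prev)
    return b"".join(out)


def cfb_decrypt(key, iv, ct):
    out, prev = [], iv
    for c in blocks(ct):
        out.append(xor(c, toy_encrypt_block(key, prev)[:len(c)]))
        prev = c
    return b"".join(out)


def ofb_keystream(key, iv, length):
    """O_i = E_K(O_{i-1}), O_{-1} = IV: message-independent, can be precomputed."""
    out, o = b"", iv
    while len(out) < length:
        o = toy_encrypt_block(key, o)
        out += o
    return out[:length]


def ctr_keystream(key, nonce, length):
    """O_i = E_K(nonce || i): every block is independent, so it parallelises
    and allows random access; the (key, counter) pair must never repeat."""
    out, i = b"", 0
    while len(out) < length:
        out += toy_encrypt_block(key, nonce[:4] + i.to_bytes(4, "big"))
        i += 1
    return out[:length]


def stream_apply(keystream, data):
    """Encryption and decryption are the same XOR for OFB and CTR."""
    return xor(data, keystream)


def repeated_blocks(ct):
    """Number of ciphertext blocks that duplicate an earlier one (the ECB leak)."""
    cb = blocks(ct)
    return len(cb) - len(set(cb))


# Constructed sample values.
KEY = bytes(range(8))
IV = bytes([0x10]) * 8
REPEATING_PT = b"ATTACKATATTACKAT"   # the same 8-byte block twice
```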
