Modes of Operation
by: burt rosenberg
at: university of miami
date: sep 2019
NAME
encrypt
SYNOPSIS
encrypt.py [-dv] [-m _mode_] [-n _nonce_] [-p _padding_] key
DESCRIPTION
Encrypt standard-in to standard-out using AES-128.
The key is an ASCII string interpreted as a byte string, padded with nulls
or truncated to the key length of 16 bytes.
The input is padded to a multiple of the block size, 16 bytes, using PKCS#7 or
optionally another padding standard. The encryption is by counter mode, or optionally
by another mode.
OPTIONS
-h help
-d decrypt
-m the mode to use, one of cntr (default), cbc, ofb or ecb.
-n the IV to use, aka the nonce. If omitted, the algorithm uses a random nonce (recommended).
-p the padding to use, one of pkcs (default), iso or zero
-v verbose
NEW OPTIONS (after 2019)
-h help
-d decrypt
-m the mode to use, one of cntr (default), cbc, ofb or ecb.
-n endian, either "big" or "little"
-p the padding to use, one of pkcs (default), iso or zero
-R no randomness. The IV and key are set to zero, and the key argument is ignored
-v verbose
HISTORY
Introduced in csc609/507-201 september 2019
BUGS
No specification for ecb/zero mode on an empty message.
No endianness specification for counter mode.
Interface changed and some options were renamed.
Goals
- To understand the basic encryption framework for CPA-strong encryption.
- To understand and experiment with standard encryption modes.
- To understand and experiment with standard block padding methods.
- To gain experience with a current, state-of-the-art block cipher.
- To understand the limitations and weaknesses of this class of cipher schemes.
The block cipher we will use is AES, the Advanced Encryption Standard.
AES is the result of a worldwide competition for a cipher to replace DES, the
Digital Encryption Standard, as the NIST-recognized standard cipher. As an
entry in the competition, the cipher was called Rijndael, after the inventors.
Because that is hard to spell, it was also known as Rain-Doll.
Please implement all modes and paddings of the encrypt.py description above.
I have adapted a publicly available Python implementation of Rain-Doll, despite
the fact that it would be wiser to have included a standard Python package implementing
the cipher. However, I wanted just the core code, as transparently written as possible,
and simply supporting simple block encryption. Cryptography libraries would also include
implementations of modes, paddings, and more advanced features that I do not want
to highlight at this time.
Modes of Operation
m0 m1 m2
| | |
| | |
+-+ +-+ +-+
|E| |E| |E|
+-+ +-+ +-+
| | |
| | |
c1 c2 c3
**** ECB Mode ****
IV m0 m1 m2
| | | |
+-----(+) +--(+) +--(+)
| | | | | |
| +-+ | +-+ | +-+
| |E| | |E| | |E|
| +-+ | +-+ | +-+
| | | | | |
| +---+ +---+ +--- ...
| | | |
c0/IV c1 c2 c3
**** CBC Mode ****
IV
|
+----+ +----+ +----+
| | | | | |
| +-+ | +-+ | +-+
| |E| | |E| | |E|
| +-+ | +-+ | +-+
| | | | | |
| +---+ +---+ +--- ...
| | | |
| (+)--m0 (+)--m1 (+)--m2
| | | |
c0/IV c1 c2 c3
**** OFB MODE ****
IV
|
+----+--|+1|--+--|+1|--+-- ...
| | | |
| +-+ +-+ +-+
| |E| |E| |E|
| +-+ +-+ +-+
| | | |
| (+)--m0 (+)--m1 (+)--m2
| | | |
c0/IV c1 c2 c3
**** COUNTER MODE ****
Electronic code book (ECB)
- Simplest form but beware, not CPA secure.
- Decryption needed, cannot use a hash function.
- An autokey cipher – it self-synchronizes.
- Encryption/decryption can be done in parallel
- Not malleable
- Should not be used.
Cipher block chaining (CBC)
- Very common method, used for MACs
- Decryption needed, cannot use a hash function.
- An autokey cipher – it self-synchronizes.
- Encryption/decryption cannot be done in parallel
- Mildly malleable; this helps verify the order of blocks
Output Feedback (OFB)
- Encryption box is never used in decryption. A hash function can be used.
- Needs to be synchronized, not autokey.
- Encryption/decryption cannot be done in parallel
- Easily malleable
- Models a pseudorandom string by iterated encryption with a strong cipher.
Counter Mode
- Newer mode, becoming very popular
- Encryption box is never used in decryption. A hash function can be used.
- Needs to be synchronized, not autokey
- Encryption/decryption can be done in parallel
- Easily malleable
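The four diagrams and the property lists above, as an added example that is not the course's encrypt.py. The mode logic is written over an injected 16-byte block function so that it is independent of the cipher; AES is not implemented here, and the placeholder block function is a constructed, insecure stand-in used only so the example runs offline. The big-endian counter increment is an assumption (the BUGS section above notes that no endianness is specified), so the counter functions take the "big"/"little" choice as a parameter the way the new -n option does.

```python
import os

BLOCK = 16  # AES block size in bytes

def key_from_ascii(key: str) -> bytes:
    """Key rule from the DESCRIPTION: ASCII bytes, null-padded or truncated to 16."""
    return key.encode("ascii")[:BLOCK].ljust(BLOCK, b"\x00")

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def blocks(data: bytes) -> list:
    if len(data) % BLOCK:
        raise ValueError("input must be padded to a multiple of 16 bytes")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def make_placeholder_cipher(key: bytes):
    """Constructed stand-in for AES-128 so the example runs offline: a keyed,
    invertible 16-byte permutation (add key bytes, rotate). NOT secure."""
    def enc(block: bytes) -> bytes:
        added = bytes((b + k) & 0xFF for b, k in zip(block, key))
        return added[1:] + added[:1]
    def dec(block: bytes) -> bytes:
        added = block[-1:] + block[:-1]
        return bytes((b - k) & 0xFF for b, k in zip(added, key))
    return enc, dec

# --- ECB: every block encrypted independently, so equal blocks give equal output.
def ecb_encrypt(enc, pt: bytes) -> bytes:
    return b"".join(enc(m) for m in blocks(pt))

def ecb_decrypt(dec, ct: bytes) -> bytes:
    return b"".join(dec(c) for c in blocks(ct))

# --- CBC: the previous ciphertext block is XORed into the next input; c0 is the IV.
def cbc_encrypt(enc, pt: bytes, iv: bytes) -> bytes:
    out = [iv]
    for m in blocks(pt):
        out.append(enc(xor(m, out[-1])))
    return b"".join(out)

def cbc_decrypt(dec, ct: bytes) -> bytes:
    cs = blocks(ct)
    return b"".join(xor(dec(cs[i]), cs[i - 1]) for i in range(1, len(cs)))

# --- OFB and counter mode: a keystream is XORed into the message, so
# decryption only ever calls enc; the E box is never inverted.
def ofb_stream(enc, iv: bytes, n: int):
    s = iv
    for _ in range(n):
        s = enc(s)          # E(IV), E(E(IV)), ...
        yield s

def ctr_stream(enc, iv: bytes, n: int, endian: str = "big"):
    # "big" is an assumption; the page leaves the +1 endianness unspecified
    start = int.from_bytes(iv, endian)
    for i in range(n):
        yield enc(((start + i) % (1 << (8 * BLOCK))).to_bytes(BLOCK, endian))

def stream_encrypt(stream_fn, enc, pt: bytes, iv: bytes, **kw) -> bytes:
    ms = blocks(pt)
    ks = stream_fn(enc, iv, len(ms), **kw)
    return iv + b"".join(xor(m, k) for m, k in zip(ms, ks))

def stream_decrypt(stream_fn, enc, ct: bytes, **kw) -> bytes:
    iv, cs = ct[:BLOCK], blocks(ct[BLOCK:])
    ks = stream_fn(enc, iv, len(cs), **kw)
    return b"".join(xor(c, k) for c, k in zip(cs, ks))

def ofb_encrypt(enc, pt, iv):
    return stream_encrypt(ofb_stream, enc, pt, iv)

def ofb_decrypt(enc, ct):
    return stream_decrypt(ofb_stream, enc, ct)

def ctr_encrypt(enc, pt, iv, endian="big"):
    return stream_encrypt(ctr_stream, enc, pt, iv, endian=endian)

def ctr_decrypt(enc, ct, endian="big"):
    return stream_decrypt(ctr_stream, enc, ct, endian=endian)

def random_iv() -> bytes:
    return os.urandom(BLOCK)  # what the tool does when -n is omitted

if __name__ == "__main__":
    enc, dec = make_placeholder_cipher(key_from_ascii("secret"))
    pt = b"A" * 32                       # two identical blocks, already padded
    print("ecb", ecb_encrypt(enc, pt).hex())  # note the repeated half
    print("cbc", cbc_encrypt(enc, pt, random_iv()).hex())
```

Feeding two identical plaintext blocks through each mode shows the ECB weakness directly: the ECB output repeats, while CBC, OFB and counter mode hide the repetition because each block's input differs. The `-R` option's all-zero IV corresponds to passing `bytes(16)` as `iv`.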
Padding schemes
PKCS#7 padding using the rules:
- There is always at least one byte of padding.
- If the input is a perfect multiple of the block size, then a last block
entirely of padding is added.
- The pad value is the number of bytes of padding.
ISO padding using the rules:
- There is always at least one byte of padding.
- If the input is a perfect multiple of the block size, then a last block
entirely of padding is added.
- The first pad value is 0x80, then all 0x00.
Zero padding using the rules:
- May not be perfectly reversible.
- If the input is a perfect multiple of the block size, then no padding is added.
- As an exception, if the size is 0, pad up to the block size.
- Padding value is all 0x00.
- Take no action to unpad (leave the zeros).
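The three padding rules above as pad/unpad pairs, an added example rather than code from the course's encrypt.py. It follows the rules exactly as stated, including the empty-input exception for zero padding, and the unpad functions raise on malformed input; the 16-byte block size is the page's.

```python
BLOCK = 16

# PKCS#7: always at least one pad byte; pad value is the pad length.
def pkcs7_pad(data: bytes, block: int = BLOCK) -> bytes:
    n = block - (len(data) % block)        # 1..block, a full block if aligned
    return data + bytes([n]) * n

def pkcs7_unpad(data: bytes, block: int = BLOCK) -> bytes:
    if not data or len(data) % block:
        raise ValueError("not a padded message")
    n = data[-1]
    if not 1 <= n <= block or data[-n:] != bytes([n]) * n:
        raise ValueError("bad PKCS#7 padding")
    return data[:-n]

# ISO: always at least one pad byte; first pad byte 0x80, then 0x00s.
def iso_pad(data: bytes, block: int = BLOCK) -> bytes:
    n = block - (len(data) % block)
    return data + b"\x80" + b"\x00" * (n - 1)

def iso_unpad(data: bytes, block: int = BLOCK) -> bytes:
    if not data or len(data) % block:
        raise ValueError("not a padded message")
    i = data.rfind(b"\x80")                # last 0x80 is the marker ...
    if i < 0 or any(data[i + 1:]):         # ... and only 0x00 may follow it
        raise ValueError("bad ISO padding")
    return data[:i]

# Zero: no padding when aligned, except an empty input pads to one block;
# unpadding takes no action, so trailing 0x00 in the message is lost.
def zero_pad(data: bytes, block: int = BLOCK) -> bytes:
    if not data:
        return b"\x00" * block
    return data + b"\x00" * (-len(data) % block)

def zero_unpad(data: bytes, block: int = BLOCK) -> bytes:
    return data

PADDINGS = {
    "pkcs": (pkcs7_pad, pkcs7_unpad),
    "iso": (iso_pad, iso_unpad),
    "zero": (zero_pad, zero_unpad),
}

def roundtrips(name: str, msg: bytes) -> bool:
    """True when unpad(pad(msg)) == msg for the named scheme."""
    pad, unpad = PADDINGS[name]
    return unpad(pad(msg)) == msg

if __name__ == "__main__":
    for name in PADDINGS:
        print(name, PADDINGS[name][0](b"hello").hex(), roundtrips(name, b"ab\x00"))
```

The `roundtrips` check makes the "may not be perfectly reversible" rule concrete: a message that itself ends in 0x00 survives PKCS#7 and ISO padding but not zero padding. When a scheme's unpad raises, treat it as an integrity failure of the whole message rather than reporting which byte was wrong.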