Implementing Electronic Card Payment Systems (Artech House Computer Security Series)

E.2 Modes of operation

When using a block cipher, it is not recommended to split the data into blocks and encrypt every block separately. Depending on the application, several modes of operations were proposed [4], namely the electronic codebook mode (ECB), the cipher block chaining mode (CBC), the cipher feedback chaining mode (CFB), and the output feedback chaining mode (OFB). For the purpose of this book, we describe only the first two operation modes.

In ECB each block of plaintext is encrypted independently of the other blocks that form a message, C _i = E ( K )[ P _i ], i = 1, , t . The decryption is also carried out independently and is described by the relation P _i = E ^{ˆ’ 1} ( K )[ C _i ], i = 1, , t . The following remarks apply to the ECB mode:

• Reordering the ciphertext blocks will result in the reordering of the plaintext blocks. This fact allows an attacker the possibility of computing a ciphertext message corresponding to an eligible plaintext message without the need of K , but relying only on a given set of cryptograms.

• For the same key K , the same plaintext block is always transformed in the same ciphertext block, a fact that can be exploited in a dictionary attack.

• The errors do not propagate, in the sense that a simple or multiple bit error within a ciphertext block will only affect the decryption of the block in which the error appears.

• The ECB mode is suitable for encrypting messages with a length that is smaller than or equal to the block size. The ECB mode is useful for the key derivation process, where the derived key equals the length of the block size (see Section E.5).

In the CBC mode the encryption operation on the current plaintext block is chained with the ciphertext block of the previous encryption operation. The first encryption operation is chained to an initial vector IV , since there is no previous operation, C ₁ = E ( K )[ P ₁ XOR IV ]. The other ciphertext blocks are computed as C _i = E ( K )[ P _i XOR C _{i ˆ’ 1} ], i = 2, , t . The decryption process of the first ciphertext block is computed with the formula P ₁ = E ^{ˆ’ 1} ( K )[ C ₁ ] XOR IV . The other ciphertext blocks are computed as P _i = E ^{ˆ’ 1} ( K )[ C _i ] XOR C _{i ˆ’ 1} , i = 2, , t . The following properties characterize the CBC mode:

• The chaining operation makes the ciphertext blocks dependent on all preceding blocks, which counter the reordering of ciphertext blocks.

• Using different values of the initial vector IV prevents the same plaintext encrypting to the same ciphertext.

• Due to the chaining, the errors propagate, in the sense that a simple or multiple bit error within a ciphertext block will affect the decryption of the block in which the error appears and that of the succeeding ciphertext block.

• If it happens that two ciphertext blocks created with a block cipher in the CBC mode under the same key are equal, then it is easy to compute the bit-wise XOR of the two corresponding plaintext blocks. In other words, if this happens, then information about plaintext leaks. Indeed, if one looks to the output C _i , then after 2 ^{n /2} outputs one can expect a match C _i = C _j with a high probability. This is the reason why the block size influences the security of the block cipher. Then P _i XOR C _{i ˆ’ 1} = P _j XOR C _{j ˆ’ 1} , which further leads to P _i XOR P _j = C _{i ˆ’ 1} XOR C _{j ˆ’ 1} . Note that this is not due to any weakness of the underlying block cipher, but is rather a consequence of the way the CBC mode is constructed .