Block Ciphers

A Block Cipher is an algorithm which is used in conjunction with a cryptosystem in order to package a message into evenly distributed 'blocks' which are encrypted one at a time.

Definitions

Common Block Ciphers

Mode Formulas Ciphertext
ECB Yi = F(PlainTexti, Key) Yi
CBC Yi = PlainTexti XOR Ciphertexti-1 F(Y, key); Ciphertext0 = IV
PCBC Yi = PlainTexti XOR (Ciphertexti-1 XOR PlainTexti-1) F(Y, key); Ciphertext0 = IV
CFB Yi = Ciphertexti-1 Plaintext XOR F(Y, key); Ciphertext0 = IV
OFB Yi = F(Key, Ii-1);Y0=IV Plaintext XOR Yi
CTR Yi = F(Key, IV + g(i));IV = token(); Plaintext XOR Yi

Note

In this case i represents an index over the # of blocks in the plaintext. F() and g() represent the function used to convert plaintext into ciphertext.

Electronic Codebook (ECB)

ECB is the most basic block cipher, it simply chunks up plaintext into blocks and independently encrypts those blocks and chains them all into a ciphertext.

ECB Encryption ECB Decryption

Flaws

Because ECB independently encrypts the blocks, patterns in data can still be seen clearly, as shown in the CBC Penguin image below.

Original Image ECB Image Other Block Cipher Modes
Tux ECB Tux Other Tux

Cipher Block Chaining (CBC)

CBC is an improvement upon ECB where an Initialization Vector is used in order to add randomness. The encrypted previous block is used as the IV for each sequential block meaning that the encryption process cannot be parallelized. CBC has been declining in popularity due to a variety of

CBC Encryption CBC Decryption

Note

Even though the encryption process cannot be parallelized, the decryption process can be parallelized. If the wrong IV is used for decryption it will only affect the first block as the decryption of all other blocks depends on the ciphertext not the plaintext.

Propogating Cipher Block Chaining (PCBC)

PCBC is a less used cipher which modifies CBC so that decryption is also not parallelizable. It also cannot be decrypted from any point as changes made during the decryption and encryption process "propogate" throughout the blocks, meaning that both the plaintext and ciphertext are used when encrypting or decrypting as seen in the images below.

PCBC Encryption PCBC Decryption

Counter (CTR)

Note

Counter is also known as CM, integer counter mode (ICM), and segmented integer counter (SIC)

CTR mode makes the block cipher similar to a stream cipher and it functions by adding a counter with each block in combination with a nonce and key to XOR the plaintext to produce the ciphertext. Similarly, the decryption process is the exact same except instead of XORing the plaintext, the ciphertext is XORed. This means that the process is parallelizable for both encryption and decryption and you can begin from anywhere as the counter for any block can be deduced easily.

CTR Encryption CTR Decryption

Security Considerations

If the nonce chosen is non-random, it is important to concatonate the nonce with the counter (high 64 bits to the nonce, low 64 bits to the counter) as adding or XORing the nonce with the counter would break security as an attacker can cause a collisions with the nonce and counter. An attacker with access to providing a plaintext, nonce and counter can then decrypt a block by using the ciphertext as seen in the decryption image.

Padding Oracle Attack

A Padding Oracle Attack sounds complex, but essentially means abusing a block cipher by changing the length of input and being able to determine the plaintext.

Requirements

Execution

  1. If we have two blocks of ciphertext, C1 and C2, we can get the plaintext P2
  2. Since we know that CBC decryptionis dependent on the prior ciphertext, if we change the last byte of C1 we can see if C2 has correct padding
  3. If it is correctly padded we know that the last byte of the plaintext
  4. If not, we can increase our byte by one and repeat until we have a successful padding
  5. We then repeat this for all successive bytes following C1 and if the block is 16 bytes we can expect a maximum of 4080 attempts which is trivial