and
the CMAC Mode for Authentication
Alberto Grand
December 20, 2007
Abstract
A block cipher is a symmetric key cipher which operates on fixed-length groups of bits. Whenever the input plaintext exceeds the block size, a so-called “mode of operation” must be employed along with the block cipher. A block cipher mode, or mode, for short, is an algorithm that features the use of a symmetric key block cipher algorithm to provide an information service, such as confidentiality or authentication. The first part of this article aims at outlining five NIST recommended modes of operation which provide confidentiality (but do not ensure message integrity): Electronic Codebook (ECB), Cipher Block Chaining (CBC), Cipher Feedback (CFB), Output Feedback (OFB) and Counter (CTR). The second part of the article focuses on a message authentication code (MAC) algorithm based on a symmetric key block cipher, the CMAC algorithm. The CMAC authentication mode is also one of the seven modes which may be used with NIST’s approved encryption algorithms.
Contents
1 Cipher block modes of operation 3
1.1 Five confidentiality modes of operation 3
1.1.1 Electronic Codebook (ECB) 3
1.1.2 Cipher Block Chaining (CBC) 5
1.1.3 Cipher Feedback (CFB) 7
1.1.4 Output Feedback (OFB) 11
1.1.5 Counter (CTR) 12
1.2 Generation of Initialization Vectors 15
1.3 Padding-related issues 15
1.3.1 Padding techniques 15
1.3.2 Ciphertext stealing (CTS) 16
1.4 Related-mode attacks 18
1.4.1 Exploiting an ECB Oracle to attack the CTR mode 18
1.4.2 Exploiting a CBC Oracle to attack the CTR mode 18
References 26
1 Cipher block modes of operation
1.1 Five confidentiality modes of operation
1.1.1 Electronic Codebook (ECB)
The Electronic Codebook (ECB) mode is the simplest, and the most insecure, of the five modes of operation described here. Each input block is processed independently of all others: for every block, the algorithm is simply the keyed permutation that the block cipher defines over the set of all possible input blocks. The term codebook is used because, for a given key, there is a unique ciphertext for every block of plaintext. Therefore, we can imagine a gigantic codebook in which there is an entry for every possible plaintext pattern showing its corresponding ciphertext.
This mode of operation requires that the input plaintext size be a multiple of the block size; if this is not the case, padding must be added to the last input block. Padding techniques, along with their possible drawbacks, are discussed further below.
The mode of operation is defined as follows:
Figure 2: ECB decryption.
single bit error in a ciphertext block may produce an error in any bit position of the decrypted block, with an expected error rate of 50% (depending, however, on the underlying block cipher).
On the other hand, identical plaintext blocks always get encrypted into
identical ciphertext blocks. This is a serious weakness of the ECB mode of
operation, because it results in data patterns being scarcely hidden. To some
extent, message confidentiality is even compromised. An example of how
ineffectively data patterns in the plaintext are handled is given in Figure 3.
Protocols which do not provide integrity protection are also more exposed
to replay attacks when the ECB mode is used.
The ECB mode is ideal for a short amount of data, such as an encryption
key. Thus, if we want to transmit a DES key securely, ECB is the appropriate
mode to use.
1.1.2 Cipher Block Chaining (CBC)
To overcome the security deficiencies of ECB, we would like a technique in which the same plaintext block, if repeated, produces different ciphertext blocks. The Cipher Block Chaining (CBC) mode of operation features the combining (hence the word “chaining”) of each plaintext block with the previous ciphertext block by means of XORing. This way our requirement is satisfied.
The CBC mode requires an initialization vector (IV), which is combined
with the first plaintext block. The IV does not need to be secret, but it
must be unpredictable and its integrity must be preserved; the generation of
IVs will be discussed later on. Like the ECB mode, the CBC mode requires
padding when the plaintext size is not an integer multiple of the block size
in use.
The mode of operation is the following:
In CBC encryption, the input block to each forward cipher operation (but the first one) depends on the previous encrypted block; therefore, it is not possible to perform such operations in parallel. Each CBC decryption operation, however, only takes as inputs ciphertext blocks, thus allowing multiple operations to occur in parallel. For the same reason, random access to the blocks is possible when decrypting.
Figure 5: CBC decryption.
Due to block chaining, bit errors in a single ciphertext block cause corruption of the corresponding decrypted block and of its successor. A one-bit change may produce errors in any bit position of the current decrypted block and inverts the corresponding bit in the following block.
A specific problem exists concerning the IV. An exposed IV might allow a
man-in-the-middle (MITM) to change the IV value in-transit. Changing the
IV changes only the deciphered plaintext for the first block, without garbling
the second block. Any or all bits of the first block plaintext can be changed
systematically with complete control. In marked contrast, when ciphertext
is changed in CBC mode, it does change the next block plaintext bit-for-bit,
but it also garbles the plaintext for the current block and so is easily detected.
An obvious solution to prevent deliberate MITM changes to the first
block by altering the IV is to encipher the IV. Another possibility is to
use a message number value known to both parties to produce the IV by
means of ciphering. Techniques to reset the message number and maintain
synchronization would of course be required.
We must, however, bear in mind that CBC does not provide integrity, but only confidentiality. If higher assurance of message integrity is required, authentication (which ensures integrity) might be necessary.
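The following Python program is an added illustration of the two modes described so far; it is not code from the paper, which defines the modes in figures. Because it has to run without any cryptographic library, the block cipher is a constructed 8-round Feistel stand-in built from SHA-256 (a placeholder, not a cipher to deploy), and the key, IV and plaintext are constructed for the demonstration. It shows the codebook effect (identical plaintext blocks give identical ECB ciphertext blocks), the error propagation of each mode (ECB: one garbled block; CBC: one garbled block plus one inverted bit in its successor), and the bit-for-bit control over the first plaintext block that an unprotected IV gives in CBC.

```python
import hashlib

BLOCK = 16                    # block size b: 128 bits, as in AES
KEY = bytes(range(16, 32))    # constructed demo key (not from the paper)
IV = bytes(range(16))         # constructed demo IV
PT = b"ATTACK AT DAWN! " * 3  # three identical 16-byte plaintext blocks (constructed)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, half: bytes, rnd: int) -> bytes:
    # Keyed round function of the toy Feistel network that stands in for a real
    # block cipher here. Constructed placeholder only.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]


def ciph(key: bytes, block: bytes) -> bytes:
    """Forward cipher function CIPH_k: an 8-round Feistel network over one block."""
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(8):
        l, r = r, xor(l, _f(key, r, rnd))
    return l + r


def ciph_inv(key: bytes, block: bytes) -> bytes:
    """Inverse cipher function: the same rounds run backwards."""
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in reversed(range(8)):
        l, r = xor(r, _f(key, l, rnd)), l
    return l + r


def blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key, pt):
    return b"".join(ciph(key, p) for p in blocks(pt))        # C_j = CIPH_k(P_j)


def ecb_decrypt(key, ct):
    return b"".join(ciph_inv(key, c) for c in blocks(ct))    # P_j = CIPH_k^{-1}(C_j)


def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for p in blocks(pt):
        prev = ciph(key, xor(p, prev))                       # C_j = CIPH_k(P_j xor C_{j-1})
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for c in blocks(ct):
        out.append(xor(ciph_inv(key, c), prev))              # P_j = CIPH_k^{-1}(C_j) xor C_{j-1}
        prev = c
    return b"".join(out)


def flip_bit(data: bytes, bit: int) -> bytes:
    buf = bytearray(data)
    buf[bit // 8] ^= 1 << (bit % 8)
    return bytes(buf)


def bit_diff_per_block(a: bytes, b: bytes) -> list:
    """Number of differing bits, block by block."""
    return [sum(bin(x ^ y).count("1") for x, y in zip(p, q))
            for p, q in zip(blocks(a), blocks(b))]


def ecb_distinct_blocks(key=KEY, pt=PT) -> int:
    """Codebook effect: identical plaintext blocks encrypt to identical blocks."""
    return len(set(blocks(ecb_encrypt(key, pt))))


def ecb_error_spread(key=KEY, pt=PT) -> list:
    """One flipped ciphertext bit in block 1 garbles block 1 only."""
    ct = ecb_encrypt(key, pt)
    return bit_diff_per_block(pt, ecb_decrypt(key, flip_bit(ct, BLOCK * 8 + 3)))


def cbc_error_spread(key=KEY, iv=IV, pt=PT) -> list:
    """One flipped ciphertext bit in block 1 garbles block 1 and inverts exactly
    that bit in block 2; block 3 is untouched."""
    ct = cbc_encrypt(key, iv, pt)
    return bit_diff_per_block(pt, cbc_decrypt(key, iv, flip_bit(ct, BLOCK * 8 + 3)))


def cbc_iv_tamper(key=KEY, iv=IV, pt=PT) -> list:
    """A modified IV changes plaintext block 1 bit-for-bit and garbles nothing,
    which is why the IV's integrity must be protected even though it need not be secret."""
    ct = cbc_encrypt(key, iv, pt)
    return bit_diff_per_block(pt, cbc_decrypt(key, flip_bit(iv, 5), ct))


if __name__ == "__main__":
    print("distinct ECB blocks:", ecb_distinct_blocks())
    print("ECB error spread:   ", ecb_error_spread())
    print("CBC error spread:   ", cbc_error_spread())
    print("CBC IV tamper:      ", cbc_iv_tamper())
```

Each helper returns a per-block count of wrong bits, so the four observations of the text can be read off directly: ECB gives `[0, k, 0]` with `k` near half the block, CBC gives `[0, k, 1]`, and tampering with the IV gives `[1, 0, 0]`.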
Since a single-bit error in a ciphertext block thus affects all subsequent blocks, the entire message is very likely to be rejected. Whether this is a desirable feature for a mode of operation largely depends on the application. In some cases, a one-bit change may indicate a possible attack; it is therefore most preferable to discard the entire message. On the other hand, when bit errors are more likely to be introduced by the transmission line, rather than by a malicious user, resilience of the data may be favourable.
The PCBC mode of encryption has not been formally published as a federal or national standard, and it does not have widespread general support. It was used in Kerberos v4, but was abandoned starting from version 5 because the exchange of two adjacent blocks does not affect subsequent blocks.
As a matter of fact, when $C_i$ and $C_{i+1}$ are received in order:
a keystream. The CFB mode of operation is very close to the CBC mode. It entails the feedback of ciphertext segments which are ciphered to generate output blocks; the latter are then XORed with the plaintext to produce ciphertext (whereas in the CBC mode the XOR operation precedes the ciphering). For this mode of operation the plaintext size need not be a multiple of the block size. As a matter of fact, a further parameter $s$, named the segment size, is considered; it can assume any value between 1 and the block size $b$. The plaintext is thus decomposed into $n$ segments $P^{\#}_j$, which are encrypted into $n$ ciphertext segments $C^{\#}_j$.
The algorithm operates as follows:
CFB encryption:
$I_1 = IV$
$I_j = \mathrm{LSB}_{b-s}(I_{j-1}) \,\|\, C^{\#}_{j-1}$ for $j = 2, \dots, n$
$O_j = \mathrm{CIPH}_k(I_j)$ for $j = 1, \dots, n$
$C^{\#}_j = P^{\#}_j \oplus \mathrm{MSB}_s(O_j)$ for $j = 1, \dots, n$
CFB decryption:
$I_1 = IV$
$I_j = \mathrm{LSB}_{b-s}(I_{j-1}) \,\|\, C^{\#}_{j-1}$ for $j = 2, \dots, n$
$O_j = \mathrm{CIPH}_k(I_j)$ for $j = 1, \dots, n$
$P^{\#}_j = C^{\#}_j \oplus \mathrm{MSB}_s(O_j)$ for $j = 1, \dots, n$
Figure 7: CFB decryption.
the $b - s$ least significant bits of the previous input block are concatenated with the previous ciphertext segment to form the current input block. This operation is equivalent to shifting the previous input block to the left by $s$ positions and replacing the $s$ least significant bits of the result with the last ciphertext segment.
In CFB encryption, just like CBC encryption, the input block to each cipher operation depends on the result of the previous one. Although encryption cannot be executed in parallel on multiple blocks, a form of pipelining is possible, since the only encryption step that requires the actual plaintext is the last. This is useful when low latency between the arrival of plaintext and the output of the corresponding ciphertext is required (e.g., in some applications of streaming media).
Decryption can be performed in parallel.
A further advantage of the CFB mode is that the cipher function is only
ever used in the forward direction.
The CFB mode of operation relates to bit errors in the opposite way with respect to the CBC mode. A single-bit error in a ciphertext block results in an error in the same bit position of the corresponding decrypted block and may affect the following $\lceil b/s \rceil$ segments in an unpredictable way. Bit errors in the IV affect, at a minimum, the decryption of the first ciphertext segment and possibly following segments, depending on the position of the rightmost bit error in the IV; in general, a bit error in the $i$-th position (counting from the left) affects the decryption of the first $\lceil i/s \rceil$ segments.
The CFB mode is exposed to the risk of intentional introduction of bit errors in specific bit positions when it is used with an underlying block cipher which does not provide data integrity. Unlike other modes of operation, however, the existence of such errors may be inferred by their randomizing effects on the following ciphertext segments.
The insertion or deletion of bits into a ciphertext segment spoils the
synchronization of the segment boundaries. The decryption of the subsequent
segments will almost certainly be incorrect until synchronization is restored.
When the 1-bit CFB mode (i.e., the CFB mode with a segment size of 1 bit)
is used, the synchronization is automatically restored after b + 1 segments.
For other values of s the synchronization must be restored manually.
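As an added example (not from the paper), the program below implements CFB with a configurable segment size and measures the error propagation just described. Two simplifications are assumptions of this example: the segment size $s$ is counted in bytes rather than bits, and the forward cipher function is a constructed keyed-SHA-256 stand-in, which is enough because CFB never needs the inverse direction. The key, IV and plaintext are constructed. Decrypting a ciphertext with one flipped bit shows the same bit inverted in that plaintext segment, the next $\lceil b/s \rceil$ segments garbled while the corrupted segment travels through the shift register, and correct decryption resuming after that.

```python
import hashlib

BLOCK = 16                   # block size b in bytes
KEY = bytes(range(16, 32))   # constructed demo key
IV = bytes(range(16))        # constructed demo IV
PT = bytes(range(48))        # constructed plaintext: 12 segments of 4 bytes


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def ciph(key, block):
    # Forward cipher function stand-in (constructed): keyed SHA-256 truncated to one
    # block. CFB only ever uses the forward direction, so no inverse is needed.
    return hashlib.sha256(key + block).digest()[:BLOCK]


def cfb_process(key, iv, data, s, decrypting):
    """CFB with a segment size of s bytes (1 <= s <= BLOCK)."""
    if not 1 <= s <= BLOCK:
        raise ValueError("segment size must lie between 1 and the block size")
    out, shift_reg = [], iv                                # I_1 = IV
    for j in range(0, len(data), s):
        seg_in = data[j:j + s]
        seg_out = xor(seg_in, ciph(key, shift_reg)[:s])    # xor with MSB_s(O_j)
        out.append(seg_out)
        c_j = seg_in if decrypting else seg_out            # the ciphertext segment feeds back
        shift_reg = shift_reg[s:] + c_j                    # I_{j+1} = LSB_{b-s}(I_j) || C_j
    return b"".join(out)


def cfb_encrypt(key, iv, pt, s):
    return cfb_process(key, iv, pt, s, False)


def cfb_decrypt(key, iv, ct, s):
    return cfb_process(key, iv, ct, s, True)


def flip_bit(data, bit):
    buf = bytearray(data)
    buf[bit // 8] ^= 1 << (bit % 8)
    return bytes(buf)


def bit_diff_per_segment(a, b, s):
    return [sum(bin(x ^ y).count("1") for x, y in zip(a[i:i + s], b[i:i + s]))
            for i in range(0, len(a), s)]


def cfb_error_spread(s=4, damaged=2, key=KEY, iv=IV, pt=PT):
    """Flip one bit in ciphertext segment `damaged` and report, per plaintext
    segment, how many bits come out wrong after decryption."""
    ct = cfb_encrypt(key, iv, pt, s)
    ct_damaged = flip_bit(ct, damaged * s * 8 + 1)
    return bit_diff_per_segment(pt, cfb_decrypt(key, iv, ct_damaged, s), s)


def garbled_segments(s=4, damaged=2):
    """Segments that decrypt to garbage: the ceil(b/s) segments after the damaged
    one, i.e. for as long as the corrupted segment sits inside the shift register.
    The damaged segment itself only carries the single flipped bit and is not listed."""
    diff = cfb_error_spread(s, damaged)
    return [i for i, d in enumerate(diff) if d and i != damaged]


if __name__ == "__main__":
    for s in (4, 8, 16):
        print(f"s={s:2d} bytes: segment 2 damaged, garbled segments {garbled_segments(s, 2)}")
```

With a 16-byte block and 4-byte segments, damaging segment 2 garbles segments 3 to 6 (four segments, $\lceil 16/4 \rceil$); with 8-byte segments only the next two are lost.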
1.1.4 Output Feedback (OFB)
The Output Feedback (OFB) mode of operation, just like CFB, converts the underlying block cipher into a stream cipher. It features the iteration of the forward cipher function on an IV to generate keystream blocks, which are combined with the plaintext blocks by means of XORing. The plaintext size need not be an integer multiple of the block size. The last block may be a partial block of size $u$; in that case, it is XORed with the $u$ most significant bits of the last keystream block to produce the last (partial) ciphertext block.
It is defined as follows:
OFB encryption:
$I_1 = IV$
$I_j = O_{j-1}$ for $j = 2, \dots, n$
$O_j = \mathrm{CIPH}_k(I_j)$ for $j = 1, \dots, n$
$C_j = P_j \oplus O_j$ for $j = 1, \dots, n-1$
$C^*_n = P^*_n \oplus \mathrm{MSB}_u(O_n)$
OFB decryption:
$I_1 = IV$
$I_j = O_{j-1}$ for $j = 2, \dots, n$
$O_j = \mathrm{CIPH}_k(I_j)$ for $j = 1, \dots, n$
$P_j = C_j \oplus O_j$ for $j = 1, \dots, n-1$
$P^*_n = C^*_n \oplus \mathrm{MSB}_u(O_n)$
Figure 9: OFB decryption.
The OFB mode requires the IV to be a nonce, i.e. the IV must be unique for every message that is encrypted with a given key. When this requirement is not met, the confidentiality of the encrypted message may be compromised. If a plaintext block is known to a malicious user, the latter can easily reconstruct the corresponding keystream block from the ciphertext block. Reuse of the same IV therefore enables the malicious user to gain knowledge of the corresponding block of another message by simply XORing its ciphertext block with the keystream block. The same holds when any of the input blocks to the forward cipher is designated as the IV for the encryption of another message under the same key.
Bit errors within a ciphertext block only affect the decryption of that block;
flipping a bit in the ciphertext produces a flipped bit in the plaintext at the
same location. This property is useful, in that it allows many error correcting
codes to function normally even when applied before encryption. However,
OFB is less resistant to message stream modification attacks. An attacker
may in fact systematically change bits of his choosing in every block and
correspondingly alter the checksum part of the message in such a way that
the modifications will not be detected by an error-correcting code.
Conversely, bit errors in the IV affect the decryption of all ciphertext
blocks.
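The program below is an added example, not the paper's code, that exercises the two OFB properties just discussed: a flipped ciphertext bit changes exactly one plaintext bit, and a reused IV lets anyone who knows one plaintext read the other. The forward cipher function is a constructed keyed-SHA-256 stand-in (OFB needs only the forward direction), and the key, IV and the two messages are constructed. The `OfbSender` class at the end is the defensive counterpart: it refuses to encrypt under an IV, or under any earlier input block of the keystream chain, that it has already used with the same key.

```python
import hashlib

BLOCK = 16
KEY = bytes(range(16, 32))   # constructed demo key
IV = bytes(range(16))        # constructed IV, deliberately reused below
P1 = b"known header: protocol v1, flags 00"   # constructed message known to the attacker
P2 = b"secret: account 42, balance 9000.00"   # constructed message that should stay private


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def ciph(key, block):
    # Forward cipher function stand-in (constructed): keyed SHA-256 truncated to one
    # block. OFB only ever uses the forward direction.
    return hashlib.sha256(key + block).digest()[:BLOCK]


def ofb_keystream(key, iv, nbytes):
    """I_1 = IV, O_j = CIPH_k(I_j), I_{j+1} = O_j; the keystream is O_1 || O_2 || ..."""
    out, state = b"", iv
    while len(out) < nbytes:
        state = ciph(key, state)
        out += state
    return out[:nbytes]              # a partial last block takes MSB_u(O_n)


def ofb_encrypt(key, iv, data):
    return xor(data, ofb_keystream(key, iv, len(data)))


ofb_decrypt = ofb_encrypt            # encryption and decryption coincide


def flip_bit(data, bit):
    buf = bytearray(data)
    buf[bit // 8] ^= 1 << (bit % 8)
    return bytes(buf)


def changed_bits_after_flip(bit=37, key=KEY, iv=IV, pt=P1):
    """Flip one ciphertext bit and list the plaintext bits that change: only that one."""
    damaged = ofb_decrypt(key, iv, flip_bit(ofb_encrypt(key, iv, pt), bit))
    return [i for i in range(len(pt) * 8)
            if (pt[i // 8] ^ damaged[i // 8]) >> (i % 8) & 1]


def iv_reuse_exposes_second_message(key=KEY, iv=IV):
    """With the IV reused, both messages are XORed with the same keystream. Whoever
    knows P1 recovers the keystream from C1 and reads P2 out of C2 without the key."""
    c1 = ofb_encrypt(key, iv, P1)
    c2 = ofb_encrypt(key, iv, P2)
    keystream = xor(c1, P1)
    return xor(c2, keystream)        # equals P2 over the common length


class OfbSender:
    """Encrypts with OFB and enforces the nonce rule: neither an IV nor any keystream
    block (each O_j is the next input block I_{j+1}) is ever used twice under the key."""

    def __init__(self, key):
        self.key = key
        self.seen_inputs = set()

    def encrypt(self, iv, data):
        keystream = ofb_keystream(self.key, iv, len(data))
        inputs = {iv} | {keystream[i:i + BLOCK]
                         for i in range(0, len(keystream) - BLOCK + 1, BLOCK)}
        if inputs & self.seen_inputs:
            raise ValueError("IV or an earlier input block reused under this key")
        self.seen_inputs |= inputs
        return xor(data, keystream)


def reuse_is_rejected(key=KEY, iv=IV) -> bool:
    sender = OfbSender(key)
    sender.encrypt(iv, P1)
    try:
        sender.encrypt(iv, P2)
    except ValueError:
        return True
    return False
```

In a real system the set of used IVs would have to persist across restarts, or the IV would be derived from a counter that is never reset; the in-memory set is the smallest thing that makes the rule checkable.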
that do not repeat for a long time. An actual counter is the simplest and most popular of such functions. The property that all counter blocks must be different does not apply to a single message only: across all of the messages that are encrypted under a given key, counters must be distinct.
Given a sequence of counters $T_1, T_2, \dots, T_n$, the CTR mode is defined as follows:
The CTR mode can operate with input plaintexts whose size is not an integer multiple of the block size $b$. In that case, the last block $C^*_n$ will be a partial block.
Both CTR encryption and decryption work on counter blocks and plaintext/ciphertext blocks independent from one another; multiple forward cipher functions can thus be performed in parallel, providing greater hardware efficiency than all other modes of operation. The only limitation is the amount of parallelism that can be achieved on a given machine.
In addition, the CTR mode provides true random access to any particular
ciphertext block. The forward cipher function can also be applied to each of
the counters in advance, so that decryption can start as soon as ciphertext
blocks are available.
A further advantage of the CTR mode is its simplicity, since the cipher algorithm is only needed for encryption, while simple XOR operations are used for decryption. This matters most when the decryption algorithm differs substantially from the encryption algorithm, as it does for AES.
In order to ensure the uniqueness of each counter block, two aspects must
be taken into account. First, an appropriate incrementing function that
generates the counter blocks from any initial counter block must guarantee
that counters do not repeat within a given message. Second, the initial
counter blocks for every message must be chosen in such a way that counter
blocks do not repeat across all messages that are encrypted under a given
key.
This approach requires that the total number of blocks, across all messages, be at most $2^m$; care should also be taken to ensure the proper sequencing of the messages.
A second approach lies in the assignment of a unique identifier (i.e., a nonce) to every message. The nonce is a $(b-m)$-bit string that is incorporated in every counter block of a given message. To ensure that it is used only once, it should be time-variant or generated with enough random bits to guarantee a probabilistically insignificant chance of collision. The incrementing function is applied to the remaining $m$ bits. The nonce and the actual counter can be subsequently concatenated, added or XORed to produce the unique counter block.
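As an added example, not part of the paper, the following program implements CTR mode with the second (nonce-based) counter construction: a 96-bit nonce concatenated with a 32-bit counter, so $b = 128$ and $m = 32$ are assumptions of the example. The forward cipher function is a constructed keyed-SHA-256 stand-in (CTR never needs the inverse), and the key, nonce and plaintext are constructed. It demonstrates random access to a single ciphertext block and, in the `CtrKey` class, the two uniqueness rules the text states: the counter may not wrap within one message and a nonce may not be reused across messages under the same key.

```python
import hashlib

BLOCK = 16                    # block size b in bytes (128 bits)
M = 32                        # width m of the counter field in bits
NONCE_LEN = BLOCK - M // 8    # the (b - m)-bit nonce occupies the remaining 12 bytes
KEY = bytes(range(16, 32))    # constructed demo key
NONCE = bytes(range(12))      # constructed 96-bit message nonce
PT = bytes(range(56))         # constructed plaintext: 3 full blocks plus an 8-byte partial one


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def ciph(key, block):
    # Forward cipher function stand-in (constructed): keyed SHA-256 truncated to one
    # block. CTR never needs the inverse direction.
    return hashlib.sha256(key + block).digest()[:BLOCK]


def counter_block(nonce, j):
    """T_j = nonce || j: the concatenation construction of the counter block."""
    if len(nonce) != NONCE_LEN:
        raise ValueError("nonce must be b - m bits long")
    if not 0 <= j < 2 ** M:
        raise ValueError("counter would wrap: one nonce covers at most 2^m blocks")
    return nonce + j.to_bytes(M // 8, "big")


def ctr_crypt(key, nonce, data):
    """Encryption and decryption are the same operation: XOR with CIPH_k(T_j).
    A partial final block is XORed with the leading bytes of the last keystream block."""
    out = []
    for j in range(-(-len(data) // BLOCK)):
        chunk = data[j * BLOCK:(j + 1) * BLOCK]
        out.append(xor(chunk, ciph(key, counter_block(nonce, j))))
    return b"".join(out)


def ctr_decrypt_block(key, nonce, ct, j):
    """Random access: block j is recovered from its own counter block alone."""
    return xor(ct[j * BLOCK:(j + 1) * BLOCK], ciph(key, counter_block(nonce, j)))


class CtrKey:
    """One key plus the bookkeeping that keeps every counter block unique:
    no nonce is reused across messages and no message exceeds 2^m blocks."""

    def __init__(self, key):
        self.key = key
        self.used_nonces = set()

    def encrypt(self, nonce, pt):
        if nonce in self.used_nonces:
            raise ValueError("nonce already used under this key")
        if -(-len(pt) // BLOCK) > 2 ** M:
            raise ValueError("message longer than 2^m blocks")
        self.used_nonces.add(nonce)
        return ctr_crypt(self.key, nonce, pt)


def random_access_matches(key=KEY, nonce=NONCE, pt=PT, j=2) -> bool:
    """Decrypt block j on its own and compare with the plaintext block."""
    ct = ctr_crypt(key, nonce, pt)
    return ctr_decrypt_block(key, nonce, ct, j) == pt[j * BLOCK:(j + 1) * BLOCK]


def nonce_reuse_is_rejected(key=KEY, nonce=NONCE) -> bool:
    sender = CtrKey(key)
    sender.encrypt(nonce, b"first message")
    try:
        sender.encrypt(nonce, b"second message")
    except ValueError:
        return True
    return False
```

The first approach from the text, a single counter running across all messages, would replace the nonce set with one persistent integer and the per-message check with a check that the running total stays below $2^m$.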
number of bytes. For the above padding method, the padding bits can be removed unambiguously, provided that the receiver can determine that the message is indeed padded. In order to ensure that the receiver does not mistakenly remove bits from an unpadded message, the sender may be required to pad every message, even though the last block is already complete. In that case, an entire block of padding is added.
workaround to this problem. The goal is achieved at the cost of an increased
complexity of the encryption and decryption process. The encryption and
decryption algorithms for the ECB mode only are described below.
Encryption:
3. $D_n = P_n \,\|\, \mathrm{LSB}_{b-m}(E_{n-1})$
Decryption:
3. $P_n = \mathrm{MSB}_m(D_n)$
During encryption, all plaintext blocks except the last one are encrypted normally. After the second-to-last block has been encrypted, the $m$ most significant bits are taken to create the last partial ciphertext block. The remaining bits are then appended to the last incomplete plaintext block and the block thus obtained is enciphered to create the second-to-last ciphertext block. This way we transmit as many bits as were in the original message.
The receiver normally decrypts all blocks except the last one. The $m$ most significant bits of the plaintext block obtained from the decryption of the second-to-last ciphertext block give the last plaintext block, whereas the remaining $b - m$ bits are concatenated to the last ciphertext block and decrypted, yielding the second-to-last plaintext block.
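The procedure just described, as an added example that is not part of the paper: ECB with ciphertext stealing, written generically over any block encrypt/decrypt pair. Since no block cipher is available here, `enc` and `dec` are a constructed invertible placeholder (XOR with a key-derived pad, then a byte reversal); it has none of a cipher's security properties and exists only so that the stealing logic can be run. The plaintext is constructed. Byte granularity is assumed, so $m$ is the length of the final partial block in bytes.

```python
import hashlib

BLOCK = 16
PAD = hashlib.sha256(b"constructed demo key").digest()[:BLOCK]
PT = b"The quick brown fox jumps over the lazy dog"   # constructed: 43 bytes, 2 full blocks + 11


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def enc(block):
    # Placeholder for the forward cipher function: XOR with a key-derived pad, then
    # reverse the bytes. It is invertible, which is all ciphertext stealing needs,
    # but it is not a cipher; pass a real block cipher's encrypt/decrypt in practice.
    return xor(block, PAD)[::-1]


def dec(block):
    return xor(block[::-1], PAD)


def split_blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_cts_encrypt(enc_fn, pt):
    """ECB with ciphertext stealing: the ciphertext is exactly as long as the plaintext."""
    if len(pt) <= BLOCK:
        raise ValueError("ciphertext stealing needs more than one block of plaintext")
    P = split_blocks(pt)
    n, m = len(P), len(P[-1])                     # m = length of the final partial block
    C = [enc_fn(p) for p in P[:n - 2]]            # C_j = CIPH_k(P_j) for j < n-1
    e_prev = enc_fn(P[n - 2])                     # E_{n-1} = CIPH_k(P_{n-1})
    d_last = P[n - 1] + e_prev[m:]                # D_n = P_n || LSB_{b-m}(E_{n-1})
    C.append(enc_fn(d_last))                      # C_{n-1} = CIPH_k(D_n)
    C.append(e_prev[:m])                          # C_n = MSB_m(E_{n-1})
    return b"".join(C)


def ecb_cts_decrypt(dec_fn, ct):
    if len(ct) <= BLOCK:
        raise ValueError("ciphertext stealing needs more than one block of ciphertext")
    C = split_blocks(ct)
    n, m = len(C), len(C[-1])
    P = [dec_fn(c) for c in C[:n - 2]]            # P_j = CIPH_k^{-1}(C_j) for j < n-1
    d_last = dec_fn(C[n - 2])                     # D_n = CIPH_k^{-1}(C_{n-1})
    e_prev = C[n - 1] + d_last[m:]                # E_{n-1} = C_n || LSB_{b-m}(D_n)
    P.append(dec_fn(e_prev))                      # P_{n-1} = CIPH_k^{-1}(E_{n-1})
    P.append(d_last[:m])                          # P_n = MSB_m(D_n)
    return b"".join(P)


def roundtrip(pt=PT) -> bool:
    """Ciphertext has the plaintext's length and decrypts back to it."""
    ct = ecb_cts_encrypt(enc, pt)
    return len(ct) == len(pt) and ecb_cts_decrypt(dec, ct) == pt
```

When the plaintext happens to fill its last block completely ($m = b$), the same code simply swaps the last two ciphertext blocks, so a receiver must know that stealing is in use; the standard requires more than one block of input, which the length checks enforce.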
1.4 Related-mode attacks
Block ciphers are often proposed with several variants, in terms of a different secret key size and corresponding number of rounds. The so-called “related-cipher attack” model refers to a situation in which some ciphers are related, in the sense that they are exactly identical to each other, differing only in the key size and most often also in the total number of rounds. The knowledge that one cipher is being used and the availability of an oracle which provides the forward and inverse cipher functions of a related cipher can be exploited in order to attack the exchange of information enciphered using the first cipher.
The concept has then been extended to a larger class of related models, in particular to cipher encryptions with different block cipher modes of operation, but with the underlying block cipher being identical. This new model has been named a “related-mode attack” model. It has been shown that when an adversary has access to an oracle for any one mode of operation (ECB, CBC, CFB, OFB, CTR), then almost all other related cipher modes can be easily attacked. Examples of such attacks are briefly outlined in the following paragraphs. Further examples may be found in [6].
to find $P_i$. On the whole, two CP queries under CBC are required to obtain a block enciphered under CTR.
2.2.1 Description
In the Cipher Block Chaining MAC, the message is encrypted with some
underlying block cipher algorithm using the CBC mode of operation and zero
IV, so as to create an interdependence between each block and its predecessor.
As a consequence, a change to any of the plaintext bits will cause the final
encrypted block to change in a way that cannot be predicted or counteracted
without knowing the key to the block cipher. The final ciphertext block is
taken as the message authentication code (MAC) for the current message.
2.2.2 Weaknesses
Given a secure underlying block cipher, the CBC-MAC mode for authentication is secure for fixed-length messages (i.e., when the two parties have agreed on a message length and any message of a different length will be discarded as inauthentic). However, it is not secure for variable-length messages. An attacker who knows two distinct messages, $m'$ and $m''$, with their associated CBC-MACs, $t'$ and $t''$, can produce a third message $m^*$, whose CBC-MAC will also be $t''$. This is done by simply XORing the first plaintext block of $m''$ with $t'$ and then chaining $m'$ with the thus modified $m''$:
As a matter of fact, when the receiver computes the CBC-MAC over the received message $m^*$, the first block of $m''$ will be XORed with the last ciphertext block of $m'$, which is in fact $t'$. XORing two identical bit-vectors yields the zero vector, which results, in practice, in computing the CBC-MAC over $m''$ only, “undoing” all past history (represented by $m'$):
The MAC verification will therefore succeed and the message will be mistakenly accepted as authentic.
Another security problem of the CBC-MAC arises when the same key is used for CBC encryption and CBC-MAC. Although reuse of a key for different purposes is bad practice in general, in this particular case the mistake may lead to an unparalleled attack.
Suppose a message $m = m_1 \| m_2 \| \dots \| m_q$ is encrypted using the CBC mode under the key $k$, yielding the ciphertext $c_1 \| c_2 \| \dots \| c_q$. We here assume that the IV for the encryption is obtained by forward-ciphering a bit-vector (e.g., a nonce), which we will call $m_0$. The same key is then used to produce a CBC-MAC $t$ for the IV and the message. An attacker may now change every bit before the last ciphertext block $c_q$, and the MAC will still be valid. This is because $t = \mathrm{CIPH}_k(m_q \oplus c_{q-1}) = c_q$, so as long as the last ciphertext block remains unaltered, the CBC-MAC verification will succeed. This is also the reason why inexperienced users often make such a gross mistake: it allows one to encrypt the message and compute its MAC in a single pass, increasing performance by a factor of two. This also shows that the CBC-MAC cannot be used as a collision resistant one-way function: given a key, it is trivial to find a different message which maps to the same MAC.
polynomials of degree $b$ having the minimum possible number of nonzero terms. If we let that polynomial be $u^b + c_{b-1}u^{b-1} + \dots + c_2u^2 + c_1u + c_0$, then $R_b$ is the bit string $c_{b-1}c_{b-2}\dots c_2c_1c_0$. The generation of $K_1$ and $K_2$ is essentially equivalent to multiplication by $u$ and $u^2$, respectively, within the Galois field that is determined by this polynomial.
Figure 12: Two cases of CMAC generation.
The verification of the MAC involves two steps. Prior to verification, the received data must be decrypted using the appropriate mode of operation and underlying algorithm. The CMAC algorithm is applied to the decrypted data and a MAC is generated. The result is then compared with the received MAC. Upon successful comparison, the verification process terminates successfully.
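The program below is an added example covering both the CBC-MAC weaknesses described in Section 2.2.2 and the CMAC subkey generation and verification described here; it is not the paper's code. The forward cipher function is a constructed keyed-SHA-256 stand-in (both MACs use only the forward direction), the key and the two messages are constructed, and $b = 128$ is assumed, for which the constant $R_{128}$ is the byte `0x87`. The two messages are spliced exactly as the text describes so that the check `splice_accepted` can show that CBC-MAC accepts the spliced message whereas CMAC, whose final block is masked with $K_1$ or $K_2$, rejects it; `same_key_mac_is_last_ciphertext_block` reproduces the key-reuse observation that the tag is just $c_q$. Verification compares tags in constant time.

```python
import hashlib
import hmac

BLOCK = 16                  # block size b in bytes (128 bits)
R128 = 0x87                 # R_b for b = 128, from the polynomial u^128 + u^7 + u^2 + u + 1
KEY = bytes(range(16, 32))  # constructed demo key
M1 = b"pay 100 EUR to A; ref 2007-1220".ljust(2 * BLOCK)   # constructed, two blocks
M2 = b"pay 500 EUR to B; ref 2007-1221".ljust(2 * BLOCK)   # constructed, two blocks


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def ciph(key, block):
    # Forward cipher function stand-in (constructed): keyed SHA-256 truncated to one
    # block. Both MACs use the forward direction only.
    return hashlib.sha256(key + block).digest()[:BLOCK]


def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = ciph(key, xor(prev, pt[i:i + BLOCK]))
        out.append(prev)
    return b"".join(out)


def cbc_mac(key, msg):
    """CBC-MAC: CBC encryption under a zero IV, keeping only the last block."""
    if len(msg) == 0 or len(msg) % BLOCK:
        raise ValueError("CBC-MAC is defined on a whole number of blocks")
    return cbc_encrypt(key, bytes(BLOCK), msg)[-BLOCK:]


def times_u(x):
    """Multiply by u in the Galois field GF(2^128) fixed by R_128."""
    n = int.from_bytes(x, "big") << 1
    if n >> (8 * BLOCK):                       # reduce when the degree reaches b
        n = (n & ((1 << 8 * BLOCK) - 1)) ^ R128
    return n.to_bytes(BLOCK, "big")


def cmac_subkeys(key):
    L = ciph(key, bytes(BLOCK))
    K1 = times_u(L)                            # K1 = L * u
    return K1, times_u(K1)                     # K2 = L * u^2


def cmac(key, msg):
    """CMAC: CBC-MAC whose final block is masked with K1 (complete block) or padded
    with 10...0 and masked with K2 (incomplete block), so the tag of a message is
    never equal to the chaining state reached inside a longer message."""
    K1, K2 = cmac_subkeys(key)
    n = max(1, -(-len(msg) // BLOCK))
    head, last = msg[:(n - 1) * BLOCK], msg[(n - 1) * BLOCK:]
    if len(last) == BLOCK:
        last = xor(last, K1)
    else:
        last = xor(last + b"\x80" + bytes(BLOCK - len(last) - 1), K2)
    return cbc_encrypt(key, bytes(BLOCK), head + last)[-BLOCK:]


def verify(mac_fn, key, msg, tag):
    """Recompute the MAC over the (already decrypted) data; constant-time comparison."""
    return hmac.compare_digest(mac_fn(key, msg), tag)


def splice(m_a, t_a, m_b):
    """m* = m' || (first block of m'' xor t') || rest of m'', as in the text above."""
    return m_a + xor(m_b[:BLOCK], t_a) + m_b[BLOCK:]


def splice_accepted(mac_fn, key=KEY):
    """Does m* verify under the tag t'' of m''? True for CBC-MAC, False for CMAC."""
    t_a, t_b = mac_fn(key, M1), mac_fn(key, M2)
    return verify(mac_fn, key, splice(M1, t_a, M2), t_b)


def same_key_mac_is_last_ciphertext_block(key=KEY):
    """Key reuse: with IV = CIPH_k(m0), the CBC-MAC of m0 || m equals c_q, the last
    CBC ciphertext block, so nothing before c_q is protected by the tag."""
    m0 = bytes(range(BLOCK))                   # constructed nonce block
    ct = cbc_encrypt(key, ciph(key, m0), M1)
    return cbc_mac(key, m0 + M1) == ct[-BLOCK:]
```

A useful regression test for any MAC implementation is therefore that `splice_accepted` returns False and that the tag is not a function of the ciphertext under the encryption key; the constant-time `verify` is also what keeps the comparison from leaking which tag byte mismatched first.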
care should be taken to ensure that the maximum number of unsuccessful
CMAC verifications on a given system be limited.
the key, relative to the block size of the underlying block cipher. For a given block size $b$, a collision is expected to exist among a set of $2^{b/2}$ messages. The message span of a key should therefore be reasonably limited, with respect to the value of the data involved in the exchange.
Sometimes the limit for the message span of a given key may be established by restraining the time span during which the key remains in use (i.e., its cryptoperiod).
References
[1] Morris Dworkin. Recommendation for Block Cipher Modes of Operation.
Methods and techniques. NIST Special Publication 800-38A, 2001.
http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf