Cryptography: Theory and Practice:The Data Encryption Standard

Cryptography: Theory and Practice by Douglas Stinson CRC Press, CRC Press LLC ISBN: 0849385210   Pub Date: 03/17/95

3.4.1 DES Modes of Operation

Four modes of operation have been developed for DES: electronic codebook mode (ECB), cipher feedback mode (CFB), cipher block chaining mode (CBC) and output feedback mode (OFB).

ECB mode corresponds to the usual use of a block cipher: given a sequence x₁x₂ . . . of 64-bit plaintext blocks, each x_i is encrypted with the same key K, producing a string of ciphertext blocks, y₁y₂ . . ..

In CBC mode, each ciphertext block y_i is x-ored with the next plaintext block x_i+1 before being encrypted with the key K. More formally, we start with a 64-bit initialization vector IV, and define y₀ = IV. Then we construct y₁, y₂, . . . from the rule y_i = e_K(y_i-1 ⊕ x_i), i ≥ 1. The use of CBC mode is depicted in Figure 3.4.

Figure 3.4  CBC mode

Figure 3.5  CFB mode

In OFB and CFB modes, a keystream is generated which is then x-ored with the plaintext (i.e., it operates as a stream cipher, cf. Section 1.1.7). OFB is actually a synchronous stream cipher: the keystream is produced by repeatedly encrypting a 64-bit initialization vector, IV. We define z₀ = IV, and then compute the keystream z₁z₂ . . . from the rule z_i = e_K(z_i-1), i ≥ 1. The plaintext sequence x₁x₂ . . . is then encrypted by computing y_i = x_i ⊕ z_i, i ≥ 1.

In CFB mode, we start with y₀ = IV (a 64-bit initialization vector) and we produce the keystream element z_i by encrypting the previous ciphertext block. That is, z_i = e_K (y_i-1), i≥ 1. As in OFB mode, y_i = x_i ⊕ z_i, i ≥ 1. The use of CFB is depicted in Figure 3.5 (note that the DES encryption function e_K is used for both encryption and decryption in CFB and OFB modes).

There are also variations of OFB and CFB mode called k-bit feedback modes (1 ≤ k ≤ 64). We have described the 64-bit feedback modes here. 1-bit and 8-bit feedback modes are often used in practice for encrypting data one bit (or byte) at a time.

The four modes of operation have different advantages and disadvantages. In ECB and OFB modes, changing one 64-bit plaintext block, x_i, causes the corresponding ciphertext block, y_i, to be altered, but other ciphertext blocks are not affected. In some situations this might be a desirable property. For example, OFB mode is often used to encrypt satellite transmissions.

On the other hand, if a plaintext block x_i is changed in CBC and CFB modes, then y_i and all subsequent ciphertext blocks will be affected. This property means that CBC and CFB modes are useful for purposes of authentication. More specifically, these modes can be used to produce a message authentication code, or MAC. The MAC is appended to a sequence of plaintext blocks, and is used to convince Bob that the given sequence of plaintext originated with Alice and was not tampered with by Oscar. Thus the MAC guarantees the integrity (or authenticity) of a message (but it does not provide secrecy, of course).

We will describe how CBC mode is used to produce a MAC. We begin with the initialization vector IV consisting of all zeroes. Then construct the ciphertext blocks y₁, . . . , y_n with key K, using CBC mode. Finally, define the MAC to be y_n. Then Alice transmits the sequence of plaintext blocks, x₁ . . . x_n, along with the MAC. When Bob receives x₁, . . . x_n, he can reconstruct y₁, . . . , y_n using the (secret) key K, and verify that y_n is the same as the MAC that he received.

Note that Oscar cannot produce a valid MAC since he does not know the key K being used by Alice and Bob. Further, if Oscar intercepts a sequence of plaintext blocks x₁ . . . x_n, and changes one or more of them, then it is highly unlikely that Oscar can change the MAC so that it will be accepted by Bob.

It is often desirable to combine authenticity and secrecy. This could be done as follows: Alice first uses key K₁ to produce a MAC for x₁ . . . x_n. Then she defines x_n+1 to be the MAC, and she encrypts the sequence x₁ . . . x_n+1 using a second key, K₂, yielding y₁ . . . y_n+1. When Bob receives y₁ . . . y_n+1, he first decrypts (using K₂) and then checks that x_n+1 is the MAC for x₁ . . . x_n using K₁.

Alternatively, Alice could use K₁ to encrypt x₁ . . . x_n, obtaining y₁ . . . y_n, and then use K₂ to produce a MAC y_n+1 for y₁ . . . y_n. Bob would use K₂ to verify the MAC, and then use K₁ to decrypt y₁ . . . y_n.

Copyright © CRC Press LLC