(Continuation from Lecture 2)

Review CBC mode. Why protect the IV? Consider the decryption function above. Changing the IV causes predictable changes in P0. Discuss the example of a general giving one of two commands, "withdraw" or "attack", in P0, represented as one bit. Can an attacker cause the "withdraw" command to change to the "attack" command without knowing k, but knowing the IV?

Is CBC the appropriate mode for designing an encrypted file system? Consider the cost of reads/writes of a block in the middle of an encrypted file.

Is the CBC mode appropriate for streaming data securely over the net? Consider what happens if the streamed encrypted data gets corrupted.

Cipher Feedback Mode
--------------------

C0 = P0 XOR E(k, IV)
C1 = P1 XOR E(k, C0)
...
Ci = Pi XOR E(k, C(i-1))

Decryption:

P0 = C0 XOR E(k, IV)
P1 = C1 XOR E(k, C0)
...
Pi = Ci XOR E(k, C(i-1))

Nice thing: any part of the encrypted data can be decrypted without decrypting everything. Also, this does not require the use of the D function!

The above method can be converted to a stream cipher operating at the byte level, even if the block size is 8 bytes. At the XOR step, use only the most significant byte of the E output for the XOR, discarding the rest. For the E function, initialize a shift register with the IV. After each byte, shift the register by 1 byte to the left and put C(i-1) in the least significant byte.

Leakage of the IV: less of a problem, since the IV is encrypted before the XOR.

Consider the same problems of building an encrypted file system and of streaming data securely. Is the CFB mode appropriate?

Output Feedback Mode
--------------------

C0 = P0 XOR E(K, IV)
C1 = P1 XOR E(K, E(K, IV))
...

Essentially, the IV is being used to generate a byte stream by repeated encryption. That stream is XORed with the plaintext to generate the ciphertext. This can be used as a stream cipher by using only 1 byte from the second part of the equation.

Decryption:

P0 = C0 XOR E(K, IV)
P1 = C1 XOR E(K, E(K, IV))
...

Advantage: each Pi is independent of the previous values of the Pj's. A bit error in one Ci does not affect the ability to decrypt the other blocks.

Tradeoffs between the various cipher modes for providing confidentiality: which one would you use to encrypt files in a file system? Which one for encrypting streaming video?

Stream ciphers
--------------

Work somewhat like one-time pads. Use a key k. From k, generate an arbitrary-length stream of bits. Ciphertext = plaintext XOR bitstream.

In general, let E be an encryption algorithm. Let k = k1.k2.k3, ... (the key stream). If E(k1, b1) = c1 and E(k2, b2) = c2, then for a stream cipher: E(k, b1.b2) = c1.c2
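To make the CFB/OFB tradeoff questions above concrete, here is an added example (not part of the lecture notes) that implements both modes over an 8-byte block and then injects a single bit error into one ciphertext block to see which plaintext blocks are damaged on decryption. The block cipher E is a stand-in: a keyed hash truncated to one block, which is enough because neither mode ever calls D; the key, IV and plaintext are constructed for the demonstration.

```python
import hashlib

BLOCK = 8  # block size in bytes, matching the lecture's 8-byte example

def E(k: bytes, block: bytes) -> bytes:
    """Stand-in for the block cipher's E(k, x): a keyed hash cut to one block.
    CFB and OFB only need E to look like a keyed pseudorandom function."""
    return hashlib.sha256(k + block).digest()[:BLOCK]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def blocks(data: bytes):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def cfb_encrypt(k, iv, pt):
    out, prev = [], iv
    for p in blocks(pt):
        c = xor(p, E(k, prev))          # Ci = Pi XOR E(k, C(i-1)), C(-1) = IV
        out.append(c)
        prev = c
    return b"".join(out)

def cfb_decrypt(k, iv, ct):
    out, prev = [], iv
    for c in blocks(ct):
        out.append(xor(c, E(k, prev)))  # Pi = Ci XOR E(k, C(i-1))
        prev = c
    return b"".join(out)

def cfb_decrypt_block(k, iv, ct, i):
    """Random access: block i needs only C(i-1) (or the IV) and Ci."""
    prev = iv if i == 0 else ct[(i - 1) * BLOCK:i * BLOCK]
    return xor(ct[i * BLOCK:(i + 1) * BLOCK], E(k, prev))

def ofb_crypt(k, iv, data):
    """Keystream E(K, IV), E(K, E(K, IV)), ...; one function encrypts and decrypts."""
    out, s = [], iv
    for d in blocks(data):
        s = E(k, s)
        out.append(xor(d, s))
    return b"".join(out)

def corrupt_and_decrypt(k, iv, pt, encrypt, decrypt, bad_block, bit=0):
    """Flip one bit of ciphertext block bad_block (a transmission error) and
    return (indices of plaintext blocks that came back wrong, recovered bytes)."""
    ct = bytearray(encrypt(k, iv, pt))
    ct[bad_block * BLOCK] ^= 1 << bit
    recovered = decrypt(k, iv, bytes(ct))
    bad = [i for i, (p, r) in enumerate(zip(blocks(pt), blocks(recovered))) if p != r]
    return bad, recovered
```

With CFB the damaged block decrypts with exactly the flipped bit wrong and the following block is garbage, after which decryption resynchronizes; with OFB only the flipped bit is wrong, which is the error-propagation difference the tradeoff question is about.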