11.3.3 Cipher Block Chaining (CBC) Mode

In the ECB mode of cipher operation, each plaintext block is independently encrypted. This is not the case any more with the CBC mode of cipher operation.

In the CBC mode, the input to the encryption algorithm at a certain stage is not straightforward. Let the plaintext be P. It is broken into n blocks, say, each 64 bits long. The last block may be padded if it is not exactly 64 bits long. Let the blocks be , respectively.

 

                     

 

The CBC mode requires the use of a quantity called the initial vector for the first computation. The encryption steps are given below.

 

                     

                     

                     

                     

                                          (2)

 is the DES encryption function with key k. ⊕ is the XOR operation performed bit by bit. A plaintext block is not independently encrypted. A plaintext block is XORed with the previous ciphertext block. Thus, there is a loop or feedback in the encryption process. There is no immediately preceding block for the first plaintext block. Therefore, a quantity called the IV is needed. According to [MvOV96], the IV or the initial vector in the CBC mode need not be secret. However, the IV's integrity should be protected. That is, it should be impossible for a malicious individual to change the IV during transmission. This is because it can be shown that known changes in the IV allow an ill-motivated interceptor to make predictable changes to the first block of plaintext recovered. Using a secret IV prevents this possibility.

The ciphertext is

 

                     

 

The ciphertext blocks,  can be transmitted one by one or all together, or in any other fashion.

At the receiving end, the decryption process involves the following steps.

 

                     

                     

                     

                     

                                          (3)

 is the DES decryption function with key k. Here, it is the same IV as used at the sender's end.  is the plaintext block obtained after decryption. Thus, to obtain a plaintext block from the corresponding ciphertext block, one decrypts the corresponding ciphertext block and XORs the result of decryption with the previous ciphertext block. That is, in general, for the ith plaintext block, the decryption computation is performed as given below.

 

                                          (4)

The first step in the decryption process uses the initial vector (IV). The decryption process given above actually works although it may not be obvious why at first glance. We can show it very easily in the following manner. Using the formula for the original encryption of the ith block, we get the following.

 

                                          (5)

 is DES decryption with key k, and  is DES encryption with the same key k. If we encrypt a message and decrypt it right away, we get the original message. Thus,

 

                                          (6)

Using this identity, we can write the following.

 

                     

                                          (7)

This is because a quantity XORed with itself produces all zero bits. This shows that the decrypted plaintext is the same as the original plaintext.

We do not discuss CFB and OFB in this book. ECB is easy, but researchers have shown that it can potentially be insecure for lengthy messages. This is why CBC is recommended for plaintext messages longer than 64 bits. Here are some of the salient properties of the CBC mode of operation [MvOV96].

Identical First Plaintext Blocks: If the same first plaintext block is encrypted with the same key using the same IV, the ciphertext block is the same. Thus, an interceptor may capture the first ciphertext blocks from several encoded messages and try to find if the first ciphertext blocks are the same across several messages. Changing the IV, or making the first plaintext block either a counter or random, takes away this possibility.

Chaining Dependencies: The ciphertext block  depends on the plaintext block  and all preceding plaintext blocks. Therefore, changing the order of the ciphertext blocks messes up decryption. To decrypt a ciphertext block correctly, the previous ciphertext block must be correctly identified. Thus, parallelization of encryption and decryption is not possible.

Propagation of Error: An error in transmission of a single bit in the ciphertext block  causes ciphertext block  and  to be deciphered incorrectly. This is because the deciphered plaintext block  depends on the ciphertext blocks  and .

Recovery from Error: The CBC mode is self-synchronizing. In other words, an error in transmission in the ciphertext block  causes ciphertext blocks  and  to be decrypted incorrectly. Blocks  are decrypted correctly.
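As an added example (not from the book or the Crypt::CBC module), here is the CBC chain of equations (2) and (4) written out directly, followed by the two properties just listed: a one-bit transmission error garbles exactly two blocks before the chain self-synchronizes, and a known change to the IV makes the same known change to the first recovered block, which is why the IV's integrity must be protected. A 4-round toy Feistel cipher stands in for DES (assumption; the point is the chaining, not the block cipher); the key is the hex key of Program 11.10 and the IV and message are constructed.

```python
import hashlib

BLOCK, ROUNDS = 8, 4  # 64-bit blocks as in DES; a 4-round toy Feistel stands in for DES

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))
def _round_fn(half: bytes, key: bytes, r: int) -> bytes:
    # keyed round function of the toy cipher (assumption; DES uses its S-box network here)
    return hashlib.sha256(key + bytes([r]) + half).digest()[:4]
def encrypt_block(block: bytes, key: bytes) -> bytes:   # E_k of the text
    L, R = block[:4], block[4:]
    for r in range(ROUNDS):
        L, R = R, _xor(L, _round_fn(R, key, r))
    return L + R
def decrypt_block(block: bytes, key: bytes) -> bytes:   # D_k: the rounds run backwards
    L, R = block[:4], block[4:]
    for r in reversed(range(ROUNDS)):
        L, R = _xor(R, _round_fn(L, key, r)), L
    return L + R

def cbc_encrypt(plaintext: bytes, key: bytes, iv: bytes) -> bytes:
    out, prev = [], iv                 # C_i = E_k(P_i XOR C_(i-1)), with C_0 = IV
    for i in range(0, len(plaintext), BLOCK):
        prev = encrypt_block(_xor(plaintext[i:i + BLOCK], prev), key)
        out.append(prev)
    return b"".join(out)

def cbc_decrypt_blocks(ct: bytes, key: bytes, iv: bytes) -> list:
    out, prev = [], iv                 # P_i = D_k(C_i) XOR C_(i-1), one block per list entry
    for i in range(0, len(ct), BLOCK):
        out.append(_xor(decrypt_block(ct[i:i + BLOCK], key), prev))
        prev = ct[i:i + BLOCK]
    return out

KEY = bytes.fromhex("0123456789ABCDEF")   # same hex key as Program 11.10
IV = bytes.fromhex("0011223344556677")    # constructed sample IV
MSG = b"My name is Jugal Kalita."         # exactly three 8-byte blocks, so no padding needed

def roundtrip() -> bool:
    return b"".join(cbc_decrypt_blocks(cbc_encrypt(MSG, KEY, IV), KEY, IV)) == MSG
def error_propagation() -> list:
    # one-bit transmission error in C_1: P_1 and P_2 decrypt wrong, P_3 recovers (self-synchronizing)
    ct = cbc_encrypt(MSG, KEY, IV)
    got = cbc_decrypt_blocks(ct[:3] + bytes([ct[3] ^ 0x01]) + ct[4:], KEY, IV)
    return [i + 1 for i, blk in enumerate(got) if blk != MSG[i * BLOCK:(i + 1) * BLOCK]]

def iv_tamper() -> bytes:
    # a known change to the IV makes the same known change to P_1 only: why IV integrity matters
    bad_iv = _xor(IV, b"\x20" + bytes(BLOCK - 1))
    return b"".join(cbc_decrypt_blocks(cbc_encrypt(MSG, KEY, IV), KEY, bad_iv))
```

Flipping bit 0x20 of the IV turns the recovered "My" into "my" while blocks 2 and 3 decrypt untouched, which is exactly the predictable change the text warns about.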

The following program is very similar to the program in Section 11.3.2 discussed earlier, which uses the ECB mode. The mode of cipher operation now is CBC. The program follows.

Program 11.10

#!/usr/bin/perl
#file desCbcEncrypt.pl

use strict;
use warnings;
use Crypt::CBC;

my $key = pack ("H*", "0123456789ABCDEF");
my $cipher = Crypt::CBC -> new ($key, "DES");

#set the encrypting mode; check if all required variables like key
#and cipher are set.
$cipher -> start ("encrypt");

my $ciphertext;

my $data1 = "My name is Jugal Kalita.\n";
$ciphertext = $cipher -> crypt ($data1);

my $data2 = "I work at the University of Colorado at Colorado Springs.\n";
$ciphertext .= $cipher -> crypt ($data2);

my $data3 = "Colorado Springs is at the foot of Pikes Peak.\n";
$ciphertext .= $cipher -> crypt ($data3);

$ciphertext .= $cipher -> finish ();
#unpack (not pack) turns the binary ciphertext into printable hex
print "ciphertext = ", unpack ("H*", $ciphertext), "\n";

open (OUT, ">CIPHERTEXT") or die "cannot write CIPHERTEXT: $!";
binmode OUT;    #the ciphertext is raw binary
print OUT $ciphertext;
close OUT;

#set the decrypting mode
$cipher -> start ("decrypt");

my $decryptedPlaintext = $cipher -> crypt ($ciphertext);
$decryptedPlaintext .= $cipher -> finish ();
print "decrypted plaintext = $decryptedPlaintext\n";

 

The program encrypts a few strings sequentially to form the ciphertext. The ciphertext is stored in a file and printed on the screen as well. The ciphertext is later deciphered. Note that although the methods in Crypt::CBC and Crypt::ECB are similar, they may not be identical. Consult the current documentation on www.cpan.org or on your own system to find the details. The output of the program is given below.

 

ciphertext = º}/dU|ÜÙëBJ¥

΢ÇÓ6!åX¡w(7Êym¿´xS«p$JæùBpiòO;Ä[y¦}ò½íà0þ°UÕ¶O|[

decrypted plaintext = My name is Jugal Kalita.

I work at the University of Colorado at Colorado Springs.

Colorado Springs is at the foot of Pikes Peak.