Operating mode (cryptography)
An operating mode, or mode of operation, is a method that describes how messages are encrypted with a block cipher. Only the combination of block cipher and operating mode makes it possible to encrypt messages that are longer than the block length. For this purpose, the message is usually divided into several blocks and brought to a suitable length by padding. An initialization vector (IV) can additionally randomize the method independently of the key used.
Classic operating modes
Electronic code book mode
The simplest mode of operation is to encrypt each block independently of the others. This method is called Electronic Code Book Mode (ECB) and has the following properties.
- Identical message blocks are encrypted to identical ciphertext blocks.
- Swapping blocks in the ciphertext leads to the same swap of the blocks in the decrypted message.
- An error in a block only affects the decryption of that block.
The use of ECB mode is therefore discouraged, unless a single message block is to be encrypted only once.
Cipher Block Chaining Mode
The problems of ECB can be remedied by combining each message block with the previous ciphertext block before encryption. An initialization vector is used for the first block. Since a ciphertext block now depends on all previous blocks, it is no longer possible to rearrange the blocks without impairing decryption. Since the encryption also depends on the initialization vector, two identical messages with different IVs are encrypted differently. This mode also has the following properties.
- Changing one bit in a ciphertext block randomizes the corresponding plain text block, while exactly the same bit is changed in the plain text of the following block.
- An error in a block, e.g. when transmitting the encrypted text, only affects the corresponding and the following plain text block.
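The ECB and CBC properties listed above can be checked directly. The following is an added example, not part of the original article: the block cipher is an assumed stand-in (a 4-round Feistel network built on SHA-256, not secure), and the key, IV and plain text are constructed sample values.

```python
import hashlib

BS = 16  # block length in bytes
KEY, IV = b"k" * BS, bytes(range(BS))   # constructed sample key and IV
PT = b"SAME 16B BLOCK!!" * 3            # constructed: three identical blocks

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))
def _f(key, rnd, half):  # Feistel round function: truncated SHA-256
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BS // 2]

def enc_block(key, blk):  # 4-round Feistel toy cipher, NOT secure
    l, r = blk[:BS // 2], blk[BS // 2:]
    for rnd in range(4):
        l, r = r, xor(l, _f(key, rnd, r))
    return l + r

def dec_block(key, blk):  # inverse: undo the rounds in reverse order
    l, r = blk[:BS // 2], blk[BS // 2:]
    for rnd in reversed(range(4)):
        l, r = xor(r, _f(key, rnd, l)), l
    return l + r

def blocks(data):
    return [data[i:i + BS] for i in range(0, len(data), BS)]
def ecb_encrypt(key, pt):  # every block is encrypted independently
    return b"".join(enc_block(key, b) for b in blocks(pt))

def cbc_encrypt(key, iv, pt):  # XOR with previous ciphertext block first
    out, prev = [], iv
    for b in blocks(pt):
        prev = enc_block(key, xor(b, prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for c in blocks(ct):
        out.append(xor(dec_block(key, c), prev))
        prev = c
    return b"".join(out)

def flip_bit(data, i, mask=0x01):  # flip one bit of byte i
    return data[:i] + bytes([data[i] ^ mask]) + data[i + 1:]

if __name__ == "__main__":
    ct = cbc_encrypt(KEY, IV, PT)
    print(len(set(blocks(ecb_encrypt(KEY, PT)))), len(set(blocks(ct))))
    print(blocks(cbc_decrypt(KEY, IV, flip_bit(ct, 0))))
```

Run as a script, it prints the number of distinct ciphertext blocks under ECB and CBC, then the three plain text blocks recovered after one bit of the first CBC ciphertext block was flipped: the first is garbled, the second differs from the original in exactly that bit, the third is intact.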
Cipher feedback mode
If messages whose length is not a multiple of the block length are also to be encrypted, the block cipher can be used in Cipher Feedback Mode (CFB) as a self-synchronizing stream cipher. An initialization vector is first encrypted and the result is added to the message. The resulting ciphertext bits are shifted into the plain text register and displace the same number of bits of the IV there. The result is encrypted again and added to the next message bits. As with CBC mode, a ciphertext bit depends on the message and the previous ciphertext bits. An error affects the encryption until the faulty bit has been pushed out of the plain text register.
Output feedback mode
In output feedback mode, in contrast to cipher feedback mode, it is not a ciphertext block but the output of the encryption function that is used as feedback. This avoids any error propagation and effectively operates the block cipher as a synchronous stream cipher; the keystream is independent of the message. This also means that a different initialization vector has to be used for each message, since the entire keystream depends only on it.
A simplification of the output feedback mode is the counter mode, in which a sequence of natural numbers is encrypted instead of feedback. This makes it possible to decrypt a block without first having to decrypt the other blocks.
Authenticated Encryption Modes
Authenticated encryption modes are operating modes that also ensure message integrity. All three methods mentioned offer AEAD (Authenticated Encryption with Associated Data), i.e. they enable authentication not only of the encrypted data, but of any other data.
Counter mode with CBC-MAC
CCM is the combination of Counter Mode with a CBC-MAC. A disadvantage is that two block cipher operations are required for each message block.
Galois / Counter Mode
GCM is an authenticated encryption mode with associated data. The authentication is realized through multiplications in a Galois field that run in parallel to the encryption.
EAX stands for encrypt-then-authenticate-then-translate. Like CCM, the mode requires two block cipher operations per message block, but otherwise has some technical advantages.