Which of the following ciphers is block cipher?

Block Ciphers

Block ciphers, if used properly, are an effective method for resisting adversarial attempts to read data, either data stored on disk or in transit on the network. A block cipher is one of the two common modern symmetric cipher types. It is distinguished from a stream cipher, because a block cipher performs operations on a chuck of data at once, whereas a stream cipher can operate on a single bit of plaintext at a time. The foremost example of a modern block cipher is the Advanced Encryption Standard [AES] [15]. AES is the primary cipher approved for use by the U.S. government to protect electronic data. It was certified in 2001, and has been something of a de facto standard cryptographic algorithm worldwide. It replaced the aging DES, also a block cipher, which was issued in 1977 [16]. There are too many block ciphers to list them all, but DES and AES are the two most famous examples.

A block cipher maps each possible input block of plaintext to an output block of ciphertext. For a cipher with 64-bit inputs and outputs, to write down this complete mapping would take about 269 bits [17, p. 60], or about 74 exabytes of memory. This is too much. But as we saw with historical substitution ciphers, a “short” block size makes breaking the cipher too easy. To efficiently use large enough input blocks without using infeasible amounts of memory, ciphers are used. A well-designed cipher will map an input value to an output value using the key in such a way that the mapping appears random unless one knows the key. Modern block ciphers tend to have block sizes of 128 bits or larger, because if the block size is too small there is the same problem as a small key space as described previously—the adversary can enumerate all the possible options and thus undermine the algorithm.

This book will not describe in any detail the operation of AES or DES. Briefly, each is composed of rounds. A round is a substitution phase followed by a transposition phase, each of which is conceptually the same as the substitution and transposition ciphers historically used. In this regard, the ciphers are quite simple. However, there are plenty of subtle mathematical attacks to defend against. This defense requires rigorous design of the algorithm in sometimes surprising ways. Designing a sound algorithm is extremely difficult for this reason. The general recommendation is that no modern organization should try to design its own cryptographic algorithm. AES is freely available and quite safe. Ten years after it was certified by NIST minor inroads were made against the algorithm, yet the paper itself states the advances “do not threaten the practical use of AES in any way” [18].

Just because the defender is using a secure block cipher does not mean it is automatically operated in a secure manner. Although each block of input is 128 bits, the message is almost certainly longer than that. There are multiple modes of operation with which to adapt the cryptographic algorithm to this situation [3]. Most have some interaction between the blocks in a message. For example, the value of the block i is combined with the key material used to encrypt block i+1, cryptographically linking the blocks to be in that order. This is preferable because it links the blocks together both as part of the same message and in the correct order.

To see why this is necessary, imagine a bank that sends its transactions encrypted via AES. If the account numbers are 128-bit numbers, and are always in the same place in the message, there can be trouble. If block 6 contains the account number to withdraw money from, and block 8 contains the account to deposit the money in to, then an adversary could make a deposit into someone’s account and wait. If he or she sees the transaction go out, the adversary could modify the message by swapping blocks 6 and 8. The adversary does not need to know the key used in the encryption to do this. As long as the blocks do not depend on each other, everything will decrypt properly and the victim’s account will likely be debited for the amount that the adversary asked to deposit.

In most computing equipment, block ciphers are the preferred symmetric encryption cipher. The ability to ingest blocks of data, perform both substitution and transposition, and then use the appropriate mode of operation to link the blocks together is a robust method for protecting data and resisting attacks. However, there will always be devices with resource constraints. Small devices such as embedded sensors and RFID [radio-frequency identification] tags lack the memory, computing power, and/or electrical power reserves for a block cipher. In these cases, it is advisable to use a stream cipher.

I.B.1. Basic Principles

Block ciphers are a type of encryption algorithm that process one block of plaintext at a time. Plaintext blocks of length m are generally mapped to ciphertext blocks of length m. The value m is referred to as the block size and is usually measured in bits. While stream ciphers usually process a bit or a byte of data at a time, block ciphers generally process at least 64 bits at a time. If the plaintext is larger than the block size of the encryption algorithm, multiple blocks of plaintext are encrypted into multiple blocks of ciphertext. This can be done using different modes of operation, two common ones being ECB and CBC

In electronic codebook [ECB] mode, the plaintext is divided into blocks of size specified by the algorithm. Each block is then encrypted into a ciphertext block. Using the same encryption key, identical plaintext blocks always encrypt into the same ciphertext block so data pattern analysis can be performed. For this reason, messages longer than one block are not recommended to be sent in ECB mode. Errors in a ciphertext block only affect the decryption of that block.

In cipher block chaining [CBC] mode, the plaintext is divided into blocks of size specified by the algorithm. An initialization vector [IV] the size of the block is also generated and this need not be secret. The first plaintext block is XORed with the IV before it is encrypted. The second and subsequent plaintext blocks are XORed with the ciphertext block that was created from the previous plaintext block and then encrypted. This removes the problem in ECB mode where every identical plaintext block always encrypts to the same ciphertext block. If an error occurs in one ciphertext block, it will affect the decryption of that block and the following one. The CBC process is shown in Fig. 1.

Two important principles of block ciphers are confusion and diffusion. Confusion tries to conceal any link between the key, plaintext, and ciphertext. A simple way to accomplish this is by using substitution. Diffusion hides statistical relationships by spreading out any redundancy in the plaintext over the ciphertext. This can be done by using permutations.

Product Ciphers

Modern block ciphers are divided into two categories. The first category of the cipher uses both invertible and noninvertible components. A Feistel cipher belongs to the first category, and DES is a good example of a Feistel cipher. This cipher uses the combination of S-boxes and P-boxes with compression and expansion [noninvertible].

The second category of cipher only uses invertible components, and Advanced Encryption Standard [AES] is an example of a non-Feistel cipher. AES uses S-boxes with an equal number of inputs and outputs and a straight P-box that is invertible.

Alternation of substitutions and transpositions of appropriate forms when applied to a block of plaintext can have the effect of obscuring statistical relationships between the plaintext and the ciphertext and between the key and the ciphertext [diffusion and confusion].

Block Ciphers

Before we go ahead into the design of AES, we should discuss what block ciphers are and the role they fill in cryptography.

The term block cipher actually arose to distinguish said algorithms from the normal stream ciphers that were commonplace. A cipher is simply a process to conceal the meaning of a message. Originally, these were in the form of simple substitution ciphers followed by stream ciphers, which would encode individual symbols of a message. In terms of practical use, this usually involved rotors and later shift registers [like LFSRs]. The theory seemed to be to find a well-balanced generator of a provably long period, and filter the output through a nonlinear function to create a keystream. Unfortunately, many relatively recent discoveries have made most LFSR-based ciphers insecure.

A block cipher differs from a stream cipher in that it encodes a grouping of symbols in one step. The mapping from plaintext to ciphertext is fixed for a given secret key. That is, with the same secret key the same plaintext will map to the same ciphertext. Most commonly used block ciphers have block sizes of either 64 or 128 bits. This means that they process the plaintext in blocks of 64 or 128 bits. Longer messages are encoded by invoking the cipher multiple times, often with a chaining mode such as CTR to guarantee the privacy of the message. Due to the size of the mapping, block ciphers are implemented as algorithms as opposed to as a large lookup table [Figure 4.1].

Early block ciphers include those of the IBM design team [DES and Lucifer] and eventually a plethora of designs in the 1980s and early 1990s. After AES started in 1997, design submissions to conferences drastically died off. The early series of block ciphers encoded 64-bit blocks and had short keys usually around 64 bits in length. A few designs such as IDEA and Blowfish broke the model and used much larger keys. The basic design of most ciphers was fairly consistent: find a somewhat nonlinear function and iterate it enough times over the plaintext to make the mapping from the ciphertext back to plaintext difficult without the key. For comparison, DES has 16 rounds of the same function, IDEA had 8 rounds, RC5 originally had 12 rounds, Blowfish had 16 rounds, and AES had 10 rounds in their respective designs, to name a few ciphers. [The current consensus is that RC5 is only secure with 16 rounds or more. While you should usually default to using AES, RC5 can be handy where code space is a concern.] By using an algorithm to perform the mapping, the cipher could be very compact, efficient, and used almost anywhere.

Technically speaking, a block cipher is what cryptographers call a Pseudo Random Permutation [PRP]. That is, if you ran every possible input through the cipher, you would get as the output a random permutation of the inputs [a consequence of the cipher being a bijection]. The secret key controls the order of the permutation, and different keys should choose seemingly random looking permutations.

Loosely speaking, a “good” cipher from a security point of view is one where knowing the permutation [or part of it] does not reveal the key other than by brute force search; that is, an attacker who gathers information about the order of the permutation does not learn the key any faster than trying all possible keys. Currently, this is believed to be the case for AES for all three supported key sizes.

Despite the fact that a block cipher behaves much like a random permutation, it should never be used on its own. Since the mapping is static for a given key the same plaintext block will map to the same ciphertext block. This means that a block cipher used to encrypted data directly leaks considerable data in certain circumstances.

Fortunately, it turns out since we assume the cipher is a decent PRP we can construct various things with it. First, we can construct chaining modes such as CBC and CTR [discussed later], which allow us to obtain privacy without revealing the nature of the plaintext. We can also construct hybrid encrypt and message authentication codes such as CCM and GCM [see Chapter 7, “Encrypt and Authenticate Modes”] to obtain privacy and authenticity simultaneously. Finally, we can also construct PRNGs such as Yarrow and Fortuna.

Block ciphers are particularly versatile, which makes them attractive for various problems. As we shall see in Chapter 5, “Hash Functions,” hashes are equally versatile, and knowing when to tradeoff between the two is dependent on the problem at hand.

Strong Encryption Algorithm [3DES]

DES and 3DES are block ciphers. This refers to an algorithm that takes a block of plaintext of a fixed length and changes it into a block of ciphertext [encrypted data] of the same length. The key length for DES is 64 bits total, but because 8 of the bits are used for parity information, the effective length is only 56 bits. With 3DES, the DES process is performed three times with different 56-bit keys, making the effective key length 168 bits. When using 3DES in encrypt-encrypt-encrypt [EEE] mode, 3DES works by processing each block as follows:

A block of plaintext is encrypted with key one.

The resulting block of ciphertext is encrypted with key two.

The result of step 2 is encrypted with key three.

When using 3DES in encrypt-decrypt-encrypt [EDE] mode, step 2 is run in decryption mode. When 3DES is decrypting a packet, the process is done in reverse order. 3DES offers you the best mode for data confidentiality.

RC2

RC2 is a symmetric block cipher designed by Ronald Rivest of RSA. RSA designed RC2 as a direct replacement for DES, improving on the performance and providing a variable key size. RC2 is commonly used in S/MIME secure email and is said to be two to three times as fast as DES. The complete RC2 specification is available at www.ietf.org/rfc/rfc2268.txt. Figure 4.8 and Figure 4.9 show examples using RC2 encryption. Like Rijndael, RC2 does not have any known weak keys and therefore does not support the IsWeakKey method.

RC2 is a widely used algorithm that allows a variety of key lengths, but you should be aware that security experts consider RC2 with smaller keys to be insecure. You should always use a 128-bit key, the maximum length available.

What is an example of a block cipher?

What are the types of block ciphers?

Is Caesar Cipher a block cipher?

Is AES a block or stream cipher?