
Secret Key Encryption

In document Supporting Privacy in RFID Systems (pages 21-25)

To prevent Oscar from learning the contents of the message, called the plaintext P, it is encrypted. Alice and Bob decide on a secret key ks and an encryption algorithm which uses the key to mix up the message. The algorithm will of course have to be reversible. When Alice wants to send a message to Bob she encrypts the plaintext by using the algorithm under the influence of ks, written as C = E(ks, P). C is called the ciphertext. When Bob receives the encrypted message he decrypts it by running it through the reversed algorithm, again using ks to influence the result. Decryption is written as P = D(ks, C).

[Figure 3.1: Setting the scene (Alice, Bob, Oscar; message M)]

1 Often you would see the third person given different names depending on what he or she is able to do: Eve for an eavesdropper, Phyllis for a person in physical contact with the system, and so on. This report will use the name Oscar to cover all of them.

[Figure 3.2: Secret key encryption. Alice: plaintext P, ciphertext C = E(ks, P). Oscar: C = E(?, P) ⇒ P = ?. Bob: C = E(ks, P) ⇒ P = D(ks, C).]

For secret key encryption two basic principles exist: stream ciphers and block ciphers. Block ciphers have been more analyzed than stream ciphers, and they seem to be more applicable [7]. Therefore the rest of the description involving secret key encryption will focus on block ciphers, although a short description of stream ciphers will be given first.

3.2.1 Stream Ciphers

In stream ciphers a plaintext is treated as a stream of data, encrypting smaller quantities (a bit or a byte) of the message as soon as they are available. A typical stream cipher uses a keystream, which is a continuous stream of bits or bytes derived from the secret key. This is xor'ed with the plaintext to obtain the ciphertext. As the same keystream can be generated by a receiver of C who knows ks, decryption is trivial.

3.2.2 Block Ciphers

In block ciphers a message is divided into blocks of data. A block is comprised of several bytes, and encryption cannot take place until all bytes in a block are ready. Each block is encrypted into a block of the same size.

In Figure 3.2 we see how Oscar is able to learn C but not P. Even though he cannot know the real message, the ciphertext might still leak some information to him. One example of this is traffic analysis: Oscar is able to listen to the communication in a system and knows where a message originates and where it is destined, but does not know who is placed at the ends of the line at a given time. Every time Oscar sees the same ciphertext he can with high probability conclude that the same two persons are involved. This is especially true if the system carries many static messages.

To avoid the kind of traffic analysis just described, two things can be done: change the mode of operation or use a nonce.

There are four modes of operation for block ciphers (see also Figure 3.3):

Electronic Codebook (ECB): ECB is the simplest mode, where each block is encrypted independently of the others. In this mode it is possible for Oscar to perform the traffic analysis described above, since a plaintext is always encrypted to the same ciphertext.

Cipher Block Chaining (CBC): In CBC mode the ciphertext from the previous encryption is xor'ed with the current plaintext before encryption. A specific plaintext will no longer automatically be encrypted to a specific ciphertext, as this depends on the order of plaintexts. But now Alice and Bob always need to agree on what the last ciphertext was in order to communicate. If a message is lost during transmission, Alice and Bob will come out of synchronization and the rest of the decrypted messages will not make sense. In this case they will have to agree to start over from some common point. However, if a message is just corrupted during transmission, this will only have an impact on decryption of the message itself and the one following it.

Cipher Feedback (CFB) and Output Feedback (OFB): The two last modes, CFB and OFB, make it possible to transform a block cipher into a stream cipher. From Figure 3.3 it can be seen that the plaintexts are xor'ed with a keystream in order to produce the ciphertexts. In CFB the keystream depends on previous ciphertexts, but in OFB the keystream only depends on earlier parts of itself. The advantage of OFB is that if a ciphertext is corrupted during transmission it only influences the plaintext it is an encryption of - the rest of the messages will be decrypted properly. On the other hand, OFB makes messages more vulnerable to controlled modifications [7].

[Figure 3.3: The modes of block ciphers]

Another way to limit Oscar's traffic analysis is to stick to the basic ECB mode but include a nonce in the encryption scheme. Before encrypting a plaintext it is xor'ed with the nonce, which is a random number. After encryption the ciphertext is transmitted along with the used nonce, which makes it possible for the receiver to decode. Oscar now has to wait until he observes two transmissions with the same ciphertext and the same nonce before he is able to make the analysis - something which is unlikely to happen very often if the method for choosing nonces is implemented to distribute them evenly.
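What Oscar observes under ECB, CBC and the nonce scheme described above, as an added example that is not part of the original document. E and D are a toy Feistel cipher standing in for a real block cipher, and the key, the static message and the all-zero CBC starting value are constructed assumptions.

```python
import hashlib, hmac, os

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(ks, rnd, half):
    # Round function of the toy cipher: keyed hash of one 8-byte half-block.
    return hmac.new(ks, bytes([rnd]) + half, hashlib.sha256).digest()[:8]

def E(ks, p):
    # Toy 4-round Feistel cipher on 16-byte blocks; a stand-in, not for real use.
    l, r = p[:8], p[8:]
    for rnd in range(4):
        l, r = r, xor(l, _f(ks, rnd, r))
    return l + r

def D(ks, c):
    # Inverse of E: the same rounds undone in reverse order.
    l, r = c[:8], c[8:]
    for rnd in reversed(range(4)):
        l, r = xor(r, _f(ks, rnd, l)), l
    return l + r

def cbc_encrypt(ks, last_c, blocks):
    out = []
    for p in blocks:
        last_c = E(ks, xor(p, last_c))   # previous ciphertext xor'ed in first
        out.append(last_c)
    return out

def cbc_decrypt(ks, last_c, cts):
    return [xor(D(ks, c), prev) for prev, c in zip([last_c] + cts, cts)]

def nonce_encrypt(ks, p):
    n = os.urandom(16)                   # random nonce, transmitted with C
    return n, E(ks, xor(p, n))

def nonce_decrypt(ks, n, c):
    return xor(D(ks, c), n)

def demo(ks=b"constructed key", msg=b"TAG 0042 PRESENT"):   # constructed inputs
    start = bytes(16)                    # assumed agreed starting value for CBC
    ecb = [E(ks, p) for p in [msg] * 3]  # ECB: each block on its own
    cbc = cbc_encrypt(ks, start, [msg] * 3)
    sent = [nonce_encrypt(ks, msg) for _ in range(3)]
    damaged = [xor(cbc[0], b"\x01" + bytes(15))] + cbc[1:]   # bit error in transit
    return {"distinct": [len(set(x)) for x in (ecb, cbc, sent)],
            "cbc_ok": [p == msg for p in cbc_decrypt(ks, start, damaged)],
            "nonce_ok": all(nonce_decrypt(ks, n, c) == msg for n, c in sent)}
```

For three sends of the same static message, `demo()` reports how many distinct transmissions Oscar sees under ECB, CBC and the nonce scheme, and which CBC blocks still decrypt correctly after the first ciphertext block is damaged.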
