Recommendation for Block Cipher Modes of Operation


NIST Special Publication 800-38A, 2001 Edition

Recommendation for Block Cipher Modes of Operation: Methods and Techniques

Morris Dworkin

COMPUTER SECURITY

Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
Gaithersburg, MD 20899-8930

December 2001

U.S. Department of Commerce
Donald L. Evans, Secretary

Technology Administration
Phillip J. Bond, Under Secretary of Commerce for Technology

National Institute of Standards and Technology
Arden L. Bement, Jr., Director

Reports on Information Security Technology

The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the Nation's measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analyses to advance the development and productive use of information technology. ITL's responsibilities include the development of technical, physical, administrative, and management standards and guidelines for the cost-effective security and privacy of sensitive unclassified information in Federal computer systems. This Special Publication 800-series reports on ITL's research, guidance, and outreach efforts in computer security, and its collaborative activities with industry, government, and academic organizations.

Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by the National Institute of Standards and Technology, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose.

National Institute of Standards and Technology Special Publication 800-38A 2001 ED
Natl. Inst. Stand. Technol. Spec. Publ. 800-38A 2001 ED, 66 pages (December 2001)
CODEN: NSPUE2

U.S. GOVERNMENT PRINTING OFFICE
WASHINGTON: 2001

For sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov — Phone: (202) 512-1800 — Fax: (202) 512-2250
Mail: Stop SSOP, Washington, DC 20402-0001

Abstract

This recommendation defines five confidentiality modes of operation for use with an underlying symmetric key block cipher algorithm: Electronic Codebook (ECB), Cipher Block Chaining (CBC), Cipher Feedback (CFB), Output Feedback (OFB), and Counter (CTR). Used with an underlying block cipher algorithm that is approved in a Federal Information Processing Standard (FIPS), these modes can provide cryptographic protection for sensitive, but unclassified, computer data.

KEY WORDS: Computer security; cryptography; data security; block cipher; encryption; Federal Information Processing Standard; mode of operation.

Table of Contents

1 Purpose ... 1
2 Authority ... 1
3 Introduction ... 1
4 Definitions, Abbreviations, and Symbols ... 3
  4.1 Definitions and Abbreviations ... 3
  4.2 Symbols ... 5
    4.2.1 Variables ... 5
    4.2.2 Operations and Functions ... 5
5 Preliminaries ... 7
  5.1 Underlying Block Cipher Algorithm ... 7
  5.2 Representation of the Plaintext and the Ciphertext ... 7
  5.3 Initialization Vectors ... 8
  5.4 Examples of Operations and Functions ... 8
6 Block Cipher Modes of Operation ... 9
  6.1 The Electronic Codebook Mode ... 9
  6.2 The Cipher Block Chaining Mode ... 10
  6.3 The Cipher Feedback Mode ... 11
  6.4 The Output Feedback Mode ... 13
  6.5 The Counter Mode ... 15
Appendix A: Padding ... 17
Appendix B: Generation of Counter Blocks ... 18
  B.1 The Standard Incrementing Function ... 18
  B.2 Choosing Initial Counter Blocks ... 19
Appendix C: Generation of Initialization Vectors ... 20
Appendix D: Error Properties ... 21
Appendix E: Modes of Triple DES ... 23
Appendix F: Example Vectors for Modes of Operation of the AES ... 24
  F.1 ECB Example Vectors ... 24
    F.1.1 ECB-AES128.Encrypt ... 24
    F.1.2 ECB-AES128.Decrypt ... 24
    F.1.3 ECB-AES192.Encrypt ... 25
    F.1.4 ECB-AES192.Decrypt ... 25
    F.1.5 ECB-AES256.Encrypt ... 26
    F.1.6 ECB-AES256.Decrypt ... 26
  F.2 CBC Example Vectors ... 27
    F.2.1 CBC-AES128.Encrypt ... 27
    F.2.2 CBC-AES128.Decrypt ... 27
    F.2.3 CBC-AES192.Encrypt ... 28
    F.2.4 CBC-AES192.Decrypt ... 28
    F.2.5 CBC-AES256.Encrypt ... 28
    F.2.6 CBC-AES256.Decrypt ... 29
  F.3 CFB Example Vectors ... 29
    F.3.1 CFB1-AES128.Encrypt ... 29
    F.3.2 CFB1-AES128.Decrypt ... 31
    F.3.3 CFB1-AES192.Encrypt ... 33
    F.3.4 CFB1-AES192.Decrypt ... 34
    F.3.5 CFB1-AES256.Encrypt ... 36
    F.3.6 CFB1-AES256.Decrypt ... 37
    F.3.7 CFB8-AES128.Encrypt ... 39
    F.3.8 CFB8-AES128.Decrypt ... 41
    F.3.9 CFB8-AES192.Encrypt ... 42
    F.3.10 CFB8-AES192.Decrypt ... 44
    F.3.11 CFB8-AES256.Encrypt ... 46
    F.3.12 CFB8-AES256.Decrypt ... 48
    F.3.13 CFB128-AES128.Encrypt ... 50
    F.3.14 CFB128-AES128.Decrypt ... 50
    F.3.15 CFB128-AES192.Encrypt ... 50
    F.3.16 CFB128-AES192.Decrypt ... 51
    F.3.17 CFB128-AES256.Encrypt ... 51
    F.3.18 CFB128-AES256.Decrypt ... 52
  F.4 OFB Example Vectors ... 52
    F.4.1 OFB-AES128.Encrypt ... 52
    F.4.2 OFB-AES128.Decrypt ... 53
    F.4.3 OFB-AES192.Encrypt ... 53
    F.4.4 OFB-AES192.Decrypt ... 54
    F.4.5 OFB-AES256.Encrypt ... 54
    F.4.6 OFB-AES256.Decrypt ... 55
  F.5 CTR Example Vectors ... 55
    F.5.1 CTR-AES128.Encrypt ... 55
    F.5.2 CTR-AES128.Decrypt ... 56
    F.5.3 CTR-AES192.Encrypt ... 56
    F.5.4 CTR-AES192.Decrypt ... 57
    F.5.5 CTR-AES256.Encrypt ... 57
    F.5.6 CTR-AES256.Decrypt ... 57
Appendix G: References ... 59

Table of Figures

Figure 1: The ECB Mode ... 9
Figure 2: The CBC Mode ... 10
Figure 3: The CFB Mode ... 12
Figure 4: The OFB Mode ... 14
Figure 5: The CTR Mode ... 16

1 Purpose

This publication provides recommendations regarding modes of operation to be used with symmetric key block cipher algorithms.

2 Authority

This document has been developed by the National Institute of Standards and Technology (NIST) in furtherance of its statutory responsibilities under the Computer Security Act of 1987 (Public Law 100-235) and the Information Technology Management Reform Act of 1996, specifically 15 U.S.C. 278 g-3(a)(5). This is not a guideline within the meaning of 15 U.S.C. 278 g-3 (a)(5).

This recommendation is neither a standard nor a guideline, and as such, is neither mandatory nor binding on Federal agencies. Federal agencies and non-government organizations may use this recommendation on a voluntary basis. It is not subject to copyright.

Nothing in this recommendation should be taken to contradict standards and guidelines that have been made mandatory and binding upon Federal agencies by the Secretary of Commerce under his statutory authority. Nor should this recommendation be interpreted as altering or superseding the existing authorities of the Secretary of Commerce, the Director of the Office of Management and Budget, or any other Federal official.

Conformance testing for implementations of the modes of operation that are specified in this recommendation will be conducted within the framework of the Cryptographic Module Validation Program (CMVP), a joint effort of the NIST and the Communications Security Establishment of the Government of Canada. An implementation of a mode of operation must adhere to the requirements in this recommendation in order to be validated under the CMVP.

3 Introduction

This recommendation specifies five confidentiality modes of operation for symmetric key block cipher algorithms, such as the algorithm specified in FIPS Pub. 197, the Advanced Encryption Standard (AES) [2]. The modes may be used in conjunction with any symmetric key block cipher algorithm that is approved by a Federal Information Processing Standard (FIPS). The five modes—the Electronic Codebook (ECB), Cipher Block Chaining (CBC), Cipher Feedback (CFB), Output Feedback (OFB), and Counter (CTR) modes—can provide data confidentiality.

Two FIPS publications already approve confidentiality modes of operation for two particular block cipher algorithms. FIPS Pub. 81 [4] specifies the ECB, CBC, CFB, and OFB modes of the Data Encryption Standard (DES). FIPS Pub. 46-3 [3] approves the seven modes that are specified in ANSI X9.52 [1]. Four of these modes are equivalent to the ECB, CBC, CFB, and OFB modes with the Triple DES algorithm (TDEA) as the underlying block cipher; the other three modes in ANSI X9.52 are variants of the CBC, CFB, and OFB modes of Triple DES that use interleaving or pipelining.

Thus, there are three new elements in this recommendation: 1) the extension of the four confidentiality modes in FIPS Pub 81 for use with any FIPS-approved block cipher; 2) the revision of the requirements for these modes; and 3) the specification of an additional confidentiality mode, the CTR mode, for use with any FIPS-approved block cipher.

4 Definitions, Abbreviations, and Symbols

4.1 Definitions and Abbreviations

Bit: A binary digit: 0 or 1.

Bit Error: The substitution of a ‘0’ bit for a ‘1’ bit, or vice versa.

Bit String: An ordered sequence of 0’s and 1’s.

Block Cipher: A family of functions and their inverse functions that is parameterized by cryptographic keys; the functions map bit strings of a fixed length to bit strings of the same length.

Block Size: The number of bits in an input (or output) block of the block cipher.

CBC: Cipher Block Chaining.

CFB: Cipher Feedback.

Ciphertext: Encrypted data.

Confidentiality Mode: A mode that is used to encipher plaintext and decipher ciphertext. The confidentiality modes in this recommendation are the ECB, CBC, CFB, OFB, and CTR modes.

CTR: Counter.

Cryptographic Key: A parameter used in the block cipher algorithm that determines the forward cipher operation and the inverse cipher operation.

Data Block (Block): A sequence of bits whose length is the block size of the block cipher.

Data Segment (Segment): In the CFB mode, a sequence of bits whose length is a parameter that does not exceed the block size.

Decryption (Deciphering): The process of a confidentiality mode that transforms encrypted data into the original usable data.

ECB: Electronic Codebook.

Encryption (Enciphering): The process of a confidentiality mode that transforms usable data into an unreadable form.

Exclusive-OR: The bitwise addition, modulo 2, of two bit strings of equal length.

FIPS: Federal Information Processing Standard.

Forward Cipher Function (Forward Cipher Operation): One of the two functions of the block cipher algorithm that is selected by the cryptographic key.

Initialization Vector (IV): A data block that some modes of operation require as an additional initial input.

Input Block: A data block that is an input to either the forward cipher function or the inverse cipher function of the block cipher algorithm.

Inverse Cipher Function (Inverse Cipher Operation): The function that reverses the transformation of the forward cipher function when the same cryptographic key is used.

Least Significant Bit(s): The right-most bit(s) of a bit string.

Mode of Operation (Mode): An algorithm for the cryptographic transformation of data that features a symmetric key block cipher algorithm.

Most Significant Bit(s): The left-most bit(s) of a bit string.

Nonce: A value that is used only once.

Octet: A group of eight binary digits.

OFB: Output Feedback.

Output Block: A data block that is an output of either the forward cipher function or the inverse cipher function of the block cipher algorithm.

Plaintext: Usable data that is formatted as input to a mode.

4.2 Symbols

4.2.1 Variables

b: The block size, in bits.

j: The index to a sequence of data blocks or data segments ordered from left to right.

n: The number of data blocks or data segments in the plaintext.

s: The number of bits in a data segment.

u: The number of bits in the last plaintext or ciphertext block.

C_j: The jth ciphertext block.

C#_j: The jth ciphertext segment.

C*_n: The last block of the ciphertext, which may be a partial block.

I_j: The jth input block.

IV: The initialization vector.

K: The secret key.

O_j: The jth output block.

P_j: The jth plaintext block.

P#_j: The jth plaintext segment.

P*_n: The last block of the plaintext, which may be a partial block.

T_j: The jth counter block.

4.2.2 Operations and Functions

X || Y: The concatenation of two bit strings X and Y.

X ⊕ Y: The bitwise exclusive-OR of two bit strings X and Y of the same length.

CIPH_K(X): The forward cipher function of the block cipher algorithm under the key K applied to the data block X.

CIPH^-1_K(X): The inverse cipher function of the block cipher algorithm under the key K applied to the data block X.

LSB_m(X): The bit string consisting of the m least significant bits of the bit string X.

MSB_m(X): The bit string consisting of the m most significant bits of the bit string X.

[x]_m: The binary representation of the non-negative integer x, in m bits, where x < 2^m.

5 Preliminaries

5.1 Underlying Block Cipher Algorithm

This recommendation assumes that a FIPS-approved symmetric key block cipher algorithm has been chosen as the underlying algorithm, and that a secret, random key, denoted K, has been established among all of the parties to the communication. The cryptographic key regulates the functioning of the block cipher algorithm and, thus, by extension, regulates the functioning of the mode. The specifications of the block cipher algorithms and the modes are public, so the security of the mode depends, at a minimum, on the secrecy of the key.

A confidentiality mode of operation of the block cipher algorithm consists of two processes that are inverses of each other: encryption and decryption. Encryption is the transformation of a usable message, called the plaintext, into an unreadable form, called the ciphertext; decryption is the transformation that recovers the plaintext from the ciphertext.

For any given key, the underlying block cipher algorithm of the mode also consists of two functions that are inverses of each other. These two functions are often called encryption and decryption, but in this recommendation, those terms are reserved for the processes of the confidentiality modes. Instead, as part of the choice of the block cipher algorithm, one of the two functions is designated as the forward cipher function, denoted CIPH_K; the other function is then called the inverse cipher function, denoted CIPH^-1_K. The inputs and outputs of both functions are called input blocks and output blocks. The input and output blocks of the block cipher algorithm have the same bit length, called the block size, denoted b.

5.2 Representation of the Plaintext and the Ciphertext

For all of the modes in this recommendation, the plaintext must be represented as a sequence of bit strings; the requirements on the lengths of the bit strings vary according to the mode:

For the ECB and CBC modes, the total number of bits in the plaintext must be a multiple of the block size, b; in other words, for some positive integer n, the total number of bits in the plaintext must be nb. The plaintext consists of a sequence of n bit strings, each with bit length b. The bit strings in the sequence are called data blocks, and the plaintext is denoted P_1, P_2, …, P_n.

For the CFB mode, the total number of bits in the plaintext must be a multiple of a parameter, denoted s, that does not exceed the block size; in other words, for some positive integer n, the total number of bits in the message must be ns. The plaintext consists of a sequence of n bit strings, each with bit length s. The bit strings in the sequence are called data segments, and the plaintext is denoted P#_1, P#_2, …, P#_n.

For the OFB and CTR modes, the plaintext need not be a multiple of the block size. Let n and u denote the unique pair of positive integers such that the total number of bits in the message is (n-1)b + u, where 1 ≤ u ≤ b. The plaintext consists of a sequence of n bit strings, in which the bit length of the last bit string is u, and the bit length of the other bit strings is b. The sequence is denoted P_1, P_2, …, P_{n-1}, P*_n, and the bit strings are called data blocks, although the last bit string, P*_n, may not be a complete block.

For each mode, the encryption process transforms every plaintext data block or segment into a corresponding ciphertext data block or segment with the same bit length, so that the ciphertext is a sequence of data blocks or segments. The ciphertext is denoted as follows: for the ECB and CBC modes, C_1, C_2, …, C_n; for the CFB mode, C#_1, C#_2, …, C#_n; and, for the OFB and CTR modes, C_1, C_2, …, C_{n-1}, C*_n, where C*_n may be a partial block.

The formatting of the plaintext, including in some cases the appending of padding bits to form complete data blocks or data segments, is outside the scope of this recommendation. Padding is discussed in Appendix A.

5.3 Initialization Vectors

The input to the encryption processes of the CBC, CFB, and OFB modes includes, in addition to the plaintext, a data block called the initialization vector (IV), denoted IV. The IV is used in an initial step in the encryption of a message and in the corresponding decryption of the message. The IV need not be secret; however, for the CBC and CFB modes, the IV for any particular execution of the encryption process must be unpredictable, and, for the OFB mode, unique IVs must be used for each execution of the encryption process. The generation of IVs is discussed in Appendix C.

5.4 Examples of Operations and Functions

The concatenation operation on bit strings is denoted ||; for example, 001 || 10111 = 00110111. Given bit strings of equal length, the exclusive-OR operation, denoted ⊕, specifies the addition, modulo 2, of the bits in each bit position, i.e., without carries. Thus, 10011 ⊕ 10101 = 00110, for example.

The functions LSB_s and MSB_s return the s least significant bits and the s most significant bits of their arguments. For example, LSB_3(111011010) = 010, and MSB_4(111011010) = 1110.

Given a positive integer m and a non-negative (decimal) integer x that is less than 2^m, the binary representation of x in m bits is denoted [x]_m. For example, [45]_8 = 00101101.
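The operations of Section 5.4 and the three plaintext partitioning rules of Section 5.2, written out as an added Python illustration (this code is not part of the NIST publication). Bit strings are represented here as Python strings of '0' and '1' characters, a representational choice made for readability; the function names concat, xor, lsb, msb, to_bits and the partition_* helpers are this example's own, and the length checks raise on inputs that the corresponding mode would reject (a non-multiple of b for ECB/CBC, a non-multiple of s for CFB).

```python
"""Bit-string operations (Sec. 5.4) and plaintext partitioning (Sec. 5.2) of SP 800-38A.

Added illustration, not code from the NIST publication. Bit strings are Python
str values made of '0'/'1' characters (a representation chosen for readability).
"""
from typing import List


def concat(x: str, y: str) -> str:
    """X || Y: concatenation of two bit strings."""
    return x + y


def xor(x: str, y: str) -> str:
    """X xor Y: bitwise addition modulo 2 (no carries) of two equal-length bit strings."""
    if len(x) != len(y):
        raise ValueError("exclusive-OR requires bit strings of equal length")
    return "".join("1" if a != b else "0" for a, b in zip(x, y))


def lsb(m: int, x: str) -> str:
    """LSB_m(X): the m least significant (right-most) bits of X."""
    if not 0 <= m <= len(x):
        raise ValueError("m must satisfy 0 <= m <= len(X)")
    return x[len(x) - m:]


def msb(m: int, x: str) -> str:
    """MSB_m(X): the m most significant (left-most) bits of X."""
    if not 0 <= m <= len(x):
        raise ValueError("m must satisfy 0 <= m <= len(X)")
    return x[:m]


def to_bits(x: int, m: int) -> str:
    """[x]_m: the binary representation of x in m bits, defined only for 0 <= x < 2**m."""
    if m <= 0 or x < 0 or x >= 1 << m:
        raise ValueError("x must satisfy 0 <= x < 2**m with m positive")
    return format(x, "0{}b".format(m))


def partition_ecb_cbc(plaintext: str, b: int) -> List[str]:
    """Sec. 5.2, ECB/CBC: total length must be n*b; returns the data blocks P_1 ... P_n."""
    if len(plaintext) == 0 or len(plaintext) % b != 0:
        raise ValueError("ECB/CBC plaintext length must be a positive multiple of the block size b")
    return [plaintext[i:i + b] for i in range(0, len(plaintext), b)]


def partition_cfb(plaintext: str, s: int, b: int) -> List[str]:
    """Sec. 5.2, CFB: total length must be n*s with 1 <= s <= b; returns the segments P#_1 ... P#_n."""
    if not 1 <= s <= b:
        raise ValueError("segment size s must satisfy 1 <= s <= b")
    if len(plaintext) == 0 or len(plaintext) % s != 0:
        raise ValueError("CFB plaintext length must be a positive multiple of the segment size s")
    return [plaintext[i:i + s] for i in range(0, len(plaintext), s)]


def partition_ofb_ctr(plaintext: str, b: int) -> List[str]:
    """Sec. 5.2, OFB/CTR: total length is (n-1)*b + u with 1 <= u <= b.

    The first n-1 blocks are full; the last block P*_n has u bits and may be partial.
    """
    if len(plaintext) == 0:
        raise ValueError("plaintext must contain at least one bit")
    return [plaintext[i:i + b] for i in range(0, len(plaintext), b)]
```

Running the helpers on the document's own examples reproduces them: concat("001", "10111") gives 00110111, xor("10011", "10101") gives 00110, lsb(3, "111011010") gives 010, msb(4, "111011010") gives 1110, and to_bits(45, 8) gives 00101101. The partitioning functions differ only in the length check they enforce, which is exactly the point of Section 5.2: ECB and CBC cannot accept a trailing partial block (padding, Appendix A, is the caller's job), while OFB and CTR return a shorter final block instead of raising.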

6 Block Cipher Modes of Operation

The mathematical specifications of the five modes are given in Sections 6.1-6.5, along with descriptions, illustrations, and comments on the potential for parallel processing.

6.1 The Electronic Codebook Mode

The Electronic Codebook (ECB) mode is a confidentiality mode that features, for a given key, the assignment of a fixed ciphertext block to each plaintext block, analogous to the assignment of code words in a codebook. The Electronic Codebook (ECB) mode is defined as follows:

ECB Encryption:  C_j = CIPH_K(P_j)       for j = 1 … n.
ECB Decryption:  P_j = CIPH^-1_K(C_j)    for j = 1 … n.

In ECB encryption, the forward cipher function is applied directly and independently to each block of the plaintext. The resulting sequence of output blocks is the ciphertext.

In ECB decryption, the inverse cipher function is applied directly and independently to each block of the ciphertext. The resulting sequence of output blocks is the plaintext.

Figure 1: The ECB Mode. (ECB Encryption: plaintext block, input block, CIPH_K, output block, ciphertext block. ECB Decryption: ciphertext block, input block, CIPH^-1_K, output block, plaintext block.)

In ECB encryption and ECB decryption, multiple forward cipher functions and inverse cipher functions can be computed in parallel.

In the ECB mode, under a given key, any given plaintext block always gets encrypted to the same ciphertext block. If this property is undesirable in a particular application, the ECB mode should not be used.

The ECB mode is illustrated in Figure 1.

6.2 The Cipher Block Chaining Mode

The Cipher Block Chaining (CBC) mode is a confidentiality mode whose encryption process features the combining (“chaining”) of the plaintext blocks with the previous ciphertext blocks. The CBC mode requires an IV to combine with the first plaintext block. The IV need not be secret, but it must be unpredictable; the generation of such IVs is discussed in Appendix C. Also, the integrity of the IV should be protected, as discussed in Appendix D. The CBC mode is defined as follows:

CBC Encryption:  C_1 = CIPH_K(P_1 ⊕ IV);
                 C_j = CIPH_K(P_j ⊕ C_{j-1})      for j = 2 … n.
CBC Decryption:  P_1 = CIPH^-1_K(C_1) ⊕ IV;
                 P_j = CIPH^-1_K(C_j) ⊕ C_{j-1}   for j = 2 … n.

Figure 2: The CBC Mode. (Encrypt: plaintext 1 … n; each input block j is plaintext j exclusive-ORed with ciphertext j-1, or with the initialization vector for j = 1; CIPH_K; output block j is ciphertext j. Decrypt: ciphertext 1 … n; CIPH^-1_K; output block j exclusive-ORed with ciphertext j-1, or with the initialization vector for j = 1, gives plaintext j.)

In CBC encryption, the first input block is formed by exclusive-ORing the first block of the plaintext with the IV. The forward cipher function is applied to the first input block, and the resulting output block is the first block of the ciphertext. This output block is also exclusive-ORed with the second plaintext data block to produce the second input block, and the forward cipher function is applied to produce the second output block. This output block, which is the second ciphertext block, is exclusive-ORed with the next plaintext block to form the next input block. Each successive plaintext block is exclusive-ORed with the previous output/ciphertext block to produce the new input block. The forward cipher function is applied to each input block to produce the ciphertext block.

In
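The ECB and CBC specifications of Sections 6.1 and 6.2, implemented as an added Python illustration that is not code from the NIST publication. The mode functions take the forward cipher function CIPH_K and the inverse cipher function CIPH^-1_K as callables, mirroring the recommendation's separation of the mode from the underlying block cipher. Because no FIPS-approved block cipher is available in the standard library, the block below supplies a constructed toy 64-bit Feistel permutation (toy_forward_cipher / toy_inverse_cipher) purely as a stand-in so the modes can run offline; it has no security value. The key, IV and plaintext in demonstrate() are constructed sample values, and the fixed IV there is for reproducibility only, whereas Section 5.3 requires a CBC IV to be unpredictable for each encryption.

```python
"""ECB (Sec. 6.1) and CBC (Sec. 6.2) over a generic CIPH_K / CIPH^-1_K.

Added illustration, not code from the NIST publication. The toy Feistel cipher
is a constructed stand-in for a FIPS-approved block cipher and is NOT secure.
"""
from functools import partial
from typing import Callable, List

BLOCK_BYTES = 8          # b = 64 bits for the toy cipher (assumption of this example)
MASK32 = 0xFFFFFFFF
CipherFn = Callable[[bytes], bytes]


def _subkeys(key: bytes) -> List[int]:
    """Toy key schedule: four 32-bit round subkeys from an 8-byte key."""
    k = int.from_bytes(key, "big")
    return [((k >> (16 * i)) ^ (0x9E3779B9 * (i + 1))) & MASK32 for i in range(4)]


def _round_fn(x: int, subkey: int) -> int:
    """Toy Feistel round function: add subkey, rotate left 7, multiply by an odd constant."""
    x = (x + subkey) & MASK32
    x = ((x << 7) | (x >> 25)) & MASK32
    return (x * 0x85EBCA6B) & MASK32


def toy_forward_cipher(key: bytes, block: bytes) -> bytes:
    """CIPH_K(X): a 4-round Feistel permutation of one 64-bit block (toy, constructed)."""
    left = int.from_bytes(block[:4], "big")
    right = int.from_bytes(block[4:], "big")
    for sk in _subkeys(key):
        left, right = right, left ^ _round_fn(right, sk)
    return left.to_bytes(4, "big") + right.to_bytes(4, "big")


def toy_inverse_cipher(key: bytes, block: bytes) -> bytes:
    """CIPH^-1_K(X): undo the Feistel rounds in reverse order."""
    left = int.from_bytes(block[:4], "big")
    right = int.from_bytes(block[4:], "big")
    for sk in reversed(_subkeys(key)):
        left, right = right ^ _round_fn(left, sk), left
    return left.to_bytes(4, "big") + right.to_bytes(4, "big")


def xor_bytes(x: bytes, y: bytes) -> bytes:
    """Bitwise exclusive-OR of two equal-length byte strings."""
    return bytes(a ^ b for a, b in zip(x, y))


def split_blocks(data: bytes) -> List[bytes]:
    """Sec. 5.2 (ECB/CBC): input must be a positive multiple of the block size."""
    if len(data) == 0 or len(data) % BLOCK_BYTES:
        raise ValueError("ECB/CBC input must be a positive multiple of b; pad first (Appendix A)")
    return [data[i:i + BLOCK_BYTES] for i in range(0, len(data), BLOCK_BYTES)]


def ecb_encrypt(ciph: CipherFn, plaintext: bytes) -> bytes:
    """C_j = CIPH_K(P_j), each block independently (so blocks can be computed in parallel)."""
    return b"".join(ciph(p) for p in split_blocks(plaintext))


def ecb_decrypt(ciph_inv: CipherFn, ciphertext: bytes) -> bytes:
    """P_j = CIPH^-1_K(C_j)."""
    return b"".join(ciph_inv(c) for c in split_blocks(ciphertext))


def cbc_encrypt(ciph: CipherFn, iv: bytes, plaintext: bytes) -> bytes:
    """C_1 = CIPH_K(P_1 xor IV); C_j = CIPH_K(P_j xor C_{j-1}). The IV must be unpredictable (Sec. 5.3)."""
    if len(iv) != BLOCK_BYTES:
        raise ValueError("IV must be exactly one block")
    out, prev = [], iv
    for p in split_blocks(plaintext):
        prev = ciph(xor_bytes(p, prev))   # previous ciphertext block chains into the next input block
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(ciph_inv: CipherFn, iv: bytes, ciphertext: bytes) -> bytes:
    """P_1 = CIPH^-1_K(C_1) xor IV; P_j = CIPH^-1_K(C_j) xor C_{j-1}."""
    if len(iv) != BLOCK_BYTES:
        raise ValueError("IV must be exactly one block")
    out, prev = [], iv
    for c in split_blocks(ciphertext):
        out.append(xor_bytes(ciph_inv(c), prev))
        prev = c
    return b"".join(out)


def demonstrate() -> dict:
    """Constructed key/IV/plaintext: shows the ECB codebook property against CBC chaining."""
    key = b"SP800-38"            # constructed 8-byte key, illustration only
    iv = bytes(range(8))         # constructed FIXED IV for reproducibility; real CBC IVs must be unpredictable
    plaintext = b"REPEATED" * 2  # two identical plaintext blocks
    ciph = partial(toy_forward_cipher, key)
    ciph_inv = partial(toy_inverse_cipher, key)
    ecb_ct = ecb_encrypt(ciph, plaintext)
    cbc_ct = cbc_encrypt(ciph, iv, plaintext)
    return {
        "ecb_blocks_identical": ecb_ct[:8] == ecb_ct[8:],   # True: same plaintext block, same ciphertext block
        "cbc_blocks_identical": cbc_ct[:8] == cbc_ct[8:],   # False: chaining hides the repetition
        "ecb_roundtrip": ecb_decrypt(ciph_inv, ecb_ct) == plaintext,
        "cbc_roundtrip": cbc_decrypt(ciph_inv, iv, cbc_ct) == plaintext,
    }
```

demonstrate() makes the Section 6.1 caveat concrete: with two identical plaintext blocks, ECB produces two identical ciphertext blocks under any block cipher, so an observer learns that the blocks repeat even without the key, while CBC's chaining of each plaintext block with the previous ciphertext block (the IV for the first) yields distinct ciphertext blocks. The generic mode functions never touch the key; only the two callables do, which is how a real deployment would substitute a FIPS-approved cipher such as AES for the toy permutation.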

