Лекция: Прочиережимы
Возможны и другие режимы, хотя они используются нечасто. Сцепление блоков открытого текста (plaintext block chaining, PBC) похоже на СВС за исключением того, что операция XOR выполняется для с блока открытого текста и для предыдущего блока открытого текста, а не блока шифротекста. Обратная связь по открытому тексту (plaintext feedback, PFB) похожа на CFB за исключением того, что для обратной связи используется не шифротекст, а открытый текст. Существует также сцепление блоков шифротекста по различиям открытого те к-ста (cipher block chaining of plaintext difference, CBCPD). Я уверен, что можно найти еще таинственнее.
Если у криптоаналитика есть машина для поиска ключей грубой силой, то он сможет раскрыть ключ, если угадает один из блоков открытого текста. Некоторые из упомянутых странных режимов, по сути, являются дополнительным шифрованием перед использованием алгоритма шифрования: например, XOR текста и фиксированной секретной строки или перестановка текста. Почти все отклонения от стандартов помешают подобному криптоанализу.
9.11 Выбор режима шифра
Если вашей основной заботой являются скорость и простота, то ЕСВ является самым простым и самым быстрым способом использовать блочный шифр. Помимо уязвимости к вскрытию повтором, алгоритм в режиме ЕСВ проще всего криптоанализировать. Я не советую использовать ЕСВ для шифрования сообщений.
ЕСВ хорошо использовать для шифрования случайных данных, например, других ключей. Так как данные невелики по размеру и случайны, недостатки ЕСВ не существенны для такого применения.
Для обычного открытого текста используйте СВС, CFB или OFB. Конкретный режим зависит от ваших требований. В приведены безопасность и эффективность различных режимов .
Для шифрования файлов лучше всего подходит СВС. Значительно увеличивается безопасность, и при появлении ошибок в хранимых данных почти никогда не бывает сбоев синхронизации. Если ваше приложение -программное, то СВС почти всегда будет лучшим выбором.
Табл. 9-1. Краткий обзор режимов работы блочных шифров
ЕСВ: Security:
-Plaintext patterns are not concealed.
— Input to the block cipher Is not randomized; It Is the same as the plaintext. + More than one message can be encrypted with the same
— plaintext Is easy to manipulate; blocks can be removed, repeated, or Interchanged.
Efficiency: + Speed is the same as the block cipher.
— Clphertext Is up to one block longer than the plaintext, due to padding.
— No preprocessing is possible. *Processing is paraUelizable. Fault-tolerance:
-A ciphertext error affects one full block of plaintext.
— Synchronization error is unrecoverable.
CFB:
Security:
+ Plaintext patterns are concealed. + Input to the block cipher is randomized. + More than one message can be encrypted with the same key, provided that a different IV is used. +/- Plaintext is somewhat difficult to manipulate; blocks call be removed from the beginning and end of the message, bits of the first block can be changed, and repetition allows some controlled changes.
Efficiency: + Speed is the same as the block cipher.
— Ciphertext is the same size as the plaintext, not counting the IV.
+/- Encryption is not paraUelizable; decryption is paral- Idizable and has a random-access property.
— Some preprocessing is possible before a block is seen; the Previous ciphertext block can be encrypted. +/- Encryption is not paraUelizable; decry p-
tion is paral- felizable and has a random-access property.
F'auh-toterance:
-A ciphertext error affects the corresponding bit of plaintext and the next full block.
+ Synchronization errors of full block sizes are recoverable. I. -bit CFB can recover from the addition or loss of single bits.
cbc:
Security:
+ Plaintext patterns are concealed by XORing with previous ciphertext block.
+ Input to the block cipher is randomized by XORing with the previous ciphertext block.
+ More than one message can be encrypted with the same key.
+/- Plaintext is somewhat difficult to manipulate; blocks can be removed from the beginning and end of the message, bits of the first block can be changed, and repetition allows some controlled changes.
Efficiency: + Speed is the same as the block cipher.
— Ciphertext is up to one block longer than the plaintext, not counting the IV.
— No preprocessing is possible.
+/- Encryption is not paraUelizable; decryption is paral- lelizable and has a random-access property. Wau*-toterance:
— A ciphertext error affects one full block of plaintext and the corresponding bit in the next block.
— Synchronization error is unrecoverable. OFB/Counter: Security;
+ Plaintext patterns are concealed. + Input to the block cipher is randomized. + More than one message can be encrypted with the same key, provided that a different IV is used. — Plaintext is very easy to manipulate; any change in ciphertext directly affects the plaintext.
C*lclency: + Speed is the same as the block cipher.
— Ciphertext is the same size as the plaintext, not counting the IV. + Processing is possible before the message is seen.
-/+ OFB processing is not paraUelizable; counter processing is paraUelizable.
Fau*t-tolerance:
+ A ciphertext error affects only the corresponding bit of plaintext. — Synchronization error is unrecoverable.
CFB-specifically 8-bit CFB-is generally the mode ol choice for encrypting streams of characters when each cha r-acter has to be treated individually, as in a link between a terminal and a host. OFB is most often used in high-speed synchronous systems where error propagation is intolerable. OFB is also the mode of choice if preprocessing is r e-quired.
OFB is the mode of choice in a error-prone environment, because it has no error extension.
Stay away from the weird modes. One of the four basic modes-ECB, CBC, OFB, and CFB-is suitable for almost any application. These modes are not overly complex and probably do not reduce the security of the system. While it is possible that a complicated mode might increase the security of a system, most likely it just increases the complexity. None of the weird modes has any better error propagation or error recovery characteristics.
9.12 INTERLEAVING
With most modes, encryption of a bit (or block) depends on the encryption of the previous bits (or blocks). This can often make it impossible to parallelize encryption. For example, consider a hardware box that does encryption in CBC mode. Even if the box contains four encryption chips, only one can work at any time. The next chip needs the results of the previous chip before it starts working.
The solution is to interleave multiple encryption streams. (This is not multiple encryption; that's covered in Se c-tions 15.1 and 15.2). Instead of a single CBC chain, use four. The first, fifth, and every fourth block thereafter are e n-crypted in CBC mode with one IV. The second, sixth, and every fourth block thereafter are encrypted in CBC mode with another IV, and so on. The total IV is much longer than it would have been without interleaving.
Think of it as encrypting four different messages with the same key and four different IVs. These messages are all i nterleaved.
This trick can also be used to increase the overall speed of hardware encryption. If you have three encryption chips, each c a-pable of encrypting data at 33 megabits/second, you can interleave them to encrypt a single 100 megabit/second data channel.
Figure 9.16 shows three parallel streams interleaved in CFB mode. The idea can also work in CBC and OFB modes, and with any number of parallel streams. Just remember that each stream needs its own IV. Don't share.
9.13 BLOCK CIPHERS VERSUS STREAM CIPHERS
Although block and stream ciphers are very different, block ciphers can be implemented as stream ciphers and stream ciphers can be implemented as block ciphers. The best definition of the difference I've found is from Ranier Rueppel [1362.]:
Block ciphers operate on data with a fixed transformation on large blocks of plaintext data; stream ciphers ope rate with a time-varying transformation on individual plaintext digits.
Figure 9.16 Interleavingthtee CFB encryptions.
In the real world, block ciphers seem to be more general (i.e., they can be used in any of the four modes) and stream ciphers seem to be easier to analyze mathematically. There is a large body of theoretical work on the analysis and design of stream c i-phers-most of it done in Europe, for some reason. They have been used by the world's militaries since the invention of electronics. This seems to be changing; recently a whole slew of theoretical papers have been written on block cipher design. Maybe soon there will be a theory of block cipher design as rich as our current theory of stream cipher d esign.
Otherwise, the differences between stream ciphers and block ciphers are in the implementation. Stream ciphers that only e n-crypt and decrypt data one bit at a time are not really suitable for software implementation. Block ciphers can be easier to impl e-ment in software, because they often avoid time-consuming bit manipulations and they operate on data in computer-sized blocks. On the other hand, stream ciphers can be more suitable for hardware implementation because they can be implemented very eff i-ciently in silicon.
These are important considerations. It makes sense for a hardware encryption device on a digital communications channel to encrypt the individual bits as they go by. This is what the device sees. On the other hand, it makes no sense for a software encry p-tion device to encrypt each individual bit separately. There are some specific instances where bit- and byte-wise encryption might be necessary in a computer system-encrypting the link between the keyboard and the CPU, for example-but generally the encry p-tion block should be at least the width of the data bus.