Some of the better known and widely used AES “modes” are: ECB/CBC/OFB/CFB/CTR/CCM/GCM/XTS.
A few words about ECB/CBC/OFB/CFB/CTR. These are approved modes of operation for a block cipher (like AES) and are covered in detail in NIST SP 800-38A (csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf). A nice picture of ECB/CBC/OFB/CFB can be found on page 229 of the Handbook of Applied Cryptography. ECB or Electronic Code Book is the base use of AES: a pure block cipher application where each transaction involves putting in a 128-, 192-, or 256-bit key and a 128-bit block of data, sending it through the AES cipher, and getting a 128-bit block of data out. Either a 128-bit block of plaintext [3] goes in with a key and a 128-bit block of ciphertext comes out, or the reverse. Nothing is saved between blocks. This is nice, but in truth AES-ECB is not very useful (safe) because it is susceptible to cryptographic attacks; it essentially breaks down to a simple substitution cipher, where under a given key a given 128-bit block of plaintext is always encrypted to the same 128-bit block of ciphertext, so repeated plaintext blocks show up as repeated ciphertext blocks and the ciphertext can be statistically analyzed.
The CBC/CFB/OFB modes address this problem with ECB by introducing feedback between blocks of data, which means an initial value (a cryptographic nonce [4]) has to be introduced. Now there are three inputs to get encryption or decryption started on a message: key, initial value, and data block; each subsequent block then takes some part of the previous AES operation as feedback in place of the initial value: key, feedback value, and data block. CBC, CFB and OFB each apply the feedback differently, and are suited to different applications.
CTR mode starts the same way as CBC/CFB/OFB with an initial value, but there is no feedback! This is very useful because it means that the operation can be pipelined – particularly useful for hardware implementations or multiprocessor machines where blocks can be processed in parallel. The way this is accomplished is by selecting an initial value (nonce) for what is called the counter (hence CTR), and defining an algorithm for incrementing the counter (the simplest and most common algorithm is to add one at each step). For each block of data to be processed, the current 128-bit value of the counter is fed into an AES-ECB unit together with the key being used, and the resulting 128-bit output block is XOR’d [5] with the input data block to produce the output data block. For the next block, the incremented counter value is used. Note there is no feedback from the output to the input, so pipelining is possible. Another nice thing about AES-CTR mode is that it uses the same operation for both encryption and decryption, thus making AES-CTR implementations smaller than other AES mode implementations.
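As an added example (Go against the standard library, not code from the original post), here are the two behaviours just described: ECB encrypting each block on its own, so equal plaintext blocks give equal ciphertext blocks, and CTR built exactly as in the text (AES-ECB on the counter, XOR into the data, add one) and cross-checked against Go's own `cipher.NewCTR`. The `cipher.Block` argument comes from `aes.NewCipher(key)`; any key, nonce and message values used with it are constructed demo values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
)

// ecbEncrypt: every 128-bit block goes through AES on its own, with no nonce and
// no feedback, so equal plaintext blocks produce equal ciphertext blocks.
// b is the raw AES block cipher from aes.NewCipher; len(pt) must be a multiple of 16.
func ecbEncrypt(b cipher.Block, pt []byte) []byte {
	ct := make([]byte, len(pt))
	for i := 0; i < len(pt); i += aes.BlockSize {
		b.Encrypt(ct[i:i+aes.BlockSize], pt[i:i+aes.BlockSize])
	}
	return ct
}

// ctrXOR is the CTR construction from the text: AES-ECB encrypts the 128-bit
// counter, the result is XORed into the data block, and the counter is then
// incremented by one (as a big-endian integer) for the next block. The function
// is its own inverse, so one call encrypts and a second call decrypts.
func ctrXOR(b cipher.Block, nonce, data []byte) []byte {
	out := make([]byte, len(data))
	ctr, ks := append([]byte(nil), nonce...), make([]byte, aes.BlockSize) // private counter copy
	for i := 0; i < len(data); i += aes.BlockSize {
		b.Encrypt(ks, ctr) // keystream block = AES-ECB(key, counter)
		for j := 0; j < aes.BlockSize && i+j < len(data); j++ { // a short last block is fine
			out[i+j] = data[i+j] ^ ks[j]
		}
		for k := aes.BlockSize - 1; k >= 0; k-- { // counter += 1, carrying leftwards
			ctr[k]++
			if ctr[k] != 0 {
				break
			}
		}
	}
	return out
}

// matchesStdlibCTR cross-checks ctrXOR against Go's cipher.NewCTR, which uses
// the same big-endian add-one counter, on identical key, nonce and data.
func matchesStdlibCTR(b cipher.Block, nonce, data []byte) bool {
	want := make([]byte, len(data))
	cipher.NewCTR(b, nonce).XORKeyStream(want, data)
	return bytes.Equal(ctrXOR(b, nonce, data), want)
}
```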
AES-CCM stands for AES-CTR with AES-CBC MAC (Counter with CBC-MAC), which sort of makes an acronym if you look at it long enough. It is an example of an integrated cipher and MAC, which as we’ve stated before usually go together in sound cryptographic systems. AES-CTR mode is as described above, and is applied to the data for encryption. The interesting thing about this compound mode is that the MAC is generated by a novel use of AES-CBC. Essentially AES-CCM pushes the message through the AES cipher twice: once in AES-CTR mode to produce the ciphertext (or plaintext), and a second time in AES-CBC mode, with the final output block being the MAC. There’s a little more interaction than that, but at this level it’s a pretty good idea of what goes on. There are some other uses of AES in a MAC mode (like CBC above), for instance AES-f9 and AES-XCBC.
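As an added example (Go again, not code from the original post), the CBC-MAC half of CCM as the paragraph describes it: run the message through AES-CBC with an all-zero IV and keep only the final block, together with the constant-time tag comparison a receiver should use. The `cipher.Block` comes from `aes.NewCipher`; real CCM also prepends a formatting block carrying the nonce and message length, which this simplified version omits.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/subtle"
)

// cbcMAC is the MAC half of CCM as described in the text: the message is run
// through AES-CBC with an all-zero IV and every ciphertext block is thrown away
// except the last one, which becomes the tag. msg must already be padded to a
// whole number of 16-byte blocks; b is the AES block cipher from aes.NewCipher.
// Real CCM also prepends a formatting block binding the nonce and message length.
func cbcMAC(b cipher.Block, msg []byte) []byte {
	if len(msg) == 0 || len(msg)%aes.BlockSize != 0 {
		panic("cbcMAC: message must be one or more whole blocks")
	}
	ct := make([]byte, len(msg))
	cipher.NewCBCEncrypter(b, make([]byte, aes.BlockSize)).CryptBlocks(ct, msg)
	return ct[len(ct)-aes.BlockSize:] // only the final feedback block is kept
}

// tagsEqual is the receiver-side check: recompute the tag over what arrived and
// compare in constant time, so timing does not reveal how many bytes matched.
func tagsEqual(b cipher.Block, msg, tag []byte) bool {
	return subtle.ConstantTimeCompare(cbcMAC(b, msg), tag) == 1
}
```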
AES-GCM stands for Galois Counter Mode AES. For the mathematically inclined, Galois Fields are Finite Fields, i.e. fields with a finite number of members. Field properties allow operations that are very useful cryptographically. For the rest of us, AES-GCM was developed to answer the need for VERY high throughput MACs for VERY high data rate applications such as 10/40/100 Gbps Ethernet. The older hashes such as SHA are not very scalable to these sorts of data rates. AES-CTR mode as explained above is scalable as it can be pipelined in hardware. In AES-GCM the MACs are produced using special structures called Galois Field Multipliers and, as you can guess, they are multipliers that use Galois Field operations to produce their results. The key thing is that they are scalable, and can be selected to match the throughput requirement of the data. AES-GCM is used in IPsec, IEEE 1619.1 (tape encryption), and MACsec (Ethernet port security), to mention a few, and these are typically multi-Gbps applications.
As seen above, AES shows its versatility, and the list of protocols that use some modes of AES continues to grow. This makes the AES-based solution selection process that much harder.
To be continued …
[3] Plaintext is unencrypted data. Ciphertext is encrypted data. Plaintext is encrypted to form ciphertext, or ciphertext is decrypted to recover plaintext.
[4] Nonce: n[ot to be used more than ]once, as a mnemonic. This is a random piece of data used to seed a cryptographic operation.
[5] XOR is a logic operation on two inputs that produces a true output only when the inputs differ. In binary, inputs of (1,1) or (0,0) produce an output of 0, while inputs of (1,0) or (0,1) produce an output of 1. Bit-wise XOR is very efficient in most systems.