CS 465 - Block Cipher Modes Lab
Objectives
Use the AES tools that we created in the previous lab to get hands-on experience with several common block cipher modes.
Note: If your implementation of AES from Lab 1 is not complete, you may choose to use an existing AES implementation. There is an implementation available here.
When you pass off, you will do so using the pass-off scripts, starting here.
ECB Mode
In the last lab, we used ECB mode for the fileCipher() and fileInvCipher() functions. ECB mode simply encrypts each block independently with the same key. For a graphical review of ECB click here: ECB Review.
CBC Mode
Write a program which encrypts and decrypts arbitrary files using CBC mode. For a review of CBC click here: CBC Review.
IV
Use a random number generator for the IV. For this lab any source of random numbers will do. Be aware, however, that not all random number generators are as secure as others. If you work on something like this in your professional career, be aware that you would want to use a cryptographically secure source of random numbers. Store the IV at the beginning of the ciphertext.
Padding
Read this Carefully! Incorrect padding is a very common error.
In most cases, the length of your message will not be an exact multiple of 16 bytes. So, the last block that you encrypt will always need to be padded.
For padding, use the convention described in class: "1" (ASCII 49) for one byte of padding, "22" for two bytes, ..., "999999999" for nine bytes, "AAAAAAAAAA" for 10 bytes, up to "GGGGGGGGGGGGGGGG" for 16 bytes of padding. (You still need to pad 16 bytes if the length of your message is a multiple of 16 bytes.) Notice that the character used to represent 9 bytes of padding is '9', but the character used to represent 10 bytes of padding is 'A'. These characters do not have consecutive ASCII values. Also, make sure you use upper case characters for the characters 'A' through 'G'.
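The padding convention above, as an added Python example that is not part of the lab's own materials. The names pad, unpad and PAD_CHARS are chosen here for illustration; unpad rejects anything that is not a well-formed pad.

```python
BLOCK = 16

# Index n-1 holds the byte used for n bytes of padding: '1'..'9', then 'A'..'G'.
# A lookup table avoids arithmetic on ASCII values, which breaks between '9' and 'A'.
PAD_CHARS = b"123456789ABCDEFG"

def pad(message):
    """Append 1..16 padding bytes; a full block is added when len % 16 == 0."""
    n = BLOCK - len(message) % BLOCK
    return message + bytes([PAD_CHARS[n - 1]]) * n

def unpad(padded):
    """Strip the padding, raising ValueError if it is malformed."""
    if not padded or len(padded) % BLOCK:
        raise ValueError("length is not a positive multiple of 16")
    n = PAD_CHARS.find(padded[-1:]) + 1   # 0 when the last byte is not a pad char
    if n == 0:
        raise ValueError("last byte is not a padding character")
    if padded[-n:] != padded[-1:] * n:
        raise ValueError("padding bytes are not all identical")
    return padded[:-n]
```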
Passoff Requirements for CBC mode:
- Your program must correctly encrypt/decrypt arbitrary files in CBC mode byte-for-byte. Here are some example files to work with:
  Key = hithisismysecret
  Initialization Vector = 1Y:SK^xkWo6{FiIn
  cbcPlain.bin (md5sum: 3a068dd6960ac741603fe6b5340d49c5)
  cbcCipher.bin (md5sum: 8015bb0aac21b5c30ac2e916064b8ae7)
- Given a large ciphertext, key, plaintext byte-offset and length, return the requested number of plaintext bytes beginning at the offset. Decrypting from the beginning is not allowed. Seek to the block in the ciphertext that has your offset and begin decryption from there (notice that all you will need is the block of ciphertext immediately prior to the block you decrypt) and stop when you have decrypted the requested chunk of text.
  (The byte offset that we provide you will be relative to where the data begins in the file. If we ask you to read byte 0, you would actually read byte 16 from the file, since the first 16 bytes will be the stored IV.)
- Modification attack: The file grades.enc (md5sum: 00a9d8f17398360ae4822680772cab07) is an AES-CBC ciphertext file listing various pieces of grade information. At offset 42 (where the first byte of the file is offset 0) of the corresponding plaintext resides the 3 byte string:
"  0"
This string, two spaces followed by ASCII 48, represents your score for this lab. Modify the ciphertext (not the plaintext) so that, when it (the ciphertext) is decrypted, the plaintext will read "100" beginning at offset 42. When you modify the ciphertext (not the plaintext) you do NOT encrypt/decrypt anything. For the attack, pretend you do not even know the key (otherwise, you could just decrypt/make the change/encrypt). After you perform the modification attack you should decrypt the ciphertext just to see if your attack worked. The same key and initialization vector have been used to encrypt the grades.enc as the other CBC example files. To see a diagram of how this attack works, scroll down to the third image in the CBC Review.
On Linux machines you can open the file to edit it by typing the following: "khexedit grades.enc". Make your modifications and save the file. The decryption of other plaintext blocks will be ignored, but the one containing your grade must have only the modification specified.
If you prefer the command line, you should take a look at xxd.
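The random-access read from the CBC passoff requirements, as an added Python example that is not part of the lab's own materials. The toy block functions are a labelled, insecure stand-in for the Lab 1 AES Cipher()/InvCipher() so the sketch runs on its own; all function names are chosen here for illustration.

```python
BLOCK = 16  # AES block size; the stored IV fills the first 16 bytes of the file

def toy_encrypt_block(block, key):
    # Stand-in for the lab's AES Cipher(): an invertible 16-byte map, NOT secure.
    return bytes(b ^ k for b, k in zip(block, key))[::-1]

def toy_decrypt_block(block, key):
    # Stand-in for AES InvCipher(): exact inverse of toy_encrypt_block.
    return bytes(b ^ k for b, k in zip(block[::-1], key))

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def cbc_encrypt(padded, key, iv, enc=toy_encrypt_block):
    """Return IV || C0 || C1 ... for an already padded plaintext."""
    out, prev = [iv], iv
    for i in range(0, len(padded), BLOCK):
        prev = enc(xor(padded[i:i + BLOCK], prev), key)
        out.append(prev)
    return b"".join(out)

def cbc_read_range(f, key, offset, length, dec=toy_decrypt_block):
    """Return plaintext[offset:offset+length] from an open ciphertext file,
    decrypting only the blocks that overlap the requested range."""
    if length <= 0:
        return b""
    first = offset // BLOCK
    last = (offset + length - 1) // BLOCK
    # Data block i sits at file offset 16*(i+1); the block chained into it
    # (the IV when i == 0) sits at 16*i, so reading starts there.
    f.seek(first * BLOCK)
    chunk = f.read((last - first + 2) * BLOCK)
    plain = bytearray()
    for i in range(BLOCK, len(chunk), BLOCK):
        plain += xor(dec(chunk[i:i + BLOCK], key), chunk[i - BLOCK:i])
    skip = offset - first * BLOCK
    return bytes(plain[skip:skip + length])
```

Pass your own AES block functions as enc and dec to use it on the lab's example files.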
CTR Mode
Write a program which encrypts and decrypts arbitrary files using CTR mode. For a review of CTR mode click here: CTR Review. Note: Do not pad messages encrypted with CTR mode. Although you could pad for CTR mode, it is usually not done (the example files have no padding). The ciphertext should be the same size as the plaintext (except for the 8 byte nonce at the beginning of the ciphertext). This is because what you encrypt (the nonce and counter) is always exactly 16 bytes.
Nonce
Your program must be able to choose a good 64-bit random nonce. Use it for the first 8 bytes of block cipher input, and store it at the beginning of the ciphertext. The second 8 bytes of input are the counter, beginning at 0 for the first block. The counter should be stored in Intel (little endian) byte order. For the example nonce used below, "UQOW$#+v", the hex values of the input for the first 13 blocks would be:
55 51 4f 57 24 23 2b 76 00 00 00 00 00 00 00 00 55 51 4f 57 24 23 2b 76 01 00 00 00 00 00 00 00 55 51 4f 57 24 23 2b 76 02 00 00 00 00 00 00 00 55 51 4f 57 24 23 2b 76 03 00 00 00 00 00 00 00 55 51 4f 57 24 23 2b 76 04 00 00 00 00 00 00 00 55 51 4f 57 24 23 2b 76 05 00 00 00 00 00 00 00 55 51 4f 57 24 23 2b 76 06 00 00 00 00 00 00 00 55 51 4f 57 24 23 2b 76 07 00 00 00 00 00 00 00 55 51 4f 57 24 23 2b 76 08 00 00 00 00 00 00 00 55 51 4f 57 24 23 2b 76 09 00 00 00 00 00 00 00 55 51 4f 57 24 23 2b 76 0a 00 00 00 00 00 00 00 55 51 4f 57 24 23 2b 76 0b 00 00 00 00 00 00 00 55 51 4f 57 24 23 2b 76 0c 00 00 00 00 00 00 00 ...
As some students have trouble setting the counter up, we have provided example code here: ctrCounterExample.txt.
Passoff Requirements for CTR mode:
- Your program must correctly encrypt/decrypt arbitrary files in CTR mode byte-for-byte. Here are some example files to work with:
  Key = hithisismysecret
  Nonce = UQOW$#+v
  ctrPlain.bin (md5sum: 26778be71d7e9bb536413547c14bc08b)
  ctrCipher.bin (md5sum: f9a2f87e5d5730177fbc92ae9891acce)
- Given a large ciphertext, key, plaintext byte-offset (where byte 0 is the first byte after the stored Nonce) and length, return the requested number of plaintext bytes beginning at the offset. Decrypting from the beginning is not allowed. Seek to the block in the ciphertext that has your offset and begin decryption from there.
  Note: Don't forget to set the counter to the correct value when you seek to an arbitrary block.
- Modification attack: The file gradesCTR.enc (md5sum: 9ab1eed19cd4fb89931ab2d9a6303d08) is an AES-CTR ciphertext file listing various pieces of grade information. At offset 42 of the corresponding plaintext resides the 3 byte string:
"  0"
This string, two spaces followed by ASCII 48, represents your score for this lab. Modify the ciphertext (not the plaintext) so that, when decrypted, the plaintext will read "100" beginning at offset 42. This is similar to the CBC attack, but even easier.
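The counter-block layout from the Nonce section and the seek requirement from the CTR passoff list, as an added Python example that is not the lab's ctrCounterExample.txt or any other lab code. A truncated SHA-256 stands in for the AES block encryption (CTR only ever uses the forward direction); that stand-in and all function names are assumptions made here for illustration.

```python
import hashlib
import struct

BLOCK, NONCE_LEN = 16, 8

def counter_block(nonce, counter):
    # 8-byte nonce followed by the 64-bit counter in little-endian byte order.
    return nonce + struct.pack("<Q", counter)

def stand_in_cipher(block, key):
    # Stand-in for the lab's AES Cipher(): NOT AES, only a keyed 16-byte function.
    return hashlib.sha256(key + block).digest()[:BLOCK]

def keystream(key, nonce, first_counter, nblocks, enc):
    return b"".join(enc(counter_block(nonce, first_counter + i), key)
                    for i in range(nblocks))

def ctr_encrypt(plaintext, key, nonce, enc=stand_in_cipher):
    """Return nonce || ciphertext; no padding, so only 8 bytes are added."""
    nblocks = -(-len(plaintext) // BLOCK)          # ceiling division
    ks = keystream(key, nonce, 0, nblocks, enc)
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))

def ctr_read_range(f, key, offset, length, enc=stand_in_cipher):
    """Return plaintext[offset:offset+length] from an open ciphertext file
    without generating keystream for any earlier block."""
    f.seek(0)
    nonce = f.read(NONCE_LEN)
    f.seek(NONCE_LEN + offset)                     # data starts after the nonce
    ct = f.read(length)
    first, skip = divmod(offset, BLOCK)            # counter value, bytes to drop
    nblocks = -(-(skip + len(ct)) // BLOCK)
    ks = keystream(key, nonce, first, nblocks, enc)[skip:]
    return bytes(c ^ k for c, k in zip(ct, ks))
```

Pass your own AES block encryption function as enc to use it on the lab's example files.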