Earlier this week we considered ways to split the many choices of ciphers (or encryption algorithms): symmetric versus asymmetric, and block versus stream. The block symmetric ciphers do the heavy lifting; they are used for large data sets. But one block symmetric cipher can be operated in various modes, and the selection of mode depends on the data’s characteristics and what you are trying to achieve. Mode selection has become more important with recent developments.
RC4 was designed in 1987, and it had a good run as the de facto standard cipher first for SSL and then for TLS. But in February 2015 RFC 7465 announced that TLS clients and servers must never use RC4. Also see RFC 7525 from May 2015, “Recommendations for Secure Use of TLS and DTLS.”
There aren’t a lot of stream ciphers. A5/1 and A5/2 have been used in GSM telephony, but A5/1 has severe weaknesses and A5/2 is even worse.
The solution is to use a block cipher in a mode that gives it stream-like characteristics. This is what has been done for GSM telephony with the KASUMI cipher, also called A5/3. It’s much better than the other GSM alternatives, although a 2010 paper reported an attack on the cipher. (The not-so-bad news is that the attack may not work against the way it’s used in GSM.)
But what about the ciphers we used in operating systems and networking?
Block ciphers operate in a number of different modes. Just saying “Let’s use AES” is only a starting point. How will you operate it?
You could look at the Wikipedia page for a quick overview of some of the modes, or the U.S. NIST document SP800-38A if you prefer a government-authorized overview to a crowd-sourced one, but other than the 33 pages of test vectors and official imprimatur there isn’t much more in the NIST version.
For details, see “Evaluation of Some Blockcipher Modes of Operation” by Phillip Rogaway at the University of California, Davis. It has 159 pages of detailed explanation and analysis, and as its title says, that’s just for some of the more interesting modes. Don’t be overly intimidated; the writing is refreshingly informal and it’s very readable compared to most academic writing.
All the same, let’s not go that deep.
For most of the data that most of us own, Cipher Block Chaining is the appropriate way to encrypt files in the broad sense of that word — actual files, email messages, or entire devices as in whole-disk encryption. You will see AES-CBC-256 (or AES-256-CBC) to mean the specific cipher, this mode of operation, and a 256-bit key.
In Learning Tree’s System and Network Security Introduction course you compare encrypted bitmap images to see how CBC really obscures the patterns that obviously leak through when you use weaker modes like Electronic Code Book or ECB. Yes, there are uses for ECB, but they have nothing to do with what most of us want to accomplish most of the time. Stick with CBC for your files! (and disks, and archives, and USB thumbdrives, and …)
Before we worry about whether this is somehow cheating, let’s first consider just how purely stream-oriented the existing (but weak) stream ciphers really are. Yes, the perfectly secure (but almost perfectly impractical) One-Time Pad system operates, in theory, on one bit at a time. But practical stream ciphers really operate on one byte at a time. Aren’t those really 8-bit blocks?
Second, practical hardware accelerators don’t send the data and key streams through a single XOR gate one bit at a time; they manipulate bytes or even larger words. Within the operating system or an application, your CPU does XOR on 64-bit words.
Several of the block cipher modes effectively convert the block cipher into a stream cipher. The key primes the generation of a key stream that is XORed with the data stream. Yes, at up to 256 bits at a time. But consider that 256 bits means 32 bytes, less than half the minimum allowed Ethernet packet size and far smaller than a practical disk I/O buffer size.
Let’s solve our security problems instead of worrying about semantics.
Galois/Counter Mode or GCM has been proven to be secure when used with a strong block cipher, as long as you are careful to choose a unique initialization vector for every encryption done with the same key.
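To make the ECB-versus-CBC pattern leak and the stream-like counter mode concrete, here is an added example that is not code from the original post or from the Learning Tree course. It assumes a toy 4-round Feistel permutation built from HMAC-SHA256 standing in for AES, so that the modes run with only the Python standard library; the mode logic (ECB, CBC, CTR) is the point, and the toy cipher exists only so the example can run without a crypto library.

```python
import hashlib
import hmac

BLOCK = 16  # block size in bytes, as for AES (the cipher below is a toy, NOT AES)

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))
def _round_fn(key: bytes, rnd: int, half: bytes) -> bytes:
    # Keyed round function from HMAC-SHA256, truncated to one 8-byte half.
    return hmac.new(key + bytes([rnd]), half, hashlib.sha256).digest()[:8]
def block_encrypt(key: bytes, block: bytes) -> bytes:
    # Stand-in block cipher: a 4-round Feistel permutation on one 16-byte block.
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, xor_bytes(l, _round_fn(key, rnd, r))
    return l + r
def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = xor_bytes(r, _round_fn(key, rnd, l)), l
    return l + r

def blocks_of(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    # ECB: blocks are encrypted independently, so equal plaintext blocks give equal
    # ciphertext blocks (the bitmap pattern leak). Input must be whole blocks; no padding.
    return b"".join(block_encrypt(key, c) for c in blocks_of(data))
def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    # CBC: each plaintext block is XORed with the previous ciphertext block (the IV
    # for the first one) before encryption, so plaintext repeats do not show through.
    out, prev = [], iv
    for c in blocks_of(data):
        prev = block_encrypt(key, xor_bytes(c, prev))
        out.append(prev)
    return b"".join(out)
def cbc_decrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    cts = blocks_of(data)
    return b"".join(xor_bytes(block_decrypt(key, c), p) for c, p in zip(cts, [iv] + cts))
def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # CTR: the block cipher only produces a keystream E_K(12-byte nonce || 4-byte
    # counter) that is XORed with the data, so it behaves as a stream cipher, needs no
    # padding, and one call both encrypts and decrypts. A nonce reused under the same
    # key repeats the keystream, which is why GCM and CCM demand a unique IV per message.
    return b"".join(xor_bytes(c, block_encrypt(key, nonce + i.to_bytes(4, "big")))
                    for i, c in enumerate(blocks_of(data)))
def repeated_blocks(ct: bytes) -> int:
    # Ciphertext blocks that duplicate an earlier block of the same message.
    return len(blocks_of(ct)) - len(set(blocks_of(ct)))
```

Encrypting a constructed plaintext with four identical "pixel row" blocks shows three repeated ciphertext blocks under ECB and none under CBC, and XORing two CTR ciphertexts made with the same nonce yields the XOR of the plaintexts.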
Check your browser’s settings, AES-GCM should be a preferred cipher for TLS.
Use WPA2 for wireless security. That includes the preferred AES-CCMP.
It’s easy to say “Use AES-CCMP,” but as for what it means…
That’s the AES-CCM Protocol, where “CCM” means “Counter Mode with CBC-MAC”, where “CBC” means “Cipher Block Chaining” and “MAC” means “Message Authentication Code.” So AES-CCMP is [deep breath] AES in Counter Mode with Cipher Block Chaining Message Authentication Code Protocol.
The real meaning of AES-CCMP is:
Check your wireless settings, make sure you are using WPA/2, a.k.a. 802.11i!