ECB, CBC, CFB, OFB, and when and where you would use them.


ECB, CBC, CFB, OFB, and when and where you would use them.

David Gianndrea
I wonder if someone could point me to some high level document
that would describe where, and when you would use ECB, CBC, CFB, OFB
modes. I have some developers that are trying to include
encryption into some code, and there seems to be some confusion
among them.


--
David Gianndrea
Senior Network Engineer
Comsquared Systems, Inc.

Email:   [hidden email]
Web:     www.comsquared.com
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: ECB, CBC, CFB, OFB, and when and where you would use them.

Victor Duchovni
On Tue, Oct 18, 2005 at 09:31:44AM -0400, David Gianndrea wrote:

> I wonder if some one could point me to some high level document
> that would describe where, and when you would use ECB, CBC, CFB, OFB
> modes. I have some developers that are trying to include
> encryption into some code, and there seems to be some confusion
> among them.
>

There is no single right answer, and encryption alone in the hands of
developers who are not trained in security analysis most often only
achieves the *appearance* of security.

Encryption algorithms are used as part of a security "protocol", with
appropriate key management to address specific application security
requirements.

Encryption for transmission has different requirements from encryption
for storage. Authentication is different from confidentiality, ...

Introductory books like Schneier's "Applied Cryptography" are a good
start, but must not be treated as security "pixie dust". They do
explain modes, but knowing whether a proposed "protocol" achieves a
particular security goal is the real question, that requires a
real understanding of the threats and how the "protocol" addresses the
threats.

--
        Viktor.

Re: ECB, CBC, CFB, OFB, and when and where you would use them.

Richard Levitte - VMS Whacker
In reply to this post by David Gianndrea
In message <[hidden email]> on Tue, 18 Oct 2005 09:31:44 -0400, David Gianndrea <[hidden email]> said:

dgianndrea> I wonder if some one could point me to some high level
dgianndrea> document that would describe where, and when you would use
dgianndrea> ECB, CBC, CFB, OFB modes. I have some developers that are
dgianndrea> trying to include encryption into some code, and there
dgianndrea> seems to be some confusion among them.

I can point you at Bruce Schneier's book, Applied Cryptography:
http://www.amazon.com/exec/obidos/tg/detail/-/0471117099/qid=1129643113/sr=8-1/ref=pd_bbs_1/102-0263158-8696136?v=glance&s=books&n=507846

My second choice would be the Handbook of Applied Cryptography
(http://www.cacr.math.uwaterloo.ca/hac/), chapter 7, which does say a
little bit but isn't quite as in-depth as Schneier's book.

Cheers,
Richard

--
Richard Levitte                         [hidden email]
                                        http://richard.levitte.org/

"When I became a man I put away childish things, including
 the fear of childishness and the desire to be very grown up."
                                                -- C.S. Lewis

Re: ECB, CBC, CFB, OFB, and when and where you would use them.

David Gianndrea
In reply to this post by Victor Duchovni
Sorry I forgot to state that it is to encrypt file data on storage
devices such as disks, and tapes. I agree with your statement of
appearance, but I'm trying to get the folks the resources that they
need to do it correctly. They are currently in the design, and spec
phase of this, so now is the time to make sure they're going down
the right track. I forgot about Schneier's "Applied Cryptography"!
I will point them to it as well. Any other words of wisdom would
be a big help.


David Gianndrea
Senior Network Engineer
Comsquared Systems, Inc.

Email:   [hidden email]
Web:     www.comsquared.com


Victor Duchovni wrote:

> On Tue, Oct 18, 2005 at 09:31:44AM -0400, David Gianndrea wrote:
>
>
>>I wonder if some one could point me to some high level document
>>that would describe where, and when you would use ECB, CBC, CFB, OFB
>>modes. I have some developers that are trying to include
>>encryption into some code, and there seems to be some confusion
>>among them.
>>
>
>
> There is no single right answer, and encryption alone in the hands of
> developers who are not trained in security analysis most often only
> achieves the *appearance* of security.
>
> Encryption algorithms are used as part of a security "protocol", with
> appropriate key management to address specific application security
> requirements.
>
> Encryption for transmission has different requirements from encryption
> for storage. Authentication is different from confidentiality, ...
>
> Introductory books like Schneier's "Applied Cryptography" are a good
> start, but must not be treated as security "pixie dust". They do
> explain modes, but knowing whether a proposed "protocol" achieves a
> particular security goal is the real question, that requires a
> real understanding of the threats and how the "protocol" addresses the
> threats.
>

Re: ECB, CBC, CFB, OFB, and when and where you would use them.

Victor Duchovni
On Tue, Oct 18, 2005 at 10:40:21AM -0400, David Gianndrea wrote:

> Sorry I forgot to state that it is to encrypt file data on storage
> devices such as disks, and tapes. I agree with your statement of
> appearance, but I'm trying to get the folks the resources that they
> need to do it correctly. They are currently in the design, and spec
> phase of this, so now is the time to make sure they're going down
> the right track. I forgot about Schneier's "Applied Cryptography"!
> I will point them to it as well. Any other words of wisdom would
> be a big help.
>

Look at the design of the CGD crypto-disk driver in NetBSD. Standard
practice in this space for disks is to use CBC with the number encrypted
to yield the IV for the block. For tapes this may be harder, because
tape records may not have a natural index.

It is important to distinguish between the "media loss" threat model
(where only confidentiality is required) and the "media tampering"
threat model (where the attacker might borrow the disk and change the
data). For media-loss confidentiality it is enough to avoid ECB (because
it fails to mask repeated blocks).

Because of atomicity requirements for disk I/O, unless you can
reformat the disk for larger sectors for extra room for a MAC (usually
impractical), you cannot tamper-proof the disk, but you can try to make
it difficult for the attacker to make predictable changes to the disk.

CBC (as used with CGD) is not enough, because one can XOR selected
content into a (cipher) block and jumble the previous (cipher) block.
If one can predict where sensitive content lies on the disk, one may
be able to compromise the system in an undesirable way.

To prevent tampering you need a mode with global error propagation;
I don't have a specific suggestion. None of the standard modes are good
for this, but some are especially bad (avoid ECB and the keystream modes
CFB and OFB).

This is not a simple problem. Plenty of bad designs have been proposed
and implemented (e.g. FreeBSD).

--
        Viktor.

Re: ECB, CBC, CFB, OFB, and when and where you would use them.

David Gianndrea
Ok that is good info. What about just doing file level encryption.
As an example you have a disk with a bunch of files, and it is
only those files you would want encrypted, and the issue is more
a confidentiality is required / media loss issue than a tamper issue?

We are looking to use AES-256 for this.

David Gianndrea
Senior Network Engineer
Comsquared Systems, Inc.

Email:   [hidden email]
Web:     www.comsquared.com


Victor Duchovni wrote:

> On Tue, Oct 18, 2005 at 10:40:21AM -0400, David Gianndrea wrote:
>
>
>>Sorry I forgot to state that it is to encrypt file data on storage
>>devices such as disks, and tapes. I agree with your statement of
>>appearance, but I'm trying to get the folks the resources that they
>>need to do it correctly. They are currently in the design, and spec
>>phase of this, so now is the time to make sure they're going down
>>the right track. I forgot about Schneier's "Applied Cryptography"!
>>I will point them to it as well. Any other words of wisdom would
>>be a big help.
>>
>
>
> Look at the design of the CGD crypto-disk driver in NetBSD. Standard
> practice in this space for disks is to use CBC with the number encrypted
> to yield the IV for the block. For tapes this may be harder, because
> tape records may not have a natural index.
>
> It is important to distinguish between the "media loss" threat model
> (where only confidentiality is required) and the "media tampering"
> threat model (where the attacker might borrow the disk and change the
> data). For media-loss confidentiality it is enough to avoid ECB (because
> it fails to mask repeated blocks).
>
> Because of atomicity requirements for disk I/O, unless you can
> reformat the disk for larger sectors for extra room for a MAC (usually
> impractical), you cannot tamper-proof the disk, but you can try to make
> it difficult for the attacker to make predictable changes to the disk.
>
> CBC (as used with CGD) is not enough, because one can XOR selected
> content into a (cipher) block and jumble the previous (cipher) block.
> If one can predict where sensitive content lies on the disk, one may
> be able to compromise the system in an undesirable way.
>
> To prevent tampering you need a mode with global error propagation;
> I don't have a specific suggestion. None of the standard modes are good
> for this, but some are especially bad (avoid ECB and the keystream modes
> CFB and OFB).
>
> This is not a simple problem. Plenty of bad designs have been proposed
> and implemented (e.g. FreeBSD).
>

RE: ECB, CBC, CFB, OFB, and when and where you would use them.

David C. Partridge
Why not encrypt the file using PKCS#7 enveloped or signed and enveloped
data.  3DES-CBC or AES for data encryption, key encryption using intended
recipient public key, authentication using RSA signer public key?

If you need non-expanding data encryption using symmetric cipher, look at
AES in CTR mode, but this (of course) won't give you integrity, nor does
this solve the key storage problem.

Dave

-----Original Message-----
From: [hidden email]
[mailto:[hidden email]] On Behalf Of David Gianndrea
Sent: 18 October 2005 16:10
To: [hidden email]
Subject: Re: ECB, CBC, CFB, OFB, and when and where you would use them.

Ok that is good info. What about just doing file level encryption.
As an example you have a disk with a bunch of files, and it is only those
files you would want encrypted, and the issue is more a confidentiality is
required / media loss issue than a tamper issue?

We are looking to use AES-256 for this.

David Gianndrea
Senior Network Engineer
Comsquared Systems, Inc.

Email:   [hidden email]
Web:     www.comsquared.com

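The three mode properties argued over above (Victor's points that ECB fails to mask repeated blocks, that disk encryption uses CBC with an encrypted sector number as the IV, and that an attacker can XOR chosen content into a CBC block by jumbling the previous ciphertext block; Dave's point that CTR is non-expanding but gives no integrity) are easier to believe once you have watched them happen. The following is an added example, not code from the original thread and not OpenSSL, NetBSD cgd or AES code. It assumes a constructed toy 16-byte block cipher (a 4-round Feistel network over HMAC-SHA256, chosen only so the example runs with the Python standard library) in place of AES; the key, the sample sector and the XOR masks are constructed. The mode-level behaviour shown does not depend on which block cipher sits underneath.

```python
"""Constructed example: why the *mode* matters for data at rest.

Not OpenSSL code and not AES.  The 16-byte block cipher below is a 4-round
Feistel network keyed with HMAC-SHA256: invertible and keyed, which is all
the mode behaviour shown here depends on, but with no security claim of its
own.  Never use it for real data.
"""
import hashlib
import hmac

BLOCK = 16


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    # Feistel round function: first 8 bytes of HMAC-SHA256(key, round || half).
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]


def block_encrypt(key: bytes, blk: bytes) -> bytes:
    l, r = blk[:8], blk[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r


def block_decrypt(key: bytes, blk: bytes) -> bytes:
    l, r = blk[:8], blk[8:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r


def _blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    # ECB: every block encrypted independently, so equal plaintext blocks
    # produce equal ciphertext blocks.
    return b"".join(block_encrypt(key, b) for b in _blocks(data))


def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    out, prev = [], iv
    for b in _blocks(data):
        prev = block_encrypt(key, _xor(b, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    out, prev = [], iv
    for c in _blocks(data):
        out.append(_xor(block_decrypt(key, c), prev))  # P[i] = D(C[i]) ^ C[i-1]
        prev = c
    return b"".join(out)


def ctr_crypt(key: bytes, nonce8: bytes, data: bytes) -> bytes:
    # CTR: keystream block n = E_K(nonce || n); XOR makes encrypt == decrypt.
    out = []
    for n, b in enumerate(_blocks(data)):
        out.append(_xor(b, block_encrypt(key, nonce8 + n.to_bytes(8, "big"))))
    return b"".join(out)


def sector_iv(key: bytes, sector: int) -> bytes:
    # IV = E_K(sector number): the "encrypted block number" IV scheme the
    # thread attributes to NetBSD cgd (single key here; an assumption).
    # Nothing per-sector has to be stored, so the attacker cannot edit the IV.
    return block_encrypt(key, sector.to_bytes(BLOCK, "big"))


# Constructed sample "sector": 64 bytes, plaintext blocks 0, 1 and 3 identical.
KEY = b"constructed-demo-key-not-secret!"
SECTOR = b"A" * 32 + b"B" * 16 + b"A" * 16
FLIP_CASE = b"\x20" * BLOCK  # XOR 0x20 turns ASCII 'A' into 'a'


def ecb_leaks_repeats() -> bool:
    c = _blocks(ecb_encrypt(KEY, SECTOR))
    return c[0] == c[1] == c[3] and c[2] != c[0]


def cbc_hides_repeats(sector_no: int = 7) -> bool:
    c = _blocks(cbc_encrypt(KEY, sector_iv(KEY, sector_no), SECTOR))
    return len(set(c)) == 4


def cbc_tamper(target: int, mask: bytes, sector_no: int = 7) -> dict:
    """Media-tampering attack on CBC: XOR `mask` into ciphertext block
    target-1.  That block decrypts to garbage, but block `target` decrypts
    to plaintext XOR mask, a fully predictable change."""
    iv = sector_iv(KEY, sector_no)
    c = bytearray(cbc_encrypt(KEY, iv, SECTOR))
    start = (target - 1) * BLOCK
    c[start:start + BLOCK] = _xor(c[start:start + BLOCK], mask)
    p, orig = _blocks(cbc_decrypt(KEY, iv, bytes(c))), _blocks(SECTOR)
    return {"target": p[target], "previous_intact": p[target - 1] == orig[target - 1]}


def ctr_tamper(target: int, mask: bytes, nonce8: bytes = b"\x00" * 8) -> bytes:
    """CTR has no error propagation at all: the XOR lands on exactly the
    chosen plaintext bytes and nothing else is disturbed."""
    c = bytearray(ctr_crypt(KEY, nonce8, SECTOR))
    start = target * BLOCK
    c[start:start + BLOCK] = _xor(c[start:start + BLOCK], mask)
    return ctr_crypt(KEY, nonce8, bytes(c))
```

Running `cbc_tamper(1, FLIP_CASE)` turns plaintext block 1 from `AAAA...` into `aaaa...` while block 0 comes back as noise; `ctr_tamper(1, FLIP_CASE)` makes the same edit with no collateral damage at all. Neither mode tells the reader anything went wrong, which is the "media tampering" gap the thread describes: the missing piece is a MAC (or an authenticated mode), not a different choice among ECB, CBC, CFB, OFB or CTR.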

Re: ECB, CBC, CFB, OFB, and when and where you would use them.

Victor Duchovni
In reply to this post by David Gianndrea
On Tue, Oct 18, 2005 at 11:09:51AM -0400, David Gianndrea wrote:

> Ok that is good info. What about just doing file level encryption.
> As an example you have a disk with a bunch of files, and it is
> only those files you would want encrypted, and the issue is more
> a confidentiality is required / media loss issue than a tamper issue?
>
> We are looking to use AES-256 for this.
>

A strong cipher used badly can give worse security than a weaker cipher
used well. Is your application a crypto disk, a crypto filesystem, or a
utility to encrypt and decrypt files. Is the threat model loss of physical
media, or are files encrypted for transmission or on-line network access?

You are still looking for algorithm recommendations (a common error)
when you should be looking for a security analysis of your problem,
the algorithm is the easy part at the end of the analysis.

--
        Viktor.

Re: ECB, CBC, CFB, OFB, and when and where you would use them.

David Gianndrea
Sorry Victor, I'm not explaining it very well. Let me try again.

What we need to do is to protect data from the point of view of
ensuring that the media it is on, be that a hard drive, tape, or
optical disk, is encrypted. For our system that is best done by
encrypting each file on a file by file basis. Our design team is
looking to use AES-128 in CBC, and a pass phrase protected key.

Our team is planning on using the OpenSSL Libs to do this. None
of them have a crypto background so I'm trying to help them make
sure that they have the resources to make the right design decisions.

It is becoming clear to me, and them that what they first had planned
may not be as secure as they first thought.

When I first posted the question about modes I thought it was a simple
matter of picking the "Correct One", but I'm seeing that is a moving
target depending on what you're trying to do.

So in short we know what we want to do, and how we want to implement
it into our software, but it appears that we may need a better
understanding of the "Correct Way" to implement the encryption!



David Gianndrea
Senior Network Engineer
Comsquared Systems, Inc.

Email:   [hidden email]
Web:     www.comsquared.com


Victor Duchovni wrote:

> On Tue, Oct 18, 2005 at 11:09:51AM -0400, David Gianndrea wrote:
>
>
>>Ok that is good info. What about just doing file level encryption.
>>As an example you have a disk with a bunch of files, and it is
>>only those files you would want encrypted, and the issue is more
>>a confidentiality is required / media loss issue than a tamper issue?
>>
>>We are looking to use AES-256 for this.
>>
>
>
> A strong cipher used badly can give worse security than a weaker cipher
> used well. Is your application a crypto disk, a crypto filesystem, or a
> utility to encrypt and decrypt files. Is the threat model loss of physical
> media, or are files encrypted for transmission or on-line network access?
>
> You are still looking for algorithm recommendations (a common error)
> when you should be looking for a security analysis of your problem,
> the algorithm is the easy part at the end of the analysis.
>

RE: ECB, CBC, CFB, OFB, and when and where you would use them.

Rich Salz
In reply to this post by David C. Partridge
why not use pgp


--
Rich Salz                  Chief Security Architect
DataPower Technology       http://www.datapower.com
XS40 XML Security Gateway  http://www.datapower.com/products/xs40.html


Re: ECB, CBC, CFB, OFB, and when and where you would use them.

Victor Duchovni
On Tue, Oct 18, 2005 at 07:08:38PM -0400, Rich Salz wrote:

> why not use pgp
>

Indeed, but with any file-by-file encryption tool, one also needs to ask
about the lifecycle of the plain-text pre-images and and working decrypted
copies. It is very hard to not leak additional plain-text copies that
would be recovered if the disk is misplaced, when cryptography is ad-hoc
file by file, rather than built-into the filesystem or the disk driver.

There are also questions of key-recovery (users forget key, users are
walked out the door and new hire needs key, ...)

If the security goals are to be met, they need to be identified and
clearly articulated. The algorithm is generally very easy (or completely
impractical) once the requirements are clear.

--
        Viktor.

Re: ECB, CBC, CFB, OFB, and when and where you would use them.

Ken Goldman
In reply to this post by David Gianndrea
What Victor is (correctly) trying to say is that you have not yet
defined the problem.

"encrypting each file" is a possible solution.  It is not the problem.

What is your data, what is its value, where does it exist over its
life, who is the attacker, what is the access, what will the attacker
try to do (read the data, write the data, change the data, deny access
to the data, replay old data, detect read or write patterns)?

> Sorry Victor, I'm not explaining it very well. Let me try again.
>
> What we need to do is to protect data from the point of view of
> ensuring that the media it is on, be that a hard drive, tape, or
> optical disk, is encrypted. For our system that is best done by
> encrypting each file on a file by file basis. Our design team is
> looking to use AES-128 in CBC, and a pass phrase protected key.


--
Ken Goldman   [hidden email]   914-784-7646

Re: ECB, CBC, CFB, OFB, and when and where you would use them.

David Gianndrea
In reply to this post by Rich Salz
It is a development design, and support issue. They want to use what is
native in the operating system. Since we are talking about Solaris that
makes it OpenSSL.


David Gianndrea
Senior Network Engineer
Comsquared Systems, Inc.

Email:   [hidden email]
Web:     www.comsquared.com


Rich Salz wrote:
> why not use pgp
>
>

Re: ECB, CBC, CFB, OFB, and when and where you would use them.

Rich Salz
> It is a development design, and support issue. They want to use what is
> native in the operating system. Since we are talking about Solaris that
> makes it OpenSSL.

Solaris bundles OpenSSL?  I didn't know that; neat.  Of course you
still have to design, write, and maintain your own software built
on top of that.

At the cost of "maintaining" PGP, you also remove the question
about what format, algorithm, and crypto mechanisms to use when
you "protect" a file.  Given that you are asking some pretty basic
questions about cryptography, I think this is a good trade-off for
your team to make.

        /r$

--
Rich Salz                  Chief Security Architect
DataPower Technology       http://www.datapower.com
XS40 XML Security Gateway  http://www.datapower.com/products/xs40.html


Re: ECB, CBC, CFB, OFB, and when and where you would use them.

David Gianndrea
In reply to this post by Ken Goldman
I'm sorry guys, but I can't get into too much more detail. Both Victor,
and Ken are correct, and we know those answers. After talking with
our director of development yesterday, I may have convinced him to
seek the help of someone who does crypto implementation for a living.

Basically to have them go over their design, and implementation document
and make sure that they are doing sane things!

Thanks everyone for your input!

David Gianndrea
Senior Network Engineer
Comsquared Systems, Inc.

Email:   [hidden email]
Web:     www.comsquared.com


Ken Goldman wrote:

> What Victor is (correctly) trying to say is that you have not yet
> defined the problem.
>
> "encrypting each file" is a possible solution.  It is not the problem.
>
> What is your data, what is its value, where does it exist over its
> life, who is the attacker, what is the access, what will the attacker
> try to do (read the data, write the data, change the data, deny access
> to the data, replay old data, detect read or write patterns)?
>
>
>>Sorry Victor, I'm not explaining it very well. Let me try again.
>>
>>What we need to do is to protect data from the point of view of
>>ensuring that the media it is on, be that a hard drive, tape, or
>>optical disk, is encrypted. For our system that is best done by
>>encrypting each file on a file by file basis. Our design team is
>>looking to use AES-128 in CBC, and a pass phrase protected key.
>
>
>