## Data Encryption Standard: Part 2

### September 3, 2010

In the previous exercise we examined the working of the DES block cipher for a single 64-bit block. In today’s exercise we extend encryption to an entire file, following the procedures of FIPS 81.

In the descriptions that follow, Pi is the ith plain-text block, Ci is the ith cipher-text block, Ek is the encryption function with key k, Dk is the decryption function with key k, IV is the initialization vector, and ⊕ is the xor operation. There are four block modes:

• Electronic Codebook (ECB) treats each block separately, padding the final block. The encryption algorithm is Ci = Ek(Pi) and the decryption algorithm is Pi = Dk(Ci).
• Cipher Block Chaining (CBC) links each block to the previous one, starting from an initialization vector, padding the final block. The encryption algorithm is Ci = Ek(PiCi-1) with C0 = IV and the decryption algorithm is Pi = Dk(Ci) ⊕ Ci-1 with C0 = IV.
• Cipher Feedback (CFB) is similar to CBC. The encryption algorithm is Ci = Ek(Ci-1) ⊕ Pi with C0 = IV and the decryption algorithm is Pi = Ek(Ci-1) ⊕ Ci with C0 = IV; note that both encryption and decryption use Ek. The final block is not padded; instead, the leading bits of Ek(Ci-1) are xor’ed with the partial block.
• Output Feedback (OFB) is symmetric for encryption and decryption. The encryption algorithm is Ci = PiOi and the decryption algorithm is Pi = CiOi. For both encryption and decryption, Oi = Ek(Oi-1) with O0 = IV. The final block is not padded; instead, the leading bits of Ek(Oi-1) are xor’ed with the partial block.

The initialization vector is a 64-bit block given by the user as a “salt” to the cryptographic process. Padding gives the final block a length of eight bytes and can be accomplished in many ways, all of which must be reversible for either ascii or binary files. FIPS 81 specifies a method that never increases the number of blocks in the file, but requires an out-of-band indicator (say, in the message header) to specify whether or not padding was applied; that method is generally no longer used. Our padding method adds a byte of x80 followed by sufficient bytes of x00 to fill the final 64-bit block, so the message length always increases; in particular, a final block that is exactly eight bytes long causes another full 8-byte block to be added. It is simple to remove the padding; just remove all trailing x00 bytes and the immediately preceding x80 byte.

Of the four methods, ECB is probably the most-frequently used but also the least secure, since repeated blocks will be encrypted identically. Of the others, OFB is most resistant to bit-errors during transmission. If in doubt, CBC is always a good choice. Since there is no particular need for secrecy, the IV can be prepended as the first 64-bit block in the encrypted message (or the last block, or the nth block for some n agreed between sender and receiver), as long as care is taken that no IV is reused with the same key; thus, a common IV embeds the current date and time.

Your task is to write functions that encrypt and decrypt files using the four block modes described above. In the next exercise we will continue our examination of the Data Encryption Standard by looking at Triple DES, cryptographic hashing, and keying procedures. When you are finished, you are welcome to read or run a suggested solution, or to post your own solution or discuss the exercise in the comments below.