implementation. If you need code that implements CBC mode, you will find it in the following discussion.

Discussion

You should probably use a higher-level abstraction, such as the one discussed in Recipe 5.16. Use a raw mode only when absolutely necessary, because there is a huge potential for introducing a security vulnerability by accident. If you still want to use CBC, be sure to use a message authentication code with it (see Chapter 6).

CBC mode is a way to use a raw block cipher and, if used properly, it avoids the security risks associated with using the block cipher directly. CBC mode works on a message in blocks, where blocks are the unit of data on which the underlying cipher operates. For example, AES uses 128-bit blocks, whereas older ciphers such as DES almost universally use 64-bit blocks.

See Recipe 5.4 for a discussion of the advantages and disadvantages of this mode, as well as a comparison to other cipher modes.

CBC mode works (as illustrated in Figure 5-1) by taking the ciphertext output for the previous block, XOR'ing that with the plaintext for the current block, and encrypting the result with the raw block cipher. The very first block of plaintext gets XOR'd with an initialization vector, which needs to be randomly selected to meet the security goals but which may be publicly known.

Many people use sequential IVs or even fixed IVs, but that is not at all recommended. For example, SSL has had security problems in the past when using CBC with predictable rather than random IVs. Also note that if messages share common initial strings, CBC mode remains susceptible to dictionary attacks if no IV or similar mechanism is used: identical prefixes encrypted under the same key and IV produce identical leading ciphertext blocks. As with ECB, padding is required unless messages are always block-aligned.
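The following C code is an added example, not the recipe's own implementation. It shows the chaining just described (XOR each plaintext block with the previous ciphertext block, or the IV for the first block, then apply the raw cipher), the PKCS#7 padding that CBC needs for messages that are not block-aligned, and why a MAC is still required: the demo flips one ciphertext bit and the decryptor cannot tell. The `block_fn_t` interface, the toy placeholder block cipher (which is not secure and only stands in for real AES reference code with the same signature), and the fixed key and IVs are all assumptions made for the example; a real caller must draw the IV for every message from a CSPRNG.

```c
/*
 * Added example: CBC mode with PKCS#7 padding over an abstract raw block cipher.
 * The block cipher below is a TOY PLACEHOLDER (not secure); swap in real AES
 * reference code that takes (key, in, out) for one block.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define BLK 16   /* 128-bit blocks, as used by AES */

/* Assumed interface of a raw block cipher: one block in, one block out. */
typedef void (*block_fn_t)(const uint8_t key[BLK], const uint8_t in[BLK], uint8_t out[BLK]);

/* Toy placeholder: per byte XOR the key, multiply by 5 (odd, so invertible mod 256),
 * add 0x3b, then rotate the block by one byte. NOT a real cipher. */
static void toy_encrypt_block(const uint8_t key[BLK], const uint8_t in[BLK], uint8_t out[BLK]) {
    for (int i = 0; i < BLK; i++)
        out[(i + 1) % BLK] = (uint8_t)(((in[i] ^ key[i]) * 5) + 0x3b);
}

/* Inverse of the toy cipher: 205 is the inverse of 5 mod 256 (5 * 205 = 1025 = 4*256 + 1). */
static void toy_decrypt_block(const uint8_t key[BLK], const uint8_t in[BLK], uint8_t out[BLK]) {
    for (int i = 0; i < BLK; i++)
        out[i] = (uint8_t)((uint8_t)((in[(i + 1) % BLK] - 0x3b) * 205) ^ key[i]);
}

/* CBC encryption with PKCS#7 padding. ct must have room for ptlen + BLK bytes.
 * iv must be fresh and unpredictable for every message (from a CSPRNG); it may be
 * sent in the clear alongside the ciphertext. Returns the ciphertext length. */
size_t cbc_encrypt(block_fn_t enc, const uint8_t key[BLK], const uint8_t iv[BLK],
                   const uint8_t *pt, size_t ptlen, uint8_t *ct) {
    uint8_t chain[BLK], block[BLK];
    uint8_t pad = (uint8_t)(BLK - (ptlen % BLK));   /* 1..16: padding is always added */
    size_t total = ptlen + pad;

    memcpy(chain, iv, BLK);                          /* the first block chains from the IV */
    for (size_t off = 0; off < total; off += BLK) {
        for (int i = 0; i < BLK; i++) {
            uint8_t p = (off + i < ptlen) ? pt[off + i] : pad;  /* every pad byte equals pad */
            block[i] = p ^ chain[i];                 /* XOR with the previous ciphertext block */
        }
        enc(key, block, ct + off);
        memcpy(chain, ct + off, BLK);                /* this ciphertext feeds the next block */
    }
    return total;
}

/* CBC decryption; strips and verifies PKCS#7 padding. pt must have room for ctlen bytes.
 * Returns the plaintext length, or -1 for a bad length or bad padding. */
long cbc_decrypt(block_fn_t dec, const uint8_t key[BLK], const uint8_t iv[BLK],
                 const uint8_t *ct, size_t ctlen, uint8_t *pt) {
    uint8_t chain[BLK], block[BLK];
    if (ctlen == 0 || ctlen % BLK != 0)
        return -1;
    memcpy(chain, iv, BLK);
    for (size_t off = 0; off < ctlen; off += BLK) {
        dec(key, ct + off, block);
        for (int i = 0; i < BLK; i++)
            pt[off + i] = block[i] ^ chain[i];       /* undo the XOR with the previous block */
        memcpy(chain, ct + off, BLK);
    }
    uint8_t pad = pt[ctlen - 1];
    if (pad == 0 || pad > BLK)
        return -1;
    uint8_t bad = 0;                                 /* check all pad bytes without an early exit */
    for (int i = 0; i < pad; i++)
        bad |= pt[ctlen - 1 - i] ^ pad;
    return bad ? -1 : (long)(ctlen - pad);
}

/* Exercises the properties the recipe relies on. Returns 0 on success, else the failed step. */
int cbc_demo(void) {
    /* Constructed test values only; real keys and IVs must come from a CSPRNG. */
    static const uint8_t key[BLK] = { 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,
                                      0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f };
    static const uint8_t iv1[BLK] = { 0xa5,0xa5,0xa5,0xa5,0xa5,0xa5,0xa5,0xa5,
                                      0xa5,0xa5,0xa5,0xa5,0xa5,0xa5,0xa5,0xa5 };
    static const uint8_t iv2[BLK] = { 0x5a,0x5a,0x5a,0x5a,0x5a,0x5a,0x5a,0x5a,
                                      0x5a,0x5a,0x5a,0x5a,0x5a,0x5a,0x5a,0x5a };
    const uint8_t msg[] = "attack at dawn, then hold position";   /* 34 bytes: not block aligned */
    size_t msglen = sizeof msg - 1;
    uint8_t ct1[64], ct2[64], pt[64];

    size_t n1 = cbc_encrypt(toy_encrypt_block, key, iv1, msg, msglen, ct1);
    size_t n2 = cbc_encrypt(toy_encrypt_block, key, iv2, msg, msglen, ct2);
    if (n1 != 48 || n2 != 48) return 1;              /* 34 bytes + 14 pad bytes = 3 blocks */
    if (memcmp(ct1, ct2, n1) == 0) return 2;         /* same message, fresh IV: different ciphertext */
    if (cbc_decrypt(toy_decrypt_block, key, iv1, ct1, n1, pt) != (long)msglen ||
        memcmp(pt, msg, msglen) != 0) return 3;      /* round trip */
    if (cbc_decrypt(toy_decrypt_block, key, iv1, ct1, 17, pt) != -1) return 4;  /* bad length */

    /* Malleability, which is why a MAC is required: flipping one ciphertext bit in block 0
     * garbles plaintext block 0 and flips the same bit in plaintext block 1, while the
     * padding in block 2 still verifies, so the decryptor cannot tell anything changed. */
    ct1[0] ^= 0x01;
    if (cbc_decrypt(toy_decrypt_block, key, iv1, ct1, n1, pt) != (long)msglen) return 5;
    if ((pt[BLK] ^ msg[BLK]) != 0x01) return 6;
    return 0;
}

int main(void) {
    int rc = cbc_demo();
    if (rc == 0)
        printf("CBC demo OK\n");
    else
        printf("CBC demo failed at step %d\n", rc);
    return rc;
}
```

Two points the demo makes concrete: the decryptor's -1 for bad padding is itself sensitive information, since an attacker who can observe whether padding validated can use that as a padding oracle, so the MAC from Chapter 6 must be checked before any padding is examined; and the bit-flip step shows that CBC alone provides no integrity, so that MAC is not optional.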

Many libraries already come with an implementation of CBC mode for any ciphers they support. Some don't, however. For example, you may only get an implementation of the raw block cipher when you obtain reference code for a new cipher.

Generally, CBC mode requires padding. Because the cipher operates on block-sized quantities, it needs to have a way of handling messages that do not break up evenly into block-sized parts. This is done by adding padding to each message, as described in Recipe 5.11. Padding always adds to the length of a message. If you wish to avoid message expansion, you have a couple of options. You can ensure that your messages always have a length that is a multiple of the block size; in that case, you can simply turn off padding. Otherwise, you have to use a different mode. See Recipe 5.4 for our mode recommendations. If you're really a fan of CBC mode, you can sup-

176 | Chapter 5: Symmetric Encryption

This is the Title of the Book, eMatter Edition

Copyright © 2007 O'Reilly & Associates, Inc. All rights reserved.
