Discussion

This section provides in-depth knowledge of topics important in the context of the library.

Block cipher mode of operation

Block ciphers can be used in different modes of operation. The mode is selected by passing one of the mode constants to the cipher object; some modes also require extra arguments (such as an IV, a counter or a segment size) to be passed to the constructor.

PEP-272 requires libraries to provide at least the most common modes (ECB, CBC, CFB, OFB and CTR); all of them are supported by this library.

Each mode of operation is different and has different requirements.

Warning

None of the supported modes of operation protects the integrity of the encrypted data! An attacker can modify ciphertext without the change being detected at decryption time, so a separate message authentication code is needed whenever integrity matters.

Electronic Code Book Mode (ECB)

The ECB mode of operation is the simplest one: each plaintext block is encrypted independently. The resulting problem is that the same plaintext block always produces the same ciphertext block, wherever it occurs. This means ECB mode is not semantically secure.

Plaintexts and ciphertexts must be a multiple of the block size in length.

The formulae for the ECB mode are:

C_{i}=E_{K}(P_{i})

P_{i}=D_{K}(C_{i})

Figure: ECB encryption (https://upload.wikimedia.org/wikipedia/commons/d/d6/ECB_encryption.svg)

Figure: ECB decryption (https://upload.wikimedia.org/wikipedia/commons/e/e6/ECB_decryption.svg)

Attacks against ECB mode

Because all plaintext blocks are encrypted independently, encrypting the same block always yields the same ciphertext block.

This means that, given several ciphertexts, it can be concluded whether the corresponding plaintext blocks are the same or not, without knowing the key.

Repeated plaintext blocks therefore show up as visible repetitions in the ciphertext, e.g. in images.

Figure: plain Tux image (https://upload.wikimedia.org/wikipedia/commons/5/56/Tux.jpg)

Figure: the same Tux image encrypted in ECB mode (https://upload.wikimedia.org/wikipedia/commons/f/f0/Tux_ecb.jpg)

Cipher Block Chaining Mode (CBC)

To solve the problems of the ECB mode, each plaintext block is XORed with the previous ciphertext block before encryption. For the very first block an initialization vector (IV) takes the place of the previous ciphertext block. The IV can be considered public information, but it must be unpredictable.

Plaintexts and ciphertexts must be a multiple of the block size in length.

An incorrect ciphertext block or IV results in an incorrect decryption of the directly adjacent block, while the remaining blocks decrypt correctly.

The formulae for en- and decryption are:

C_{i}=E_{K}(P_{i} \oplus C_{i-1})

P_{i}=D_{K}(C_{i}) \oplus C_{i-1}

C_0 = \mbox{IV}

Figure: CBC encryption (https://upload.wikimedia.org/wikipedia/commons/8/80/CBC_encryption.svg)

Figure: CBC decryption (https://upload.wikimedia.org/wikipedia/commons/2/2a/CBC_decryption.svg)

Attacks against CBC mode

A one-bit change to a ciphertext block causes complete corruption of the corresponding plaintext block and the inversion of the same bit in the next plaintext block, while leaving the rest of the blocks intact. Combined with padding checks this enables padding oracle attacks such as POODLE (which are not solely a consequence of choosing CBC mode, but of other design choices, too).

Watermarking attacks are possible with predictable IVs.

Cipher Feedback Mode (CFB)

The CFB mode of operation turns the block cipher into a stream cipher. The unit of encryption is reduced from the block size to segment_size bits.

Plaintexts and ciphertexts must be a multiple of segment_size in length.

The formulae describing CFB mode are:

C_{i}=E_{K}(C_{i-1})\oplus P_{i}

P_{i}=E_{K}(C_{i-1})\oplus C_{i}

C_{0}=\mbox{IV}

Figure: CFB encryption (https://upload.wikimedia.org/wikipedia/commons/9/9d/CFB_encryption.svg)

Figure: CFB decryption (https://upload.wikimedia.org/wikipedia/commons/5/57/CFB_decryption.svg)

Output Feedback (OFB)

OFB mode creates a stream cipher by XORing the plaintext with a keystream obtained by encrypting a stream of null bytes in CBC mode (i.e. the cipher output is fed back into the next encryption). Encryption and decryption are the same operation, and data of arbitrary length can be processed.

The initialization vector must be unique, or there will be a catastrophic cryptographic failure.

The formulae describing OFB mode of operation are:

C_{i} = P_{i} \oplus O_{i}

P_{i} = C_{i} \oplus O_{i}

O_{i} = E_{K}(O_{i-1})

O_{0}=\mbox{IV}

Figure: OFB encryption (https://upload.wikimedia.org/wikipedia/commons/b/b0/OFB_encryption.svg)

Figure: OFB decryption (https://upload.wikimedia.org/wikipedia/commons/f/f5/OFB_decryption.svg)

Counter mode of operation

CTR mode creates a stream cipher by XORing the plaintext with a keystream generated by encrypting successive counter values. Encryption and decryption are the same operation, and data of arbitrary length can be processed.

The counter must never repeat, or there will be a catastrophic cryptographic failure.

CTR can be described with those formulae:

C_{i} = P_{i} \oplus O_{i}

P_{i} = C_{i} \oplus O_{i}

where O_{i} = E_{K}(\mbox{ctr}_{i}) is the encryption of the i-th value returned by the counter.

Figure: CTR encryption (https://upload.wikimedia.org/wikipedia/commons/4/4d/CTR_encryption_2.svg)

Figure: CTR decryption (https://upload.wikimedia.org/wikipedia/commons/3/3c/CTR_decryption_2.svg)
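The five modes above (ECB, CBC, CFB, OFB and CTR), written out directly from their formulae, as an added example that is not the library's own code. To run offline with only the standard library it uses a toy SHA-256-based Feistel network as the block cipher E_K / D_K, with an assumed 16-byte block; the function names, the treatment of segment_size as an n-bit shift register (the page's full-block CFB formula is the 128-bit case), the CTR construction "IV plus block index", and the sample key, IV and data are all assumptions of this example. The last two functions reproduce the two properties the text warns about: ecb_repeats shows identical plaintext blocks leaking as identical ciphertext blocks, and cbc_bit_flip shows a single flipped ciphertext bit corrupting one block, inverting one bit of the next, and leaving the rest intact, which is exactly why none of these modes provides integrity on its own.

```python
# Added example, not the library's code: the PEP-272 modes over a toy cipher.
# The Feistel network is built from SHA-256 so this runs offline; it stands in
# for a real block cipher and gives no security.
import hashlib

BLOCK = 16          # assumed block size in bytes
HALF = BLOCK // 2

def _xor(a, b):
    # zip() truncates to the shorter input, which the stream modes rely on
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, rnd, half):
    # keyed round function of the toy Feistel network
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:HALF]

def encrypt_block(key, block):
    # E_K: four balanced Feistel rounds on one 16-byte block
    left, right = block[:HALF], block[HALF:]
    for rnd in range(4):
        left, right = right, _xor(left, _f(key, rnd, right))
    return left + right

def decrypt_block(key, block):
    # D_K: the same rounds in reverse order undo encrypt_block exactly
    left, right = block[:HALF], block[HALF:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _f(key, rnd, left)), left
    return left + right

def _blocks(data, size):
    if len(data) % size:
        raise ValueError("length must be a multiple of %d bytes" % size)
    return [data[i:i + size] for i in range(0, len(data), size)]

# ECB: C_i = E_K(P_i), P_i = D_K(C_i); blocks never influence each other
def ecb_encrypt(key, pt):
    return b"".join(encrypt_block(key, p) for p in _blocks(pt, BLOCK))

def ecb_decrypt(key, ct):
    return b"".join(decrypt_block(key, c) for c in _blocks(ct, BLOCK))

# CBC: C_i = E_K(P_i ^ C_{i-1}), P_i = D_K(C_i) ^ C_{i-1}, C_0 = IV
def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for p in _blocks(pt, BLOCK):
        prev = encrypt_block(key, _xor(p, prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for c in _blocks(ct, BLOCK):
        out.append(_xor(decrypt_block(key, c), prev))
        prev = c
    return b"".join(out)

# CFB with a segment_size-bit shift register; 128 gives the page's full-block
# formula C_i = E_K(C_{i-1}) ^ P_i. Ciphertext always feeds the register.
def cfb(key, iv, data, segment_size=8, decrypt=False):
    if segment_size % 8 or not 8 <= segment_size <= 8 * BLOCK:
        raise ValueError("segment_size must be a multiple of 8 up to the block")
    seg = segment_size // 8
    out, reg = [], iv
    for s in _blocks(data, seg):
        t = _xor(s, encrypt_block(key, reg)[:seg])
        out.append(t)
        reg = (reg + (s if decrypt else t))[-BLOCK:]
    return b"".join(out)

# OFB: O_i = E_K(O_{i-1}), O_0 = IV, C_i = P_i ^ O_i; any length, self-inverse
def ofb(key, iv, data):
    out, o = [], iv
    for i in range(0, len(data), BLOCK):
        o = encrypt_block(key, o)
        out.append(_xor(data[i:i + BLOCK], o))
    return b"".join(out)

# CTR: O_i = E_K(IV + i); the counter value must never repeat under one key
def ctr(key, iv, data):
    out, start = [], int.from_bytes(iv, "big")
    for i in range(0, len(data), BLOCK):
        c = ((start + i // BLOCK) % (1 << (8 * BLOCK))).to_bytes(BLOCK, "big")
        out.append(_xor(data[i:i + BLOCK], encrypt_block(key, c)))
    return b"".join(out)

def ecb_repeats(key):
    # equal plaintext blocks 0 and 2 give equal ciphertext blocks (the Tux effect)
    ct = ecb_encrypt(key, b"A" * BLOCK + b"B" * BLOCK + b"A" * BLOCK)
    return ct[:BLOCK] == ct[2 * BLOCK:]

def cbc_bit_flip(key, iv):
    # flip one bit of ciphertext block 0: block 0 decrypts to garbage, block 1
    # has exactly that bit flipped, block 2 is untouched (no integrity check!)
    pt = bytes([0x00] * BLOCK + [0x11] * BLOCK + [0x22] * BLOCK)
    ct = bytearray(cbc_encrypt(key, iv, pt))
    ct[0] ^= 0x01
    dec = cbc_decrypt(key, iv, bytes(ct))
    return (dec[:BLOCK] != pt[:BLOCK],
            _xor(dec[BLOCK:2 * BLOCK], pt[BLOCK:2 * BLOCK]) == b"\x01" + bytes(BLOCK - 1),
            dec[2 * BLOCK:] == pt[2 * BLOCK:])
```

Only ECB and CBC call the block cipher's decryption; CFB, OFB and CTR use E_K in both directions, which is why a stream mode never needs a decrypt primitive and why a reused IV or counter value under one key lets two ciphertexts be XORed into the XOR of their plaintexts.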

Speed

As a large part of this library is written in pure Python, it is slower than C implementations such as PyCrypto and its successor PyCryptodome.

The presence of the optional C extension significantly improves the speed of this library.