What is a block cipher? It is a data encryption method that takes in a block of plain text and generates a block of ciphertext of roughly the same size. A ciphertext can be defined as an unreadable output from an encryption algorithm. Also referred to as cipher, the ciphertext cannot be read until it is converted back into plain text using a key.
How does a block cipher differ from any other cipher? As you can guess from the name, in a block cipher, the process of encryption is executed on a block of plain text, not the individual text bits.
Through this beginner’s guide, we shall look at the basic principles of a block cipher and its modes of operation.
In this article let us look at:
As stated above, a block cipher is a form of encryption where plain text is first divided into multiple blocks, each with a fixed size. Essentially, each block has the same number of data bits. At any given time, the encryption process operates on a single block of plain text – and applies the encryption key to convert it into a block of ciphertext.
Each block is of the same size (for example, 64 bits). For instance, a 160-bit plain text is encrypted into 2 blocks of 64-bits each, while the third block will have the remaining balance of 32 bits. It will be padded with an additional 32 bits to maintain the same size as other blocks.
Similarly, the decryption process operates on a single ciphertext block to convert it back into plain text. Among the most effective block cipher examples, the Data Encryption Standard (or DES) published by the National Institute of Standards & Technology is a block cipher with symmetric keys.
How is the block cipher encryption/decryption process beneficial compared to other methods?
A block cipher is designed on the following three principles:
Let us take a close look at each of these three principles of a block cipher.
This block cipher design principle indicates the overall strength of the ciphering algorithm. In short, the more the number of rounds, the greater is the strength of the block cipher – making it more difficult to break into or decrypt the algorithm. In the event of a weak Function F design, the number of rounds can determine how easy (or difficult) it is to break into the algorithm.
Simultaneously, a higher number of rounds can also make the encryption and decryption process slow and inefficient. Hence in practice, this design principle is always a trade between efficiency and security.
Based on the Feistel structure, the entire encryption process consists of multiple rounds of plain text processing – where the input block of each round is denoted by two halves namely, L (for left half) and R (for right half).
Function F is essentially an encrypting function that takes in the encryption key “K” and “R” as the inputs and produces the encrypted output. It is the block cipher design principle that determines security. Function F should be designed in such a way that it cannot be unscrambled or substituted. The higher the non-linearity of function F, the more is its strength.
In other words, this function must be designed based on the bit independence criteria, meaning the output bits must be independently changed whenever there is any change in the input bits.
The key schedule algorithm calculates the round keys. This algorithm differs according to the block ciphering schemes or methods. For example, the key schedule algorithm in the DES scheme divides the 56-bit key into two halves of 28-bit each. Similarly, the Serpent algorithm uses the 256-bit key for generating 132 words with a length of 32 bits.
Many Block Cipher examples are operational in the domain of data encryption. Here are some of the popular ones:
Initially published by IBM in 1975, DES encrypts data in blocks of 64-bits each. This means that 64 bits of plain text data go as input into DES that in turn produces 64 bits of ciphertext. Its short key size of 56 bits makes it highly insecure for modern applications.
Also known as 3DES or TDES, Triple DES is a symmetric key block cipher that applies the DES algorithm to each data block three times. Each block size is 64-bits with key sizes of 56, 112, or 168 bits. Published in 1995, Triple DES is now available in two variants namely, 3-key Triple-DES (or 3TDES) and 2-key Triple-DES (or 2TDES).
Originally named Rijndael, AES is primarily a specification released in 2001 by the U.S-based National Institute of Standards and Technology. With block sizes of 128-bits, AES has a range of key sizes ranging from 128, 192, and 256 bits. Among the most popular encryption algorithms, AES has been tested to run at least six times faster than Triple DES. Based on the Substitution-Permutation Network technology, AES comprises a series of linked operations – that either involves replacing inputs with specific outputs (or substitution) or shuffling bits (or permutations).
Initially proposed as a replacement for DES, IDEA is another symmetric key block cipher used in data encryption. With individual block sizes of 64 bits, IDEA has a key size of 128 bits. Although restricted, IDEA encryption is used in many applications, including the PGP protocol. As a later addition, the Simplified IDEA is among the widely accepted block cipher examples that operate on plain text with a fixed length of 16-bits and encrypts them into 4 equal blocks of 4-bits each.
Derived from the earlier Blowfish block cipher, Twofish has a block size of 128-bits with key sizes of 128, 192, and 256-bits. Initially published in 1998, Twofish was among the five chosen finalists for the AES contest. Suitably fast for both 8-bit and 32-bit CPUs, Twofish is used for encryptions in applications with frequently changing keys.
Ranked second in the AES contest, Serpent is another block cipher with symmetric keys that has a block size of 128-bits and key sizes varying from 128, 192, to 256-bits. Like AES, Serpent is based on the Substitution-Permutation Network technology and operates on a block of four words with 32-bits each.
As defined by the NIST, there are different modes in which block cipher operates. These modes of operations are useful in enhancing the block ciphering algorithm to accommodate wider encryption applications. Each of these five modes of operation generates different properties that can add to the ciphering technology’s overall security.
Let us discuss each of these five modes of operations in greater detail:
Among the easiest operation modes, the block cipher in this mode processes a series of message blocks that are sequentially arranged. In simple terms, the algorithm takes in the first plain text block for encryption and produces the first block of ciphertext before moving on to the next block. Each processed block is 64-bits, and the output ciphertext is also divided into 64-bit blocks. Additionally, every block is decrypted independently at a given time to obtain the corresponding plain text block.
Being a deterministic mode of operation, ECB is not widely used in applications as it is easy for any hacker to guess the partial information in application data. For example, through the trial-and-error method, hackers can guess an employee’s salary range by deciphering the ECB ciphertext.
The CBC mode of operation overcomes the limitations of ECB by providing a non-deterministic system. So, even if every plain text block is repeated, the CBC mode of encryption does not produce the same output. This is achieved through chaining – which produces a block of ciphertext based on the inputs provided by the current (and previous) text block.
Through the CBC mode of operation, the current block of plain text is added to the previous block – with the output encrypted using a key. Similarly, decryption occurs in the reverse mode – meaning by decrypting the current ciphertext block and adding the previous block of ciphertext.
CBC is widely used in applications that require both data authentication and symmetric encryption.
While the CBC mode of block ciphering encrypts a fixed number of plain text bits at any given time, the CFB mode differs by encrypting some plain text values one at any given time. In other words, the CFB mode can be used for implementing stream ciphering in applications that require them.
Additionally, each ciphertext block is entered as an input to the next plain text block during the encryption process. The CFB mode also differs from the ECB mode as each ciphertext block encryption is dependent on the input plain text block, the encryption key, and the previous ciphertext block.
CFB mode is commonly used in applications that are designed to work on smaller data units in place of blocks.
The OFB mode works similarly to that of the CFB mode of operation. The only difference being this mode sends the encrypted output as the feedback in place of the ciphertext. Every bit of the output block is sent back instead of selected bits.
The OFB mode helps in reducing errors during bit transmission and in decreasing dependency of the output cipher on the plain text input.
The Counter or CTR mode is based on the CFB mode of operation – without the feedback part. In place of the feedback, a counter (or sequence of numbers) is used as the input into the encryption process along with the key. For each encrypted text block, the counter value is incremented by 1.
In the CTR mode, every ciphertext block does not depend on the previous ciphertext block. In other words, CTR mode can be used to convert a block cipher into a stream cipher. Like the CFB or OFB mode, CTR offers advantages like zero propagation of transmission errors.
In summary, this beginner’s guide provides a detailed look at how a block cipher works for encryption, along with the block cipher design principles that makes it so popular in this technology domain. We have also looked at the major modes of operation in block cipher that are prevalent in modern applications.
So, have you made up your mind to make a career in Cyber Security? Visit our Master Certificate in Cyber Security (Red Team) for further help. It is the first program in offensive technologies in India and allows learners to practice in a real-time simulated ecosystem, that will give you an edge in this competitive world.