Block Ciphers

A block cipher is an encryption technique that takes a fixed-length block of data (plaintext) and, under a secret key, transforms it into a block of encrypted data of the same length (ciphertext). The same key is used to decrypt the ciphertext back into the plaintext.

Supported Block Ciphers

  Algorithm   Meaning
  AES         Advanced Encryption Standard
  RIJNDAEL    Same as AES
  DES         Data Encryption Standard
  TDES        Triple Data Encryption Algorithm (TDEA), also known as Triple DES
  DES_EDE3    Same as TDES
  DES_EDE2    Variant of TDES with a 16-byte key (two-key Triple DES: the first DES key is reused as the third)
  DESX        Variant of DES that XORs extra key material into the block before and after the DES operation
  DES_XEX3    Same as DESX
  BLOWFISH    Blowfish
  TWOFISH     Twofish

A block cipher always processes its input in blocks of a fixed size, although the source data can be of any length. The block size depends on the algorithm.

Required Key Length and Block Size for Block Ciphers

  Algorithm         Key Length            Effective Key Length    Block Size
  AES (RIJNDAEL)    16, 24 or 32 bytes    128, 192 or 256 bits    16 bytes
  DES               8 bytes               56 bits                 8 bytes
  TDES (DES_EDE3)   24 bytes              168 bits                8 bytes
  DES_EDE2          16 bytes              112 bits                8 bytes
  DESX (DES_XEX3)   24 bytes              maximum 119 bits        8 bytes
  BLOWFISH          1 to 56 bytes (1)     same as key length      8 bytes
  TWOFISH           1 to 32 bytes (2)     16, 24 or 32 bytes      16 bytes

  (1) Officially, Blowfish supports only key lengths of 4 to 56 bytes. Keys shorter than 4 bytes are accepted for compatibility with other cryptographic modules.
  (2) A key shorter than 16, 24 or 32 bytes is padded with zero bytes up to the next larger effective key length.

Single DES, with its 56-bit key, can be brute-forced on commodity hardware, and the 8-byte block of DES, TDES, DESX and Blowfish limits how much data one key can safely encrypt (repeated ciphertext blocks become likely after about 2^32 blocks). Use AES for new applications.

If the data to be encrypted is longer than the block size, it is partitioned into separate blocks before encryption, and the last block is padded out to the block size using a padding scheme. Uniface uses PKCS7 padding: between 1 and block-size bytes are appended, each holding the number of padding bytes added. Because at least one byte is always appended, data whose length is already a multiple of the block size grows by a whole block.

Modes of Operation

The procedure used to encrypt the blocks of data is known as the mode of operation.

Supported Modes of Operation for Block Ciphers

  Abbreviation  Mode and description

  ECB           Electronic code book
                The message is divided into blocks and each block is encrypted separately with the key. The last block must be padded. This is the Uniface default. Because identical plaintext blocks produce identical ciphertext blocks, ECB reveals repetition and structure in the source data; reserve it for single-block values and use a chained or counter mode for anything longer.

  CBC           Cipher-block chaining
                Each plaintext block is XORed with the previous ciphertext block before it is encrypted, so each ciphertext block depends on all the plaintext blocks processed up to that point; an initialization vector takes the place of the previous ciphertext block when the first block is encrypted. The last block must be padded.

  CBC_CTS       CBC with ciphertext stealing
                Similar to CBC, but instead of padding, the last (partial) plaintext block is completed with bits taken from the second-to-last ciphertext block, which are then omitted from the output ("stolen"), so the ciphertext has the same length as the plaintext. The source data must be longer than the block size.

  CFB           Cipher feedback
                Turns the block cipher into a self-synchronizing stream cipher.

  OFB           Output feedback
                Turns the block cipher into a synchronous stream cipher.

  CTR           Counter
                Turns the block cipher into a stream cipher by encrypting successive values of a counter and XORing the result with the data.

Note:  Stream ciphers (CFB, OFB and CTR here) encrypt the data byte by byte instead of block by block, so the last block does not need to be padded and the output is the same length as the input. They still require an initialization vector. None of the modes listed here detects modification of the ciphertext; in the stream modes, flipping a bit of the ciphertext flips the same bit of the decrypted data.

Initialization Vector

Most modes of operation require an additional input value, known as the initialization vector (IV), so that encrypting the same data under the same key does not produce the same output every time. The IV does not need to be secret, but it must never be reused with the same key: with CTR and OFB a repeated IV repeats the keystream, so the XOR of two ciphertexts equals the XOR of the two plaintexts; with CFB the same happens for the first block; and with CBC a repeated IV reveals whether two messages share a common prefix.

For practical use, generate the IV from a cryptographically secure random source, store it together with the encrypted data (it is not secret), and pass the same value to $decode. A time stamp is predictable and repeats within its resolution, so it is acceptable only when the same key is never used for two encryptions in the same instant; for CBC in particular, the IV must be unpredictable to anyone who can choose the plaintext. The IV can be any length, but if it is longer than the block size it is truncated to the block size.

Create and Use an Initialization Vector

; Create an initialization vector. $datim yields the current date and time;
; a value from a secure random source is preferable. Either way, keep the IV
; with the encrypted data, because $decode needs the same value.
vIv = $datim

; Encrypt the source data with AES in CBC mode. vKey must be 16, 24 or 32 bytes.
vEnc = $encode("AES", vSource, vKey, "CBC", vIv)

; Decrypt the encrypted data with the same key and the same IV.
; vDecrypt must be the same as vSource.
vDecrypt = $decode("AES", vEnc, vKey, "CBC", vIv)
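The behaviour described above (PKCS7 padding, ECB versus CBC, the unpadded stream mode CTR, and what reusing an IV leaks) in a stand-alone form. This is an added reference example in Python; it is not Uniface code and not the implementation behind $encode and $decode. It implements AES-128 from the FIPS-197 definition and builds the modes on top of it so that the block boundaries, the padding and the chaining are visible. All function names, the PKCS7 helpers and the 128-bit big-endian counter handling in ctr_crypt are this example's own choices; the code is not constant-time and is meant for study, not for protecting real data.

```python
"""Pure-Python AES-128 with PKCS7 padding and ECB / CBC / CTR modes.  Reference code
only: the table lookups are not constant-time, so never use it to protect real data."""

_xtime = lambda a: ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1  # times x in GF(2^8)
_xor = lambda a, b: bytes(x ^ y for x, y in zip(a, b))

def _build_sbox():                # GF(2^8) inverse followed by the affine map; p = 3^i, q = 1/p
    sbox, p, q = [0] * 256, 1, 1
    for _ in range(255):          # 3 generates the multiplicative group, so p visits every non-zero byte
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF
        q ^= q << 1; q ^= q << 2; q ^= q << 4; q &= 0xFF
        q ^= 0x09 if q & 0x80 else 0
        rot = lambda n: ((q << n) | (q >> (8 - n))) & 0xFF
        sbox[p] = q ^ rot(1) ^ rot(2) ^ rot(3) ^ rot(4) ^ 0x63
    sbox[0] = 0x63                # zero has no inverse; affine(0) = 0x63
    return sbox

SBOX = _build_sbox()
INV_SBOX = [SBOX.index(v) for v in range(256)]

def _expand_key(key):             # AES-128 key schedule: 16-byte key -> 11 round keys of 16 bytes
    w, rcon = [list(key[i:i + 4]) for i in range(0, 16, 4)], 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:            # RotWord, SubWord, add Rcon
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0], rcon = t[0] ^ rcon, _xtime(rcon)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def _mix_columns(s):
    out = []
    for a0, a1, a2, a3 in (s[c:c + 4] for c in range(0, 16, 4)):
        t = a0 ^ a1 ^ a2 ^ a3
        out += [a0 ^ t ^ _xtime(a0 ^ a1), a1 ^ t ^ _xtime(a1 ^ a2),
                a2 ^ t ^ _xtime(a2 ^ a3), a3 ^ t ^ _xtime(a3 ^ a0)]
    return out

def _inv_mix_columns(s):          # equals MixColumns after adding 4*(a0^a2) and 4*(a1^a3) into each column
    s = list(s)
    for c in range(0, 16, 4):
        u, v = _xtime(_xtime(s[c] ^ s[c + 2])), _xtime(_xtime(s[c + 1] ^ s[c + 3]))
        s[c] ^= u; s[c + 1] ^= v; s[c + 2] ^= u; s[c + 3] ^= v
    return _mix_columns(s)

def aes128_encrypt_block(key, block):
    rk = _expand_key(key)
    s = [b ^ k for b, k in zip(block, rk[0])]
    for r in range(1, 11):
        s = [SBOX[b] for b in s]                                                   # SubBytes
        s = [s[4 * ((c + row) % 4) + row] for c in range(4) for row in range(4)]  # ShiftRows
        s = _mix_columns(s) if r < 10 else s                                       # MixColumns
        s = [b ^ k for b, k in zip(s, rk[r])]                                      # AddRoundKey
    return bytes(s)

def aes128_decrypt_block(key, block):
    rk = _expand_key(key)
    s = [b ^ k for b, k in zip(block, rk[10])]
    for r in range(9, -1, -1):
        s = [s[4 * ((c - row) % 4) + row] for c in range(4) for row in range(4)]  # InvShiftRows
        s = [INV_SBOX[b] ^ k for b, k in zip(s, rk[r])]                            # InvSubBytes, key
        s = _inv_mix_columns(s) if r > 0 else s
    return bytes(s)

def pkcs7_pad(data, bs=16):       # always adds 1..bs bytes, so an exact multiple of bs gains a whole block
    n = bs - len(data) % bs
    return data + bytes([n]) * n
def pkcs7_unpad(data, bs=16):
    n = data[-1] if data else 0
    if not 1 <= n <= bs or data[-n:] != bytes([n]) * n:
        raise ValueError("bad PKCS7 padding")   # reporting this to a remote caller builds a padding oracle
    return data[:-n]

def ecb_encrypt(key, pt):         # blocks are independent: equal plaintext blocks give equal ciphertext
    pt = pkcs7_pad(pt)
    return b"".join(aes128_encrypt_block(key, pt[i:i + 16]) for i in range(0, len(pt), 16))
def ecb_decrypt(key, ct):
    return pkcs7_unpad(b"".join(aes128_decrypt_block(key, ct[i:i + 16]) for i in range(0, len(ct), 16)))

def cbc_encrypt(key, iv, pt):     # each block is chained on the previous ciphertext; the IV starts the chain
    pt, prev, out = pkcs7_pad(pt), iv, []
    for i in range(0, len(pt), 16):
        prev = aes128_encrypt_block(key, _xor(pt[i:i + 16], prev))
        out.append(prev)
    return b"".join(out)
def cbc_decrypt(key, iv, ct):     # needs the very IV that was used to encrypt
    prev, out = iv, []
    for i in range(0, len(ct), 16):
        out.append(_xor(aes128_decrypt_block(key, ct[i:i + 16]), prev))
        prev = ct[i:i + 16]
    return pkcs7_unpad(b"".join(out))

def ctr_crypt(key, counter, data):  # stream mode: no padding, and the same call decrypts
    c0, out = int.from_bytes(counter, "big"), []
    for i in range(0, len(data), 16):  # keystream block i = E_k(counter + i) as a 128-bit big-endian value
        ks = aes128_encrypt_block(key, ((c0 + i // 16) % (1 << 128)).to_bytes(16, "big"))
        out.append(_xor(data[i:i + 16], ks))
    return b"".join(out)
```

With key 000102030405060708090a0b0c0d0e0f and block 00112233445566778899aabbccddeeff, aes128_encrypt_block reproduces the FIPS-197 Appendix C.1 ciphertext 69c4e0d86a7b0430d8cdb78070b4c55a, and the first output blocks of ecb_encrypt, cbc_encrypt and ctr_crypt match the NIST SP 800-38A AES-128 vectors. Encrypting b"A" * 32 shows the difference between the modes directly: ecb_encrypt returns two identical ciphertext blocks, cbc_encrypt with any IV returns two different ones. Calling ctr_crypt twice with the same key and counter value yields ciphertexts whose XOR equals the XOR of the two plaintexts, which is the IV reuse failure described above; and because pkcs7_pad always appends at least one byte, a 16-byte input produces 32 bytes of ECB or CBC output but only 16 bytes of CTR output.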

Encrypt and Decrypt Using Triple DES Block Cipher in ECB Mode

Encrypt the data by Triple DES in ECB mode. No mode or initialization vector is passed, so the Uniface default, ECB, is used; vKey2 must be 24 bytes long (see the key length table):

vEnc = $encode("TDES", vRawSource, vKey2)

Decrypt the data. The output of $decode (vDec) must be the same as the input of $encode (vRawSource):

vDec = $decode("TDES", vEnc, vKey2)