Block Ciphers
A block cipher is an encryption technique which takes a fixed-length block of data (plaintext) and uses a secret key to encrypt the data to a block of encrypted data of the same length (ciphertext). The data can be decrypted with the same key.
Algorithm | Meaning |
---|---|
AES
|
Advanced Encryption Standard |
RIJNDAEL
|
Same as AES |
DES
|
Data Encryption Standard |
TDES
|
Triple Data Encryption Algorithm (TDEA) as known as Triple DES |
DES_EDE3
|
Same as TDES |
DES_EDE2
|
Variant of TDES with 16 byte key length |
DESX
|
Variant of DES by XORing extra keys |
DES_XEX3
|
Same as DESX |
BLOWFISH
|
Blowfish |
TWOFISH
|
Twofish |
A block cipher encrypts input in blocks of a fixed size, although the source data can be in a variety of lengths. The block size depends on the algorithm.
Algorithm | Key Length | Effective Key Length | Block size |
---|---|---|---|
AES (RIJNDAEL) | 16, 24 or 32 bytes | 16 bytes | |
DES | 8 bytes | 56 bits | 8 bytes |
TDES (DES_EDE3) | 24 bytes | 168 bits | 8 bytes |
DES_EDE2 | 16 bytes | 112 bits | 8 bytes |
DESX (DES_XEX3) | 24 bytes | maximum 119 bits | 8 bytes |
BLOWFISH | 1 to 56 bytes 1 | 8 bytes | |
TWOFISH | 1 to 32 bytes 2 | 16, 24, 32 bytes | 16 bytes |
|
If the data to be encrypted is longer than the block size, it is partitioned into separate blocks before encryption. The last block may be padded out to match the block size using a padding scheme. Uniface uses the PKCS7 padding scheme to do so.
Modes of Operation
The procedure used to encrypt the blocks of data is known as the mode of operation.
Abbreviation | Mode | Description |
---|---|---|
ECB | Electronic code book (ECB) | The message is divided into blocks and each block is encrypted separately. The
last block must be padded. This is the Uniface default. |
CBC | Cipher-block chaining | Each cipher block depends on all the plaintext blocks processed up to that point, and an initialization vector is used in the first block. The last block must be padded. |
CBC_CTS | CBC cipher text stealing | Similar to CBC, but pads the last plaintext block with high order bits from the
second to last ciphertext block (stealing the ciphertext from the second to last block). The source data must be longer than the block size. |
CFB | Cipher feedback | Makes a block cipher into a self-synchronizing stream cipher. |
OFB | Output feedback | Makes a block cipher into a synchronous stream cipher. |
CTR | Counter | Turns a block cipher into a stream cipher by encrypting successive values of a counter. |
Note: Stream ciphers encrypt the data on a character basis instead of a block basis.
Initialization Vector
Most modes of operation require an additional input value, known as the initialization vector, to produce unique output from the same key. The initialization vector does not need to be secret but it must never be reused with the same key. Otherwise it could break the security of the source data.
For practical use, you can create an initialization vector by a random scheme or a time stamp and store it together with the encrypted data, then use them when you decrypt the data. The initialization vector can be any length but if it is longer than the block size, it will be truncated to the block size.
Create and Use an Initialization Vector
; Create an initialization vector. vIv = $datim ; Encrypt the source data by AES in CBC mode. vEnc = $encode("AES", vSource, vKey, "CBC", vIv) ; Decrypt the encrypted data. ; DECRYPT must be the same as SOURCE. vDecrypt = $decode("AES", vEnc, vKey, "CBC", vIv)
Encrypt and Decrypt Using Triple DES Block Cipher in ECB Mode
Encrypt the data by Triple DES in ECB mode:
vEnc = $encode("TDES", vRawSource, vKey2)
Decrypt the data. The output of$decode (vDec
) should
be the same as input of $encode (vRawSource
).
vDec = $decode("TDES", vEnc, vKey2)