09 | Why is ECB mode unsafe?

In the previous lecture, we discussed how symmetric-key block ciphers operate. We identified five key factors that affect the security of a symmetric-key algorithm, and looked at how the initialization vector and its selection affect that security.

However, some issues remain that we did not have time to discuss. What impact do the chaining mode and the padding scheme have on the security of the algorithm? How do they affect the security of block ciphers? How can we avoid these security traps?

In fact, these are the core issues in analyzing symmetric-key algorithms. Each chaining mode and each padding scheme has a different structure, which calls for a different method of analysis, and the analysis is fairly complicated.

In this lecture, we will first analyze the impact of the chaining mode on security, and take the opportunity to study the problems of ECB mode. As we mentioned at the beginning, it is not a secure encryption mode.

Before talking about ECB mode, let’s first look at what a chaining mode is.

How does a chaining mode connect blocks?

As we said last time, the chaining mode determines how one block operation is connected to the next, so that the previous block operation can affect the next one. However, that description is vague about how the connection is established and how the previous operation affects the next.

Logically speaking, every element of the previous block operation may take part in the next one; each element of the next block operation may receive one element, or a combination of several elements, from the previous operation.

Different ways of combining these elements give rise to different chaining modes.

Of course, not all combinations are safe.

Some modes have a strictly limited scope of application; outside that scope, the algorithm is no longer secure. We need to pay special attention to these limitations and understand the principles of each mode clearly, so that we do not fall into security traps when using them.

What is the ECB mode like?

Let’s first briefly understand how the ECB mode works.

Last time, we discussed five key factors that affect the security of symmetric-key algorithms. ECB mode is different in that it does not chain blocks together, so it does not require an initialization vector.

Not chaining blocks means that the previous block operation does not affect the next one: each data block is processed independently. Needing no initialization vector and processing each block independently are both attractive features.

Needing no initialization vector also means that ECB mode avoids the trouble of managing initialization vectors and makes for simpler code. Many cryptographic APIs are designed and implemented with default values for ease of use.

For example, the following Java code uses the default ECB mode. It looks clean and simple:

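// A bare "AES" leaves mode and padding to the provider; SunJCE resolves it to AES/ECB/PKCS5Padding.
Cipher cipher = Cipher.getInstance("AES");
cipher.init(Cipher.DECRYPT_MODE, secretKey);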

By contrast, the following code looks more complicated, because the initialization vector has to be kept in sync between the encrypting side and the decrypting side, and the actual implementation is more cumbersome:

// ivBytes must be the same IV that the encrypting side used.
IvParameterSpec ivParameters = new IvParameterSpec(ivBytes);
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
cipher.init(Cipher.DECRYPT_MODE, secretKey, ivParameters);
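
A behavioural check for the default-mode trap described above, as an added example that is not part of the original lecture: it encrypts two identical plaintext blocks and reports whether the ciphertext blocks repeat. The class name EcbProbe and the method repeatsBlocks are hypothetical, and the test key is generated on the spot.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import java.util.Arrays;

public class EcbProbe {
    /** True if two identical 16-byte plaintext blocks encrypt to identical ciphertext blocks. */
    static boolean repeatsBlocks(String transformation, SecretKey key) throws Exception {
        Cipher cipher = Cipher.getInstance(transformation);
        // No IV is passed in: ECB needs none, and for CBC encryption the provider generates one.
        cipher.init(Cipher.ENCRYPT_MODE, key);
        byte[] ct = cipher.doFinal(new byte[32]); // two all-zero AES blocks (plus padding)
        return Arrays.equals(Arrays.copyOfRange(ct, 0, 16), Arrays.copyOfRange(ct, 16, 32));
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator generator = KeyGenerator.getInstance("AES");
        generator.init(128);
        SecretKey key = generator.generateKey(); // throwaway key for the probe

        // The bare "AES" string is the one used in the first snippet of this section.
        String[] transformations = {"AES", "AES/ECB/PKCS5Padding", "AES/CBC/PKCS5Padding"};
        for (String t : transformations) {
            System.out.println(t + " -> repeats blocks: " + repeatsBlocks(t, key));
        }
    }
}
```

On the JDK's SunJCE provider, the bare "AES" transformation and the explicit ECB one both report repeating blocks, while CBC does not. A probe like this can run as a unit test to catch a default-mode cipher regardless of how the transformation string is spelled.
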

Each block operation being independent is an attractive feature, because it means the operations can be performed in parallel and need not be performed in order.

Parallel operation means much better computing efficiency; having no ordering requirement means that each piece of encrypted data can be accessed, decrypted, modified, and deleted independently. Moreover, adding or inserting new data segments does not affect other data segments.

All of these mean good computing efficiency. This is a feature that every large-scale data computing scenario desires, such as databases, streaming media, and video conferencing. Unfortunately, ECB mode has fatal security flaws.

Its fatal security flaws come precisely from its attractive features: the lack of an initialization vector and the lack of chaining. If we cannot resist the temptation and look for alternatives, we will fall into these fatal security traps.

What problems does the absence of an initialization vector and chaining mode bring?

You may not know what problems the lack of an initialization vector and chaining will cause. Let us analyze it together.

Remember the role of the initialization vector? If an encryption operation has no initialization vector, the same plaintext block is always encrypted to the same ciphertext block. Let’s look at an example. Suppose we have the following data:

ABCDEFGHHIJKLMNO0123456789012345

When we encrypt with AES-128/ECB, this data is split into two plaintext blocks:

ABCDEFGHHIJKLMNO
0123456789012345

Then we encrypt this data. The resulting ciphertext (with the key “1234567890123456”), in hexadecimal, is:

1389AE9853633EBF3D35F28987FCD1187B4BFC89DD1700154482BC7EB686BB0E

We can divide the ciphertext into two blocks according to the block size:

1389AE9853633EBF3D35F28987FCD118
7B4BFC89DD1700154482BC7EB686BB0E

From the way ECB mode works, we know that the first ciphertext block corresponds to “ABCDEFGHHIJKLMNO” and the second ciphertext block corresponds to “0123456789012345”.

If we know the ciphertext that corresponds to a data block, we can identify that data block wherever its ciphertext repeats, without the key and without performing any decryption. For example, take the following ciphertext:

7B4BFC89DD1700154482BC7EB686BB0E1389AE9853633EBF3D35F28987FCD118

The corresponding data block is:

0123456789012345ABCDEFGHHIJKLMNO

You may ask: the data is encrypted, so how can the attacker know a data block and its ciphertext in advance? In fact, on the Internet a great deal of data is known, repeated, and found at predictable positions. HTTP header data, HTTPS packet headers, URLs, and so on are all highly repetitive data.

Once a known data block has been located and matched to its ciphertext, the known plaintext and ciphertext pairs can be used to find and infer unknown data.

Moreover, in many application scenarios, especially on the Internet, it is easy to inject specific plaintext and obtain the corresponding ciphertext. If the attacker does not have the ciphertext of “0123456789012345”, he can construct that plaintext, have the key holder encrypt it, and then obtain the corresponding ciphertext block.

Attackers may not be satisfied with merely reading data and peeking into private information. The more serious problem with ECB mode comes from the lack of chaining: every block operation is independent, and so every ciphertext block is independent as well.

Let’s take a look at the following data:

Zhang San borrowed RMB 30 yuan from Li Si on August 22, 2020, as evidenced by this. 

Suppose that during encryption this data is divided into the following four blocks (the block boundaries cut across words):

Zhang San, in 2020,
on August 22, from Li
Si, borrowed RMB 30
yuan, as evidenced by this.

There is also the following data:

Wang Er borrowed RMB 3,456,000 from Li Si on August 22, 2020, as evidenced by this. 

Assume that during encryption this data is divided into the following five blocks:

Wang Er, in 2020,
on August 22, from Li
Si, borrowed RMB 30
forty-five million six thousand
yuan, as evidenced by this.

If we have the plaintext and the corresponding ciphertext, we can rearrange the ciphertext blocks to obtain the result we want.

If ECB is used, we can delete the ciphertext block corresponding to the plaintext block “forty-five million six thousand”; the decryption result is then:

Wang Er borrowed RMB 30 yuan from Li Si on August 22, 2020, as evidenced by this. 

We can also insert the ciphertext block corresponding to the plaintext block “forty-five million six thousand” into the ciphertext of the first piece of data. The decryption result of the modified ciphertext is then:

Zhang San borrowed RMB 3,456,000 from Li Si on August 22, 2020, as evidenced by this. 

Such results are far from the original data. This attack is often referred to as a “block replay” attack.
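
The block reordering, deletion and insertion described in this section, reproduced as an added example that is not part of the original lecture. It uses the key and two-block plaintext from the text; the class and helper names are hypothetical, and the loan records are constructed sample data whose 16-byte fragments differ from the split shown above.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;

public class EcbBlockReplay {
    static final byte[] KEY = "1234567890123456".getBytes(StandardCharsets.US_ASCII); // key from the text

    static byte[] ecb(int mode, byte[] data) throws Exception {
        Cipher cipher = Cipher.getInstance("AES/ECB/NoPadding"); // inputs are whole 16-byte blocks
        cipher.init(mode, new SecretKeySpec(KEY, "AES"));
        return cipher.doFinal(data);
    }

    static byte[] encrypt(String s) throws Exception {
        return ecb(Cipher.ENCRYPT_MODE, s.getBytes(StandardCharsets.US_ASCII));
    }

    static String decrypt(byte[] ct) throws Exception {
        return new String(ecb(Cipher.DECRYPT_MODE, ct), StandardCharsets.US_ASCII);
    }

    /** Appends the chosen 16-byte blocks of src to out; pure byte shuffling, no key involved. */
    static ByteArrayOutputStream take(ByteArrayOutputStream out, byte[] src, int... blocks) {
        for (int i : blocks) out.write(src, i * 16, 16);
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Two-block plaintext from the text: swapping ciphertext blocks swaps the plaintext.
        byte[] ct = encrypt("ABCDEFGHHIJKLMNO0123456789012345");
        System.out.println(decrypt(take(new ByteArrayOutputStream(), ct, 1, 0).toByteArray()));

        // Constructed records, one fragment per 16-byte block (sample data, not from the text).
        String b = "Li Si RMB     30", c = ",456,000,000,000", d = " yuan, per this.";
        byte[] small = encrypt("Zhang San owes  " + b + d);
        byte[] large = encrypt("Wang Er owes    " + b + c + d);

        // Delete the amount-extension block from the large record.
        byte[] cut = take(new ByteArrayOutputStream(), large, 0, 1, 3).toByteArray();
        System.out.println(decrypt(cut));

        // Insert that block into the small record; it decrypts cleanly as well.
        ByteArrayOutputStream out = take(new ByteArrayOutputStream(), small, 0, 1);
        take(out, large, 2);
        byte[] forged = take(out, small, 2).toByteArray();
        System.out.println(decrypt(forged));
    }
}
```

All three decryptions complete without any error, which is why ECB ciphertext gives the receiver no way to tell an edited message from a genuine one.
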

When to use ECB mode?

Now you know that ECB mode is a very unsafe mode. Since it is so unsafe, why do security APIs still provide an ECB programming interface? This is mainly because ECB mode is the foundation of block ciphers.

The most basic operation of a block cipher is to transform a fixed-length data block, and transforming a single data block is exactly the ECB operation. Algorithm engineers with professional knowledge of cryptography can construct more complex and more secure algorithms by using ECB mode judiciously. However, we should not use ECB mode in general applications.

Since its birth, ECB has been considered an unsafe encryption mode. Engineers with basic knowledge of cryptography generally will not use it. In the next section, we discuss a widely used mode and the challenges it currently faces.

Take Away

Today, by dissecting ECB mode, we discussed the role of chaining modes and initialization vectors in block operations, as well as the problems caused by the lack of initialization vectors and chaining modes.

Finally, we also discussed the practical uses of ECB mode, and a practical suggestion: we should not use ECB mode in general applications. Through today’s discussion, we need to: understand the problems that a missing initialization vector can cause in a block cipher; understand the problems that a missing chaining mode can cause in a block cipher; and know that ECB mode is not a safe mode and that applications should not use it directly.