Open main menu
Home
Random
Recent changes
Special pages
Community portal
Preferences
About Wikipedia
Disclaimers
Incubator escapee wiki
Search
User menu
Talk
Dark mode
Contributions
Create account
Log in
Editing
Block cipher mode of operation
(section)
Warning:
You are not logged in. Your IP address will be publicly visible if you make any edits. If you
log in
or
create an account
, your edits will be attributed to your username, along with other benefits.
Anti-spam check. Do
not
fill this in!
==Error propagation== "Error propagation" properties describe how a decryption behaves during bit errors, i.e. how error in one bit cascades to different decrypted bits. Bit errors may occur intentionally in attacks or randomly due to transmission errors. * Random bit errors occur independently in any bit position with an expected probability of Β½. * Specific bit errors occur in the same bit position(s) as the original bit error(s). * Specific bit errors in stream cipher modes (OFB, CTR, etc.) are trivial. They affect only the specific bit intended. * Specific bit errors in more complex modes such (e.g. CBC): [[adaptive chosen-ciphertext attack]] may intelligently combine many different specific bit errors to break the cipher mode. In [[Padding oracle attack]], CBC can be decrypted in the attack by guessing encryption secrets based on error responses. The Padding Oracle attack variant "CBC-R" (CBC Reverse) lets the attacker construct any valid message. For modern [[authenticated encryption]] (AEAD) or protocols with [[message authentication codes]] chained in MAC-Then-Encrypt order, any bit error should completely abort decryption and must not generate any specific bit errors to decryptor. I.e. if decryption succeeded, there should not be any bit error. As such error propagation is less important subject in modern cipher modes than in traditional confidentiality-only modes. {| class="wikitable" ! Mode !! Effect of bit errors in C<sub>i</sub> !! Effect of bit errors in the IV or nonce |- | ECB || Random bit errors in P<sub>i</sub> || {{n/a}} |- | CBC || Random bit errors in P<sub>i</sub><br>Specific bit errors in P<sub>i+1</sub> || Specific bit errors in P<sub>1</sub> |- | CFB || Specific bit errors in P<sub>i</sub><br> Random bit errors in P<sub>i+1</sub>, β¦, until synchronization is restored || Random bit errors in P<sub>1</sub>, β¦, until synchronization is restored |- | OFB || Specific bit errors in P<sub>i</sub> || Random bit errors in P<sub>1</sub>, P<sub>2</sub>, β¦, P<sub>n</sub> |- | CTR || Specific bit errors in P<sub>i</sub> || Random bit errors in P<sub>i</sub> for bit error in counter block T<sub>i</sub> |} (Source: SP800-38A Table D.2: Summary of Effect of Bit Errors on Decryption) It might be observed, for example, that a one-block error in the transmitted ciphertext would result in a one-block error in the reconstructed plaintext for ECB mode encryption, while in CBC mode such an error would affect two blocks. Some felt that such resilience was desirable in the face of random errors (e.g., line noise), while others argued that error correcting increased the scope for attackers to maliciously tamper with a message. However, when proper integrity protection is used, such an error will result (with high probability) in the entire message being rejected. If resistance to random error is desirable, [[error-correcting code]]s should be applied to the ciphertext before transmission.
Edit summary
(Briefly describe your changes)
By publishing changes, you agree to the
Terms of Use
, and you irrevocably agree to release your contribution under the
CC BY-SA 4.0 License
and the
GFDL
. You agree that a hyperlink or URL is sufficient attribution under the Creative Commons license.
Cancel
Editing help
(opens in new window)