ANSI INCITS ISO IEC 10116-2006 Information technology Security techniques Modes of operation for an n-bit block cipher.pdf

1、INCITS/ISO/IEC 10116:20062008 (ISO/IEC 10116:2006, IDT) Information technology Security techniques Modes of operationfor an n-bit block cipherINCITS/ISO/IEC 10116:20062008(ISO/IEC 10116:2006, IDT)INCITS/ISO/IEC 10116:20062008 ii ITIC 2008 All rights reserved PDF disclaimer This PDF file may contain

2、embedded typefaces. In accordance with Adobes licensing policy, this file may be printed or viewed but shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In downloading this file, parties accept therein the responsibility

3、 of not infringing Adobes licensing policy. The ISO Central Secretariat accepts no liability in this area. Adobe is a trademark of Adobe Systems Incorporated. Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation paramet

4、ers were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below. Adopted by INCITS (InterNational Committee for

5、Information Technology Standards) as an American National Standard. Date of ANSI Approval: 7/2/2008 Published by American National Standards Institute, 25 West 43rd Street, New York, New York 10036 Copyright 2008 by Information Technology Industry Council (ITI). All rights reserved. These materials

6、are subject to copyright claims of International Standardization Organization (ISO), International Electrotechnical Commission (IEC), American National Standards Institute (ANSI), and Information Technology Industry Council (ITI). Not for resale. No part of this publication may be reproduced in any

7、form, including an electronic retrieval system, without the prior written permission of ITI. All requests pertaining to this standard should be submitted to ITI, 1250 Eye Street NW, Washington, DC 20005. Printed in the United States of America Contents PageForeword . . . . . . . . . . . . . . . . .

8、 . . . . . . . . . . . . . . . . . . . . . . . . . . . vii1 Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 Normative references . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 Terms and definitions . . . . . . . . . . . .

9、 . . . . . . . . . . . . . . . . . . . . . . 24 Symbols (and abbreviated terms) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35 Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56 Electronic Codebook (ECB) mode . . . . . . . . . . . . . . . . .

10、 . . . . . . . . . . . 66.1 Preliminaries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66.2 Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66.3 Decryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

11、67 Cipher Block Chaining (CBC) mode . . . . . . . . . . . . . . . . . . . . . . . . . . . 67.1 Preliminaries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67.2 Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77.3 Decryption . . . . .

12、 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78 Cipher Feedback (CFB) mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88.1 Preliminaries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88.2 Encryption . . . . . . . . . . . . . . . .

13、 . . . . . . . . . . . . . . . . . . . . . 88.3 Decryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99 Output Feedback (OFB) mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109.1 Preliminaries . . . . . . . . . . . . . . . . . . . . . . . . . . .

14、 . . . . . . . . . 109.2 Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109.3 Decryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1110 Counter (CTR) mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

15、1110.1 Preliminaries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1110.2 Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1210.3 Decryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12Annex A (normat

16、ive) Object identifiers . . . . . . . . . . . . . . . . . . . . . . . . . . . 14Annex B (informative) Properties of the modes of operation . . . . . . . . . . . . . . . . 16B.1 Properties of the Electronic Codebook (ECB) mode of operation . . . . . . . . 16B.2 Properties of the Cipher Block Chaining

17、 (CBC) mode of operation . . . . . . . 17B.3 Properties of the Cipher Feedback (CFB) mode of operation . . . . . . . . . . 18B.4 Properties of the Output Feedback (OFB) mode of operation . . . . . . . . . . 20B.5 Properties of the Counter (CTR) mode of operation . . . . . . . . . . . . . . . 21Annex

18、 C (informative) Figures describing the modes of operation . . . . . . . . . . . . . 23iiiINCITS/ISO/IEC 10116:20062008 ITIC 2008 All rights reservedAnnex D (informative) Examples for the Modes of Operation . . . . . . . . . . . . . . . 26D.1 General . . . . . . . . . . . . . . . . . . . . . . . . .

19、 . . . . . . . . . . . . . . . 26D.2 Triple Data Encryption Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . 26D.2.1 ECB Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27D.2.2 CBC Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29D.2.

20、3 CFB Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31D.2.4 OFB Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34D.2.5 Counter Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35D.3 Advanced Encryption Standard . . . . .

21、 . . . . . . . . . . . . . . . . . . . . . 36D.3.1 ECB Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36D.3.2 CBC Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37D.3.3 CFB Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

22、 . . 38D.3.4 OFB Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39D.3.5 Counter Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40Bibliography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41FiguresC.1 The Cip

23、her Block Chaining (CBC) mode of operation with m = 1 . . . . . . . . . 23C.2 The Cipher Block Chaining (CBC) mode of operation . . . . . . . . . . . . . . . . 23C.3 The Cipher Feedback (CFB) mode of operation . . . . . . . . . . . . . . . . . . . . 24C.4 The Output Feedback (OFB) mode of operation

24、 . . . . . . . . . . . . . . . . . . 24C.5 The Counter (CTR) mode of operation . . . . . . . . . . . . . . . . . . . . . . . . . 25iv INCITS/ISO/IEC 10116:20062008 ITIC 2008 All rights reservedForewordISO (the International Organization for Standardization) and IEC (the International Elec-trotechni

25、cal Commission) form the specialized system for worldwide standardization. Nationalbodies that are members of ISO or IEC participate in the development of International Standardsthrough technical committees established by the respective organization to deal with particularfields of technical activit

26、y. ISO and IEC technical committees collaborate in fields of mutualinterest. Other international organizations, governmental and non-governmental, in liaison withISO and IEC, also take part in the work. In the field of information technology, ISO and IEChave established a joint technical committee,

27、ISO/IEC JTC 1.International Standards are drafted in accordance with the rules given in the ISO/IEC Directives,Part 2.The main task of the joint technical committee is to prepare International Standards. DraftInternational Standards adopted by the joint technical committee are circulated to national

28、bodies for voting. Publication as an International Standard requires approval by at least 75 %of the national bodies casting a vote.Attention is drawn to the possibility that some of the elements of this document may be thesubject of patent rights. ISO and IEC shall not be held responsible for ident

29、fying any or allsuch patent rights.ISO/IEC 10116 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information tech-nology, Subcomittee SC 27, IT Security techniques.This third edition cancels and replaces the second edition (ISO/IEC 10116:1997) which has beenrevised. Implementations that com

30、ply with ISO/IEC 10116:1997 will also comply with this thirdedition.The main technical changes between the second edition and this third edition are as follows:a) CBC mode has been extended to permit interleaving; andb) a new mode (Counter mode) has been introduced.vINCITS/ISO/IEC 10116:20062008 ITI

31、C 2008 All rights reservedIntroductionISO/IEC 10116 specifies modes of operation for an n-bit block cipher. These modes providemethods for encrypting and decrypting data where the bit length of the data may exceed thesize n of the block cipher.This third edition of ISO/IEC 10116 specifies five modes

32、 of operation:a) Electronic Codebook (ECB);b) Cipher Block Chaining (CBC);c) Cipher Feedback (CFB);d) Output Feedback (OFB); ande) Counter (CTR).vi INCITS/ISO/IEC 10116:20062008 ITIC 2008 All rights reservedInformation technology Security techniques Modes of operation for an n-bit block cipher1 Scop

33、eThis International Standard establishes five modes of operation for applications of an n-bit blockcipher (e.g. protection of data transmission, data storage). The defined modes only provideprotection of data confidentiality. Protection of data integrity and requirements for padding thedata are not

34、within the scope of this International Standard. Also most modes do not protectthe confidentiality of message length information.This International Standard specifies the modes of operation and gives recommendations forchoosing values of parameters (as appropriate).The modes of operation specified i

35、n this International Standard have been assigned object iden-tifiers in accordance with ISO/IEC 9834. The list of assigned object identifiers is given in AnnexA. In applications in which object identifiers are used, the object identifiers specified in An-nex A are to be used in preference to any oth

36、er object identifiers that may exist for the modeconcerned.NOTE Annex B (informative) contains comments on the properties of each mode. Block ciphersare specified in ISO/IEC 18033-3.2 Normative referencesThe following referenced documents are indispensable for the application of this document. Forda

37、ted references, only the edition cited applies. For undated references, the latest edition of thereferenced document (including any amendments) applies.ISO/IEC 18033-3, Information technology Security techniques Encryption algorithms Part 3:Block ciphers.1AMERICAN NATIONAL STANDARD INCITS/ISO/IEC 10

38、116:20062008 ITIC 2008 All rights reserved3 Terms and definitionsFor the purposes of this document, the following terms and definitions apply.3.1block chainingencryption of information in such a way that each block of ciphertext is cryptographically de-pendent upon a preceding ciphertext block.3.2bl

39、ock ciphersymmetric encryption algorithm with the property that the encryption algorithm operates on ablock of plaintext, i.e. a string of bits of a defined length, to yield a block of ciphertext.ISO/IEC 18033-13.3ciphertextdata which has been transformed to hide its information content.3.4counterbi

40、t array of length n bits (where n is the size of the underlying block cipher) which is used in theCounter mode; its value when considered as the binary representation of an integer increases byone (modulo 2n) after each block of plaintext is processed.3.5cryptographic synchronizationco-ordination of

41、 the encryption and decryption processes.3.6decryptionreversal of a corresponding encryption.ISO/IEC 18033-13.7encryption(reversible) transformation of data by a cryptographic algorithm to produce ciphertext, i.e., tohide the information content of the data.ISO/IEC 18033-13.8feedback buffer (FB)vari

42、able used to store input data for the encryption process. At the starting point FB has thevalue of SV.2 INCITS/ISO/IEC 10116:20062008 ITIC 2008 All rights reserved3.9keysequence of symbols that controls the operation of a cryptographic transformation (e.g. encryp-tion, decryption).ISO/IEC 18033-13.1

43、0n-bit block cipherblock cipher with the property that plaintext blocks and ciphertext blocks are n bits in length.3.11plaintextunencrypted information.3.12starting variable (SV)variable possibly derived from some initialization value and used in defining the starting pointof the modes of operation.

44、NOTE The method of deriving the starting variable from the initializing value is not defined inthis International Standard. It needs to be described in any application of the modes of operation.4 Symbols (and abbreviated terms)C Ciphertext block.CTR Counter value.dK Decryption function of the block

45、cipher keyed by key K.E Intermediate variable.eK Encryption function of the block cipher keyed by key K.F Intermediate variable.FB Feedback buffer.i Iteration.j Size of plaintext/ciphertext variable.K Key.n Plaintext/ciphertext block length for a block cipher.m Number of stored ciphertext blocks.P P

46、laintext block.q Number of plaintext/ciphertext variables.r Size of feedback buffer.SV Starting variable.X Block cipher input block.Y Block cipher output block.| Concatenation of bit strings.3INCITS/ISO/IEC 10116:20062008 ITIC 2008 All rights reserved4.1 a mod nFor integers a and n, a mod n denotes

47、the (non-negative) remainder obtained when a is dividedby n. Equivalently if b = a mod n, then b is the unique integer satisfying: 0 b 0, the number ofciphertext blocks that must be stored whilst processing the mode. The value of m should besmall (typically m = 1) and at most 1024.NOTE The choice of

48、 1024 as the upper limit for m is somewhat arbitrary. It is intended to providea realistic upper bound on the number of hardware processors.6 INCITS/ISO/IEC 10116:20062008 ITIC 2008 All rights reservedThe variables employed by the CBC mode area) The input variables1) A sequence of q plaintext blocks

49、 P1,P2,.,Pq, each of n bits.2) A key K.3) A sequence of m starting variables SV1,SV2,.,SVm each of n bits.NOTE If m = 1 then this mode is compatible with the CBC mode described in the secondedition of this standard (ISO/IEC 10116:1997).b) The output variables, i.e. a sequence of q ciphertext variables C1,C2,.,Cq, each of n bits.7.2 EncryptionThe CBC mode of encryption operates as follows:Ci = eK(Pi SVi),1 i min(m,q)If q m, all subsequent plaintext blocks are encrypted as:Ci = eK(Pi C