INTERNATIONAL STANDARD

INTERNATIONAL ORGANIZATION FOR STANDARDIZATION
ORGANISATION INTERNATIONALE DE NORMALISATION
МЕЖДУНАРОДНАЯ ОРГАНИЗАЦИЯ ПО СТАНДАРТИЗАЦИИ

Information processing - Modes of operation for a 64-bit block cipher algorithm

Traitement de l'information - Modes opératoires d'un algorithme de chiffrement par blocs de 64 bits

ISO 8372
First edition 1987-08-15

Reference number ISO 8372 : 1987 (E)

Adopted by INCITS (InterNational Committee for Information Technology Standards) as an American National Standard.
Date of ANSI Approval: 1/13/99
Published by American National Standards Institute, 25 West 43rd Street, New York, New York 10036

Copyright 2002 by Information Technology Industry Council (ITI). All rights reserved.

These materials are subject to copyright claims of International Standardization Organization (ISO), International Electrotechnical Commission (IEC), American National Standards Institute (ANSI), and Information Technology Industry Council (ITI). Not for resale. No part of this publication may be reproduced in any form, including an electronic retrieval system, without the prior written permission of ITI. All requests pertaining to this standard should be submitted to ITI, 1250 Eye Street NW, Washington, DC 20005.

Printed in the United States of America

Foreword

ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.

Draft International Standards adopted by the technical committees are circulated to the member bodies for approval before their acceptance as International Standards by the ISO Council. They are approved in accordance with ISO procedures requiring at least 75 % approval by the member bodies voting.

International Standard ISO 8372 was prepared by Technical Committee ISO/TC 97, Information processing systems.

Users should note that all International Standards undergo revision from time to time and that any reference made herein to any other International Standard implies its latest edition, unless otherwise stated.

© International Organization for Standardization, 1997
Printed in Switzerland

1 Scope and field of application

This International Standard describes four modes of operation for any 64-bit block cipher algorithm using a secret key.

NOTE - The annex, which does not form part of this International Standard, contains comments on the properties of each mode.

This International Standard establishes four defined modes of operation so that in any application of a 64-bit block cipher (for example data transmission, data storage authentication) this International Standard will provide a useful reference for the specification of the mode of operation, the formation of the starting variable, and the values of parameters (as appropriate).

NOTE - For the Cipher Feedback (CFB) mode of operation (see clause 7), two parameters, j and k, are defined. For the Output Feedback (OFB) mode of operation (see clause 8), one parameter, j, is defined. When one of these modes of operation is used the parameter value(s) needs to be chosen and used by all communicating parties.

2 Reference

ANSI X3.92-1991, Data Encryption Algorithm.

3 Definitions

3.1 plaintext: Unenciphered information.

3.2 ciphertext: Enciphered information.

3.3 block chaining: The encipherment of information such that each block of ciphertext is cryptographically dependent upon the preceding ciphertext block.

3.4 initializing value (IV): Value used in defining the starting point of an encipherment process.

3.5 starting variable (SV): Variable derived from the initializing value and used in defining the starting point of the modes of operation.

NOTE - The method of deriving the starting variable from the initializing value is not defined in this International Standard. It needs to be described in any application of the modes of operation.

3.6 cryptographic synchronization: The co-ordination of the encipherment and decipherment process.

4 Notation

For the purposes of this International Standard the functional relation defined by the block encipherment algorithm is written

$C = eK(P)$

where
P is the plaintext block;
C is the ciphertext block;
K is the key.

The expression eK is the operation of encipherment using the key K. The corresponding decipherment function is written

$P = dK(C)$

A variable, such as P and C above, denoted by a capital letter, represents a one-dimensional array of bits, for example:

$A = (a_1, a_2, \ldots, a_m)$
$B = (b_1, b_2, \ldots, b_m)$

i.e. arrays of m bits, numbered from 1 to m.

The operation of addition, modulo 2, also known as the exclusive or function, is shown by the symbol $\oplus$. The operation applied to arrays such as A and B is defined as

$A \oplus B = (a_1 \oplus b_1, a_2 \oplus b_2, \ldots, a_m \oplus b_m)$

The operation of selecting the leftmost j bits of A to generate a j-bit array is written

$A \sim j = (a_1, a_2, \ldots, a_j)$

This operation is defined only when $j \le m$, where m is the number of bits in A.

A “shift function” $S_k$ is defined as follows. Given an m-bit variable X and a k-bit variable F where $k \le m$, the effect of a shift function $S_k(X \mid F)$ produces the m-bit variable

$S_k(X \mid F) = (x_{k+1}, x_{k+2}, \ldots, x_m, f_1, f_2, \ldots, f_k)$

The effect is to shift the bits of array X left by k places, discarding $x_1 \ldots x_k$, and to place the array F in the rightmost k places of X.

A special case of this function is used which begins with the k-bit variable I(k) of successive 1 bits and shifts the variable C of j bits into it, where $j \le k$. The result is

$S_j(I(k) \mid C) = (1, 1, \ldots, 1, c_1, c_2, \ldots, c_j)$

where there are k - j “ones” on the left of the resultant array.

5 Electronic Codebook (ECB) mode

Given a plaintext block P of 64 bits, the encipherment algorithm produces a ciphertext block C of 64 bits, i.e.:

$C = eK(P)$

The decipherment algorithm produces

$P = dK(C)$

This mode of using the encipherment algorithm is known as “electronic codebook”.

6 Cipher Block Chaining (CBC) mode

The variables employed for the CBC mode of encipherment are
a) a sequence of n plaintext blocks $P_1, P_2, \ldots, P_n$, each of 64 bits;
b) a key K;
c) a starting variable SV of 64 bits;
d) the resultant sequence of n ciphertext blocks $C_1, C_2, \ldots, C_n$, each of 64 bits.

NOTE - The method of forming SV is not described in this International Standard.

The CBC mode of encipherment is described as follows:

Encipherment of the first plaintext variable:

$C_1 = eK(P_1 \oplus SV)$    (1)

subsequently,

$C_i = eK(P_i \oplus C_{i-1})$ for $i = 2, 3, \ldots, n$    (2)

This procedure is illustrated in the upper part of figure 1. The starting variable SV is used in the generation of the first ciphertext output. Subsequently, the ciphertext is added, modulo 2, to the next plaintext before encipherment.

The CBC mode of decipherment is described as follows:

Decipherment of the first ciphertext variable:

$P_1 = dK(C_1) \oplus SV$    (3)

subsequently,

$P_i = dK(C_i) \oplus C_{i-1}$ for $i = 2, 3, \ldots, n$    (4)

This procedure is illustrated in the lower part of figure 1.

Figure 1 - Cipher Block Chaining (CBC) mode of operation (panels: Encipherment algorithm, Decipherment algorithm)

7 Cipher Feedback (CFB) mode

NOTE - The method of forming SV is not described in this International Standard.

7.1 Two parameters define a CFB mode of operation
a) the size of feedback variable, k, where $1 \le k \le 64$;
b) the size of plaintext variable, j, where $1 \le j \le k$.

The variables employed for the CFB mode of operation are
a) The input variables:
   1) a sequence of n plaintext variables $P_1, P_2, \ldots, P_n$, each of j bits;
   2) a key K;
   3) a starting variable SV of 64 bits.
b) The intermediate results:
   1) a sequence of n algorithm input variables $X_1, X_2, \ldots, X_n$, each of 64 bits;
   2) a sequence of n algorithm output variables $Y_1, Y_2, \ldots, Y_n$, each of 64 bits;
   3) a sequence of n variables $E_1, E_2, \ldots, E_n$, each of j bits;
   4) a sequence of n feedback variables $F_1, F_2, \ldots, F_n$, each of k bits.
c) The output variables, i.e. a sequence of n ciphertext variables $C_1, C_2, \ldots, C_n$, each of j bits.

The variable X is set to its initial value

$X_1 = SV$    (5)

7.2 The operation of enciphering each plaintext block employs the following five steps:
a) use of encipherment algorithm, $Y_i = eK(X_i)$;    (6)
b) selection of leftmost j bits, $E_i = Y_i \sim j$;    (7)
c) generation of ciphertext block, $C_i = P_i \oplus E_i$;    (8)
d) generation of feedback block, $F_i = S_j(I(k) \mid C_i)$;    (9)
e) shift function on X, $X_{i+1} = S_k(X_i \mid F_i)$.    (10)

These steps are repeated for i = 1, 2, . . . , n, ending with equation (8) on the last cycle.
The procedure is illustrated on the left side of figure 2. The leftmost j bits of the output Y of the encipherment algorithm are used to encipher the j-bit plaintext block by modulo 2 addition. The remaining bits of Y are discarded. The bits of the plaintext and ciphertext blocks are numbered from 1 to j.

The ciphertext block is augmented by placing k - j “ones” in its leftmost bit positions to become F, a k-bit array, then the bits of the array X are shifted left by k places and the array F is inserted in the rightmost k places, to produce the new value of X. In this shift operation, the leftmost k bits of X are discarded. The initial value of the array X is the starting variable (SV).

Figure 2 - Cipher Feedback (CFB) mode of operation (panels: Encipherment, Decipherment)

7.3 The variables employed for decipherment are the same as those employed for encipherment. The variable X is set to its initial value $X_1 = SV$.

The operation of deciphering each ciphertext block employs the following five steps:
a) use of encipherment algorithm, $Y_i = eK(X_i)$;    (11)
b) selection of leftmost j bits, $E_i = Y_i \sim j$;    (12)
c) generation of plaintext block, $P_i = C_i \oplus E_i$;    (13)
d) generation of feedback block, $F_i = S_j(I(k) \mid C_i)$;    (14)
e) shift function on X, $X_{i+1} = S_k(X_i \mid F_i)$.    (15)

These steps are repeated for i = 1, 2, . . . , n, ending with equation (13) on the last cycle. The procedure is illustrated on the right side of figure 2. The leftmost j bits of the output Y of the encipherment algorithm are used to decipher the j-bit ciphertext block by modulo 2 addition. The remaining bits of Y are discarded. The plaintext and ciphertext blocks have bits numbered from 1 to j.

The ciphertext block is augmented by placing k - j “ones” in its leftmost bit positions to become F, a k-bit array, then the bits of the array X are shifted left by k places and the array F is inserted in the rightmost k places to produce the new value of X. In this shift operation, the leftmost k bits of X are discarded. The initial value of the array X is the starting variable (SV).

7.4 It is recommended that CFB should be used with equal values of j and k. In this recommended form (j = k) the equations (9) and (14) can be written

$F_i = C_i$ (case j = k)

8 Output Feedback (OFB) mode

8.1 One parameter defines an OFB mode of operation, i.e. the size of plaintext variable j where $1 \le j \le 64$.

The variables employed for the OFB mode of operation are
a) The input variables:
   1) a sequence of n plaintext blocks $P_1, P_2, \ldots, P_n$, each of j bits;
   2) a key K;
   3) a starting variable SV of 64 bits.
b) The intermediate results:
   1) a sequence of n algorithm input variables $X_1, X_2, \ldots, X_n$, each of 64 bits;
   2) a sequence of n algorithm output variables $Y_1, Y_2, \ldots, Y_n$, each of 64 bits;
   3) a sequence of n variables $E_1, E_2, \ldots, E_n$, each of j bits.
c) The output variables, i.e. a sequence of n ciphertext variables $C_1, C_2, \ldots, C_n$, each of j bits.

NOTE - The method of forming SV is not described in this International Standard.

The variable X is set to its initial value

$X_1 = SV$    (16)

8.2 The operation of enciphering each plaintext block employs the following four steps:
a) use of encipherment algorithm, $Y_i = eK(X_i)$;    (17)
b) selection of leftmost j bits, $E_i = Y_i \sim j$;    (18)
c) generation of ciphertext block, $C_i = P_i \oplus E_i$;    (19)
d) feedback operation, $X_{i+1} = Y_i$.    (20)

These steps are repeated for i = 1, 2, . . . , n, ending with equation (19) on the last cycle. The procedure is illustrated on the left side of figure 3. The result of each use of the encipherment algorithm, which is $Y_i$, is used to feed back and become the next value of X, namely $X_{i+1}$. The leftmost j bits of $Y_i$ are used to encipher the input block.

8.3 The variables employed for decipherment are the same as those employed for encipherment. The variable X is set to its initial value $X_1 = SV$.

The operation of deciphering each ciphertext block employs the following four steps:
a) use of encipherment algorithm, $Y_i = eK(X_i)$;    (21)
b) selection of leftmost j bits, $E_i = Y_i \sim j$;    (22)
c) generation of plaintext block, $P_i = C_i \oplus E_i$;    (23)
d) feedback operation, $X_{i+1} = Y_i$.    (24)

These steps are repeated for i = 1, 2, . . . , n, ending with equation (23) on the last cycle. The procedure is illustrated in the right side of figure 3. The values of variables $X_i$ and $Y_i$ are the same as those used for encipherment; only equation (23) is different.
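
The CFB procedure of clause 7 and the OFB procedure of clause 8, as an added Python example that is not part of the standard. XTEA stands in for eK as an assumption (any 64-bit block cipher fits), each variable is an integer of j bits, and KEY, SV and PLAIN are constructed sample values; corrupted_positions goes slightly beyond the text to show where a single ciphertext bit error surfaces in each mode.

```python
import struct

MASK64 = (1 << 64) - 1

def e_k(key: bytes, x: int) -> int:
    """Stand-in for eK: XTEA (64-bit block, 128-bit key). An assumption of
    this example; the clauses above work with any 64-bit block cipher."""
    k = struct.unpack(">4I", key)
    v0, v1, s = x >> 32, x & 0xFFFFFFFF, 0
    for _ in range(32):
        v0 = (v0 + ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & 0xFFFFFFFF
        s = (s + 0x9E3779B9) & 0xFFFFFFFF
        v1 = (v1 + ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & 0xFFFFFFFF
    return (v0 << 32) | v1

def cfb(key, sv, units, j, k, decipher=False):
    """Clause 7: j-bit variables, k-bit feedback, 1 <= j <= k <= 64."""
    if not 1 <= j <= k <= 64:
        raise ValueError("need 1 <= j <= k <= 64")
    x, out = sv, []
    for u in units:
        e = e_k(key, x) >> (64 - j)           # (6),(7): E_i = leftmost j bits of Y_i
        out.append(u ^ e)                     # (8) when enciphering, (13) when deciphering
        c = u if decipher else u ^ e          # the feedback always takes the ciphertext
        f = (((1 << (k - j)) - 1) << j) | c   # (9): k - j ones to the left of C_i
        x = ((x << k) | f) & MASK64           # (10): shift X left k places, insert F_i
    return out

def ofb(key, sv, units, j):
    """Clause 8: one routine serves both directions, since X never sees data."""
    if not 1 <= j <= 64:
        raise ValueError("need 1 <= j <= 64")
    x, out = sv, []
    for u in units:
        x = e_k(key, x)                       # (17): Y_i, fed back as X_{i+1} by (20)
        out.append(u ^ (x >> (64 - j)))       # (18),(19) or (22),(23)
    return out

# Constructed sample values, not taken from the standard.
KEY = bytes(range(16))
SV = 0x0123456789ABCDEF
PLAIN = list(b"MODES OF OPERATION")           # 18 variables, each fits in 7 or 8 bits

def corrupted_positions(mode_decipher, cipher):
    """Flip one bit of ciphertext variable 2; list the plaintext variables that change."""
    bad = cipher[:2] + [cipher[2] ^ 0x01] + cipher[3:]
    return [i for i, (p, q) in enumerate(zip(PLAIN, mode_decipher(bad))) if p != q]
```

With j = k = 8, a one-bit error in a CFB ciphertext variable damages that variable and at most the next eight, until the bad bits have been shifted out of X; in OFB it damages only the variable that carried it.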

Figure 3 - Output Feedback (OFB) mode of operation (panels: Encipherment, Decipherment)

Annex

Properties of the modes of operation

(This annex contains comments on the properties of the four modes of operation described in this standard and is not an integral part of the body of the standard.)

A.1 Properties of the Electronic Codebook (ECB) mode of operation

Messages that carry information between computers, or people, may have repetitions or commonly used sequences. In ECB mode, identical plaintext produces (for the same key) identical ciphertext variables. This characteristic makes ECB unsuitable for general use. The use of ECB may be specified in future standards for those purposes where the repetition characteristic is acceptable.

If block boundaries are lost between encipherment and decipherment (for example a bit slip), synchronization between the encryption and decryption operations will be lost until correct block boundaries are re-established. The results of all decipherment operations will be incorrect.

A.2 Properties of the Cipher Block Chaining (CBC) mode of operation

The CBC mode produces the same ciphertext whenever the same plaintext is enciphered using the same key and initialising value. Users who are concerned about this characteristic should devise some way of changing the start of the plaintext, the key or the starting var