CAN CSA-ISO IEC 10116-2007 Information technology - Security techniques - Modes of operation for an n-bit block cipher.pdf

Uploaded by: testyield361 Document ID: 590154 Upload date: 2018-12-15 Format: PDF Pages: 66 Size: 1.93 MB
Resource description

Reference number ISO/IEC 10116:2006(E)
© ISO/IEC 2006

Information technology - Security techniques - Modes of operation for an n-bit block cipher
Technologies de l'information - Techniques de sécurité - Modes opératoires pour un chiffrement par blocs de n-bits

International Organization for Standardization (ISO), 2006. All rights reserved. International Electrotechnical Commission (IEC), 2006. All rights reserved. NOT FOR RESALE.

National Standard of Canada
CAN/CSA-ISO/IEC 10116:07
(ISO/IEC 10116:2006)

International Standard ISO/IEC 10116:2006 (third edition, 2006-02-01) has been adopted without modification (IDT) as CSA Standard CAN/CSA-ISO/IEC 10116:07, which has been approved as a National Standard of Canada by the Standards Council of Canada.

ISBN 978-1-55436-630-9
November 2007

Legal Notice for Standards

Canadian Standards Association (CSA) standards are developed through a consensus standards development process approved by the Standards Council of Canada. This process brings together volunteers representing varied viewpoints and interests to achieve consensus and develop a standard. Although CSA administers the process and establishes rules to promote fairness in achieving consensus, it does not independently test, evaluate, or verify the content of standards.

Disclaimer and exclusion of liability

This document is provided without any representations, warranties, or conditions of any kind, express or implied, including, without limitation, implied warranties or conditions concerning this document's fitness for a particular purpose or use, its merchantability, or its non-infringement of any third party's intellectual property rights. CSA does not warrant the accuracy, completeness, or currency of any of the information published in this document. CSA makes no representations or warranties regarding this document's compliance with any applicable statute, rule, or regulation.

IN NO EVENT SHALL CSA, ITS VOLUNTEERS, MEMBERS, SUBSIDIARIES, OR AFFILIATED COMPANIES, OR THEIR EMPLOYEES, DIRECTORS, OR OFFICERS, BE LIABLE FOR ANY DIRECT, INDIRECT, OR INCIDENTAL DAMAGES, INJURY, LOSS, COSTS, OR EXPENSES, HOWSOEVER CAUSED, INCLUDING BUT NOT LIMITED TO SPECIAL OR CONSEQUENTIAL DAMAGES, LOST REVENUE, BUSINESS INTERRUPTION, LOST OR DAMAGED DATA, OR ANY OTHER COMMERCIAL OR ECONOMIC LOSS, WHETHER BASED IN CONTRACT, TORT (INCLUDING NEGLIGENCE), OR ANY OTHER THEORY OF LIABILITY, ARISING OUT OF OR RESULTING FROM ACCESS TO OR POSSESSION OR USE OF THIS DOCUMENT, EVEN IF CSA HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, INJURY, LOSS, COSTS, OR EXPENSES.

In publishing and making this document available, CSA is not undertaking to render professional or other services for or on behalf of any person or entity or to perform any duty owed by any person or entity to another person or entity. The information in this document is directed to those who have the appropriate degree of experience to use and apply its contents, and CSA accepts no responsibility whatsoever arising in any way from any and all use of or reliance on the information contained in this document.

CSA is a private not-for-profit company that publishes voluntary standards and related documents. CSA has no power, nor does it undertake, to enforce compliance with the contents of the standards or other documents it publishes.

Intellectual property rights and ownership

As between CSA and the users of this document (whether it be in printed or electronic form), CSA is the owner, or the authorized licensee, of all works contained herein that are protected by copyright, all trade-marks (except as otherwise noted to the contrary), and all inventions and trade secrets that may be contained in this document, whether or not such inventions and trade secrets are protected by patents and applications for patents. Without limitation, the unauthorized use, modification, copying, or disclosure of this document may violate laws that protect CSA's and/or others' intellectual property and may give rise to a right in CSA and/or others to seek legal redress for such use, modification, copying, or disclosure. To the extent permitted by licence or by law, CSA reserves all intellectual property rights in this document.

Patent rights

Attention is drawn to the possibility that some of the elements of this standard may be the subject of patent rights. CSA shall not be held responsible for identifying any or all such patent rights. Users of this standard are expressly advised that determination of the validity of any such patent rights is entirely their own
responsibility.

Authorized use of this document

This document is being provided by CSA for informational and non-commercial use only. The user of this document is authorized to do only the following:

If this document is in electronic form:
- load this document onto a computer for the sole purpose of reviewing it;
- search and browse this document; and
- print this document.

Limited copies of this document in print or paper form may be distributed only to persons who are authorized by CSA to have such copies, and only if this Legal Notice appears on each such copy.

In addition, users may not and may not permit others to
- alter this document in any way or remove this Legal Notice from the attached standard;
- sell this document without authorization from CSA; or
- make an electronic copy of this document.

If you do not agree with any of the terms and conditions contained in this Legal Notice, you may not load or use this document or make any copies of the contents hereof, and if you do make such copies, you are required to destroy them immediately. Use of this document constitutes your acceptance of the terms and conditions of this Legal Notice.

Information technology - Security techniques - Modes of operation for an n-bit block cipher
Technical Corrigendum 1:2009 (IDT) to National Standard of Canada CAN/CSA-ISO/IEC 10116-07 (ISO/IEC 10116:2006, IDT)
NOT FOR RESALE. PUBLICATION NON DESTINÉE À LA REVENTE.

CSA Standards Update Service
Technical Corrigendum 1:2009 to CAN/CSA-ISO/IEC 10116-07
October 2009
Title: Information technology - Security techniques - Modes of operation for an n-bit block cipher
Pagination: 1 page (1 text)

To register for e-mail notification about any updates to this publication
- go to www.ShopCSA.ca
- click on E-mail Services under MY ACCOUNT
- click on CSA Standards Update Service

The List ID that you will need to register for updates to this publication is 2418739.
If you require assistance, please e-mail techsupport@csa.ca or call 416-747-2233.
Visit CSA's policy on privacy at www.csagroup.org/legal to find out how we protect your personal information.

ICS 35.040
Ref. No. ISO/IEC 10116:2006/Cor.1:2008(E)
© ISO/IEC 2008 All rights reserved

INTERNATIONAL STANDARD ISO/IEC 10116:2006
TECHNICAL CORRIGENDUM 1
Published 2008-03-15
INTERNATIONAL ORGANIZATION FOR STANDARDIZATION
ORGANISATION INTERNATIONALE DE NORMALISATION
INTERNATIONAL ELECTROTECHNICAL COMMISSION
COMMISSION ÉLECTROTECHNIQUE INTERNATIONALE

Information technology - Security techniques - Modes of operation for an n-bit block cipher
TECHNICAL CORRIGENDUM 1
Technologies de l'information - Techniques de sécurité - Modes opératoires pour un chiffrement par blocs de n bits
RECTIFICATIF TECHNIQUE 1

Technical Corrigendum 1 to ISO/IEC 10116:2006 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.

Page 8, 8.1
Delete the phrase “and r

0, the number of ciphertext blocks that must be stored whilst processing the mode. The value of m should be small (typically m = 1) and at most 1024.

NOTE The choice of 1024 as the upper limit for m is somewhat arbitrary. It is intended to provide a realistic upper bound on the number of hardware processors.

The variables employed by the CBC mode are
a) The input variables
   1) A sequence of q plaintext blocks $P_1, P_2, \ldots, P_q$, each of n bits.
   2) A key K.
   3) A sequence of m starting variables $SV_1, SV_2, \ldots, SV_m$ each of n bits.
   NOTE If m = 1 then this mode is compatible with the CBC mode described in the second edition of this standard (ISO/IEC 10116:1997).
b) The output variables, i.e. a sequence of q ciphertext variables $C_1, C_2, \ldots, C_q$, each of n bits.

7.2 Encryption

The CBC mode of encryption operates as follows:

$C_i = e_K(P_i \oplus SV_i), \quad 1 \le i \le \min(m, q)$

If $q > m$, all subsequent plaintext blocks are encrypted as:

$C_i = e_K(P_i \oplus C_{i-m}), \quad m+1 \le i \le q$

NOTE At any time during the computation, the values of the m most
recent ciphertext blocks need to be stored, e.g. in a cyclically used “feedback buffer” FB (see figure C.2).

This procedure is shown in the left side of figure C.2.

7.3 Decryption

The CBC mode of decryption operates as follows:

$P_i = d_K(C_i) \oplus SV_i, \quad 1 \le i \le \min(m, q)$

If $q > m$, all subsequent plaintext blocks are computed as:

$P_i = d_K(C_i) \oplus C_{i-m}, \quad m+1 \le i \le q$

NOTE At any time during the computation, the values of the m most recent ciphertext blocks need to be stored, e.g. in a cyclically used feedback buffer FB (see figure C.2).

This procedure is shown in the right side of figure C.2.

8 Cipher Feedback (CFB) mode

8.1 Preliminaries

Three parameters define a CFB mode of operation: the size of feedback buffer, r, where $n \le r \le 1024n$ and r n.

b) If r = n then this mode is compatible with the version of CFB mode described in the first edition of this standard (ISO/IEC 10116:1991).
c) the upper bound on r, i.e. $r \le 1024n$ is chosen because it provides a realistic upper bound on the number of hardware processors.

It is recommended that CFB should be used with equal values of j and k (see clause B.3.2).

The variables employed by the CFB mode of operation are
a) The input variables
   1) A sequence of q plaintext variables $P_1, P_2, \ldots, P_q$, each of j bits.
   2) A key K.
   3) A starting variable SV of r bits.
b) The intermediate results
   1) A sequence of q block cipher input blocks $X_1, X_2, \ldots, X_q$, each of n bits.
   2) A sequence of q block cipher output blocks $Y_1, Y_2, \ldots, Y_q$, each of n bits.
   3) A sequence of q variables $E_1, E_2, \ldots, E_q$, each of j bits.
   4) A sequence of q − 1 feedback variables $F_1, F_2, \ldots, F_{q-1}$, each of k bits.
   5) A sequence of q feedback buffer contents $FB_1, FB_2, \ldots, FB_q$ each of r bits.
c) The output variables, i.e. a sequence of q ciphertext variables $C_1, C_2, \ldots, C_q$, each of j bits.

8.2 Encryption

The feedback buffer FB is set to its initial value

$FB_1 = SV$

The operation of encrypting each plaintext variable employs the following six steps.
a) $X_i = n \sim FB_i$ (Selection of leftmost n bits of FB).
b) $Y_i = e_K(X_i)$ (Use of block cipher).
c) $E_i = j \sim Y_i$ (Selection of leftmost j bits of $Y_i$).
d) $C_i = P_i \oplus E_i$ (Generation of ciphertext variable).
e) $F_i = I(k-j) \,|\, C_i$ (Generation of feedback variable).
f) $FB_{i+1} = S_k(FB_i \,|\, F_i)$ (Shift function on FB).

These steps are repeated for i = 1, 2, ..., q, ending with step (d) on the last cycle. The procedure is shown in the left side of figure C.3. The leftmost j bits of the output block Y of the block cipher are used to encrypt the j-bit plaintext variable by modulo 2 addition. The remaining bits of Y are discarded. The plaintext and ciphertext variables have bits numbered from 1 to j.

The
ciphertext variable is augmented by placing k − j one bits in its leftmost bit positions to become the k-bit feedback variable F. Then the bits of the feedback buffer FB are shifted left by k places and F is inserted in the rightmost k places, to produce the new value of the feedback buffer FB. In this shift operation, the leftmost k bits of FB are discarded. The new n leftmost bits of FB are used as the next input X of the encryption process.

8.3 Decryption

The variables employed for decryption are the same as those employed for encryption.

The feedback buffer FB is set to its initial value

$FB_1 = SV$

The operation of decrypting each ciphertext variable employs the following six steps.
a) $X_i = n \sim FB_i$ (Selection of leftmost n bits of FB).
b) $Y_i = e_K(X_i)$ (Use of block cipher).
c) $E_i = j \sim Y_i$ (Selection of leftmost j bits of $Y_i$).
d) $P_i = C_i \oplus E_i$ (Generation of plaintext variable).
e) $F_i = I(k-j) \,|\, C_i$ (Generation of feedback variable).
f) $FB_{i+1} = S_k(FB_i \,|\, F_i)$ (Shift function on FB).

These steps are repeated for i = 1, 2, ..., q, ending with step (d) on the last cycle. The procedure is shown in the right side of figure C.3. The leftmost j bits of the output block Y of the block cipher are used to decrypt the j-bit ciphertext variable by modulo 2 addition. The remaining bits of Y are discarded. The plaintext and ciphertext variables have bits numbered from 1 to j.

The ciphertext variable is augmented by placing k − j one bits in its leftmost bit positions to become the k-bit feedback variable F. Then the bits of the feedback buffer FB are shifted left by k places and F is inserted in the rightmost k places to produce the new value of FB. In this shift operation, the leftmost k bits of FB are discarded. The new n leftmost bits of FB are used as the next input X of the decryption process.

9 Output Feedback (OFB) mode

9.1 Preliminaries

The OFB mode of operation is defined by one parameter, i.e. the size of the plaintext variable j, where $1 \le j \le n$.

The variables employed by the OFB mode of operation are the
a) input variables where
   1) A sequence of q plaintext variables $P_1, P_2, \ldots, P_q$, each of j bits;
   2) A key K; and
   3) A starting variable SV of n bits;
b) intermediate results where
   1) A sequence of q block-cipher input blocks $X_1, X_2, \ldots, X_q$, each of n bits;
   2) A sequence of q block-cipher output blocks $Y_1, Y_2, \ldots, Y_q$, each of n bits; and
   3) A sequence of q variables $E_1, E_2, \ldots, E_q$, each of j bits; and
c) output variables, i.e. a sequence of q ciphertext variables $C_1, C_2, \ldots, C_q$, each of j bits.

9.2 Encryption

The input block X is set to its initial value

$X_1 = SV$

The operation of encrypting each plaintext variable employs the following four steps.
a) $Y_i = e_K(X_i)$ (Use of block cipher).
b) $E_i = j \sim Y_i$ (Selection of leftmost j bits).
c) $C_i = P_i \oplus E_i$ (Generation of ciphertext variable).
d) $X_{i+1} = Y_i$ (Feedback operation).

These steps are repeated for i = 1, 2, ..., q, ending with step (c) on the last cycle. The procedure is shown on the left side of figure C.4. The plaintext and ciphertext variables have bits numbered from 1 to j.

The result of each use of the block cipher is $Y_i$ and this is fed back to become the next value of X, namely $X_{i+1}$. The leftmost j bits of $Y_i$ are used to encrypt the input variable.

9.3 Decryption

The variables employed for decryption are the same as those employed for encryption.

The input block X is set to its initial value

$X_1 = SV$

The operation of decrypting each ciphertext variable employs the following four steps.
a) $Y_i = e_K(X_i)$ (Use of block cipher).
b) $E_i = j \sim Y_i$ (Selection of leftmost j bits).
c) $P_i = C_i \oplus E_i$ (Generation of plaintext variable).
d
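
The CFB steps a) to f) of clause 8 above, written out as an added Python example that is not part of the standard. The block size N = 64 and the HMAC-SHA256 stand-in for the block cipher e_K are assumptions, and the names cfb, leftmost and roundtrip are hypothetical; the code also handles j < k and r > n, and lets you observe that a corrupted ciphertext variable stops affecting decryption once it has been shifted out of FB.

```python
import hashlib
import hmac

N = 64  # block size n in bits; assumed value for this example

def e_K(key: bytes, x: int) -> int:
    # Stand-in for the n-bit block cipher e_K (assumption): HMAC-SHA256
    # truncated to n bits. CFB uses e_K only in the forward direction.
    digest = hmac.new(key, x.to_bytes(N // 8, "big"), hashlib.sha256).digest()
    return int.from_bytes(digest[: N // 8], "big")

def leftmost(t: int, value: int, width: int) -> int:
    # Selection of the leftmost t bits of a width-bit variable.
    return value >> (width - t)

def cfb(key, sv, variables, r, k, j, decrypt=False):
    # variables: list of j-bit integers; sv: r-bit starting variable.
    # j <= k follows from the k - j padding bits of step e).
    assert N <= r <= 1024 * N and 1 <= j <= min(k, N) and k <= r
    fb, out = sv, []                            # FB_1 = SV
    for v in variables:
        x = leftmost(N, fb, r)                  # a) leftmost n bits of FB_i
        y = e_K(key, x)                         # b) Y_i = e_K(X_i)
        e = leftmost(j, y, N)                   # c) leftmost j bits of Y_i
        o = v ^ e                               # d) modulo 2 addition
        c = v if decrypt else o                 # ciphertext variable C_i
        f = (((1 << (k - j)) - 1) << j) | c     # e) F_i = I(k-j) | C_i
        fb = ((fb << k) | f) & ((1 << r) - 1)   # f) shift left k, insert F_i
        out.append(o)
    return out

# Constructed sample data (not from the standard).
KEY = b"example key (constructed)"
PLAIN = list(b"CFB resynchronises after an error")

def roundtrip(r, k, j):
    # Encrypt then decrypt PLAIN as j-bit variables; r must be a multiple of 8 here.
    sv = int.from_bytes(hashlib.shake_256(b"constructed SV").digest(r // 8), "big")
    p = [b & ((1 << j) - 1) for b in PLAIN]
    c = cfb(KEY, sv, p, r, k, j)
    return p, c, cfb(KEY, sv, c, r, k, j, decrypt=True), sv
```

With r = 64 and k = 8, a flipped bit in the first ciphertext variable flips the same bit of the first plaintext variable and can disturb only the following r/k = 8 variables.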
