Block ciphers only operate on fixed-length blocks of data, but the data that actually needs to be encrypted can be of arbitrary length. Several modes of operation have been devised to bridge this gap; the most common ones, Electronic Code Book, Cipher Block Chaining, Cipher Feedback, Output Feedback and Counter, are described in this section.
3.3.3.1 Electronic Code Book
The simplest mode is Electronic Code Book (ECB): the input data is split into blocks and each block is encrypted independently. A block diagram is shown in Figure 3-3. Identical plaintext blocks always produce identical ciphertext blocks, so patterns in the data remain visible in the encrypted data. Because each ciphertext block is also independent of its position, the mode is susceptible to replay, a network attack in which an adversary re-sends valid ciphertext captured by eavesdropping on an earlier session; the receiver cannot tell a replayed block from a fresh one.
Figure 3-3: Block diagram of the ECB cryptographic mode of operation.
3.3.3.2 Cipher Block Chaining
In Cipher Block Chaining (CBC) each plaintext block is XORed with the previous ciphertext block before being encrypted; the first plaintext block is XORed with an initialisation vector (IV), see section 3.3.3.6. A block diagram is shown in Figure 3-4. Each ciphertext block therefore depends on all preceding plaintext blocks, so a single-bit error in a plaintext block changes that ciphertext block and every one that follows it. On decryption, a single-bit error in a ciphertext block garbles the corresponding plaintext block completely and flips the corresponding single bit in the next plaintext block; later blocks are unaffected. Encryption must be done sequentially, because the output of each block is needed as input to the next. Decryption, however, can be parallelised: each plaintext block depends only on its own ciphertext block and the previous ciphertext block, both of which are already available before decryption starts.
Figure 3-4: Block diagram of the CBC cryptographic mode of operation.
3.3.3.3 Cipher Feedback
In Cipher Feedback (CFB) the initialisation vector is encrypted and the first plaintext block is XORed with the result to form the ciphertext; that ciphertext block is then encrypted and XORed with the next plaintext block, and so on. A block diagram is shown in Figure 3-5. A single-bit error in a plaintext block propagates into that ciphertext block and all subsequent ones, because ciphertext is fed back into the cipher. On decryption, a single-bit error in a ciphertext block flips the corresponding bit of the corresponding plaintext block and garbles the entire next block; later blocks recover. Encryption must be done sequentially, but decryption can be parallelised, since every keystream block is the encryption of a ciphertext block that is already known. Note that the block cipher is used in its encryption direction for both encryption and decryption: the plaintext only ever interacts with the output of the block cipher, never with its input.
3.3.3.4 Output Feedback
Output Feedback (OFB) is similar to CFB: an initialisation vector is encrypted and the output is XORed with the plaintext to form the ciphertext. The difference is that the output of the block cipher itself, rather than the ciphertext, is fed back as the next input, before the plaintext is added. A block diagram is shown in Figure 3-6. Because each keystream block is the encryption of the previous one, neither encryption nor decryption can be parallelised (although the keystream can be precomputed), but unlike CFB and CBC, errors do not propagate: a bit error in the ciphertext affects only the corresponding plaintext bit. As in CFB, both directions use the block cipher in its encryption direction; in fact encryption and decryption are exactly the same operation, which simplifies any implementation. It is essential never to reuse an initialisation vector with the same key: doing so produces an identical keystream for both messages, so the XOR of the two ciphertexts equals the XOR of the two plaintexts and leaks a great deal about them. A further weakness of OFB is that if an output of the block cipher happens to equal the initialisation vector, the keystream repeats from that point onwards. The probability of this grows with the amount of data encrypted under the same key, so the problem can be mitigated by changing the key regularly.
Figure 3-6: Block diagram of the OFB cryptographic mode of operation.
3.3.3.5 Counter
Counter mode (CTR) resembles CFB and OFB in that the output of the block cipher is used as a pseudo-random keystream that is XORed with the plaintext to form the ciphertext. The input to the block cipher is a nonce (a contraction of "number used once"), unique to the message, concatenated with a block counter that is incremented for each block. Because every block input is distinct, the keystream blocks can be generated independently and in any order. The same key/nonce combination must never be reused for two messages, since the identical keystream then leaks the XOR of the two plaintexts.
[Figure 3-7 block diagram: CTR encryption and decryption. Each block cipher call takes the key and an input formed from the IV (nonce) 0xf634... concatenated with a counter (0000000, 0000001, ...); the output is XORed with the plaintext to give the ciphertext on encryption, and with the ciphertext to give the plaintext on decryption.]
Figure 3-7: Block diagram of the CTR cryptographic mode of operation.
3.3.3.6 Initialisation Vector
The choice of initialisation vector (IV) can have a significant impact on the security of an encrypted message. If the same IV is used for several messages that start with the same block, the first ciphertext block of each will be identical, revealing to an attacker that the messages share a prefix. A random block of data can be generated and used as the IV; this requires the encryption algorithm to have access to a source of randomness, and since the IV must be known in order to decrypt, a random IV has to be sent along with the message, increasing the size of the ciphertext by one block. Where there are a large number of relatively short messages, this can be a significant overhead.
A better method is to derive the IV from a cryptographic nonce (a number used only once), typically a message counter. The nonce must still be sent with the message, which is still an overhead, but it can be much shorter than a block. It is expanded to a full block by padding it and encrypting it under the key, so that the resulting IV is unpredictable to an attacker who sees only the counter. The padded counter must not be used directly as a CBC IV: a predictable IV lets an attacker who can choose plaintexts test guesses about the contents of earlier blocks.
3.3.3.7 Summary of Modes of operation
Because a constant plaintext block always gives the same ciphertext block under ECB, the mode leaks information about the data; it is also susceptible to replay, and it is generally recommended that it not be used [31]. OFB is very similar to CFB but has several advantages: errors do not propagate, and encryption and decryption are exactly the same operation, which significantly simplifies an implementation; this more than makes up for decryption not being parallelisable. CTR, in turn, is preferable to OFB, because the keystream generated by CTR cannot repeat unless the same key, nonce and counter value are reused, no matter how many times encryption is performed. CTR also has several advantages over CBC: it requires no padding, it can be parallelised arbitrarily in both directions, and it has a simpler structure. The advantage of CBC is that it is more robust and leaks less information when it is not set up securely: a reused IV under CBC reveals only that two messages share a common prefix, whereas a reused nonce under CTR reveals the XOR of the two plaintexts in full.
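A runnable illustration of the five modes and of the properties compared above (error propagation as described in sections 3.3.3.2 to 3.3.3.5, the ECB pattern leak, keystream reuse under OFB/CTR, and the nonce-derived IV of section 3.3.3.6), written for this page in Python; it is an added example and not code from the original text. The block cipher is a stand-in: a four-round Feistel network with HMAC-SHA256 as its round function, chosen only so that the file runs on the standard library alone (AES is assumed to take its place in practice). The function names, the 8-byte nonce / 8-byte counter split, the sample key and the sample plaintexts are all constructed for the example.

```python
import hashlib
import hmac
import os

BLOCK = 16  # block size in bytes of the stand-in cipher below


def _xor(a, b):  # truncates to the shorter input, which handles partial final blocks
    return bytes(x ^ y for x, y in zip(a, b))


def _blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


# Stand-in 128-bit block cipher (assumption, not the page's): a 4-round Feistel
# network whose round function is HMAC-SHA256. It is a keyed permutation, which is
# all the modes need; it replaces AES only so that this file runs offline.
def _round(key, i, half):
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:BLOCK // 2]

def block_encrypt(key, block):
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in range(4):
        l, r = r, _xor(l, _round(key, i, r))
    return l + r

def block_decrypt(key, block):
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in reversed(range(4)):
        l, r = _xor(r, _round(key, i, l)), l
    return l + r


# Modes of operation. ECB/CBC need whole blocks; CFB/OFB/CTR accept any length.
def ecb_encrypt(key, pt):
    return b"".join(block_encrypt(key, b) for b in _blocks(pt))

def ecb_decrypt(key, ct):
    return b"".join(block_decrypt(key, b) for b in _blocks(ct))

def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for b in _blocks(pt):
        prev = block_encrypt(key, _xor(b, prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):  # block i needs only C[i] and C[i-1]: parallelisable
    out, prev = [], iv
    for b in _blocks(ct):
        out.append(_xor(block_decrypt(key, b), prev))
        prev = b
    return b"".join(out)

def cfb_encrypt(key, iv, pt):  # block cipher used in its encryption direction only
    out, prev = [], iv
    for b in _blocks(pt):
        prev = _xor(b, block_encrypt(key, prev))
        out.append(prev)
    return b"".join(out)

def cfb_decrypt(key, iv, ct):
    out, prev = [], iv
    for b in _blocks(ct):
        out.append(_xor(b, block_encrypt(key, prev)))
        prev = b
    return b"".join(out)

def ofb_crypt(key, iv, data):  # encryption and decryption are the same function
    out, state = [], iv
    for b in _blocks(data):
        state = block_encrypt(key, state)  # cipher output, not ciphertext, is fed back
        out.append(_xor(b, state))
    return b"".join(out)

def ctr_crypt(key, nonce, data):  # cipher input = 8-byte nonce || 8-byte counter
    ks = (block_encrypt(key, nonce + i.to_bytes(8, "big")) for i in range(len(_blocks(data))))
    return b"".join(_xor(b, k) for b, k in zip(_blocks(data), ks))

def iv_from_nonce(key, msg_counter):
    """Section 3.3.3.6: expand a short message counter into an unpredictable full
    block by zero-padding it and encrypting it under the key; use that as the CBC IV."""
    return block_encrypt(key, msg_counter.to_bytes(BLOCK, "big"))


# Properties discussed in the text.
def repeated_blocks(ct):
    """Number of ciphertext blocks that duplicate an earlier one (the ECB pattern leak)."""
    bs = _blocks(ct)
    return len(bs) - len(set(bs))

def bit_error_spread(mode, key, iv, pt, byte_index):
    """Flip one ciphertext bit and return, per plaintext block, how many bits of the
    decrypted output differ from the original plaintext."""
    enc, dec = {"cbc": (cbc_encrypt, cbc_decrypt), "cfb": (cfb_encrypt, cfb_decrypt),
                "ofb": (ofb_crypt, ofb_crypt), "ctr": (ctr_crypt, ctr_crypt)}[mode]
    ct = bytearray(enc(key, iv, pt))
    ct[byte_index] ^= 0x01
    back = dec(key, iv, bytes(ct))
    return [sum(bin(x ^ y).count("1") for x, y in zip(a, b))
            for a, b in zip(_blocks(pt), _blocks(back))]

def keystream_reuse_leaks(key, nonce, p1, p2):
    """Same key and nonce for two messages: C1 xor C2 == P1 xor P2, so anyone who
    knows one plaintext reads the other."""
    c1, c2 = ctr_crypt(key, nonce, p1), ctr_crypt(key, nonce, p2)
    return _xor(c1, c2) == _xor(p1, p2)


if __name__ == "__main__":
    key, pt = os.urandom(16), b"A" * 48 + b"B" * 16  # constructed sample input
    print("ECB repeated blocks:", repeated_blocks(ecb_encrypt(key, pt)))
    print("CBC repeated blocks:", repeated_blocks(cbc_encrypt(key, iv_from_nonce(key, 1), pt)))
    for m in ("cbc", "cfb", "ofb", "ctr"):
        print(m, bit_error_spread(m, key, os.urandom(8 if m == "ctr" else 16), pt, 16))
```

Flipping the first bit of ciphertext block 1 of a four-block message gives, per plaintext block, a garbled block then a single flipped bit for CBC, a single flipped bit then a garbled block for CFB, and a single flipped bit only for OFB and CTR, matching the propagation described for each mode. That last, clean single-bit result is also the malleability that makes an authentication tag necessary in practice: none of these modes detects modification.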