哪一个在什么情况下更受欢迎?

我想看看各种模式的评估标准列表,也许还有每个标准的适用性的讨论。

For example, I think one of the criteria is "size of the code" for encryption and decryption, which is important for micro-code embedded systems, like 802.11 network adapters. IF the code required to implement CBC is much smaller than that required for CTR (I don't know this is true, it's just an example), then I could understand why the mode with the smaller code would be preferred. But if I am writing an app that runs on a server, and the AES library I am using implements both CBC and CTR anyway, then this criterion is irrelevant.

看到我说的“评估标准清单和每个标准的适用性”了吗??

这与编程无关,但与算法有关。


当前回答

Generally the sole existence of a chaining mode already reduces the theoretically security as chaining widens the attack surface and also make certain kind of attacks more feasible. On the other hand, without chaining, you can at most encrypt 16 bytes (128 bits) securely, as that's the block size of AES (also of AES-192 and AES-256) and if your input data exceeds that block size, what else would you do than using chaining? Just encrypting the data block by block? That would be ECB and ECB has the worst security to begin with. Anything is more secure than ECB.

Most security analyses recommend that you always use either CBC or CTR, unless you can name any reason why you cannot use one of these two modes. And out of these two modes, they recommend CBC if security is your main concern and CTR if speed is your main concern. That's because CTR is slightly less secure than CBC because it has a higher likeliness of IV (initialization vector) collision, since the presence of the CTR counter reduces the IV value space, and attackers can change some ciphertext bits to damage exactly the same bits in plaintext (which can be an issue if the attacker knows exact bit positions in the data). On the other hand, CTR can be fully parallelized (encryption and decryption) and requires no data padding to a multiple of the block size.

也就是说,他们仍然声称CFB和OFB是安全的,但稍微不太安全,他们一开始就没有真正的优势。CFB与CBC有相同的弱点,最重要的是不能防止重放攻击。OFB与CTR具有相同的弱点,但完全不能并行。所以CFB就像没有填充的CBC,但更不安全,OFB就像CTR,但没有速度优势和更宽的攻击面。

There is only one special case where you may want to use OFB and that's if you need to decrypt data in realtime (e.g. a stream of incoming data) on hardware that is actually too weak for doing so, yet you will know the decryption key way ahead of time. As in that case, you can pre-calculate all the XOR blocks in advance and store them somewhere and when the real data arrives, the entire decryption is just XOR'ing the incoming data with the stored XOR blocks and that requires very little computational power. That's the one thing you can do with OFB that you cannot do with any other chaining.

有关性能分析,请参阅本文。 有关详细的评估(包括安全性),请参阅本文。

其他回答

ECB should not be used if encrypting more than one block of data with the same key. CBC, OFB and CFB are similar, however OFB/CFB is better because you only need encryption and not decryption, which can save code space. CTR is used if you want good parallelization (ie. speed), instead of CBC/OFB/CFB. XTS mode is the most common if you are encoding a random accessible data (like a hard disk or RAM). OCB is by far the best mode, as it allows encryption and authentication in a single pass. However there are patents on it in USA.

你真正需要知道的唯一一件事是,除非你只加密1个区块,否则不要使用ECB。如果要加密随机访问的数据而不是流,则应该使用XTS。

每次加密时都应该使用唯一的IV,而且它们应该是随机的。如果你不能保证它们是随机的,使用OCB,因为它只需要一次,而不是静脉注射,两者有明显的区别。如果人们可以猜出下一个nonce,则nonce不会降低安全性,IV会导致这个问题。

我知道一个方面:尽管CBC通过为每个块更改IV来提供更好的安全性,但它不适用于随机访问的加密内容(比如加密的硬盘)。

因此,对于顺序流使用CBC(和其他顺序模式),对于随机访问使用ECB。

Anything but ECB. If using CTR, it is imperative that you use a different IV for each message, otherwise you end up with the attacker being able to take two ciphertexts and deriving a combined unencrypted plaintext. The reason is that CTR mode essentially turns a block cipher into a stream cipher, and the first rule of stream ciphers is to never use the same Key+IV twice. There really isn't much difference in how difficult the modes are to implement. Some modes only require the block cipher to operate in the encrypting direction. However, most block ciphers, including AES, don't take much more code to implement decryption. For all cipher modes, it is important to use different IVs for each message if your messages could be identical in the first several bytes, and you don't want an attacker knowing this.

Phil Rogaway在2011年做了一个形式化的分析。第1.6节给出了我在这里记录的摘要,并以粗体添加了我自己的重点(如果您没有耐心,那么他建议您使用CTR模式,但我建议您阅读下面关于消息完整性与加密的段落)。

Note that most of these require the IV to be random, which means non-predictable and therefore should be generated with cryptographic security. However, some require only a "nonce", which does not demand that property but instead only requires that it is not re-used. Therefore designs that rely on a nonce are less error prone than designs that do not (and believe me, I have seen many cases where CBC is not implemented with proper IV selection). So you will see that I have added bold when Rogaway says something like "confidentiality is not achieved when the IV is a nonce", it means that if you choose your IV cryptographically secure (unpredictable), then no problem. But if you do not, then you are losing the good security properties. Never re-use an IV for any of these modes.

Also, it is important to understand the difference between message integrity and encryption. Encryption hides data, but an attacker might be able to modify the encrypted data, and the results can potentially be accepted by your software if you do not check message integrity. While the developer will say "but the modified data will come back as garbage after decryption", a good security engineer will find the probability that the garbage causes adverse behaviour in the software, and then he will turn that analysis into a real attack. I have seen many cases where encryption was used but message integrity was really needed more than the encryption. Understand what you need.

我应该说,尽管GCM具有加密和消息完整性,但它是一种非常脆弱的设计:如果你重复使用IV,你就完蛋了——攻击者可以恢复你的密钥。其他设计没有那么脆弱,所以我个人不敢推荐GCM,因为我在实践中看到了大量糟糕的加密代码。

如果你同时需要消息完整性和加密,你可以结合两种算法:通常我们看到CBC和HMAC,但没有理由把自己绑定到CBC。重要的是要知道先加密,然后MAC加密的内容,而不是相反。此外,IV需要成为MAC计算的一部分。

我不了解知识产权问题。

下面是罗格威教授的好消息:

分组密码模式,加密但不消息完整性

ECB: A blockcipher, the mode enciphers messages that are a multiple of n bits by separately enciphering each n-bit piece. The security properties are weak, the method leaking equality of blocks across both block positions and time. Of considerable legacy value, and of value as a building block for other schemes, but the mode does not achieve any generally desirable security goal in its own right and must be used with considerable caution; ECB should not be regarded as a “general-purpose” confidentiality mode.

CBC: An IV-based encryption scheme, the mode is secure as a probabilistic encryption scheme, achieving indistinguishability from random bits, assuming a random IV. Confidentiality is not achieved if the IV is merely a nonce, nor if it is a nonce enciphered under the same key used by the scheme, as the standard incorrectly suggests to do. Ciphertexts are highly malleable. No chosen ciphertext attack (CCA) security. Confidentiality is forfeit in the presence of a correct-padding oracle for many padding methods. Encryption inefficient from being inherently serial. Widely used, the mode’s privacy-only security properties result in frequent misuse. Can be used as a building block for CBC-MAC algorithms. I can identify no important advantages over CTR mode.

CFB: An IV-based encryption scheme, the mode is secure as a probabilistic encryption scheme, achieving indistinguishability from random bits, assuming a random IV. Confidentiality is not achieved if the IV is predictable, nor if it is made by a nonce enciphered under the same key used by the scheme, as the standard incorrectly suggests to do. Ciphertexts are malleable. No CCA-security. Encryption inefficient from being inherently serial. Scheme depends on a parameter s, 1 ≤ s ≤ n, typically s = 1 or s = 8. Inefficient for needing one blockcipher call to process only s bits . The mode achieves an interesting “self-synchronization” property; insertion or deletion of any number of s-bit characters into the ciphertext only temporarily disrupts correct decryption.

OFB: An IV-based encryption scheme, the mode is secure as a probabilistic encryption scheme, achieving indistinguishability from random bits, assuming a random IV. Confidentiality is not achieved if the IV is a nonce, although a fixed sequence of IVs (eg, a counter) does work fine. Ciphertexts are highly malleable. No CCA security. Encryption and decryption inefficient from being inherently serial. Natively encrypts strings of any bit length (no padding needed). I can identify no important advantages over CTR mode.

CTR: An IV-based encryption scheme, the mode achieves indistinguishability from random bits assuming a nonce IV. As a secure nonce-based scheme, the mode can also be used as a probabilistic encryption scheme, with a random IV. Complete failure of privacy if a nonce gets reused on encryption or decryption. The parallelizability of the mode often makes it faster, in some settings much faster, than other confidentiality modes. An important building block for authenticated-encryption schemes. Overall, usually the best and most modern way to achieve privacy-only encryption.

XTS: An IV-based encryption scheme, the mode works by applying a tweakable blockcipher (secure as a strong-PRP) to each n-bit chunk. For messages with lengths not divisible by n, the last two blocks are treated specially. The only allowed use of the mode is for encrypting data on a block-structured storage device. The narrow width of the underlying PRP and the poor treatment of fractional final blocks are problems. More efficient but less desirable than a (wide-block) PRP-secure blockcipher would be.

mac(消息完整性,而不是加密)

ALG1–6: A collection of MACs, all of them based on the CBC-MAC. Too many schemes. Some are provably secure as VIL PRFs, some as FIL PRFs, and some have no provable security. Some of the schemes admit damaging attacks. Some of the modes are dated. Key-separation is inadequately attended to for the modes that have it. Should not be adopted en masse, but selectively choosing the “best” schemes is possible. It would also be fine to adopt none of these modes, in favor of CMAC. Some of the ISO 9797-1 MACs are widely standardized and used, especially in banking. A revised version of the standard (ISO/IEC FDIS 9797-1:2010) will soon be released [93].

CMAC:基于CBC-MAC的MAC,该模式作为(VIL) PRF是可证明安全的(直到生日界限)(假设底层块密码是一个良好的PRP)。基本上是基于cbcmac的方案的最小开销。在某些应用程序域中,固有的串行特性是一个问题,并且使用64位块密码将需要偶尔重新输入密钥。比ISO 9797-1系列的mac更干净。

HMAC:基于加密哈希函数而不是区块密码的MAC(尽管大多数加密哈希函数本身是基于区块密码的)。机制具有很强的可证明安全界限,尽管不是来自首选的假设。文献中多个密切相关的变体使理解已知的东西变得复杂。没有任何破坏性攻击的建议。广泛标准化和使用。

GMAC:一个非基于MAC,是GCM的特殊情况。继承了GCM的许多好的和坏的特性。但是对于MAC来说,“无要求”是不必要的,而且在这方面它几乎没有什么好处。如果标记被截断到≤64位,并且解密的范围没有被监控和限制,则实际攻击。在非重用上完全失败。如果采用GCM,则使用是隐式的。不建议单独标准化。

身份验证加密(加密和消息完整性)

CCM:一种结合CTR模式加密和原始加密的非基于AEAD方案 CBC-MAC。固有的串行性,在某些情况下限制了速度。可证明的安全,具有良好的边界,假设底层区块密码是一个良好的PRP。笨拙的结构,显然能做到。实现起来比GCM简单。可以作为一个非基于MAC。广泛标准化和使用。

GCM: A nonce-based AEAD scheme that combines CTR mode encryption and a GF(2128)-based universal hash function. Good efficiency characteristics for some implementation environments. Good provably-secure results assuming minimal tag truncation. Attacks and poor provable-security bounds in the presence of substantial tag truncation. Can be used as a nonce-based MAC, which is then called GMAC. Questionable choice to allow nonces other than 96-bits. Recommend restricting nonces to 96-bits and tags to at least 96 bits. Widely standardized and used.

Generally the sole existence of a chaining mode already reduces the theoretically security as chaining widens the attack surface and also make certain kind of attacks more feasible. On the other hand, without chaining, you can at most encrypt 16 bytes (128 bits) securely, as that's the block size of AES (also of AES-192 and AES-256) and if your input data exceeds that block size, what else would you do than using chaining? Just encrypting the data block by block? That would be ECB and ECB has the worst security to begin with. Anything is more secure than ECB.

Most security analyses recommend that you always use either CBC or CTR, unless you can name any reason why you cannot use one of these two modes. And out of these two modes, they recommend CBC if security is your main concern and CTR if speed is your main concern. That's because CTR is slightly less secure than CBC because it has a higher likeliness of IV (initialization vector) collision, since the presence of the CTR counter reduces the IV value space, and attackers can change some ciphertext bits to damage exactly the same bits in plaintext (which can be an issue if the attacker knows exact bit positions in the data). On the other hand, CTR can be fully parallelized (encryption and decryption) and requires no data padding to a multiple of the block size.

也就是说,他们仍然声称CFB和OFB是安全的,但稍微不太安全,他们一开始就没有真正的优势。CFB与CBC有相同的弱点,最重要的是不能防止重放攻击。OFB与CTR具有相同的弱点,但完全不能并行。所以CFB就像没有填充的CBC,但更不安全,OFB就像CTR,但没有速度优势和更宽的攻击面。

There is only one special case where you may want to use OFB and that's if you need to decrypt data in realtime (e.g. a stream of incoming data) on hardware that is actually too weak for doing so, yet you will know the decryption key way ahead of time. As in that case, you can pre-calculate all the XOR blocks in advance and store them somewhere and when the real data arrives, the entire decryption is just XOR'ing the incoming data with the stored XOR blocks and that requires very little computational power. That's the one thing you can do with OFB that you cannot do with any other chaining.

有关性能分析,请参阅本文。 有关详细的评估(包括安全性),请参阅本文。