Used with an underlying block cipher algorithm that is approved in a Federal Information Processing Standard (FIPS), these modes can provide cryptographic protection for sensitive, but unclassified, computer data.

1 Purpose

This publication provides recommendations regarding modes of operation to be used with symmetric key block cipher algorithms.

2 Authority

This document has been developed by the National Institute of Standards and Technology (NIST) in furtherance of its statutory responsibilities under the Computer Security Act of 1987 (Public Law 100-235) and the Information Technology Management Reform Act of 1996, specifically 15 U.S.C. 278 g-3(a)(5).

Conformance testing for implementations of the modes of operation that are specified in this recommendation will be conducted within the framework of the Cryptographic Module Validation Program (CMVP), a joint effort of the NIST and the Communications Security Establishment of the Government of Canada. An implementation of a mode of operation must adhere to the requirements in this recommendation in order to be validated under the CMVP.

3 Introduction

This recommendation specifies five confidentiality modes of operation for symmetric key block cipher algorithms, such as the algorithm specified in FIPS Pub. 197, the Advanced Encryption Standard (AES) [2]. The modes may be used in conjunction with any symmetric key block cipher algorithm that is approved by a Federal Information Processing Standard (FIPS). The five modes--the Electronic Codebook (ECB), Cipher Block Chaining (CBC), Cipher Feedback (CFB), Output Feedback (OFB), and Counter (CTR) modes--can provide data confidentiality.

Two FIPS publications already approve confidentiality modes of operation for two particular block cipher algorithms. FIPS Pub. 81 [4] specifies the ECB, CBC, CFB, and OFB modes of the Data Encryption Standard (DES). FIPS Pub. 46-3 [3] approves the seven modes that are specified in ANSI X9.52 [1].
Four of these modes are equivalent to the ECB, CBC, CFB, and OFB modes with the Triple DES algorithm (TDEA) as the underlying block cipher; the other three modes in ANSI X9.52 are variants of the CBC, CFB, and OFB modes of Triple DES that use interleaving or pipelining.

Thus, there are three new elements in this recommendation: 1) the extension of the four confidentiality modes in FIPS Pub. 81 for use with any FIPS-approved block cipher; 2) the revision of the requirements for these modes; and 3) the specification of an additional confidentiality mode, the CTR mode, for use with any FIPS-approved block cipher.

4 Definitions, Abbreviations, and Symbols

4.1 Definitions and Abbreviations

Bit: A binary digit: 0 or 1.
Bit Error: The substitution of a '0' bit for a '1' bit, or vice versa.
Bit String: An ordered sequence of 0's and 1's.
Block Cipher: A family of functions and their inverse functions that is parameterized by cryptographic keys; the functions map bit strings of a fixed length to bit strings of the same length.
Block Size: The number of bits in an input (or output) block of the block cipher.
CBC: Cipher Block Chaining.
CFB: Cipher Feedback.
Ciphertext: Encrypted data.
Confidentiality Mode: A mode that is used to encipher plaintext and decipher ciphertext. The confidentiality modes in this recommendation are the ECB, CBC, CFB, OFB, and CTR modes.
CTR: Counter.
Cryptographic Key: A parameter used in the block cipher algorithm that determines the forward cipher operation and the inverse cipher operation.
Data Block (Block): A sequence of bits whose length is the block size of the block cipher.
Data Segment (Segment): In the CFB mode, a sequence of bits whose length is a parameter that does not exceed the block size.
Decryption (Deciphering): The process of a confidentiality mode that transforms encrypted data into the original usable data.
ECB: Electronic Codebook.
Encryption (Enciphering): The process of a confidentiality mode that transforms usable data into an unreadable form.
Exclusive-OR: The bitwise addition, modulo 2, of two bit strings of equal length.
FIPS: Federal Information Processing Standard.
Forward Cipher Function (Forward Cipher Operation): One of the two functions of the block cipher algorithm that is selected by the cryptographic key.
Initialization Vector (IV): A data block that some modes of operation require as an additional initial input.
Input Block: A data block that is an input to either the forward cipher function or the inverse cipher function of the block cipher algorithm.
Inverse Cipher Function (Inverse Cipher Operation): The function that reverses the transformation of the forward cipher function when the same cryptographic key is used.
Least Significant Bit(s): The right-most bit(s) of a bit string.
Mode of Operation (Mode): An algorithm for the cryptographic transformation of data that features a symmetric key block cipher algorithm.
Most Significant Bit(s): The left-most bit(s) of a bit string.
Nonce: A value that is used only once.
Octet: A group of eight binary digits.
OFB: Output Feedback.

American Bankers Association, Washington, D.C., July 29, 1998.
[2] FIPS Publication 197, "Advanced Encryption Standard (AES)." U.S. DoC/NIST, November 26, 2001.
[3] FIPS Publication 46-3, "Data Encryption Standard (DES)." U.S. DoC/NIST, October 25, 1999.
[4] FIPS Publication 81, "DES Modes of Operation." U.S. DoC/NIST, December 1980.
[5] A. Menezes, P. van Oorschot, and S. Vanstone, "Handbook of Applied Cryptography." CRC Press, New York, 1997.