Post on 03-Jun-2018
8/12/2019 Sp800-38a(Apuntes Sobre Algorimos de Criptografia)
1/66
NIST Special Publication 800-38A
2001 Edition
Recommendation for Block Cipher Modes of Operation
Methods and Techniques
Morris Dworkin
COMPUTER SECURITY
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
Gaithersburg, MD 20899-8930
December 2001
U.S. Department of Commerce
Donald L. Evans, Secretary
Technology Administration
Phillip J. Bond, Under Secretary of Commerce for Technology
National Institute of Standards and Technology
Arden L. Bement, Jr., Director
Reports on Information Security Technology
The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the Nation's measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analyses to advance the development and productive use of information technology. ITL's responsibilities include the development of technical, physical, administrative, and management standards and guidelines for the cost-effective security and privacy of sensitive unclassified information in Federal computer systems. This Special Publication 800-series reports on ITL's research, guidance, and outreach efforts in computer security, and its collaborative activities with industry, government, and academic organizations.

Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by the National Institute of Standards and Technology, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose.
National Institute of Standards and Technology Special Publication 800-38A 2001 ED
Natl. Inst. Stand. Technol. Spec. Publ. 800-38A 2001 ED, 66 pages (December 2001)
CODEN: NSPUE2
U.S. GOVERNMENT PRINTING OFFICE
WASHINGTON: 2001
For sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov Phone: (202) 512-1800 Fax: (202) 512-2250
Mail: Stop SSOP, Washington, DC 20402-0001
Abstract
This recommendation defines five confidentiality modes of operation for use with an underlying symmetric key block cipher algorithm: Electronic Codebook (ECB), Cipher Block Chaining (CBC), Cipher Feedback (CFB), Output Feedback (OFB), and Counter (CTR). Used with an underlying block cipher algorithm that is approved in a Federal Information Processing Standard (FIPS), these modes can provide cryptographic protection for sensitive, but unclassified, computer data.

KEY WORDS: Computer security; cryptography; data security; block cipher; encryption; Federal Information Processing Standard; mode of operation.
Table of Contents
1 PURPOSE ..... 1
2 AUTHORITY ..... 1
3 INTRODUCTION ..... 1
4 DEFINITIONS, ABBREVIATIONS, AND SYMBOLS ..... 3
4.1 DEFINITIONS AND ABBREVIATIONS ..... 3
4.2 SYMBOLS ..... 5
4.2.1 Variables ..... 5
4.2.2 Operations and Functions ..... 5
5 PRELIMINARIES ..... 7
5.1 UNDERLYING BLOCK CIPHER ALGORITHM ..... 7
5.2 REPRESENTATION OF THE PLAINTEXT AND THE CIPHERTEXT ..... 7
5.3 INITIALIZATION VECTORS ..... 8
5.4 EXAMPLES OF OPERATIONS AND FUNCTIONS ..... 8
6 BLOCK CIPHER MODES OF OPERATION ..... 9
6.1 THE ELECTRONIC CODEBOOK MODE ..... 9
6.2 THE CIPHER BLOCK CHAINING MODE ..... 10
6.3 THE CIPHER FEEDBACK MODE ..... 11
6.4 THE OUTPUT FEEDBACK MODE ..... 13
6.5 THE COUNTER MODE ..... 15
APPENDIX A: PADDING ..... 17
APPENDIX B: GENERATION OF COUNTER BLOCKS ..... 18
B.1 THE STANDARD INCREMENTING FUNCTION ..... 18
B.2 CHOOSING INITIAL COUNTER BLOCKS ..... 19
APPENDIX C: GENERATION OF INITIALIZATION VECTORS ..... 20
APPENDIX D: ERROR PROPERTIES ..... 21
APPENDIX E: MODES OF TRIPLE DES ..... 23
APPENDIX F: EXAMPLE VECTORS FOR MODES OF OPERATION OF THE AES ..... 24
F.1 ECB EXAMPLE VECTORS ..... 24
F.1.1 ECB-AES128.Encrypt ..... 24
F.1.2 ECB-AES128.Decrypt ..... 24
F.1.3 ECB-AES192.Encrypt ..... 25
F.1.4 ECB-AES192.Decrypt ..... 25
F.1.5 ECB-AES256.Encrypt ..... 26
F.1.6 ECB-AES256.Decrypt ..... 26
F.2 CBC EXAMPLE VECTORS ..... 27
F.2.1 CBC-AES128.Encrypt ..... 27
F.2.2 CBC-AES128.Decrypt ..... 27
F.2.3 CBC-AES192.Encrypt ..... 28
F.2.4 CBC-AES192.Decrypt ..... 28
F.2.5 CBC-AES256.Encrypt ..... 28
F.2.6 CBC-AES256.Decrypt ..... 29
F.3 CFB EXAMPLE VECTORS ..... 29
F.3.1 CFB1-AES128.Encrypt ..... 29
F.3.2 CFB1-AES128.Decrypt ..... 31
F.3.3 CFB1-AES192.Encrypt ..... 33
F.3.4 CFB1-AES192.Decrypt ..... 34
F.3.5 CFB1-AES256.Encrypt ..... 36
F.3.6 CFB1-AES256.Decrypt ..... 37
F.3.7 CFB8-AES128.Encrypt ..... 39
F.3.8 CFB8-AES128.Decrypt ..... 41
F.3.9 CFB8-AES192.Encrypt ..... 42
F.3.10 CFB8-AES192.Decrypt ..... 44
F.3.11 CFB8-AES256.Encrypt ..... 46
F.3.12 CFB8-AES256.Decrypt ..... 48
F.3.13 CFB128-AES128.Encrypt ..... 50
F.3.14 CFB128-AES128.Decrypt ..... 50
F.3.15 CFB128-AES192.Encrypt ..... 50
F.3.16 CFB128-AES192.Decrypt ..... 51
F.3.17 CFB128-AES256.Encrypt ..... 51
F.3.18 CFB128-AES256.Decrypt ..... 52
F.4 OFB EXAMPLE VECTORS ..... 52
F.4.1 OFB-AES128.Encrypt ..... 52
F.4.2 OFB-AES128.Decrypt ..... 53
F.4.3 OFB-AES192.Encrypt ..... 53
F.4.4 OFB-AES192.Decrypt ..... 54
F.4.5 OFB-AES256.Encrypt ..... 54
F.4.6 OFB-AES256.Decrypt ..... 55
F.5 CTR EXAMPLE VECTORS ..... 55
F.5.1 CTR-AES128.Encrypt ..... 55
F.5.2 CTR-AES128.Decrypt ..... 56
F.5.3 CTR-AES192.Encrypt ..... 56
F.5.4 CTR-AES192.Decrypt ..... 57
F.5.5 CTR-AES256.Encrypt ..... 57
F.5.6 CTR-AES256.Decrypt ..... 57
APPENDIX G: REFERENCES ..... 59
Table of Figures
Figure 1: The ECB Mode ..... 9
Figure 2: The CBC Mode ..... 10
Figure 3: The CFB Mode ..... 12
Figure 4: The OFB Mode ..... 14
Figure 5: The CTR Mode ..... 16
1 Purpose
This publication provides recommendations regarding modes of operation to be used with symmetric key block cipher algorithms.
2 Authority
This document has been developed by the National Institute of Standards and Technology (NIST) in furtherance of its statutory responsibilities under the Computer Security Act of 1987 (Public Law 100-235) and the Information Technology Management Reform Act of 1996, specifically 15 U.S.C. 278g-3(a)(5). This is not a guideline within the meaning of 15 U.S.C. 278 g-3(a)(5).

This recommendation is neither a standard nor a guideline, and as such, is neither mandatory nor binding on Federal agencies. Federal agencies and non-government organizations may use this recommendation on a voluntary basis. It is not subject to copyright.

Nothing in this recommendation should be taken to contradict standards and guidelines that have been made mandatory and binding upon Federal agencies by the Secretary of Commerce under his statutory authority. Nor should this recommendation be interpreted as altering or superseding the existing authorities of the Secretary of Commerce, the Director of the Office of Management and Budget, or any other Federal official.

Conformance testing for implementations of the modes of operation that are specified in this recommendation will be conducted within the framework of the Cryptographic Module Validation Program (CMVP), a joint effort of the NIST and the Communications Security Establishment of the Government of Canada. An implementation of a mode of operation must adhere to the requirements in this recommendation in order to be validated under the CMVP.
3 Introduction
This recommendation specifies five confidentiality modes of operation for symmetric key block cipher algorithms, such as the algorithm specified in FIPS Pub. 197, the Advanced Encryption Standard (AES) [2]. The modes may be used in conjunction with any symmetric key block cipher algorithm that is approved by a Federal Information Processing Standard (FIPS). The five modes, the Electronic Codebook (ECB), Cipher Block Chaining (CBC), Cipher Feedback (CFB), Output Feedback (OFB), and Counter (CTR) modes, can provide data confidentiality.

Two FIPS publications already approve confidentiality modes of operation for two particular block cipher algorithms. FIPS Pub. 81 [4] specifies the ECB, CBC, CFB, and OFB modes of the Data Encryption Standard (DES). FIPS Pub. 46-3 [3] approves the seven modes that are specified in ANSI X9.52 [1]. Four of these modes are equivalent to the ECB, CBC, CFB, and OFB modes with the Triple DES algorithm (TDEA) as the underlying block cipher; the other three modes in ANSI X9.52 are variants of the CBC, CFB, and OFB modes of Triple DES that use interleaving or pipelining.

Thus, there are three new elements in this recommendation: 1) the extension of the four confidentiality modes in FIPS Pub 81 for use with any FIPS-approved block cipher; 2) the revision of the requirements for these modes; and 3) the specification of an additional confidentiality mode, the CTR mode, for use with any FIPS-approved block cipher.
4 Definitions, Abbreviations, and Symbols
4.1 Definitions and Abbreviations
Bit: A binary digit: 0 or 1.
Bit Error: The substitution of a 0 bit for a 1 bit, or vice versa.
Bit String: An ordered sequence of 0s and 1s.
Block Cipher: A family of functions and their inverse functions that is parameterized by cryptographic keys; the functions map bit strings of a fixed length to bit strings of the same length.
Block Size: The number of bits in an input (or output) block of the block cipher.
CBC: Cipher Block Chaining.
CFB: Cipher Feedback.
Ciphertext: Encrypted data.
Confidentiality Mode: A mode that is used to encipher plaintext and decipher ciphertext. The confidentiality modes in this recommendation are the ECB, CBC, CFB, OFB, and CTR modes.
CTR: Counter.
Cryptographic Key: A parameter used in the block cipher algorithm that determines the forward cipher operation and the inverse cipher operation.
Data Block (Block): A sequence of bits whose length is the block size of the block cipher.
Data Segment (Segment): In the CFB mode, a sequence of bits whose length is a parameter that does not exceed the block size.
Decryption (Deciphering): The process of a confidentiality mode that transforms encrypted data into the original usable data.
ECB: Electronic Codebook.
Encryption (Enciphering): The process of a confidentiality mode that transforms usable data into an unreadable form.
Exclusive-OR: The bitwise addition, modulo 2, of two bit strings of equal length.
FIPS: Federal Information Processing Standard.
Forward Cipher Function (Forward Cipher Operation): One of the two functions of the block cipher algorithm that is selected by the cryptographic key.
Initialization Vector (IV): A data block that some modes of operation require as an additional initial input.
Input Block: A data block that is an input to either the forward cipher function or the inverse cipher function of the block cipher algorithm.
Inverse Cipher Function (Inverse Cipher Operation): The function that reverses the transformation of the forward cipher function when the same cryptographic key is used.
Least Significant Bit(s): The right-most bit(s) of a bit string.
Mode of Operation (Mode): An algorithm for the cryptographic transformation of data that features a symmetric key block cipher algorithm.
Most Significant Bit(s): The left-most bit(s) of a bit string.
Nonce: A value that is used only once.
Octet: A group of eight binary digits.
OFB: Output Feedback.
Output Block: A data block that is an output of either the forward cipher function or the inverse cipher function of the block cipher algorithm.
Plaintext: Usable data that is formatted as input to a mode.
4.2 Symbols
4.2.1 Variables
b: The block size, in bits.
j: The index to a sequence of data blocks or data segments ordered from left to right.
n: The number of data blocks or data segments in the plaintext.
s: The number of bits in a data segment.
u: The number of bits in the last plaintext or ciphertext block.
C_j: The jth ciphertext block.
C#_j: The jth ciphertext segment.
C*_n: The last block of the ciphertext, which may be a partial block.
I_j: The jth input block.
IV: The initialization vector.
K: The secret key.
O_j: The jth output block.
P_j: The jth plaintext block.
P#_j: The jth plaintext segment.
P*_n: The last block of the plaintext, which may be a partial block.
T_j: The jth counter block.
4.2.2 Operations and Functions
X | Y: The concatenation of two bit strings X and Y.
X ⊕ Y: The bitwise exclusive-OR of two bit strings X and Y of the same length.
CIPH_K(X): The forward cipher function of the block cipher algorithm under the key K applied to the data block X.
CIPH^-1_K(X): The inverse cipher function of the block cipher algorithm under the key K applied to the data block X.
LSB_m(X): The bit string consisting of the m least significant bits of the bit string X.
MSB_m(X): The bit string consisting of the m most significant bits of the bit string X.
[x]_m: The binary representation of the non-negative integer x, in m bits, where x
5 Preliminaries
5.1 Underlying Block Cipher Algorithm
This recommendation assumes that a FIPS-approved symmetric key block cipher algorithm has been chosen as the underlying algorithm, and that a secret, random key, denoted K, has been established among all of the parties to the communication. The cryptographic key regulates the functioning of the block cipher algorithm and, thus, by extension, regulates the functioning of the mode. The specifications of the block cipher algorithms and the modes are public, so the security of the mode depends, at a minimum, on the secrecy of the key.

A confidentiality mode of operation of the block cipher algorithm consists of two processes that are inverses of each other: encryption and decryption. Encryption is the transformation of a usable message, called the plaintext, into an unreadable form, called the ciphertext; decryption is the transformation that recovers the plaintext from the ciphertext.

For any given key, the underlying block cipher algorithm of the mode also consists of two functions that are inverses of each other. These two functions are often called encryption and decryption, but in this recommendation, those terms are reserved for the processes of the confidentiality modes. Instead, as part of the choice of the block cipher algorithm, one of the two functions is designated as the forward cipher function, denoted CIPH_K; the other function is then called the inverse cipher function, denoted CIPH^-1_K. The inputs and outputs of both functions are called input blocks and output blocks. The input and output blocks of the block cipher algorithm have the same bit length, called the block size, denoted b.
5.2 Representation of the Plaintext and the Ciphertext
For all of the modes in this recommendation, the plaintext must be represented as a sequence of bit strings; the requirements on the lengths of the bit strings vary according to the mode:

For the ECB and CBC modes, the total number of bits in the plaintext must be a multiple of the block size, b; in other words, for some positive integer n, the total number of bits in the plaintext must be nb. The plaintext consists of a sequence of n bit strings, each with bit length b. The bit strings in the sequence are called data blocks, and the plaintext is denoted P_1, P_2, ..., P_n.

For the CFB mode, the total number of bits in the plaintext must be a multiple of a parameter, denoted s, that does not exceed the block size; in other words, for some positive integer n, the total number of bits in the message must be ns. The plaintext consists of a sequence of n bit strings, each with bit length s. The bit strings in the sequence are called data segments, and the plaintext is denoted P#_1, P#_2, ..., P#_n.

For the OFB and CTR modes, the plaintext need not be a multiple of the block size. Let n and u denote the unique pair of positive integers such that the total number of bits in the message is (n-1)b + u, where 1 ≤ u ≤ b. The plaintext consists of a sequence of n bit strings, in which the bit length of the last bit string is u, and the bit length of the other bit strings is b. The sequence is denoted P_1, P_2, ..., P_{n-1}, P*_n, and the bit strings are called data blocks, although the last bit string, P*_n, may not be a complete block.

For each mode, the encryption process transforms every plaintext data block or segment into a corresponding ciphertext data block or segment with the same bit length, so that the ciphertext is a sequence of data blocks or segments. The ciphertext is denoted as follows: for the ECB and CBC modes, C_1, C_2, ..., C_n; for the CFB mode, C#_1, C#_2, ..., C#_n; and, for the OFB and CTR modes, C_1, C_2, ..., C_{n-1}, C*_n, where C*_n may be a partial block.

The formatting of the plaintext, including in some cases the appending of padding bits to form complete data blocks or data segments, is outside the scope of this recommendation. Padding is discussed in Appendix A.
5.3 Initialization Vectors
The input to the encryption processes of the CBC, CFB, and OFB modes includes, in addition to the plaintext, a data block called the initialization vector (IV), denoted IV. The IV is used in an initial step in the encryption of a message and in the corresponding decryption of the message. The IV need not be secret; however, for the CBC and CFB modes, the IV for any particular execution of the encryption process must be unpredictable, and, for the OFB mode, unique IVs must be used for each execution of the encryption process. The generation of IVs is discussed in Appendix C.
5.4 Examples of Operations and Functions
The concatenation operation on bit strings is denoted |; for example, 001 | 10111 = 00110111.

Given bit strings of equal length, the exclusive-OR operation, denoted ⊕, specifies the addition, modulo 2, of the bits in each bit position, i.e., without carries. Thus, 10011 ⊕ 10101 = 00110, for example.

The functions LSB_s and MSB_s return the s least significant bits and the s most significant bits of their arguments. For example, LSB_3(111011010) = 010, and MSB_4(111011010) = 1110.

Given a positive integer m and a non-negative (decimal) integer x that is less than 2^m, the binary representation of x in m bits is denoted [x]_m. For example, [45]_8 = 00101101.
6 Block Cipher Modes of Operation
The mathematical specifications of the five modes are given in Sections 6.1-6.5, along with descriptions, illustrations, and comments on the potential for parallel processing.
6.1 The Electronic Codebook Mode
The Electronic Codebook (ECB) mode is a confidentiality mode that features, for a given key, the assignment of a fixed ciphertext block to each plaintext block, analogous to the assignment of code words in a codebook. The Electronic Codebook (ECB) mode is defined as follows:

ECB Encryption: C_j = CIPH_K(P_j) for j = 1 ... n.
ECB Decryption: P_j = CIPH^-1_K(C_j) for j = 1 ... n.

In ECB encryption, the forward cipher function is applied directly and independently to each block of the plaintext. The resulting sequence of output blocks is the ciphertext.

In ECB decryption, the inverse cipher function is applied directly and independently to each block of the ciphertext. The resulting sequence of output blocks is the plaintext.
[Figure 1: The ECB Mode. ECB Encryption: PLAINTEXT → INPUT BLOCK → CIPH_K → OUTPUT BLOCK → CIPHERTEXT. ECB Decryption: CIPHERTEXT → INPUT BLOCK → CIPH^-1_K → OUTPUT BLOCK → PLAINTEXT.]

In ECB encryption and ECB decryption, multiple forward cipher functions and inverse cipher functions can be computed in parallel.
In the ECB mode, under a given key, any given plaintext block always gets encrypted to the same ciphertext block. If this property is undesirable in a particular application, the ECB mode should not be used.

The ECB mode is illustrated in Figure 1.
6.2 The Cipher Block Chaining Mode
The Cipher Block Chaining (CBC) mode is a confidentiality mode whose encryption process features the combining (chaining) of the plaintext blocks with the previous ciphertext blocks. The CBC mode requires an IV to combine with the first plaintext block. The IV need not be secret, but it must be unpredictable; the generation of such IVs is discussed in Appendix C. Also, the integrity of the IV should be protected, as discussed in Appendix D. The CBC mode is defined as follows:

CBC Encryption: C_1 = CIPH_K(P_1 ⊕ IV);
                C_j = CIPH_K(P_j ⊕ C_{j-1}) for j = 2 ... n.
CBC Decryption: P_1 = CIPH^-1_K(C_1) ⊕ IV;
                P_j = CIPH^-1_K(C_j) ⊕ C_{j-1} for j = 2 ... n.
[Figure 2: The CBC Mode. Panels ENCRYPT and DECRYPT: INITIALIZATION VECTOR, PLAINTEXT 1 ... n, INPUT BLOCK 1 ... n, CIPH_K / CIPH^-1_K, OUTPUT BLOCK 1 ... n, CIPHERTEXT 1 ... n.]
In CBC encryption, the first input block is formed by exclusive-ORing the first block of the plaintext with the IV. The forward cipher function is applied to the first input block, and the resulting output block is the first block of the ciphertext. This output block is also exclusive-ORed with the second plaintext data block to produce the second input block, and the forward cipher function is applied to produce the second output block. This output block, which is the second ciphertext block, is exclusive-ORed with the next plaintext block to form the next input block. Each successive plaintext block is exclusive-ORed with the previous output/ciphertext block to produce the new input block. The forward cipher function is applied to each input block to produce the ciphertext block.

In CBC decryption, the inverse cipher function is applied to the first ciphertext block, and the resulting output block is exclusive-ORed with the initialization vector to recover the first plaintext block. The inverse cipher function is also applied to the second ciphertext block, and the resulting output block is exclusive-ORed with the first ciphertext block to recover the second plaintext block. In general, to recover any plaintext block (except the first), the inverse cipher function is applied to the corresponding ciphertext block, and the resulting block is exclusive-ORed with the previous ciphertext block.

In CBC encryption, the input block to each forward cipher operation (except the first) depends on the result of the previous forward cipher operation, so the forward cipher operations cannot be performed in parallel. In CBC decryption, however, the input blocks for the inverse cipher function, i.e., the ciphertext blocks, are immediately available, so that multiple inverse cipher operations can be performed in parallel.

The CBC mode is illustrated in Figure 2.
6.3 The Cipher Feedback Mode
The Cipher Feedback (CFB) mode is a confidentiality mode that features the feedback of successive ciphertext segments into the input blocks of the forward cipher to generate output blocks that are exclusive-ORed with the plaintext to produce the ciphertext, and vice versa. The CFB mode requires an IV as the initial input block. The IV need not be secret, but it must be unpredictable; the generation of such IVs is discussed in Appendix C.

The CFB mode also requires an integer parameter, denoted s, such that 1 ≤ s ≤ b. In the specification of the CFB mode below, each plaintext segment (P#_j) and ciphertext segment (C#_j) consists of s bits. The value of s is sometimes incorporated into the name of the mode, e.g., the 1-bit CFB mode, the 8-bit CFB mode, the 64-bit CFB mode, or the 128-bit CFB mode.

The CFB mode is defined as follows:

CFB Encryption: I_1 = IV;
                I_j = LSB_{b-s}(I_{j-1}) | C#_{j-1} for j = 2 ... n;
                O_j = CIPH_K(I_j) for j = 1, 2 ... n;
                C#_j = P#_j ⊕ MSB_s(O_j) for j = 1, 2 ... n.
CFB Decryption: I_1 = IV;
                I_j = LSB_{b-s}(I_{j-1}) | C#_{j-1} for j = 2 ... n;
                O_j = CIPH_K(I_j) for j = 1, 2 ... n;
                P#_j = C#_j ⊕ MSB_s(O_j) for j = 1, 2 ... n.
In CFB encryption, the first input block is the IV, and the forward cipher operation is applied to the IV to produce the first output block. The first ciphertext segment is produced by exclusive-ORing the first plaintext segment with the s most significant bits of the first output block. (The remaining b-s bits of the first output block are discarded.) The b-s least significant bits of the IV are then concatenated with the s bits of the first ciphertext segment to form the second input block. An alternative description of the formation of the second input block is that the bits of the first input block circularly shift s positions to the left, and then the ciphertext segment replaces the s least significant bits of the result.

The process is repeated with the successive input blocks until a ciphertext segment is produced from every plaintext segment. In general, each successive input block is enciphered to produce an output block. The s most significant bits of each output block are exclusive-ORed with the corresponding plaintext segment to form a ciphertext segment. Each ciphertext segment (except the last one) is fed back into the previous input block, as described above, to form a new input block. The feedback can be described in terms of the individual bits in the strings as follows: if i_1 i_2 ... i_b is the jth input block, and c_1 c_2 ... c_s is the jth ciphertext segment, then the (j+1)th input block is i_{s+1} i_{s+2} ... i_b c_1 c_2 ... c_s.
[Figure 3 omitted: ENCRYPT and DECRYPT panels showing, for input blocks 1, 2, ..., n, CIPH_K applied to each input block, each output block split into the selected s bits and the discarded (b-s) bits, the s-bit plaintext and ciphertext segments, and the (b-s)-bit and s-bit parts that form each following input block.]

Figure 3: The CFB Mode
In CFB decryption, the IV is the first input block, and each successive input block is formed as in CFB encryption, by concatenating the b-s least significant bits of the previous input block with the s most significant bits of the previous ciphertext. The forward cipher function is applied to each input block to produce the output blocks. The s most significant bits of the output blocks are exclusive-ORed with the corresponding ciphertext segments to recover the plaintext segments.

In CFB encryption, like CBC encryption, the input block to each forward cipher function (except the first) depends on the result of the previous forward cipher function; therefore, multiple forward cipher operations cannot be performed in parallel. In CFB decryption, the required forward cipher operations can be performed in parallel if the input blocks are first constructed (in series) from the IV and the ciphertext.

The CFB mode is illustrated in Figure 3.
6.4 The Output Feedback Mode
The Output Feedback (OFB) mode is a confidentiality mode that features the iteration of the forward cipher on an IV to generate a sequence of output blocks that are exclusive-ORed with the plaintext to produce the ciphertext, and vice versa. The OFB mode requires that the IV is a nonce, i.e., the IV must be unique for each execution of the mode under the given key; the generation of such IVs is discussed in Appendix C. The OFB mode is defined as follows:

OFB Encryption:   $I_1 = IV$;
                  $I_j = O_{j-1}$   for $j = 2, \ldots, n$;
                  $O_j = \mathrm{CIPH}_K(I_j)$   for $j = 1, 2, \ldots, n$;
                  $C_j = P_j \oplus O_j$   for $j = 1, 2, \ldots, n-1$;
                  $C^{*}_n = P^{*}_n \oplus \mathrm{MSB}_u(O_n)$.

OFB Decryption:   $I_1 = IV$;
                  $I_j = O_{j-1}$   for $j = 2, \ldots, n$;
                  $O_j = \mathrm{CIPH}_K(I_j)$   for $j = 1, 2, \ldots, n$;
                  $P_j = C_j \oplus O_j$   for $j = 1, 2, \ldots, n-1$;
                  $P^{*}_n = C^{*}_n \oplus \mathrm{MSB}_u(O_n)$.
In OFB encryption, the IV is transformed by the forward cipher function to produce the first output block. The first output block is exclusive-ORed with the first plaintext block to produce the first ciphertext block. The forward cipher function is then invoked on the first output block to produce the second output block. The second output block is exclusive-ORed with the second plaintext block to produce the second ciphertext block, and the forward cipher function is invoked on the second output block to produce the third output block. Thus, the successive output blocks are produced from applying the forward cipher function to the previous output blocks, and the output blocks are exclusive-ORed with the corresponding plaintext blocks to produce the ciphertext blocks. For the last block, which may be a partial block of u bits, the most significant u bits of the last output block are used for the exclusive-OR operation; the remaining b-u bits of the last output block are discarded.

In OFB decryption, the IV is transformed by the forward cipher function to produce the first output block. The first output block is exclusive-ORed with the first ciphertext block to recover the first plaintext block. The first output block is then transformed by the forward cipher function to produce the second output block. The second output block is exclusive-ORed with the second ciphertext block to produce the second plaintext block, and the second output block is also transformed by the forward cipher function to produce the third output block. Thus, the successive output blocks are produced from applying the forward cipher function to the previous output blocks, and the output blocks are exclusive-ORed with the corresponding ciphertext blocks to recover the plaintext blocks. For the last block, which may be a partial block of u bits, the most significant u bits of the last output block are used for the exclusive-OR operation; the remaining b-u bits of the last output block are discarded.
[Figure 4 omitted: ENCRYPT and DECRYPT panels in which CIPH_K is applied to the initialization vector and then to each preceding output block, and each output block 1, 2, ..., n is exclusive-ORed with the corresponding plaintext (or ciphertext) block.]

Figure 4: The OFB Mode
In both OFB encryption and OFB decryption, each forward cipher function (except the first) depends on the results of the previous forward cipher function; therefore, multiple forward cipher functions cannot be performed in parallel. However, if the IV is known, the output blocks can be generated prior to the availability of the plaintext or ciphertext data.

The OFB mode requires a unique IV for every message that is ever encrypted under the given key. If, contrary to this requirement, the same IV is used for the encryption of more than one message, then the confidentiality of those messages may be compromised. In particular, if a plaintext block of any of these messages is known, say, the jth plaintext block, then the jth output of the forward cipher function can be determined easily from the jth ciphertext block of the message. This information allows the jth plaintext block of any other message that is encrypted using the same IV to be easily recovered from the jth ciphertext block of that message. Confidentiality may similarly be compromised if any of the input blocks to the forward cipher function for the encryption of a message is designated as the IV for the encryption of another message under the given key.

The OFB mode is illustrated in Figure 4.
6.5 The Counter Mode
The Counter (CTR) mode is a confidentiality mode that features the application of the forward cipher to a set of input blocks, called counters, to produce a sequence of output blocks that are exclusive-ORed with the plaintext to produce the ciphertext, and vice versa. The sequence of counters must have the property that each block in the sequence is different from every other block. This condition is not restricted to a single message: across all of the messages that are encrypted under the given key, all of the counters must be distinct. In this recommendation, the counters for a given message are denoted $T_1, T_2, \ldots, T_n$. Methods for generating counters are discussed in Appendix B. Given a sequence of counters, $T_1, T_2, \ldots, T_n$, the CTR mode is defined as follows:

CTR Encryption:   $O_j = \mathrm{CIPH}_K(T_j)$   for $j = 1, 2, \ldots, n$;
                  $C_j = P_j \oplus O_j$   for $j = 1, 2, \ldots, n-1$;
                  $C^{*}_n = P^{*}_n \oplus \mathrm{MSB}_u(O_n)$.

CTR Decryption:   $O_j = \mathrm{CIPH}_K(T_j)$   for $j = 1, 2, \ldots, n$;
                  $P_j = C_j \oplus O_j$   for $j = 1, 2, \ldots, n-1$;
                  $P^{*}_n = C^{*}_n \oplus \mathrm{MSB}_u(O_n)$.
In CTR encryption, the forward cipher function is invoked on each counter block, and the resulting output blocks are exclusive-ORed with the corresponding plaintext blocks to produce the ciphertext blocks. For the last block, which may be a partial block of u bits, the most significant u bits of the last output block are used for the exclusive-OR operation; the remaining b-u bits of the last output block are discarded.

In CTR decryption, the forward cipher function is invoked on each counter block, and the resulting output blocks are exclusive-ORed with the corresponding ciphertext blocks to recover the plaintext blocks. For the last block, which may be a partial block of u bits, the most significant u bits of the last output block are used for the exclusive-OR operation; the remaining b-u bits of the last output block are discarded.

In both CTR encryption and CTR decryption, the forward cipher functions can be performed in parallel; similarly, the plaintext block that corresponds to any particular ciphertext block can be recovered independently from the other plaintext blocks if the corresponding counter block can be determined. Moreover, the forward cipher functions can be applied to the counters prior to the availability of the plaintext or ciphertext data.
[Figure 5 omitted: ENCRYPT and DECRYPT panels in which CIPH_K is applied to COUNTER 1, COUNTER 2, ..., COUNTER n as the input blocks, and each output block is exclusive-ORed with the corresponding plaintext (or ciphertext) block.]

Figure 5: The CTR Mode

The CTR mode is illustrated in Figure 5.
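The CFB, OFB and CTR definitions of Sections 6.3 to 6.5 as an added worked example in Python; this is not code from the document. The forward cipher function CIPH_K is a SHA-256 based stand-in (an assumption, not AES), the block size is b = 128 bits, KEY, IV and MSG are constructed values, and the CFB functions accept any segment size s from 1 to b, which goes beyond the 1-, 8-, 64- and 128-bit cases the text names.

```python
import hashlib
from typing import Callable, List

B = 128                       # block size b in bits (AES-sized blocks)
B_BYTES = B // 8
MASK = (1 << B) - 1

def make_ciph(key: bytes) -> Callable[[bytes], bytes]:
    """Stand-in for the forward cipher function CIPH_K (ASSUMPTION: a keyed PRF built
    from SHA-256, not AES).  CFB, OFB and CTR only ever call the forward function, so
    the stand-in need not be invertible; a real block cipher drops in unchanged."""
    def ciph(block: bytes) -> bytes:
        assert len(block) == B_BYTES
        return hashlib.sha256(key + block).digest()[:B_BYTES]
    return ciph

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))       # truncates to the shorter input

def segments(data: bytes, s: int) -> List[int]:
    """Split data into its s-bit segments, each returned as an int (first segment first)."""
    nbits = 8 * len(data)
    assert 1 <= s <= B and nbits % s == 0, "data must be a whole number of s-bit segments"
    x = int.from_bytes(data, "big")
    return [(x >> (nbits - s * j)) & ((1 << s) - 1) for j in range(1, nbits // s + 1)]

def join_segments(segs: List[int], s: int) -> bytes:
    x = 0
    for seg in segs:
        x = (x << s) | seg
    return x.to_bytes(len(segs) * s // 8, "big")

def _ciph_int(ciph: Callable[[bytes], bytes], block: int) -> int:
    return int.from_bytes(ciph(block.to_bytes(B_BYTES, "big")), "big")

def cfb_encrypt(ciph, iv: bytes, plaintext: bytes, s: int) -> bytes:
    """Section 6.3: s-bit CFB encryption for any s from 1 to b."""
    i_j = int.from_bytes(iv, "big")                   # I_1 = IV
    out = []
    for p in segments(plaintext, s):
        o_j = _ciph_int(ciph, i_j)                    # O_j = CIPH_K(I_j)
        c = p ^ (o_j >> (B - s))                      # C#_j = P#_j xor MSB_s(O_j)
        out.append(c)
        i_j = ((i_j << s) & MASK) | c                 # I_{j+1} = LSB_{b-s}(I_j) | C#_j
    return join_segments(out, s)

def cfb_decrypt(ciph, iv: bytes, ciphertext: bytes, s: int) -> bytes:
    """Section 6.3: s-bit CFB decryption.  The input blocks depend only on the IV and
    the ciphertext, so they are built first (in series); the forward cipher calls that
    follow are independent of one another and could run in parallel."""
    segs = segments(ciphertext, s)
    inputs = [int.from_bytes(iv, "big")]
    for c in segs[:-1]:
        inputs.append(((inputs[-1] << s) & MASK) | c)
    out = [c ^ (_ciph_int(ciph, i_j) >> (B - s))      # P#_j = C#_j xor MSB_s(O_j)
           for c, i_j in zip(segs, inputs)]
    return join_segments(out, s)

def ofb_crypt(ciph, iv: bytes, data: bytes) -> bytes:
    """Section 6.4: OFB, the same operation for encryption and decryption.  When the
    last block is partial (u bits) only MSB_u(O_n) is used; xor() discards the rest."""
    stream, o_j = b"", iv                             # I_1 = IV
    while len(stream) < len(data):
        o_j = ciph(o_j)                               # O_j = CIPH_K(I_j); I_{j+1} = O_j
        stream += o_j
    return xor(data, stream)

def ctr_crypt(ciph, counters: List[bytes], data: bytes) -> bytes:
    """Section 6.5: CTR with caller-supplied counter blocks T_1..T_n (Appendix B).
    Each output block depends only on its counter, so the forward cipher calls can run
    in parallel or ahead of time, and any single block can be recovered on its own."""
    n = -(-len(data) // B_BYTES)                      # ceil: block n may be partial
    assert len(counters) >= n, "need one counter block per plaintext block"
    assert len(set(counters[:n])) == n, "counter blocks must be distinct"
    stream = b"".join(ciph(t) for t in counters[:n])  # O_j = CIPH_K(T_j)
    return xor(data, stream)                          # C_j = P_j xor O_j; MSB_u for block n

# Constructed demo values; these are not the AES vectors of Appendix F.
KEY = bytes(range(16))
IV = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
MSG = b"NIST SP 800-38A confidentiality modes demo"   # 42 bytes: 2 full blocks + 10 bytes

def demo() -> dict:
    """Round-trip each mode; returns {mode: True} on success."""
    ciph = make_ciph(KEY)
    results = {}
    for s in (1, 8, 64, 128):
        pt = MSG if s <= 8 else MSG[:32]              # s = 64 and 128 need whole segments
        results["cfb%d" % s] = cfb_decrypt(ciph, IV, cfb_encrypt(ciph, IV, pt, s), s) == pt
    results["ofb"] = ofb_crypt(ciph, IV, ofb_crypt(ciph, IV, MSG)) == MSG
    counters = [IV[:15] + bytes([i]) for i in range(3)]
    results["ctr"] = ctr_crypt(ciph, counters, ctr_crypt(ciph, counters, MSG)) == MSG
    return results

if __name__ == "__main__":
    print(demo())
```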
Appendix A: Padding
For the ECB, CBC, and CFB modes, the plaintext must be a sequence of one or more complete data blocks (or, for CFB mode, data segments). In other words, for these three modes, the total number of bits in the plaintext must be a positive multiple of the block (or segment) size.

If the data string to be encrypted does not initially satisfy this property, then the formatting of the plaintext must entail an increase in the number of bits. A common way to achieve the necessary increase is to append some extra bits, called padding, to the trailing end of the data string as the last step in the formatting of the plaintext. An example of a padding method is to append a single '1' bit to the data string and then to pad the resulting string by as few '0' bits, possibly none, as are necessary to complete the final block (segment). Other methods may be used; in general, the formatting of the plaintext is outside the scope of this recommendation.

For the above padding method, the padding bits can be removed unambiguously, provided the receiver can determine that the message is indeed padded. One way to ensure that the receiver does not mistakenly remove bits from an unpadded message is to require the sender to pad every message, including messages in which the final block (segment) is already complete. For such messages, an entire block (segment) of padding is appended. Alternatively, such messages can be sent without padding if, for every message, the existence of padding can be reliably inferred, e.g., from a message length indicator.
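The padding method of this appendix (a single '1' bit, then as few '0' bits as necessary, applied to every message) as an added example in Python, not code from the document. `pad`/`unpad` work on a string of bits so that the 1-bit CFB segment case is covered; `pad_octets`/`unpad_octets` are the assumed octet-aligned form of the same method, where the '1' bit and seven '0' bits become the octet 0x80.

```python
def pad(bits: str, size: int) -> str:
    """Append a single '1' bit, then as few '0' bits as needed (possibly none) to complete
    the final block or segment of `size` bits.  Every message is padded, so an input that
    already fills its last block gets a whole extra block of padding; that rule is what
    lets the receiver strip the padding unambiguously."""
    assert size >= 1 and set(bits) <= {"0", "1"}, "bits must be a string of 0s and 1s"
    padded = bits + "1"
    return padded + "0" * (-len(padded) % size)

def unpad(bits: str, size: int) -> str:
    """Remove the padding.  Rejects input that is not whole blocks or carries no '1'
    marker rather than silently returning a wrong message."""
    if not bits or len(bits) % size != 0:
        raise ValueError("padded message must be one or more complete blocks")
    marker = bits.rfind("1")
    if marker < 0:
        raise ValueError("no padding marker found")
    return bits[:marker]             # everything after the last '1' is zero padding

def pad_octets(data: bytes, block_bytes: int) -> bytes:
    """Octet-aligned form of the same method (assumed, for ECB, CBC and 8-bit or
    larger CFB): '1' plus seven '0' bits is 0x80, further zero bits are 0x00 octets."""
    return data + b"\x80" + b"\x00" * (-(len(data) + 1) % block_bytes)

def unpad_octets(data: bytes, block_bytes: int) -> bytes:
    if not data or len(data) % block_bytes != 0:
        raise ValueError("padded message must be one or more complete blocks")
    stripped = data.rstrip(b"\x00")
    if not stripped.endswith(b"\x80"):
        raise ValueError("no padding marker found")
    return stripped[:-1]
```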
Appendix B: Generation of Counter Blocks
The specification of the CTR mode requires a unique counter block for each plaintext block that is ever encrypted under a given key, across all messages. If, contrary to this requirement, a counter block is used repeatedly, then the confidentiality of all of the plaintext blocks corresponding to that counter block may be compromised. In particular, if any plaintext block that is encrypted using a given counter block is known, then the output of the forward cipher function can be determined easily from the associated ciphertext block. This output allows any other plaintext blocks that are encrypted using the same counter block to be easily recovered from their associated ciphertext blocks.

There are two aspects to satisfying the uniqueness requirement. First, an incrementing function for generating the counter blocks from any initial counter block can ensure that counter blocks do not repeat within a given message. Second, the initial counter blocks, $T_1$, must be chosen to ensure that counters are unique across all messages that are encrypted under the given key.
B.1 The Standard Incrementing Function
In general, given the initial counter block for a message, the successive counter blocks are derived by applying an incrementing function. As in the above specifications of the modes, n is the number of blocks in the given plaintext message, and b is the number of bits in the block.

The standard incrementing function can apply either to an entire block or to a part of a block. Let m be the number of bits in the specific part of the block to be incremented; thus, m is a positive integer such that $m \le b$. Any string of m bits can be regarded as the binary representation of a non-negative integer x that is strictly less than $2^m$. The standard incrementing function takes $[x]_m$ and returns $[x + 1 \bmod 2^m]_m$.

For example, let the standard incrementing function apply to the five least significant bits of eight-bit blocks, so that b = 8 and m = 5 (unrealistically small values); let * represent each unknown bit in this example, and let ***11110 represent a block to be incremented. The following sequence of blocks results from four applications of the standard incrementing function:
***11110
***11111
***00000
***00001
***00010.

Counter blocks in which a given set of m bits are incremented by the standard incrementing function satisfy the uniqueness requirement within the given message provided that $n \le 2^m$.

Whether the uniqueness requirement for counter blocks is satisfied across all messages that are encrypted under a given key then depends on the choices of the initial counter blocks for the messages, as discussed in the next section.
This recommendation permits the use of any other incrementing function that generates n unique strings of m bits in succession from the allowable initial strings. For example, if the initial string of m bits is not the zero string, i.e., if it contains at least one '1' bit, then an incrementing function can be constructed from a linear feedback shift register that is specialized to ensure a sufficiently large period; see Ref. [5] for information about linear feedback shift registers.
B.2 Choosing Initial Counter Blocks
The initial counter blocks, $T_1$, for each message that is encrypted under the given key must be chosen in a manner that ensures the uniqueness of all the counter blocks across all the messages. Two examples of approaches to choosing the initial counter blocks are given in this section.

In the first approach, for a given key, all plaintext messages are encrypted sequentially. Within the messages, the same fixed set of m bits of the counter block is incremented by the standard incrementing function. The initial counter block for the initial plaintext message may be any string of b bits. The initial counter block for any subsequent message can be obtained by applying the standard incrementing function to the fixed set of m bits of the final counter block of the previous message. In effect, all of the plaintext messages that are ever encrypted under the given key are concatenated into a single message; consequently, the total number of plaintext blocks must not exceed $2^m$. Procedures should be established to ensure the maintenance of the state of the final counter block of the latest encrypted message, and to ensure the proper sequencing of the messages.

A second approach to satisfying the uniqueness property across messages is to assign to each message a unique string of b/2 bits (rounding up, if b is odd), in other words, a message nonce, and to incorporate the message nonce into every counter block for the message. The leading b/2 bits (rounding up, if b is odd) of each counter block would be the message nonce, and the standard incrementing function would be applied to the remaining m bits to provide an index to the counter blocks for the message. Thus, if N is the message nonce for a given message, then the jth counter block is given by $T_j = N \,|\, [j]_m$, for $j = 1, \ldots, n$. The number of blocks, n, in any message must satisfy n
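The standard incrementing function of B.1 and the two ways of choosing initial counter blocks in B.2 as an added example in Python, not code from the document. `all_distinct` is an assumed helper for the cross-message uniqueness check, and the nonce form assumes a block size that is a whole number of octets; the bound n < 2^m in `counters_from_nonce` follows from the index j starting at 1.

```python
from typing import List

def standard_increment(block: bytes, m: int) -> bytes:
    """Appendix B.1: increment the m least significant bits of the block modulo 2^m,
    [x]_m -> [x + 1 mod 2^m]_m, leaving the other b-m bits untouched."""
    b = 8 * len(block)
    assert 1 <= m <= b, "m must satisfy 1 <= m <= b"
    x = int.from_bytes(block, "big")
    low = (1 << m) - 1
    x = (x & ~low) | ((x + 1) & low)
    return x.to_bytes(len(block), "big")

def counters_sequential(t1: bytes, m: int, n: int) -> List[bytes]:
    """Appendix B.2, first approach: T_1 is given (any b-bit string for the first message,
    or the incremented final counter block of the previous message) and each T_{j+1} is
    obtained by the standard incrementing function.  Unique within the message provided
    n <= 2^m; the caller keeps the final block as state for the next message."""
    assert n <= 2 ** m, "more blocks than the m counter bits can index"
    out = [t1]
    while len(out) < n:
        out.append(standard_increment(out[-1], m))
    return out

def counters_from_nonce(nonce: bytes, n: int, b: int = 128) -> List[bytes]:
    """Appendix B.2, second approach: T_j = N | [j]_m with N a ceil(b/2)-bit message nonce
    and m = b - ceil(b/2) index bits.  j runs from 1, so [j]_m must not wrap: n < 2^m.
    ASSUMPTION: b is a multiple of 8 so that blocks and nonces are whole octets."""
    nonce_bits = (b + 1) // 2                         # round up if b is odd
    m = b - nonce_bits
    assert 8 * len(nonce) == nonce_bits, "nonce must be exactly ceil(b/2) bits"
    assert n < 2 ** m, "index j = n does not fit in m bits"
    prefix = int.from_bytes(nonce, "big") << m
    return [(prefix | j).to_bytes(b // 8, "big") for j in range(1, n + 1)]

def all_distinct(*counter_lists: List[bytes]) -> bool:
    """Cross-message uniqueness check (assumed helper): every counter block used under
    one key must differ from every other, whichever message it belongs to."""
    flat = [t for lst in counter_lists for t in lst]
    return len(set(flat)) == len(flat)
```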
Appendix C: Generation of Initialization Vectors
The CBC, CFB, and OFB modes require an initialization vector as input, in addition to the plaintext. An IV must be generated for each execution of the encryption operation, and the same IV is necessary for the corresponding execution of the decryption operation. Therefore, the IV, or information that is sufficient to calculate the IV, must be available to each party to the communication.

The IV need not be secret, so the IV, or information sufficient to determine the IV, may be transmitted with the ciphertext.

For the CBC and CFB modes, the IVs must be unpredictable. In particular, for any given plaintext, it must not be possible to predict the IV that will be associated to the plaintext in advance of the generation of the IV.

There are two recommended methods for generating unpredictable IVs. The first method is to apply the forward cipher function, under the same key that is used for the encryption of the plaintext, to a nonce. The nonce must be a data block that is unique to each execution of the encryption operation. For example, the nonce may be a counter, as described in Appendix B, or a message number. The second method is to generate a random data block using a FIPS-approved random number generator.

For the OFB mode, the IV need not be unpredictable, but it must be a nonce that is unique to each execution of the encryption operation. For example, the nonce may be a counter, as described in Appendix B, or a message number.

If, contrary to this requirement, the same IV is used for the OFB encryption of more than one message, then the confidentiality of those messages may be compromised. In particular, if a plaintext block of any of these messages is known, say, the jth plaintext block, then the jth output of the forward cipher function can be determined easily from the jth ciphertext block of the message. This information allows the jth plaintext block of any other message that is encrypted using the same IV to be easily recovered from the jth ciphertext block of that message. Confidentiality may similarly be compromised if any of the input blocks to the forward cipher function for the OFB encryption of a message is designated as the IV for the encryption of another message under the given key. One consequence of this observation is that IVs for the OFB mode should not be generated by invoking the block cipher on another IV.

Validation that an implementation of the CBC, CFB, or OFB mode conforms to this recommendation will typically include an examination of the procedures for assuring the unpredictability or uniqueness of the IV.
Appendix D: Error Properties
A bit error is the substitution of a '0' bit for a '1' bit, or vice versa. This appendix contains a discussion of the effects of bit errors in ciphertext blocks (or segments), counter blocks, and IVs on the modes in this recommendation. Insertion or deletion of bits into ciphertext blocks (or segments) is also discussed.

For any confidentiality mode, if there are any bit errors in a single ciphertext block (or segment), then the decryption of that ciphertext block (or segment) will be incorrect, i.e., it will differ from the original plaintext block (or segment). In the CFB, OFB, and CTR modes, the bit error(s) in the decrypted ciphertext block (or segment) occur in the same bit position(s) as in the ciphertext block (or segment); the other bit positions are not affected. In the ECB and CBC modes, a bit error may occur, independently, in any bit position of the decrypted ciphertext block, with an expected error rate of fifty percent, depending on the strength of the underlying block cipher.

For the ECB, OFB, and CTR modes, bit errors within a ciphertext block do not affect the decryption of any other blocks. In the CBC mode, any bit positions that contain bit errors in a ciphertext block will also contain bit errors in the decryption of the succeeding ciphertext block; the other bit positions are not affected. In the CFB mode, bit errors in a ciphertext segment affect the decryption of the next $\lceil b/s \rceil$ (b/s rounded up to the nearest integer) ciphertext segments. A bit error may occur, independently, in any bit position in these decrypted segments, with an expected error rate of fifty percent.

Similarly, for the CTR mode, if there is a bit error in a counter block, then a bit error may occur, independently, in any bit position of the decryption of the corresponding ciphertext, with an expected error rate of fifty percent.

Bit errors in IVs also affect the decryption process. In the OFB mode, bit errors in the IV affect the decryption of every ciphertext block. In the CFB mode, bit errors in the IV affect, at a minimum, the decryption of the first ciphertext segment, and possibly successive ciphertext segments, depending on the bit position of the rightmost bit error in the IV. (In general, a bit error in the ith most significant bit position affects the decryptions of the first $\lceil i/s \rceil$ (i/s rounded up) ciphertext segments.) For both the OFB and CFB modes, a bit error may occur, independently, in any bit position of the affected ciphertext blocks (or segments), with an expected error rate of fifty percent. In the CBC mode, if bit errors occur in the IV, then the first ciphertext block will be decrypted incorrectly, and bit errors will occur in exactly the same bit positions as in the IV; the decryptions of the other ciphertext blocks are not affected.

Consequently, for the CBC mode, the decryption of the first ciphertext block is vulnerable to the (deliberate) introduction of bit errors in specific bit positions of the IV if the integrity of the IV is not protected. Similarly, for the OFB and CTR modes, the decryption of any ciphertext block is vulnerable to the introduction of specific bit errors into that ciphertext block if its integrity is not protected. The same property also holds for the ciphertext segments in the CFB mode; however, for every ciphertext segment except the last one, the existence of such bit errors may be detected by their randomizing effect on the decryption of the succeeding ciphertext segment.
Table D.1 summarizes the effects of bit errors in a ciphertext block or IV on the decryption of the ciphertext for each of the five confidentiality modes.

Table D.1: Summary of Effect of Bit Errors on Decryption

Mode | Effect of bit errors in C_j                                                      | Effect of bit errors in the IV
ECB  | RBE in the decryption of C_j                                                     | Not applicable
CBC  | RBE in the decryption of C_j; SBE in the decryption of C_{j+1}                   | SBE in the decryption of C_1
CFB  | SBE in the decryption of C_j; RBE in the decryption of C_{j+1}, ..., C_{j+⌈b/s⌉} | RBE in the decryption of C_1, C_2, ..., C_j for some j between 1 and ⌈b/s⌉
OFB  | SBE in the decryption of C_j                                                     | RBE in the decryption of C_1, C_2, ..., C_n
CTR  | SBE in the decryption of C_j                                                     | Not applicable*

RBE: random bit errors, i.e., bit errors occur independently in any bit position with an expected probability of 1/2.
SBE: specific bit errors, i.e., bit errors occur in the same bit position(s) as the original bit error(s).
* Bit errors in the jth counter block, T_j, result in RBE in the decryption of C_j.
The deletion or insertion of bits into a ciphertext block (or segment) spoils the synchronization of the block (or segment) boundaries; in effect, bit errors may occur in the bit position of the inserted or deleted bit, and in every subsequent bit position. Therefore, the decryptions of the subsequent ciphertext blocks (or segments) will almost certainly be incorrect until the synchronization is restored. When the 1-bit CFB mode is used, then the synchronization is automatically restored b+1 positions after the inserted or deleted bit. For other values of s in the CFB mode, and for the other confidentiality modes in this recommendation, the synchronization must be restored externally.
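The CBC rows of Table D.1 (IV error gives SBE in the first block only; an error in C_j gives RBE in block j and SBE in block j+1) checked as an added example in Python, not code from the document. The block cipher is a toy 4-round Feistel network built on SHA-256 (an assumption standing in for AES or TDEA, chosen because CBC decryption needs an invertible cipher), and KEY, IV and PT are constructed values.

```python
import hashlib
from typing import List

B_BYTES = 16
HALF = B_BYTES // 2

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# Stand-in block cipher (ASSUMPTION: a 4-round Feistel network with a SHA-256 round
# function, not AES or TDEA).  It is invertible, as CBC decryption requires, and a
# one-bit change in its input spreads over the whole output, which is all that the
# Appendix D argument about random bit errors depends on.
def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:HALF]

def ciph(key: bytes, block: bytes) -> bytes:            # forward cipher function
    l, r = block[:HALF], block[HALF:]
    for rnd in range(4):
        l, r = r, xor(l, _f(key, rnd, r))
    return l + r

def ciph_inv(key: bytes, block: bytes) -> bytes:        # inverse cipher function
    l, r = block[:HALF], block[HALF:]
    for rnd in reversed(range(4)):
        l, r = xor(r, _f(key, rnd, l)), l
    return l + r

def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    assert len(pt) % B_BYTES == 0, "plaintext must be whole blocks (see Appendix A)"
    out, prev = [], iv
    for j in range(0, len(pt), B_BYTES):
        prev = ciph(key, xor(pt[j:j + B_BYTES], prev))   # C_j = CIPH_K(P_j xor C_{j-1})
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for j in range(0, len(ct), B_BYTES):
        c = ct[j:j + B_BYTES]
        out.append(xor(ciph_inv(key, c), prev))          # P_j = CIPH_K^-1(C_j) xor C_{j-1}
        prev = c
    return b"".join(out)

def flip_bit(data: bytes, bit: int) -> bytes:
    """Invert one bit; bit 0 is the most significant bit of the first octet."""
    buf = bytearray(data)
    buf[bit // 8] ^= 0x80 >> (bit % 8)
    return bytes(buf)

def error_positions(expected: bytes, actual: bytes) -> List[List[int]]:
    """Per block, the bit positions (0 = MSB of that block) at which actual is wrong."""
    out = []
    for j in range(0, len(expected), B_BYTES):
        diff = int.from_bytes(xor(expected[j:j + B_BYTES], actual[j:j + B_BYTES]), "big")
        out.append([i for i in range(8 * B_BYTES) if (diff >> (8 * B_BYTES - 1 - i)) & 1])
    return out

def cbc_error_effect(key: bytes, iv: bytes, pt: bytes, where: str, block: int, bit: int):
    """Encrypt pt, flip one bit of the IV (where="iv") or of ciphertext block `block`
    (1-based, where="ct"), decrypt, and report the wrong bit positions per plaintext
    block.  Table D.1 predicts: IV error -> SBE in P_1 only; error in C_j -> RBE in P_j
    and SBE in P_{j+1} at the same position, with no other block affected."""
    ct = cbc_encrypt(key, iv, pt)
    if where == "iv":
        bad = cbc_decrypt(key, flip_bit(iv, bit), ct)
    else:
        bad = cbc_decrypt(key, iv, flip_bit(ct, (block - 1) * 8 * B_BYTES + bit))
    return error_positions(pt, bad)

# Constructed demo values (not from the document): four plaintext blocks.
KEY, IV, PT = bytes(range(16)), bytes(16), bytes(range(64))

if __name__ == "__main__":
    print("IV bit 5 flipped:", cbc_error_effect(KEY, IV, PT, "iv", 0, 5))
    print("C_2 bit 77 flipped, wrong bits per block:",
          [len(e) for e in cbc_error_effect(KEY, IV, PT, "ct", 2, 77)])
```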
Appendix E: Modes of Triple DES
FIPS Pub 46-3 [FIPS 46-3] specifies the Data Encryption Standard (DES) algorithm and approves its three-fold, compound operation that is specified in ANSI X9.52 [1]: the Triple Data Encryption Algorithm (TDEA). Essentially, the TDEA consists of the application of the forward DES algorithm, i.e., DES encryption, under one key, followed by the application of the inverse DES algorithm, i.e., DES decryption, under a second key, followed by the application of the forward DES algorithm under a third key. The TDEA is often called Triple DES.

FIPS Pub 46-3 also approves the seven modes of operation of Triple DES that are specified in ANSI X9.52. Four of those modes are equivalent to modes in this recommendation with the TDEA as the underlying block cipher. In particular, the TECB, TCBC, and TOFB modes in ANSI X9.52 are equivalent to the ECB, CBC, and OFB modes in this recommendation, with the TDEA as the underlying block cipher; the TCFB mode in ANSI X9.52 is equivalent to the CFB mode in this recommendation, with the TDEA as the underlying block cipher, provided that the possible choices of the parameter s (the segment size) are restricted to three values: 1, 8, and 64. The remaining three modes in ANSI X9.52 are TCBC-I, TCFB-P, and TOFB-I; they are mode variants that allow for interleaving or pipelining; this recommendation does not provide analogues of these three modes.

The Triple DES modes in ANSI X9.52 should not be used as the underlying block cipher algorithm for the modes in this recommendation. However, the Triple DES algorithm, i.e., TDEA, as described above, may be used as the underlying block cipher algorithm for the six modes in this recommendation. One of the resulting modes of Triple DES is new, i.e., not specified in ANSI X9.52: the CTR mode of the TDEA.
Appendix F: Example Vectors for Modes of Operation of the AES
In this appendix, three examples are provided for each of the modes in this recommendation with the AES algorithm [2] as the underlying block cipher: one example is given for each of the allowed key sizes (128, 192, and 256 bits). Some intermediate results are presented. For the five confidentiality modes, examples are provided for both encryption and decryption. Examples are provided for 1-bit, 8-bit, and 128-bit CFB. The plaintext for all but two of these examples is equivalent to the following string of hexadecimal characters, formatted into four 128-bit blocks:

6bc1bee22e409f96e93d7e117393172a
ae2d8a571e03ac9c9eb76fac45af8e51
30c81c46a35ce411e5fbc1191a0a52ef
f69f2445df4f9b17ad2b417be66c3710

For the example of 1-bit CFB, the plaintext is the first 16 bits in the above string; for the example of 8-bit CFB, the plaintext is the first 18 octets in the above string. All strings are presented in hexadecimal notation, except in the example of 1-bit CFB, where the plaintext and ciphertext segments are single bits.
F.1 ECB Example Vectors
F.1.1 ECB-AES128.EncryptKey 2b7e151628aed2a6abf7158809cf4f3cBlock#1Plaintext 6bc1bee22e409f96e93d7e117393172aInputBlock 6bc1bee22e409f96e93d7e117393172aOutputBlock 3ad77bb40d7a3660a89ecaf32466ef97
Ciphertext 3ad77bb40d7a3660a89ecaf32466ef97Block#2Plaintext ae2d8a571e03ac9c9eb76fac45af8e51InputBlock ae2d8a571e03ac9c9eb76fac45af8e51OutputBlock f5d3d58503b9699de785895a96fdbaafCiphertext f5d3d58503b9699de785895a96fdbaafBlock#3Plaintext 30c81c46a35ce411e5fbc1191a0a52efInputBlock 30c81c46a35ce411e5fbc1191a0a52efOutputBlock 43b1cd7f598ece23881b00e3ed030688Ciphertext 43b1cd7f598ece23881b00e3ed030688Block#4Plaintext f69f2445df4f9b17ad2b417be66c3710
InputBlock f69f2445df4f9b17ad2b417be66c3710OutputBlock 7b0c785e27e8ad3f8223207104725dd4Ciphertext 7b0c785e27e8ad3f8223207104725dd4
F.1.2 ECB-AES128.DecryptKey 2b7e151628aed2a6abf7158809cf4f3cBlock#1Ciphertext 3ad77bb40d7a3660a89ecaf32466ef97InputBlock 3ad77bb40d7a3660a89ecaf32466ef97
24
8/12/2019 Sp800-38a(Apuntes Sobre Algorimos de Criptografia)
32/66
OutputBlock 6bc1bee22e409f96e93d7e117393172aPlaintext 6bc1bee22e409f96e93d7e117393172aBlock#2Ciphertext f5d3d58503b9699de785895a96fdbaafInputBlock f5d3d58503b9699de785895a96fdbaafOutputBlock ae2d8a571e03ac9c9eb76fac45af8e51
Plaintext ae2d8a571e03ac9c9eb76fac45af8e51Block#3Ciphertext 43b1cd7f598ece23881b00e3ed030688InputBlock 43b1cd7f598ece23881b00e3ed030688OutputBlock 30c81c46a35ce411e5fbc1191a0a52efPlaintext 30c81c46a35ce411e5fbc1191a0a52efBlock#4Ciphertext 7b0c785e27e8ad3f8223207104725dd4InputBlock 7b0c785e27e8ad3f8223207104725dd4OutputBlock f69f2445df4f9b17ad2b417be66c3710Plaintext f69f2445df4f9b17ad2b417be66c3710
F.1.3 ECB-AES192.EncryptKey 8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7bBlock#1Plaintext 6bc1bee22e409f96e93d7e117393172aInputBlock 6bc1bee22e409f96e93d7e117393172aOutputBlock bd334f1d6e45f25ff712a214571fa5ccCiphertext bd334f1d6e45f25ff712a214571fa5ccBlock#2Plaintext ae2d8a571e03ac9c9eb76fac45af8e51InputBlock ae2d8a571e03ac9c9eb76fac45af8e51OutputBlock 974104846d0ad3ad7734ecb3ecee4eefCiphertext 974104846d0ad3ad7734ecb3ecee4eefBlock#3Plaintext 30c81c46a35ce411e5fbc1191a0a52efInputBlock 30c81c46a35ce411e5fbc1191a0a52efOutputBlock ef7afd2270e2e60adce0ba2face6444eCiphertext ef7afd2270e2e60adce0ba2face6444eBlock#4Plaintext f69f2445df4f9b17ad2b417be66c3710InputBlock f69f2445df4f9b17ad2b417be66c3710OutputBlock 9a4b41ba738d6c72fb16691603c18e0eCiphertext 9a4b41ba738d6c72fb16691603c18e0e
F.1.4 ECB-AES192.DecryptKey 8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7bBlock#1
Ciphertext bd334f1d6e45f25ff712a214571fa5ccInputBlock bd334f1d6e45f25ff712a214571fa5ccOutputBlock 6bc1bee22e409f96e93d7e117393172aPlaintext 6bc1bee22e409f96e93d7e117393172aBlock#2Ciphertext 974104846d0ad3ad7734ecb3ecee4eefInputBlock 974104846d0ad3ad7734ecb3ecee4eefOutputBlock ae2d8a571e03ac9c9eb76fac45af8e51Plaintext ae2d8a571e03ac9c9eb76fac45af8e51
25
8/12/2019 Sp800-38a(Apuntes Sobre Algorimos de Criptografia)
33/66
Block#3Ciphertext ef7afd2270e2e60adce0ba2face6444eInputBlock ef7afd2270e2e60adce0ba2face6444eOutputBlock 30c81c46a35ce411e5fbc1191a0a52efPlaintext 30c81c46a35ce411e5fbc1191a0a52efBlock#4
Ciphertext 9a4b41ba738d6c72fb16691603c18e0eInputBlock 9a4b41ba738d6c72fb16691603c18e0eOutputBlock f69f2445df4f9b17ad2b417be66c3710Plaintext f69f2445df4f9b17ad2b417be66c3710
F.1.5 ECB-AES256.EncryptKey 603deb1015ca71be2b73aef0857d7781
1f352c073b6108d72d9810a30914dff4Block#1Plaintext 6bc1bee22e409f96e93d7e117393172aInputBlock 6bc1bee22e409f96e93d7e117393172aOutputBlock f3eed1bdb5d2a03c064b5a7e3db181f8Ciphertext f3eed1bdb5d2a03c064b5a7e3db181f8
Block#2Plaintext ae2d8a571e03ac9c9eb76fac45af8e51InputBlock ae2d8a571e03ac9c9eb76fac45af8e51OutputBlock 591ccb10d410ed26dc5ba74a31362870Ciphertext 591ccb10d410ed26dc5ba74a31362870Block#3Plaintext 30c81c46a35ce411e5fbc1191a0a52efInputBlock 30c81c46a35ce411e5fbc1191a0a52efOutputBlock b6ed21b99ca6f4f9f153e7b1beafed1dCiphertext b6ed21b99ca6f4f9f153e7b1beafed1dBlock#4Plaintext f69f2445df4f9b17ad2b417be66c3710InputBlock f69f2445df4f9b17ad2b417be66c3710OutputBlock 23304b7a39f9f3ff067d8d8f9e24ecc7Ciphertext 23304b7a39f9f3ff067d8d8f9e24ecc7
F.1.6 ECB-AES256.DecryptKey 603deb1015ca71be2b73aef0857d7781
1f352c073b6108d72d9810a30914dff4Block#1Ciphertext f3eed1bdb5d2a03c064b5a7e3db181f8InputBlock f3eed1bdb5d2a03c064b5a7e3db181f8OutputBlock 6bc1bee22e409f96e93d7e117393172aPlaintext 6bc1bee22e409f96e93d7e117393172aBlock#2
Ciphertext 591ccb10d410ed26dc5ba74a31362870InputBlock 591ccb10d410ed26dc5ba74a31362870OutputBlock ae2d8a571e03ac9c9eb76fac45af8e51Plaintext ae2d8a571e03ac9c9eb76fac45af8e51Block#3Ciphertext b6ed21b99ca6f4f9f153e7b1beafed1dInputBlock b6ed21b99ca6f4f9f153e7b1beafed1dOutputBlock 30c81c46a35ce411e5fbc1191a0a52efPlaintext 30c81c46a35ce411e5fbc1191a0a52ef
26
8/12/2019 Sp800-38a(Apuntes Sobre Algorimos de Criptografia)
34/66
Block#4Ciphertext 23304b7a39f9f3ff067d8d8f9e24ecc7InputBlock 23304b7a39f9f3ff067d8d8f9e24ecc7OutputBlock f69f2445df4f9b17ad2b417be66c3710Plaintext f69f2445df4f9b17ad2b417be66c3710
F.2 CBC Example Vectors
F.2.1 CBC-AES128.EncryptKey 2b7e151628aed2a6abf7158809cf4f3cIV 000102030405060708090a0b0c0d0e0fBlock#1Plaintext 6bc1bee22e409f96e93d7e117393172aInputBlock 6bc0bce12a459991e134741a7f9e1925OutputBlock 7649abac8119b246cee98e9b12e9197dCiphertext 7649abac8119b246cee98e9b12e9197dBlock#2Plaintext ae2d8a571e03ac9c9eb76fac45af8e51
InputBlock d86421fb9f1a1eda505ee1375746972cOutputBlock 5086cb9b507219ee95db113a917678b2Ciphertext 5086cb9b507219ee95db113a917678b2Block#3Plaintext 30c81c46a35ce411e5fbc1191a0a52efInputBlock 604ed7ddf32efdff7020d0238b7c2a5dOutputBlock 73bed6b8e3c1743b7116e69e22229516Ciphertext 73bed6b8e3c1743b7116e69e22229516Block#4Plaintext f69f2445df4f9b17ad2b417be66c3710InputBlock 8521f2fd3c8eef2cdc3da7e5c44ea206OutputBlock 3ff1caa1681fac09120eca307586e1a7Ciphertext 3ff1caa1681fac09120eca307586e1a7
F.2.2 CBC-AES128.Decrypt
Key 2b7e151628aed2a6abf7158809cf4f3c
IV 000102030405060708090a0b0c0d0e0f
Block #1
Ciphertext 7649abac8119b246cee98e9b12e9197d
Input Block 7649abac8119b246cee98e9b12e9197d
Output Block 6bc0bce12a459991e134741a7f9e1925
Plaintext 6bc1bee22e409f96e93d7e117393172a
Block #2
Ciphertext 5086cb9b507219ee95db113a917678b2
Input Block 5086cb9b507219ee95db113a917678b2
Output Block d86421fb9f1a1eda505ee1375746972c
Plaintext ae2d8a571e03ac9c9eb76fac45af8e51
Block #3
Ciphertext 73bed6b8e3c1743b7116e69e22229516
Input Block 73bed6b8e3c1743b7116e69e22229516
Output Block 604ed7ddf32efdff7020d0238b7c2a5d
Plaintext 30c81c46a35ce411e5fbc1191a0a52ef
Block #4
Ciphertext 3ff1caa1681fac09120eca307586e1a7
Input Block 3ff1caa1681fac09120eca307586e1a7
Output Block 8521f2fd3c8eef2cdc3da7e5c44ea206
Plaintext f69f2445df4f9b17ad2b417be66c3710
F.2.3 CBC-AES192.Encrypt
Key 8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b
IV 000102030405060708090a0b0c0d0e0f
Block #1
Plaintext 6bc1bee22e409f96e93d7e117393172a
Input Block 6bc0bce12a459991e134741a7f9e1925
Output Block 4f021db243bc633d7178183a9fa071e8
Ciphertext 4f021db243bc633d7178183a9fa071e8
Block #2
Plaintext ae2d8a571e03ac9c9eb76fac45af8e51
Input Block e12f97e55dbfcfa1efcf7796da0fffb9
Output Block b4d9ada9ad7dedf4e5e738763f69145a
Ciphertext b4d9ada9ad7dedf4e5e738763f69145a
Block #3
Plaintext 30c81c46a35ce411e5fbc1191a0a52ef
Input Block 8411b1ef0e2109e5001cf96f256346b5
Output Block 571b242012fb7ae07fa9baac3df102e0
Ciphertext 571b242012fb7ae07fa9baac3df102e0
Block #4
Plaintext f69f2445df4f9b17ad2b417be66c3710
Input Block a1840065cdb4e1f7d282fbd7db9d35f0
Output Block 08b0e27988598881d920a9e64f5615cd
Ciphertext 08b0e27988598881d920a9e64f5615cd
F.2.4 CBC-AES192.Decrypt
Key 8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b
IV 000102030405060708090a0b0c0d0e0f
Block #1
Ciphertext 4f021db243bc633d7178183a9fa071e8
Input Block 4f021db243bc633d7178183a9fa071e8
Output Block 6bc0bce12a459991e134741a7f9e1925
Plaintext 6bc1bee22e409f96e93d7e117393172a
Block #2
Ciphertext b4d9ada9ad7dedf4e5e738763f69145a
Input Block b4d9ada9ad7dedf4e5e738763f69145a
Output Block e12f97e55dbfcfa1efcf7796da0fffb9
Plaintext ae2d8a571e03ac9c9eb76fac45af8e51
Block #3
Ciphertext 571b242012fb7ae07fa9baac3df102e0
Input Block 571b242012fb7ae07fa9baac3df102e0
Output Block 8411b1ef0e2109e5001cf96f256346b5
Plaintext 30c81c46a35ce411e5fbc1191a0a52ef
Block #4
Ciphertext 08b0e27988598881d920a9e64f5615cd
Input Block 08b0e27988598881d920a9e64f5615cd
Output Block a1840065cdb4e1f7d282fbd7db9d35f0
Plaintext f69f2445df4f9b17ad2b417be66c3710
F.2.5 CBC-AES256.Encrypt
Key 603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4
IV 000102030405060708090a0b0c0d0e0f
Block #1
Plaintext 6bc1bee22e409f96e93d7e117393172a
Input Block 6bc0bce12a459991e134741a7f9e1925
Output Block f58c4c04d6e5f1ba779eabfb5f7bfbd6
Ciphertext f58c4c04d6e5f1ba779eabfb5f7bfbd6
Block #2
Plaintext ae2d8a571e03ac9c9eb76fac45af8e51
Input Block 5ba1c653c8e65d26e929c4571ad47587
Output Block 9cfc4e967edb808d679f777bc6702c7d
Ciphertext 9cfc4e967edb808d679f777bc6702c7d
Block #3
Plaintext 30c81c46a35ce411e5fbc1191a0a52ef
Input Block ac3452d0dd87649c8264b662dc7a7e92
Output Block 39f23369a9d9bacfa530e26304231461
Ciphertext 39f23369a9d9bacfa530e26304231461
Block #4
Plaintext f69f2445df4f9b17ad2b417be66c3710
Input Block cf6d172c769621d8081ba318e24f2371
Output Block b2eb05e2c39be9fcda6c19078c6a9d1b
Ciphertext b2eb05e2c39be9fcda6c19078c6a9d1b
F.2.6 CBC-AES256.Decrypt
Key 603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4
IV 000102030405060708090a0b0c0d0e0f
Block #1
Ciphertext f58c4c04d6e5f1ba779eabfb5f7bfbd6
Input Block f58c4c04d6e5f1ba779eabfb5f7bfbd6
Output Block 6bc0bce12a459991e134741a7f9e1925
Plaintext 6bc1bee22e409f96e93d7e117393172a
Block #2
Ciphertext 9cfc4e967edb808d679f777bc6702c7d
Input Block 9cfc4e967edb808d679f777bc6702c7d
Output Block 5ba1c653c8e65d26e929c4571ad47587
Plaintext ae2d8a571e03ac9c9eb76fac45af8e51
Block #3
Ciphertext 39f23369a9d9bacfa530e26304231461
Input Block 39f23369a9d9bacfa530e26304231461
Output Block ac3452d0dd87649c8264b662dc7a7e92
Plaintext 30c81c46a35ce411e5fbc1191a0a52ef
Block #4
Ciphertext b2eb05e2c39be9fcda6c19078c6a9d1b
Input Block b2eb05e2c39be9fcda6c19078c6a9d1b
Output Block cf6d172c769621d8081ba318e24f2371
Plaintext f69f2445df4f9b17ad2b417be66c3710
F.3 CFB Example Vectors
F.3.1 CFB1-AES128.Encrypt
Key 2b7e151628aed2a6abf7158809cf4f3c
IV 000102030405060708090a0b0c0d0e0f
Segment #1
Input Block 000102030405060708090a0b0c0d0e0f
Output Block 50fe67cc996d32b6da0937e99bafec60
Plaintext 0
Ciphertext 0
Segment #2
Input Block 00020406080a0c0e10121416181a1c1e
Output Block 19cf576c7596e702f298b35666955c79
Plaintext 1
Ciphertext 1
Segment #3
Input Block 0004080c1014181c2024282c3034383d
Output Block 59e17759acd02b801fa321ea059e331f
Plaintext 1
Ciphertext 1
Segment #4
Input Block 0008101820283038404850586068707b
Output Block 71f415b0cc109e8b0faa14ab740c22f4
Plaintext 0
Ciphertext 0
Segment #5
Input Block 00102030405060708090a0b0c0d0e0f6
Output Block 3fb76d3d1048179964597a0f64d5adad
Plaintext 1
Ciphertext 1
Segment #6
Input Block 0020406080a0c0e10121416181a1c1ed
Output Block 4c943b4bac54ab974e3e52326d29aaa1
Plaintext 0
Ciphertext 0
Segment #7
Input Block 004080c1014181c2024282c3034383da
Output Block c94da41eb3d3acf1993a512ab1e8203f
Plaintext 1
Ciphertext 0
Segment #8
Input Block 008101820283038404850586068707b4
Output Block e07f5e98778f75dbb2691c3f582c3953
Plaintext 1
Ciphertext 0
Segment #9
Input Block 0102030405060708090a0b0c0d0e0f68
Output Block 02ef5fc8961efcce8568bc0731262dc7
Plaintext 1
Ciphertext 1
Segment #10
Input Block 020406080a0c0e10121416181a1c1ed1
Output Block 9f5a30367065efbe914b53698c8716b7
Plaintext 1
Ciphertext 0
Segment #11
Input Block 04080c1014181c2024282c3034383da2
Output Block d018cfb81d0580edbff955ed74d382db
Plaintext 0
Ciphertext 1
Segment #12
Input Block 08101820283038404850586068707b45
Output Block 81272ab351e08e0b695b94b8164d86f4
Plaintext 0
Ciphertext 1
Segment #13
Input Block 102030405060708090a0b0c0d0e0f68b
Output Block 094d33f856483d3fa01ba94f7e5ab3e7
Plaintext 0
Ciphertext 0
Segment #14
Input Block 20406080a0c0e10121416181a1c1ed16
Output Block 609900ad61923c8c102cd8d0d7947a2c
Plaintext 0
Ciphertext 0
Segment #15
Input Block 4080c1014181c2024282c3034383da2c
Output Block 9e5a154de966ab4db9c88b22a398134e
Plaintext 0
Ciphertext 1
Segment #16
Input Block 8101820283038404850586068707b459
Output Block 7fe16252b338bc4de3725c4156dfed20
Plaintext 1
Ciphertext 1
F.3.2 CFB1-AES128.Decrypt
Key 2b7e151628aed2a6abf7158809cf4f3c
IV 000102030405060708090a0b0c0d0e0f
Segment #1
Input Block 000102030405060708090a0b0c0d0e0f
Output Block 50fe67cc996d32b6da0937e99bafec60
Ciphertext 0
Plaintext 0
Segment #2
Input Block 00020406080a0c0e10121416181a1c1e
Output Block 19cf576c7596e702f298b35666955c79
Ciphertext 1
Plaintext 1
Segment #3
Input Block 0004080c1014181c2024282c3034383d
Output Block 59e17759acd02b801fa321ea059e331f
Ciphertext 1
Plaintext 1
Segment #4
Input Block 0008101820283038404850586068707b
Output Block 71f415b0cc109e8b0faa14ab740c22f4
Ciphertext 0
Plaintext 0
Segment #5
Input Block 00102030405060708090a0b0c0d0e0f6
Output Block 3fb76d3d1048179964597a0f64d5adad
Ciphertext 1
Plaintext 1
Segment #6
Input Block 0020406080a0c0e10121416181a1c1ed
Output Block 4c943b4bac54ab974e3e52326d29aaa1
Ciphertext 0
Plaintext 0
Segment #7
Input Block 004080c1014181c2024282c3034383da
Output Block c94da41eb3d3acf1993a512ab1e8203f
Ciphertext 0
Plaintext 1
Segment #8
Input Block 008101820283038404850586068707b4
Output Block e07f5e98778f75dbb2691c3f582c3953
Ciphertext 0
Plaintext 1
Segment #9
Input Block 0102030405060708090a0b0c0d0e0f68
Output Block 02ef5fc8961efcce8568bc0731262dc7
Ciphertext 1
Plaintext 1
Segment #10
Input Block 020406080a0c0e10121416181a1c1ed1
Output Block 9f5a30367065efbe914b53698c8716b7
Ciphertext 0
Plaintext 1
Segment #11
Input Block 04080c1014181c2024282c3034383da2
Output Block d018cfb81d0580edbff955ed74d382db
Ciphertext 1
Plaintext 0
Segment #12
Input Block 08101820283038404850586068707b45
Output Block 81272ab351e08e0b695b94b8164d86f4
Ciphertext 1
Plaintext 0
Segment #13
Input Block 102030405060708090a0b0c0d0e0f68b
Output Block 094d33f856483d3fa01ba94f7e5ab3e7
Ciphertext 0
Plaintext 0
Segment #14
Input Block 20406080a0c0e10121416181a1c1ed16
Output Block 609900ad61923c8c102cd8d0d7947a2c
Ciphertext 0
Plaintext 0
Segment #15
Input Block 4080c1014181c2024282c3034383da2c
Output Block 9e5a154de966ab4db9c88b22a398134e
Ciphertext 1
Plaintext 0
Segment #16
Input Block 8101820283038404850586068707b459
Output Block 7fe16252b338bc4de3725c4156dfed20
Ciphertext 1
Plaintext 1
F.3.3 CFB1-AES192.Encrypt
Key 8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b
IV 000102030405060708090a0b0c0d0e0f
Segment #1
Input Block 000102030405060708090a0b0c0d0e0f
Output Block a609b38df3b1133dddff2718ba09565e
Plaintext 0
Ciphertext 1
Segment #2
Input Block 00020406080a0c0e10121416181a1c1f
Output Block a0e2bee6eb1734379bd4908be6a991a0
Plaintext 1
Ciphertext 0
Segment #3
Input Block 0004080c1014181c2024282c3034383e
Output Block b1a1766bedec7ee3ba9cd3f34fbed4c6
Plaintext 1
Ciphertext 0
Segment #4
Input Block 0008101820283038404850586068707c
Output Block b294ae5f393ae0179e6d3d8c45a7a4b9
Plaintext 0
Ciphertext 1
Segment #5
Input Block 00102030405060708090a0b0c0d0e0f9
Output Block f0f703ff5d0634aa8aee7f1e26aafca3
Plaintext 1
Ciphertext 0
Segment #6
Input Block 0020406080a0c0e10121416181a1c1f2
Output Block 4d67df426abdb8c89e7de9fb3069d8be
Plaintext 0
Ciphertext 0
Segment #7
Input Block 004080c1014181c2024282c3034383e4
Output Block 30bc892338dfa10664118b9f4ba348d2
Plaintext 1
Ciphertext 1
Segment #8
Input Block 008101820283038404850586068707c9
Output Block 763ad8c63ed78d66452bb44c8bb7a8c8
Plaintext 1
Ciphertext 1
Segment #9
Input Block 0102030405060708090a0b0c0d0e0f93
Output Block bfc36f5cfbc1306859b48f8fa62a43df
Plaintext 1
Ciphertext 0
Segment #10
Input Block 020406080a0c0e10121416181a1c1f26
Output Block 16e27adac112a0bf6a69c95cbdf584a3
Plaintext 1
Ciphertext 1
Segment #11
Input Block 04080c1014181c2024282c3034383e4d
Output Block 1e9d21c3da3de9186251160045756ce0
Plaintext 0
Ciphertext 0
Segment #12
Input Block 08101820283038404850586068707c9a
Output Block b836e0f661b51d8bd38c448e0e5a11bb
Plaintext 0
Ciphertext 1
Segment #13
Input Block 102030405060708090a0b0c0d0e0f935
Output Block c5efcdd09dbb92d1faada8f6c9bab052
Plaintext 0
Ciphertext 1
Segment #14
Input Block 20406080a0c0e10121416181a1c1f26b
Output Block 7c99710018d88e40bd4ac8f1b2bf4dbb
Plaintext 0
Ciphertext 0
Segment #15
Input Block 4080c1014181c2024282c3034383e4d6
Output Block 173bcd8b4dad60ae6646813fdcb81f5b
Plaintext 0
Ciphertext 0
Segment #16
Input Block 8101820283038404850586068707c9ac
Output Block 09844c6d2272d148d5af1c7bf01bb439
Plaintext 1
Ciphertext 1
F.3.4 CFB1-AES192.Decrypt
Key 8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b
IV 000102030405060708090a0b0c0d0e0f
Segment #1
Input Block 000102030405060708090a0b0c0d0e0f
Output Block a609b38df3b1133dddff2718ba09565e
Ciphertext 1
Plaintext 0
Segment #2
Input Block 00020406080a0c0e10121416181a1c1f
Output Block a0e2bee6eb1734379bd4908be6a991a0
Ciphertext 0
Plaintext 1
Segment #3
Input Block 0004080c1014181c2024282c3034383e
Output Block b1a1766bedec7ee3ba9cd3f34fbed4c6
Ciphertext 0
Plaintext 1
Segment #4
Input Block 0008101820283038404850586068707c
Output Block b294ae5f393ae0179e6d3d8c45a7a4b9
Ciphertext 1
Plaintext 0
Segment #5
Input Block 00102030405060708090a0b0c0d0e0f9
Output Block f0f703ff5d0634aa8aee7f1e26aafca3
Ciphertext 0
Plaintext 1
Segment #6
Input Block 0020406080a0c0e10121416181a1c1f2
Output Block 4d67df426abdb8c89e7de9fb3069d8be
Ciphertext 0
Plaintext 0
Segment #7
Input Block 004080c1014181c2024282c3034383e4
Output Block 30bc892338dfa10664118b9f4ba348d2
Ciphertext 1
Plaintext 1
Segment #8
Input Block 008101820283038404850586068707c9
Output Block 763ad8c63ed78d66452bb44c8bb7a8c8
Ciphertext 1
Plaintext 1
Segment #9
Input Block 0102030405060708090a0b0c0d0e0f93
Output Block bfc36f5cfbc1306859b48f8fa62a43df
Ciphertext 0
Plaintext 1
Segment #10
Input Block 020406080a0c0e10121416181a1c1f26
Output Block 16e27adac112a0bf6a69c95cbdf584a3
Ciphertext 1
Plaintext 1
Segment #11
Input Block 04080c1014181c2024282c3034383e4d
Output Block 1e9d21c3da3de9186251160045756ce0
Ciphertext 0
Plaintext 0
Segment #12
Input Block 08101820283038404850586068707c9a
Output Block b836e0f661b51d8bd38c448e0e5a11bb
Ciphertext 1
Plaintext 0
Segment #13
Input Block 102030405060708090a0b0c0d0e0f935
Output Block c5efcdd09dbb92d1faada8f6c9bab052
Ciphertext 1
Plaintext 0
Segment #14
Input Block 20406080a0c0e10121416181a1c1f26b
Output Block 7c99710018d88e40bd4ac8f1b2bf4dbb
Ciphertext 0
[The remainder of F.3.4 (Segment #14 plaintext, Segments #15 and #16) falls on a page that is missing from this copy.]
F.3.5 CFB1-AES256.Encrypt
[The Key, IV and Segments #1 to #7, and the start of Segment #8, fall on a page that is missing from this copy; the listing resumes within Segment #8.]
Segment #8 (continued)
Output Block bb9e05db9855a9e7e3837a648dd4c3b0
Plaintext 1
Ciphertext 0
Segment #9
Input Block 0102030405060708090a0b0c0d0e0f90
Output Block a413c5714f70287dfcd943004bf7ac8e
Plaintext 1
Ciphertext 0
Segment #10
Input Block 020406080a0c0e10121416181a1c1f20
Output Block a7310abf87610d66edf6c892a84460d5
Plaintext 1
Ciphertext 0
Segment #11
Input Block 04080c1014181c2024282c3034383e40
Output Block 8aec6712d89bd147c83b51d787b11399
Plaintext 0
Ciphertext 1
Segment #12
Input Block 08101820283038404850586068707c81
Output Block 2ff05b620f68134f4ba92deffbfc93b2
Plaintext 0
Ciphertext 0
Segment #13
Input Block 102030405060708090a0b0c0d0e0f902
Output Block 819208afd5284316065a76bead028ad3
Plaintext 0
Ciphertext 1
Segment #14
Input Block 20406080a0c0e10121416181a1c1f205
Output Block 1914ed64b2115167ce2ca4c813da5245
Plaintext 0
Ciphertext 0
Segment #15
Input Block 4080c1014181c2024282c3034383e40a
Output Block 638abae8724a954ae9e1e2e119deb6e1
Plaintext 0
Ciphertext 0
Segment #16
Input Block 8101820283038404850586068707c814
Output Block 2b4f488a3f958c52a3f1db2da938360e
Plaintext 1
Ciphertext 1
F.3.6 CFB1-AES256.Decrypt
Key 603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4
IV 000102030405060708090a0b0c0d0e0f
Segment #1
Input Block 000102030405060708090a0b0c0d0e0f
Output Block b7bf3a5df43989dd97f0fa97ebce2f4a
Ciphertext 1
Plaintext 0
Segment #2
Input Block 00020406080a0c0e10121416181a1c1f
Output Block ee93d380e0f01117fffd78017599514a
Ciphertext 0
Plaintext 1
Segment #3
Input Block 0004080c1014181c2024282c3034383e
Output Block 857749898b3602aad91e699911de89b0
Ciphertext 0
Plaintext 1
Segment #4
Input Block 0008101820283038404850586068707c
Output Block dce81c80810e2ba343a6bb402716b7a8
Ciphertext 1
Plaintext 0
Segment #5
Input Block 00102030405060708090a0b0c0d0e0f9
Output Block e5517bfcdccea00501350a601f754823
Ciphertext 0
Plaintext 1
Segment #6
Input Block 0020406080a0c0e10121416181a1c1f2
Output Block 15799c7f4081a78cc41f29955349c5a0
Ciphertext 0
Plaintext 0
Segment #7
Input Block 004080c1014181c2024282c3034383e4
Output Block 84d246bdb391f6a7979ff5ccb8467262
Ciphertext 0
Plaintext 1
Segment #8
Input Block 008101820283038404850586068707c8
Output Block bb9e05db9855a9e7e3837a648dd4c3b0
Ciphertext 0
Plaintext 1
Segment #9
Input Block 0102030405060708090a0b0c0d0e0f90
Output Block a413c5714f70287dfcd943004bf7ac8e
Ciphertext 0
Plaintext 1
Segment #10
Input Block 020406080a0c0e10121416181a1c1f20
Output Block a7310abf87610d66edf6c892a84460d5
Ciphertext 0
Plaintext 1
Segment #11
Input Block 04080c1014181c2024282c3034383e40
Output Block 8aec6712d89bd147c83b51d787b11399
Ciphertext 1
Plaintext 0
Segment #12
Input Block 08101820283038404850586068707c81
Output Block 2ff05b620f68134f4ba92deffbfc93b2
Ciphertext 0
Plaintext 0
Segment #13
Input Block 102030405060708090a0b0c0d0e0f902
Output Block 819208afd5284316065a76bead028ad3
Ciphertext 1
Plaintext 0
Segment #14
Input Block 20406080a0c0e10121416181a1c1f205
Output Block 1914ed64b2115167ce2ca4c813da5245
Ciphertext 0
Plaintext 0
Segment #15
Input Block 4080c1014181c2024282c3034383e40a
Output Block 638abae8724a954ae9e1e2e119deb6e1
Ciphertext 0
Plaintext 0
Segment #16
Input Block 8101820283038404850586068707c814
Output Block 2b4f488a3f958c52a3f1db2da938360e
Ciphertext 1
Plaintext 1
F.3.7 CFB8-AES128.Encrypt
Key 2b7e151628aed2a6abf7158809cf4f3c
IV 000102030405060708090a0b0c0d0e0f
Segment #1
Input Block 000102030405060708090a0b0c0d0e0f
Output Block 50fe67cc996d32b6da0937e99bafec60
Plaintext 6b
Ciphertext 3b
Segment #2
Input Block 0102030405060708090a0b0c0d0e0f3b
Output Block b8eb865a2b026381abb1d6560ed20f68
Plaintext c1
Ciphertext 79
Segment #3
Input Block 02030405060708090a0b0c0d0e0f3b79
Output Block fce6033b4edce64cbaed3f61ff5b927c
Plaintext be
Ciphertext 42
Segment #4
Input Block 030405060708090a0b0c0d0e0f3b7942
Output Block ae4e5e7ffe805f7a4395b180004f8ca8
Plaintext e2
Ciphertext 4c
Segment #5
Input Block 0405060708090a0b0c0d0e0f3b79424c
Output Block b205eb89445b62116f1deb988a81e6dd
Plaintext 2e
Ciphertext 9c
Segment #6
Input Block 05060708090a0b0c0d0e0f3b79424c9c
Output Block 4d21d456a5e239064fff4be0c0f85488
Plaintext 40
Ciphertext 0d
Segment #7
Input Block 060708090a0b0c0d0e0f3b79424c9c0d
Output Block 4b2f5c3895b9efdc85ee0c5178c7fd33
Plaintext 9f
Ciphertext d4
Segment #8
Input Block 0708090a0b0c0d0e0f3b79424c9c0dd4
Output Block a0976d856da260a34104d1a80953db4c
Plaintext 96
Ciphertext 36
Segment #9
Input Block 08090a0b0c0d0e0f3b79424c9c0dd436
Output Block 53674e5890a2c71b0f6a27a094e5808c
Plaintext e9
Ciphertext ba
Segment #10
Input Block 090a0b0c0d0e0f3b79424c9c0dd436ba
Output Block f34cd32ffed495f8bc8adba194eccb7a
Plaintext 3d
Ciphertext ce
Segment #11
Input Block 0a0b0c0d0e0f3b79424c9c0dd436bace
Output Block e08cf2407d7ed676c9049586f1d48ba6
Plaintext 7e
Ciphertext 9e
Segment #12
Input Block 0b0c0d0e0f3b79424c9c0dd436bace9e
Output Block 1f5c88a19b6ca28e99c9aeb8982a6dd8
Plaintext 11
Ciphertext 0e
Segment #13
Input Block 0c0d0e0f3b79424c9c0dd436bace9e0e
Output Block a70e63df781cf395a208bd2365c8779b
Plaintext 73
Ciphertext d4
Segment #14
Input Block 0d0e0f3b79424c9c0dd436bace9e0ed4
Output Block cbcfe8b3bcf9ac202ce18420013319ab
Plaintext 93
Ciphertext 58
Segment #15
Input Block 0e0f3b79424c9c0dd436bace9e0ed458
Output Block 7d9fac6604b3c8c5b1f8c5a00956cf56
Plaintext 17
Ciphertext 6a
Segment #16
Input Block 0f3b79424c9c0dd436bace9e0ed4586a
Output Block 65c3fa64bf0343986825c636f4a1efd2
Plaintext 2a
Ciphertext 4f
Segment #17
Input Block 3b79424c9c0dd436bace9e0ed4586a4f
Output Block 9cff5e5ff4f554d56c924b9d6a6de21d
Plaintext ae
Ciphertext 32
Segment #18
Input Block 79424c9c0dd436bace9e0ed4586a4f32
Output Block 946c3dc1584cc18400ecd8c6052c44b1
Plaintext 2d
Ciphertext b9
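The vectors in F.2 and F.3 are only useful if one can recompute them. The block below is an added example, not code from this Recommendation or from NIST: a from-scratch AES forward cipher (FIPS 197) in pure Python, with CBC encryption and s-bit CFB built on it exactly as the mode equations of sections 6.2 and 6.3 describe. It generalises the CFB1 and CFB8 listings above to any segment size 1 <= s <= 128, and it makes visible what the decrypt tables show: CFB decryption invokes only the forward cipher and merely changes which segment is fed back, whereas CBC decryption needs the inverse cipher, which this example deliberately omits. Function names (aes_encrypt_block, cbc_encrypt, cfb) are the example's own. It is table-driven and not constant-time, so it is a tool for understanding and checking vectors, not for protecting data.

```python
# Added example (not NIST's code): AES forward cipher plus the CBC and
# s-bit CFB equations of SP 800-38A, in pure Python with no dependencies.
# Not constant-time: use to understand and verify vectors, not to protect data.

def _xtime(a):
    """Multiply by x in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (0x11b)."""
    a <<= 1
    return a ^ 0x11B if a & 0x100 else a

def _gmul(a, b):
    """Peasant multiplication in GF(2^8)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = _xtime(a), b >> 1
    return r

def _sbox_entry(a):
    """S-box: affine transform of a^254 (the inverse; 0^254 = 0 covers a = 0)."""
    inv, base, e = 1, a, 254
    while e:
        if e & 1:
            inv = _gmul(inv, base)
        base, e = _gmul(base, base), e >> 1
    s = 0x63
    for i in range(5):                         # x ^ rotl1 ^ rotl2 ^ rotl3 ^ rotl4
        s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
    return s

SBOX = [_sbox_entry(a) for a in range(256)]

def _expand_key(key):
    """FIPS 197 key schedule; returns Nr+1 round keys of 16 bytes each."""
    nk = len(key) // 4                         # 4, 6 or 8 words
    nr = nk + 6                                # 10, 12 or 14 rounds
    w = [list(key[4 * i:4 * i + 4]) for i in range(nk)]
    rcon = 1
    for i in range(nk, 4 * (nr + 1)):
        t = list(w[i - 1])
        if i % nk == 0:                        # RotWord, SubWord, xor Rcon
            t = [SBOX[t[1]] ^ rcon, SBOX[t[2]], SBOX[t[3]], SBOX[t[0]]]
            rcon = _xtime(rcon)
        elif nk > 6 and i % nk == 4:           # extra SubWord for AES-256
            t = [SBOX[b] for b in t]
        w.append([w[i - nk][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(nr + 1)]

def _mix_column(a):
    t = a[0] ^ a[1] ^ a[2] ^ a[3]
    return [a[i] ^ t ^ _xtime(a[i] ^ a[(i + 1) % 4]) for i in range(4)]

def aes_encrypt_block(key, block):
    """Forward cipher CIPH_K. State byte i sits at row i % 4, column i // 4."""
    rk = _expand_key(key)
    s = [b ^ k for b, k in zip(block, rk[0])]
    for rnd in range(1, len(rk)):
        s = [SBOX[b] for b in s]                                # SubBytes
        s = [s[(i + 4 * (i % 4)) % 16] for i in range(16)]      # ShiftRows
        if rnd != len(rk) - 1:                                  # MixColumns
            s = sum((_mix_column(s[4 * c:4 * c + 4]) for c in range(4)), [])
        s = [b ^ k for b, k in zip(s, rk[rnd])]                 # AddRoundKey
    return bytes(s)

def cbc_encrypt(key, iv, plaintext):
    """CBC (section 6.2): C_j = CIPH_K(P_j xor C_{j-1}), with C_0 = IV."""
    assert len(plaintext) % 16 == 0, "CBC takes whole blocks; pad first"
    out, prev = bytearray(), iv
    for j in range(0, len(plaintext), 16):
        prev = aes_encrypt_block(key, bytes(p ^ c for p, c in zip(plaintext[j:j + 16], prev)))
        out += prev
    return bytes(out)

def cfb(key, iv, data, s, decrypt=False):
    """CFB with s-bit segments (section 6.3), 1 <= s <= 128:
    I_1 = IV; O_j = CIPH_K(I_j); C_j = P_j xor MSB_s(O_j);
    I_{j+1} = LSB_{128-s}(I_j) | C_j.  Decryption runs the same forward
    cipher and simply feeds the ciphertext segment back instead."""
    nbits = len(data) * 8
    assert nbits % s == 0, "input must be a whole number of segments"
    din, reg, out = int.from_bytes(data, "big"), int.from_bytes(iv, "big"), 0
    for j in range(nbits // s):
        o = aes_encrypt_block(key, reg.to_bytes(16, "big"))
        keystream = int.from_bytes(o, "big") >> (128 - s)      # MSB_s(O_j)
        inseg = (din >> (nbits - s * (j + 1))) & ((1 << s) - 1)
        outseg = inseg ^ keystream
        fb = inseg if decrypt else outseg                       # the ciphertext segment
        reg = ((reg << s) | fb) & ((1 << 128) - 1)              # shift it into I_{j+1}
        out = (out << s) | outseg
    return out.to_bytes(len(data), "big")

if __name__ == "__main__":
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
    iv = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
    print("CFB1-AES128 of 6bc1:", cfb(key, iv, bytes.fromhex("6bc1"), 1).hex())   # 68b3
    print("CBC-AES128 block 1 :", cbc_encrypt(key, iv, bytes.fromhex("6bc1bee22e409f96e93d7e117393172a")).hex())
```

Reading the CFB1 listing against the loop: the 16 one-bit ciphertexts of F.3.1 are 0110 1000 1011 0011, i.e. 68b3, and the low bytes of the Input Block in Segment #9 (...0f68) are exactly the first eight of those bits shifted into the register. The same function with s = 8 reproduces the 18 segments of F.3.7, and with decrypt=True it inverts them without any inverse cipher. Neither mode authenticates anything: a verified vector says the arithmetic is right, not that the construction is safe against an attacker who can modify ciphertext.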
F.3.8 CFB8-AES128.Decrypt
Key 2b7e151628aed2a6abf7158809cf4f3c
IV 000102030405060708090a0b0c0d0e0f
Segment #1
Input Block 000102030405060708090a0b0c0d0e0f
Output Block 50fe67cc996d32b6da0937e99bafec60
Ciphertext 3b
Plaintext 6b
Segment #2
Input Block 0102030405060708090a0b0c0d0e0f3b
Output Block b8eb865a2b026381abb1d6560ed20f68
Ciphertext 79
Plaintext c1
Segment #3
Input Block 02030405060708090a0b0c0d0e0f3b79
Output Block fce6033b4edce64cbaed3f61ff5b927c
Ciphertext 42
Plaintext be
Segment #4
Input Block 030405060708090a0b0c0d0e0f3b7942
Output Block ae4e5e7ffe805f7a4395b180004f8ca8
Ciphertext 4c
Plaintext e2
Segment #5
Input Block 0405060708090a0b0c0d0e0f3b79424c
Output Block b205eb89445b62116f1deb988a81e6dd
Ciphertext 9c
Plaintext 2e
Segment #6
Input Block 05060708090a0b0c0d0e0f3b79424c9c
Output Block 4d21d456a5e239064fff4be0c0f85488
Ciphertext 0d
Plaintext 40
Segment #7
Input Block 060708090a0b0c0d0e0f3b79424c9c0d
Output Block