3

From what I understand, in a stream cipher (or AES CTR mode) the key is actually being encrypted using the IV (or in general, from key K we produce pseudo-random bytes). Then, we use this key to encrypt the plaintext using XOR.

But from what I understand, assuming that the same key K is being used, a change of one bit in the plaintext changes only 1 bit of the ciphertext.

Am I right, or did I get it totally wrong?

And if I am right, isn't it less secure than CBC? (Because in CBC a change of one bit in the plaintext changes all the bits in the ciphertext from the point of the change and on.)

Thanks !!!

TCS

4 Answers

4

You are correct, that is why there are modes that incorporate both CTR mode and data authentication, commonly referred to as AEAD modes, for example CCM and GCM modes.

President James K. Polk
3

Apparently, the CTR mode violates Shannon's diffusion principle, since changing a bit in the plaintext only changes a bit in the output. However this is only part of the story. In fact, you also have to change the IV for each message. Therefore many bits will change in the following message even if you change only a single bit in the plaintext or even if the message remains the same.

On the other hand, if you are concerned with malicious modification of messages, neither CTR nor CBC is safe against those attacks and, as @GregS said, you should use authenticated encryption modes such as CCM, GCM, or EAX.

  • CTR mode just implements a stream cipher using a block cipher. – President James K. Polk Nov 26 '10 at 21:44
  • @GregS No, that's OFB (Output Feedback) mode. – Nick Johnson Nov 27 '10 at 07:59
  • 2
    Or rather, yes, CTR mode allows you to use a block cipher like a stream cipher, but that's not all it does, since it also allows random access. – Nick Johnson Nov 27 '10 at 07:59
  • Also CFB is a stream cipher mode (a self-synchronizing one). OFB, CFB and CTR are the 3 most popular ways of running a stream cipher using a block cipher. They have different trade-offs. CTR seems to be the most popular nowadays, among other things due to the random access property. – Henno Brandsma Feb 06 '11 at 10:05
3

This is exactly why you must never repeat a portion of the keystream when using CTR mode, just as with a stream cipher. The counter used on the encrypting side must only ever go forward, until the key is changed.

caf
1

Yes, you are right. Except that it is not the key that is being encrypted; the IV (counter) is encrypted using the key. This approach allows random access to the encrypted stream (since the counter is known for each portion of data).

Nickolay Olshevsky
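Added example, not part of any answer above: a counter-mode construction showing the one-bit behaviour from the question, the effect of a fresh nonce, and tamper detection once a tag is verified before decryption. Assumptions: HMAC-SHA256 stands in for the AES block function so the code runs with the standard library only, a generic encrypt-then-MAC composition stands in for CCM/GCM/EAX, and all keys, nonces and messages are constructed sample values.

```python
import hashlib
import hmac

def keystream(key, nonce, length):
    """CTR construction: block i = F(key, nonce || i). F is HMAC-SHA256, a stand-in for AES."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def ctr_xor(key, nonce, data):
    """Encrypt or decrypt by XORing the data with the keystream."""
    return bytes(d ^ k for d, k in zip(data, keystream(key, nonce, len(data))))

def bit_diff(a, b):
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def seal(enc_key, mac_key, nonce, plaintext):
    """Encrypt-then-MAC: the tag covers the nonce and the ciphertext."""
    ct = ctr_xor(enc_key, nonce, plaintext)
    return ct, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def unseal(enc_key, mac_key, nonce, ct, tag):
    """Verify the tag in constant time before any decryption happens."""
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return ctr_xor(enc_key, nonce, ct)

# Constructed sample values (not from the original page).
ENC_KEY, MAC_KEY = b"e" * 32, b"m" * 32
NONCE_1, NONCE_2 = b"\x00" * 8, b"\x00" * 7 + b"\x01"
P1, P2 = b"message number 0", b"message number 1"  # differ in exactly one bit

def demo():
    c1 = ctr_xor(ENC_KEY, NONCE_1, P1)
    # Same key and nonce: the keystream repeats, so c1 XOR c2 == P1 XOR P2.
    same_nonce = bit_diff(c1, ctr_xor(ENC_KEY, NONCE_1, P2))
    # Fresh nonce: a different keystream, even for the identical plaintext.
    fresh_nonce = bit_diff(c1, ctr_xor(ENC_KEY, NONCE_2, P1))
    ct, tag = seal(ENC_KEY, MAC_KEY, NONCE_1, P1)
    tampered = bytes([ct[0] ^ 0x01]) + ct[1:]
    # Without a tag check, the flipped ciphertext bit lands in the plaintext.
    plain_flip = bit_diff(P1, ctr_xor(ENC_KEY, NONCE_1, tampered))
    try:
        unseal(ENC_KEY, MAC_KEY, NONCE_1, tampered, tag)
        detected = False
    except ValueError:
        detected = True
    return same_nonce, fresh_nonce, plain_flip, detected

if __name__ == "__main__": print(demo())
```

`demo()` returns the bit differences for the same-nonce and fresh-nonce cases, the plaintext bit difference after an unchecked ciphertext change, and whether the tag check rejected the modified ciphertext.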