In cryptography, ciphertext stealing (CTS) is a general method of using a block cipher mode of operation that allows for processing of messages that are not evenly divisible into blocks without resulting in any expansion of the ciphertext, at the cost of slightly increased complexity.

==General characteristics==

Ciphertext stealing is a technique for encrypting plaintext using a block cipher, without padding the message to a multiple of the block size, so the ciphertext is the same size as the plaintext. It does this by altering processing of the last two blocks of the message. The processing of all but the last two blocks is unchanged, but a portion of the ''second''-last block's ciphertext is "stolen" to pad the last plaintext block. The padded final block is then encrypted as usual. The final ciphertext, for the last two blocks, consists of the partial penultimate block (with the "stolen" portion omitted) plus the full final block, which are the same size as the original plaintext. Decryption requires decrypting the final block first, then restoring the stolen ciphertext to the penultimate block, which can then be decrypted as usual.

In principle any block-oriented block cipher mode of operation can be used, but stream-cipher-like modes can already be applied to messages of arbitrary length without padding, so they do not benefit from this technique. The common modes of operation that are coupled with ciphertext stealing are Electronic Codebook (ECB) and Cipher Block Chaining (CBC).

Ciphertext stealing for ECB mode requires the plaintext to be longer than one block. A possible workaround is to use a stream cipher-like block cipher mode of operation when the plaintext length is one block or less, such as the CTR, CFB or OFB modes.

Ciphertext stealing for CBC mode doesn't necessarily require the plaintext to be longer than one block. In the case where the plaintext is one block long or less, the Initialization vector (IV) can act as the prior block of ciphertext.
In this case a modified IV must be sent to the receiver. This may not be possible in situations where the IV cannot be freely chosen by the sender when the ciphertext is sent (e.g., when the IV is a derived or pre-established value), and in this case ciphertext stealing for CBC mode can only be applied to plaintexts longer than one block.

To implement CTS encryption or decryption for data of unknown length, the implementation must delay processing (and buffer) the two most recent blocks of data, so that they can be properly processed at the end of the data stream.

Excerpt source: Wikipedia, the free encyclopedia.
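The last-two-block handling described under "General characteristics", written out for ECB mode as an added example that is not part of the original article. The 16-byte Feistel cipher built from SHA-256 is a toy stand-in chosen so the code runs with the standard library only, and the output order (truncated penultimate block, then the full final block) and all names are assumptions of this example.

```python
import hashlib

BLOCK = 16  # bytes per block

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, rnd, half):
    # Round function of the toy Feistel cipher (an assumption, NOT a real cipher).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]

def encrypt_block(key, blk):
    l, r = blk[:BLOCK // 2], blk[BLOCK // 2:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r

def decrypt_block(key, blk):
    l, r = blk[:BLOCK // 2], blk[BLOCK // 2:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r

def _ecb(fn, key, data):
    return b"".join(fn(key, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))

def cts_encrypt(key, pt):
    if len(pt) <= BLOCK:
        raise ValueError("ECB-CTS needs a plaintext longer than one block")
    m = len(pt) % BLOCK or BLOCK  # size of the final (possibly partial) block
    body, pen, last = pt[:-(BLOCK + m)], pt[-(BLOCK + m):-m], pt[-m:]
    e_pen = encrypt_block(key, pen)
    head, stolen = e_pen[:m], e_pen[m:]  # tail of E(P[n-1]) is "stolen" as padding
    # Output: unchanged blocks, truncated penultimate block, full final block.
    return _ecb(encrypt_block, key, body) + head + encrypt_block(key, last + stolen)

def cts_decrypt(key, ct):
    if len(ct) <= BLOCK:
        raise ValueError("ECB-CTS needs a ciphertext longer than one block")
    m = len(ct) % BLOCK or BLOCK
    body, head, c_last = ct[:-(BLOCK + m)], ct[-(BLOCK + m):-BLOCK], ct[-BLOCK:]
    d_last = decrypt_block(key, c_last)  # final block first: P[n] || stolen tail
    last, stolen = d_last[:m], d_last[m:]
    # Restore the stolen tail to the penultimate block, then decrypt it as usual.
    return _ecb(decrypt_block, key, body) + decrypt_block(key, head + stolen) + last

KEY = b"constructed demo key"  # constructed sample values
MESSAGE = b"ciphertext stealing keeps the length unchanged"
```

When the message length is an exact multiple of the block size nothing is stolen and the output is plain ECB; inputs of one block or less are rejected, matching the ECB restriction stated above.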