In May 2021, NIST initiated a review process for several publications, including the Special Publication (SP) 800-38A, Recommendation for Block Cipher Modes of Operation: Methods and Techniques and its addendum, Three Variants of Ciphertext Stealing for CBC Mode.

In response to the public comments received, NIST proposes to revise SP 800-38A to:

1. change the technical content as described below, and
2. convert (i.e., merge) SP 800-38A Addendum into the revised SP 800-38A.

Public comments on this proposal may be submitted to cryptopubreviewboard@nist.gov by April 25, 2022. Please use “Comments on SP 800-38A Decision Proposal” in the Subject.

More information about the review process is available at NIST's Crypto Publication Review Project.

Rationale for the Revision of SP 800-38A

SP 800-38A specifies five confidentiality modes of operation for block ciphers: Electronic Codebook (ECB), Cipher Block Chaining (CBC), Cipher Feedback (CFB), Output Feedback (OFB), and Counter (CTR).

The ECB mode encrypts plaintext blocks independently, without randomization; therefore, the inspection of any two ciphertext blocks reveals whether or not the corresponding plaintext blocks are equal. In the NIST National Vulnerability Database (NVD), the use of ECB to encrypt confidential information constitutes a severe security vulnerability; for example, see CVE-2020-11500. In the revision, NIST proposes to limit the approval of ECB to instances that are specifically allowed by other NIST standards or guidance.

In contrast to the ECB mode, the CBC, CFB, OFB, and CTR modes use an Initialization Vector (IV) or a unique sequence of counter blocks to randomize the ciphertext. However, incorrectly generated IVs or counter blocks are a source of practical vulnerabilities, such as the BEAST attack on SSL/TLS (CVE-2011-3389). To address such vulnerabilities, NIST plans to clarify the requirements for generating IVs and counter blocks in the revision of SP 800-38A.

The CBC, CFB, OFB, and CTR modes are malleable, meaning that it is possible to introduce changes into the ciphertext that lead to predictable changes in the plaintext. This property may constitute a significant vulnerability; for example, Fujita et al. recently showed how to modify CBC-encrypted binary files so that the decryption allows arbitrary code execution. One way to mitigate the malleability of the CBC, CFB, OFB, and CTR modes is to introduce a Message Authentication Code (MAC) to ensure the integrity of plaintexts and ciphertexts.

Even when a MAC is used, the application may have a security vulnerability. A series of practical attacks have appeared, starting with Vaudenay’s padding oracle attack on SSL/TLS. Eventually, this led to recommendations to use authenticated encryption modes in protocols. For example, confidentiality-only modes of operation are not included in the latest version of TLS. In the revision of SP 800-38A, NIST plans to develop guidance about the incorporation of authentication into confidentiality applications, while considering exceptions for widely used protocols if countermeasures exist to mitigate vulnerabilities.