OUTPUT FEEDBACK MODE
The output feedback (OFB) mode is similar in structure to that of CFB. As can be seen in Figure 6.6, it is the output of the encryption function that is fed back to the shift register in OFB, whereas in CFB, the ciphertext unit is fed back to the shift register. The other difference is that the OFB mode operates on full blocks of plaintext and ciphertext, not on an s-bit subset. Encryption can be expressed as
$$C_j = P_j \oplus E(K, [C_{j-1} \oplus P_{j-1}])$$
By rearranging terms, we can demonstrate that decryption works.
$$P_j = C_j \oplus E(K, [C_{j-1} \oplus P_{j-1}])$$
Let the size of a block be b. If the last block of plaintext contains u bits (indicated by *), with u < b, the most significant u bits of the last output block $O_N$ are used for the XOR operation; the remaining b - u bits of the last output block are discarded.
As with CBC and CFB, the OFB mode requires an initialization vector. In the case of OFB, the IV must be a nonce; that is, the IV must be unique to each execution of the encryption operation. The reason for this is that the sequence of encryption output blocks, $O_i$, depends only on the key and the IV and does not depend on the plaintext. Therefore, for a given key and IV, the stream of output bits used to XOR with the stream of plaintext bits is fixed. If two different messages had an identical block of plaintext in the identical position, then an attacker would be able to determine that portion of the $O_i$ stream.
One advantage of the OFB method is that bit errors in transmission do not propagate. For example, if a bit error occurs in $C_1$, only the recovered value of $P_1$ is affected; subsequent plaintext units are not corrupted. With CFB, $C_1$ also serves as input to the shift register and therefore causes additional corruption downstream. The disadvantage of OFB is that it is more vulnerable to a message stream modification attack than is CFB. Consider that complementing a bit in the ciphertext complements the corresponding bit in the recovered plaintext. Thus, controlled changes to the recovered plaintext can be made. This may make it possible for an opponent, by making the necessary changes to the checksum portion of the message as well as to the data portion, to alter the ciphertext in such a way that it is not detected by an error-correcting code. For a further discussion, see [VOYD83].
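The nonce requirement and the bit-complement property described above can be checked directly. This is an added example, not part of the original text: it uses truncated HMAC-SHA256 as a stand-in for E(K, .) (an assumption, since OFB only needs the forward direction), and the key, IVs and messages are constructed sample values.

```python
import hashlib
import hmac

BLOCK = 16  # block size b = 128 bits, in bytes

def E(key: bytes, block: bytes) -> bytes:
    """Stand-in for E(K, .): truncated HMAC-SHA256 (assumption, not a real block cipher).
    OFB only uses the forward direction, so a keyed PRF is enough for the demo."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def keystream(key: bytes, iv: bytes, n: int) -> bytes:
    """O_1 = E(K, IV), O_j = E(K, O_{j-1}); depends only on key and IV."""
    if len(iv) != BLOCK:
        raise ValueError("IV must be exactly one block")
    out, o = b"", iv
    while len(out) < n:
        o = E(key, o)
        out += o
    return out[:n]  # short last block: keep leading u bits, discard b - u

def ofb(key: bytes, iv: bytes, data: bytes) -> bytes:
    """C_j = P_j xor O_j; decryption is the same call on the ciphertext."""
    return xor(data, keystream(key, iv, len(data)))

def recover_under_reused_iv(known_pt: bytes, known_ct: bytes, other_ct: bytes) -> bytes:
    """If key and IV repeat, known P xor C yields O_i, which opens other_ct."""
    return xor(other_ct, xor(known_pt, known_ct))

def flip(ct: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Complementing ciphertext bits complements the same recovered plaintext bits."""
    delta = xor(old, new)
    end = offset + len(delta)
    return ct[:offset] + xor(ct[offset:end], delta) + ct[end:]

# Constructed sample values
KEY = b"constructed key!"
IV_A, IV_B = bytes(BLOCK), b"\x01" + bytes(BLOCK - 1)
M1 = b"PAY 0100 USD TO ACCOUNT 12345678 NOW"  # 36 bytes: last block has u = 32 bits
M2 = b"quarterly figures, draft"

if __name__ == "__main__":
    c1, c2 = ofb(KEY, IV_A, M1), ofb(KEY, IV_A, M2)            # IV reused: wrong
    print(recover_under_reused_iv(M1, c1, c2))                  # M2 without the key
    print(recover_under_reused_iv(M1, c1, ofb(KEY, IV_B, M2)))  # fresh IV: noise
    print(ofb(KEY, IV_A, flip(c1, 4, b"0100", b"9100")))        # undetected edit
```

The last line is why OFB output needs a keyed integrity check (a MAC or an authenticated mode) rather than a plain checksum inside the message.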
OFB has the structure of a typical stream cipher, because the cipher generates a stream of bits as a function of an initial value and a key, and that stream of bits is XORed with the plaintext bits (see Figure 3.1). The generated stream that is XORed with the plaintext is itself independent of the plaintext; this is highlighted by dashed boxes in Figure 6.6. One distinction from the stream ciphers we discuss in Chapter 7 is that OFB encrypts plaintext a full block at a time, where typically a block is 64 or 128 bits. Many stream ciphers encrypt one byte at a time.