Security Basics mailing list archives
RE: (semi-OT): Correct definition of the DES OFB?
From: "Adrian Floarea" <adrian.floarea () uti ro>
Date: Tue, 26 Jul 2005 20:57:49 +0300
This is a complete description of OFB mode. You can find more details in the Handbook of Applied Cryptography, by A. Menezes, P. van Oorschot, and S. Vanstone, CRC Press, 1996.

(iv) OFB mode

The output feedback (OFB) mode of operation may be used for applications in which all error propagation must be avoided. It is similar to CFB, and allows encryption of various block sizes (characters), but differs in that the output of the encryption block function E (rather than the ciphertext) serves as the feedback. Two versions of OFB using an n-bit block cipher are common. The ISO version ( requires an n-bit feedback, and is more secure (Note 7.24). The earlier FIPS version (Algorithm 7.21) allows r < n bits of feedback.

7.20 Algorithm OFB mode with full feedback (per ISO 10116)

INPUT: k-bit key K; n-bit IV; r-bit plaintext blocks x_1, ..., x_u (1 ≤ r ≤ n).
SUMMARY: produce r-bit ciphertext blocks c_1, ..., c_u; decrypt to recover plaintext.
1. Encryption: I_1 ← IV. For 1 ≤ j ≤ u, given plaintext block x_j:
   (a) O_j ← E_K(I_j). (Compute the block cipher output.)
   (b) t_j ← the r leftmost bits of O_j. (Assume the leftmost is identified as bit 1.)
   (c) c_j ← x_j ⊕ t_j. (Transmit the r-bit ciphertext block c_j.)
   (d) I_{j+1} ← O_j. (Update the block cipher input for the next block.)
2. Decryption: I_1 ← IV. For 1 ≤ j ≤ u, upon receiving c_j: x_j ← c_j ⊕ t_j, where t_j, O_j, and I_j are computed as above.

7.21 Algorithm OFB mode with r-bit feedback (per FIPS 81)

INPUT: k-bit key K; n-bit IV; r-bit plaintext blocks x_1, ..., x_u (1 ≤ r ≤ n).
SUMMARY: produce r-bit ciphertext blocks c_1, ..., c_u; decrypt to recover plaintext.
As per Algorithm 7.20, but with I_{j+1} ← O_j replaced by: I_{j+1} ← 2^r · I_j + t_j mod 2^n. (Shift output t_j into right end of shift register.)

Properties of the OFB mode of operation:
1. Identical plaintexts: as per CBC and CFB modes, changing the IV results in the same plaintext being enciphered to a different output.
2. Chaining dependencies: the keystream is plaintext-independent (see Remark 7.22).
3. Error propagation: one or more bit errors in any ciphertext character c_j affects the decipherment of only that character, in the precise bit position(s) c_j is in error, causing the corresponding recovered plaintext bit(s) to be complemented.
4. Error recovery: the OFB mode recovers from ciphertext bit errors, but cannot self-synchronize after loss of ciphertext bits, which destroys alignment of the decrypting keystream (in which case explicit re-synchronization is required).
5. Throughput: for r < throughput is decreased as per the CFB mode. However, in all cases, since the keystream is independent of plaintext or ciphertext, it may be pre-computed (given the key and IV).

Regards,
Security Product Team Leader
Adrian Floarea
Information Security Department
IT&C Division, UTI Systems SA
Bucharest, Romania
Email: adrian.floarea () uti ro

-----Original Message-----
From: Clement Dupuis [mailto:cdupuis () cccure org]
Sent: Sunday, July 24, 2005 8:22 PM
To: security-basics () securityfocus com
Subject: RE: (semi-OT): Correct definition of the DES OFB?

Good day,

The best reference for any of the DES Modes of operation is FIPS81 at: http://www.columbia.edu/~ariel/ssleay/fip81/fip81.html

You cannot go wrong and it is well explained with illustrations.

If you wish to get more details and targeted responses, you could post your questions to a CISSP-specific mailing list such as the CISSPStudy mailing list at www.cccure.org

Visit http://cccure.org/mailman/listinfo/cisspstudy_cccure.org to subscribe.

Take care
Clement

Clément Dupuis, CD
President/Security Evangelist/Chief Learning Officer (CLO)
CCCure Enterprise Security & Training Inc.
CISSP, GCFW, GCIA, Security+, CEH, CCSA, MBNS, MBIS, MBHS, CCSE, ACE
Maintainer of:
The CISSP and SSCP Open Study Guides Web Site http://www.cccure.org
The Professional Security Testers Warehouse http://www.professionalsecuritytesters.org

-----Original Message-----
From: Saqib Ali [mailto:docbook.xml () gmail com]
Sent: Sunday, July 24, 2005 9:37 AM
To: webappsec () securityfocus com; security-basics () securityfocus com
Subject: (semi-OT): Correct definition of the DES OFB?

Hello All,

I was reading the CISSP Exam Guide by Shon Harris (2nd Edition). She gives the following definition for DES in the OFB (Output Feedback) Mode.

"...if DES is working in Output Feedback (OFB) Mode, it is functioning like a stream cipher by generating a stream of random binary bits to be combined with the plaintext to create ciphertext. The ciphertext is fed back to the algorithm to form a portion of the next input to encrypt the next stream of bits." (page 486)

I think the last sentence, "The ciphertext is fed back to the algorithm to form a portion of the next input to encrypt the next stream of bits", is incorrect. That is what happens in the Cipher Feedback (CFB) Mode, and NOT the OFB mode.

In OFB mode, the "random value" is fed back into the algorithm, i.e. the "Random Value" from the previous operation becomes the IV for the next operation.

Am I correct? Can anyone please validate this?

Thanks.
--
In Peace,
Saqib Ali
http://www.xml-dev.com/blog/
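
The distinction this thread settles (OFB feeds the cipher output O_j back, CFB feeds the ciphertext back), together with error-propagation property 3, as an added example that is not part of the original messages. It assumes r is a whole number of bytes and uses a truncated HMAC-SHA256 as a constructed stand-in for the DES block function E_K; the names ofb, cfb and damaged are illustrative.

```python
import hashlib
import hmac

N = 8  # block size n in bytes (64 bits, as for DES)

def E(key, block):
    # Constructed stand-in for E_K (NOT DES): HMAC-SHA256 truncated to n bits.
    # OFB and CFB only run the block function forward, so a keyed PRF is enough here.
    return hmac.new(key, block, hashlib.sha256).digest()[:N]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def ofb(key, iv, data, r=N, iso=True):
    """OFB encrypt/decrypt (same operation). r is in bytes, 1 <= r <= N."""
    reg, out = iv, []
    for i in range(0, len(data), r):
        o = E(key, reg)                      # O_j = E_K(I_j)
        t = o[:r]                            # t_j = r leftmost bytes of O_j
        out.append(xor(data[i:i + r], t))    # c_j = x_j XOR t_j
        reg = o if iso else (reg + t)[-N:]   # 7.20: I_{j+1} = O_j; 7.21: shift t_j in
    return b"".join(out)

def cfb(key, iv, data, r=N, decrypt=False):
    """CFB for contrast: the ciphertext block, not O_j, is shifted into the register."""
    reg, out = iv, []
    for i in range(0, len(data), r):
        blk = data[i:i + r]
        res = xor(blk, E(key, reg)[:r])
        reg = (reg + (blk if decrypt else res))[-N:]
        out.append(res)
    return b"".join(out)

def damaged(decrypt_fn, ct, pt):
    """Flip one ciphertext bit, decrypt, and list the plaintext byte offsets that changed."""
    bad = bytes([ct[0] ^ 0x01]) + ct[1:]
    return [i for i, (a, b) in enumerate(zip(decrypt_fn(bad), pt)) if a != b]

KEY, IV = b"constructed key", b"\x00\x01\x02\x03\x04\x05\x06\x07"  # sample values
PT = b"OFB feeds back the cipher output"   # 32 bytes = 4 blocks

if __name__ == "__main__":
    ct_ofb, ct_cfb = ofb(KEY, IV, PT), cfb(KEY, IV, PT)
    print("OFB damage:", damaged(lambda c: ofb(KEY, IV, c), ct_ofb, PT))
    print("CFB damage:", damaged(lambda c: cfb(KEY, IV, c, decrypt=True), ct_cfb, PT))
    print("keystream is plaintext-independent:",
          xor(ct_ofb, PT) == ofb(KEY, IV, bytes(len(PT))))
```

In OFB the flipped bit damages only the same position in the recovered plaintext; in CFB it also garbles the following block, because the corrupted ciphertext enters the shift register.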