RE: (semi-OT): Correct definition of the DES OFB?

From: Adrian Floarea (adrian.floarea_at_uti.ro)
Date: 07/26/05

    To: <security-basics@securityfocus.com>
    Date: Tue, 26 Jul 2005 20:57:49 +0300
    
    

    This is a complete description of OFB mode.

    More details you can find in the Handbook of Applied Cryptography, by A.
    Menezes, P. van Oorschot, and S. Vanstone, CRC Press, 1996.

    (iv) OFB mode

    The output feedback (OFB) mode of operation may be used for applications in
    which all error propagation must be avoided. It is similar to CFB, and
    allows encryption of various block sizes (characters), but differs in that
    the output of the encryption block function E (rather than the ciphertext)
    serves as the feedback.

    Two versions of OFB using an n-bit block cipher are common.
    The ISO version requires an n-bit feedback, and is more secure (Note 7.24).

    The earlier FIPS version (Algorithm 7.21) allows r < n bits of feedback.

    7.20 Algorithm OFB mode with full feedback (per ISO 10116)
    INPUT: k-bit key K; n-bit IV; r-bit plaintext blocks $x_1, \ldots, x_u$ ($1 \le r \le n$).
    SUMMARY: produce r-bit ciphertext blocks $c_1, \ldots, c_u$; decrypt to recover plaintext.
    1. Encryption: $I_1 \leftarrow IV$. For $1 \le j \le u$, given plaintext block $x_j$:
       (a) $O_j \leftarrow E_K(I_j)$. (Compute the block cipher output.)
       (b) $t_j \leftarrow$ the r leftmost bits of $O_j$. (Assume the leftmost is identified as bit 1.)
       (c) $c_j \leftarrow x_j \oplus t_j$. (Transmit the r-bit ciphertext block $c_j$.)
       (d) $I_{j+1} \leftarrow O_j$. (Update the block cipher input for the next block.)
    2. Decryption: $I_1 \leftarrow IV$. For $1 \le j \le u$, upon receiving $c_j$:
       $x_j \leftarrow c_j \oplus t_j$, where $t_j$, $O_j$, and $I_j$ are computed as above.

    7.21 Algorithm OFB mode with r-bit feedback (per FIPS 81)
    INPUT: k-bit key K; n-bit IV; r-bit plaintext blocks $x_1, \ldots, x_u$ ($1 \le r \le n$).
    SUMMARY: produce r-bit ciphertext blocks $c_1, \ldots, c_u$; decrypt to recover plaintext.
    As per Algorithm 7.20, but with "$I_{j+1} \leftarrow O_j$" replaced by:
    $I_{j+1} \leftarrow 2^r \cdot I_j + t_j \bmod 2^n$. (Shift output $t_j$ into right end of shift register.)
    Properties of the OFB mode of operation:
    1. Identical plaintexts: as per CBC and CFB modes, changing the IV results in
       the same plaintext being enciphered to a different output.
    2. Chaining dependencies: the keystream is plaintext-independent (see Remark
       7.22).
    3. Error propagation: one or more bit errors in any ciphertext character $c_j$
       affects the decipherment of only that character, in the precise bit
       position(s) $c_j$ is in error, causing the corresponding recovered
       plaintext bit(s) to be complemented.
    4. Error recovery: the OFB mode recovers from ciphertext bit errors, but
       cannot self-synchronize after loss of ciphertext bits, which destroys
       alignment of the decrypting keystream (in which case explicit
       re-synchronization is required).
    5. Throughput: for r < n, throughput is decreased as per the CFB mode.
       However, in all cases, since the keystream is independent of plaintext or
       ciphertext, it may be pre-computed (given the key and IV).

    Regards,

    Security Product Team Leader
    Adrian Floarea
    Information Security Department
    IT&C Division, UTI Systems SA
    Bucharest, Romania
    Email: adrian.floarea@uti.ro
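
Added example (not part of the original post or of the Handbook text): Algorithms 7.20 and 7.21 next to CFB, to show which value each mode feeds back and what that does to the keystream and to bit errors. Assumptions: `E` is a hash-based stand-in for the block cipher, not DES; r is counted in whole bytes; the key, IV and plaintexts are constructed sample values.

```python
import hashlib
N = 8  # block size n in bytes (64 bits, as for DES)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def E(key, block):
    # Stand-in for E_K (assumption, NOT DES); the modes only run E forward.
    return hashlib.sha256(key + block).digest()[:N]

def ofb_keystream(key, iv, chunks, r=N, fips=False):
    """Return t_1..t_chunks; r is the chunk size in bytes (1 <= r <= N)."""
    I, ts = iv, []
    for _ in range(chunks):
        O = E(key, I)          # (a) O_j <- E_K(I_j)
        t = O[:r]              # (b) t_j <- r leftmost bytes of O_j
        ts.append(t)
        # (d) Algorithm 7.20 (ISO): I_{j+1} <- O_j
        #     Algorithm 7.21 (FIPS 81): shift t_j into the right end of I_j
        I = (I + t)[-N:] if fips else O
    return b"".join(ts)

def ofb_xor(key, iv, data, r=N, fips=False):
    # (c) c_j <- x_j XOR t_j; decryption is the identical operation.
    return xor(data, ofb_keystream(key, iv, -(-len(data) // r), r, fips))

def cfb_encrypt(key, iv, data, r=N):
    # Contrast: CFB shifts the *ciphertext* c_j into the register.
    I, out = iv, b""
    for j in range(0, len(data), r):
        c = xor(data[j:j + r], E(key, I)[:r])
        out += c
        I = (I + c)[-N:]
    return out

# Constructed sample values, for illustration only.
KEY, IV = b"constructed-key", bytes(range(N))
P1 = b"transfer 100 EUR to account 1234"
P2 = b"TRANSFER 999 EUR TO ACCOUNT 9999"

def used_keystream(enc, pt, **kw):  # ct XOR pt = keystream actually applied
    return xor(enc(KEY, IV, pt, **kw), pt)

def flipped_bits(ct_bit):
    # Flip one ciphertext bit, decrypt, list the plaintext bits that changed.
    ct = bytearray(ofb_xor(KEY, IV, P1))
    ct[ct_bit // 8] ^= 0x80 >> (ct_bit % 8)
    diff = xor(ofb_xor(KEY, IV, bytes(ct)), P1)
    return [i for i in range(8 * len(P1)) if diff[i // 8] & (0x80 >> (i % 8))]
```

With the same key and IV the OFB keystream is identical for both plaintexts, so an IV must never be reused under one key. The CFB keystream diverges after the first block because the ciphertext is what is fed back.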

    -----Original Message-----
    From: Clement Dupuis [mailto:cdupuis@cccure.org]
    Sent: Sunday, July 24, 2005 8:22 PM
    To: security-basics@securityfocus.com
    Subject: RE: (semi-OT): Correct definition of the DES OFB?

    Good day,
     
    The best reference for any of the DES Modes of operation is FIPS81 at:
    http://www.columbia.edu/~ariel/ssleay/fip81/fip81.html

    You cannot go wrong and it is well explained with illustrations.
     
    If you wish to get more details and targeted responses, you could post your
    questions to a CISSP-specific mailing list such as the CISSPStudy mailing
    list at www.cccure.org
     
    Visit http://cccure.org/mailman/listinfo/cisspstudy_cccure.org to subscribe.
     
    Take care

    Clement
     
    Clément Dupuis, CD
    President/Security Evangelist/Chief Learning Officer (CLO) CCCure Enterprise
    Security & Training Inc.
    CISSP, GCFW, GCIA, Security+, CEH, CCSA, MBNS, MBIS, MBHS, CCSE, ACE

    Maintainer of :
     
    The CISSP and SSCP Open Study Guides Web Site http://www.cccure.org

    The Professional Security Testers Warehouse
    http://www.professionalsecuritytesters.org

    > -----Original Message-----
    > From: Saqib Ali [mailto:docbook.xml@gmail.com]
    > Sent: Sunday, July 24, 2005 9:37 AM
    > To: webappsec@securityfocus.com; security-basics@securityfocus.com
    > Subject: (semi-OT): Correct definition of the DES OFB?
    >
    > Hello All,
    >
    > I was reading the CISSP Exam Guide by Shon Harris (2nd Edition). She
    > gives the following definition for DES in the OFB (Output Feedback)
    > Mode.
    >
    > "...if DES is working in Output Feedback (OFB) Mode, it is functioning
    > like a stream cipher by generating a stream of random binary bits to
    > be combined with the plaintext to create ciphertext. The ciphertext
    > is fed back to the algorithm to form a portion of the next input to
    > encrypt the next stream of bits." (page 486)
    >
    > I think the last sentence "The ciphertext is fed back to the algorithm
    > to form a portion of the next input to encrypt the next stream of
    > bits" is incorrect. That is what happens in the Cipher Feedback (CFB)
    > Mode, and NOT the OFB mode.
    >
    > In OFB mode, the "random value" is fed back into the algorithm. i.e.
    > the "Random Value" from the previous operation becomes the IV for the
    > next operation.
    >
    > Am I correct? Can anyone please validate this? Thanks.
    >
    > --
    > In Peace,
    > Saqib Ali
    > http://www.xml-dev.com/blog/

