public abstract class CfbBlockMechanism extends BlockMechanism
CFB mode is a confidentiality mode that features the feedback of successive ciphertext segments into the input blocks of the forward cipher to generate output blocks that are exclusive-ORed with the plaintext to produce the ciphertext, and vice versa. CFB mode requires an initialization vector (IV) as the initial input block. The IV need not be secret, but it must be unpredictable.
CFB mode also requires an integer parameter, the segment size, denoted s, such that 1 <= s <= b, where b is the block size of the symmetric cipher in bits. However, since Entrust's (and Java's) symmetric block cipher architecture is byte oriented (as opposed to bit oriented), s must also be a multiple of 8. In the specification of CFB mode below, each plaintext segment (P#_j) and ciphertext segment (C#_j) consists of s bits. The value of s is sometimes incorporated into the name of the mode, e.g., the 8-bit CFB mode, the 64-bit CFB mode, or the 128-bit CFB mode. CFB mode is defined as follows:
CFB Encryption:
    I_1 = IV
    I_j = LSB_{b-s}(I_{j-1}) | C#_{j-1}      for j = 2..n
    O_j = CIPH_K(I_j)                        for j = 1..n
    C#_j = P#_j xor MSB_s(O_j)               for j = 1..n-1
    C#_n = P#_n xor MSB_u(O_n)
CFB Decryption:
    I_1 = IV
    I_j = LSB_{b-s}(I_{j-1}) | C#_{j-1}      for j = 2..n
    O_j = CIPH_K(I_j)                        for j = 1..n
    P#_j = C#_j xor MSB_s(O_j)               for j = 1..n-1
    P#_n = C#_n xor MSB_u(O_n)
Here CIPH_K is the forward cipher function under the key K, MSB_t(X) and LSB_t(X) are the t most and least significant bits of X, | is concatenation, n is the number of segments, and u (1 <= u <= s) is the bit length of the final segment, which may be partial.
During encryption, the first input block is the IV, and the forward cipher
operation is applied to the IV to produce the first output block. The first
ciphertext segment is produced by exclusive-ORing the first plaintext segment
with the s most significant bits of the first output block. (The
remaining b-s bits of the first output block are discarded.) The
b-s least significant bits of the IV are then concatenated with
the s bits of the first ciphertext segment to form the second
input block. An alternative description of the formation of the second input
block is that the bits of the first input block circularly shift
s positions to the left, and then the ciphertext segment
replaces the s least significant bits of the result.
The process is repeated with the successive input blocks until a ciphertext
segment is produced from every plaintext segment except the last one. For the
last segment, which may be a partial segment of u bits, the most
significant u bits of the last output block are used for the
exclusive-OR operation; the remaining s-u bits of the last
output block are discarded.
In general, each successive input block is enciphered to produce an output
block. The s most significant bits of each output block are
exclusive-ORed with the corresponding plaintext segment to form a ciphertext
segment. Part of each ciphertext segment (except the last one) is "fed back"
into the previous input block, as described above, to form a new input block.
The feedback can be described in terms of the individual bits in the strings as follows: if i_1 i_2 .. i_b is the j-th input block, and c_1 c_2 .. c_s is the j-th ciphertext segment, then the (j+1)-th input block is i_{s+1} i_{s+2} .. i_b c_1 c_2 .. c_s.
During decryption, the IV is the first input block, and each successive input
block is formed as in CFB encryption, by concatenating the b-s
least significant bits of the previous input block with the s
most significant bits of the previous ciphertext segment. The forward cipher function
is applied to each input block to produce the output blocks. The
s most significant bits of the output blocks are exclusive-ORed
with the corresponding ciphertext segments to recover the plaintext segments.
For CFB it is not required that the plaintext be a sequence of one or more
complete data segments. Thus, padding is not required by CFB mode; however,
padding can still be used with CFB mode. When using padding, the total number
of bits in the plaintext becomes a positive multiple of the block mechanism
segment size (s) by appending some extra bits to the trailing
end of the data string as the last step in the formatting of the plaintext.
The padding bits must then be removed unambiguously by the receiver following
decryption of the ciphertext to arrive at the original message. In Entrust's
symmetric cipher architecture, this is accomplished by using a
PaddingMechanism in conjunction with the symmetric cipher operating in CFB
mode.
For CFB mode, if there are any bit errors (the substitution of a '0' bit for a '1' bit, or vice versa) in a single ciphertext segment, then the decryption of that ciphertext segment will be incorrect, i.e., it will differ from the original plaintext segment. The bit error(s) in the decrypted ciphertext segment occur in the same bit position(s) as in the ciphertext segment; the other bit positions are not affected. Bit errors in a ciphertext segment also affect the decryption of the next ceil(b/s) (b/s rounded up to the nearest integer) ciphertext segments. A bit error may occur, independently, in any bit position in these decrypted segments, with an expected error rate of fifty percent.
Bit errors in IVs also affect the decryption process. Bit errors in the IV
affect, at a minimum, the decryption of the first ciphertext segment, and
possibly successive ciphertext segments, depending on the bit position of the
rightmost bit error in the IV. (In general, a bit error in the i-th most
significant bit position affects the decryptions of the first ceil(i/s)
ciphertext segments.) A bit error may occur,
independently, in any bit position of the affected ciphertext segments, with
an expected error rate of fifty percent. Thus, the decryption of any
ciphertext segment is vulnerable to the introduction of specific bit errors
into that ciphertext block if the integrity of the IV is not protected.
However, for every ciphertext segment except the last one, the existence of
such bit errors may be detected by their randomizing effect on the decryption
of the succeeding ciphertext segment.
The deletion or insertion of bits into a ciphertext segment spoils the synchronization of the segment boundaries; in effect, bit errors may occur in the bit position of the inserted or deleted bit, and in every subsequent bit position. Therefore, the decryptions of the subsequent ciphertext segments will almost certainly be incorrect until the synchronization is restored.