public abstract class OfbBlockMechanism extends BlockMechanism
OFB mode is a confidentiality mode that features the iteration of the forward cipher on an IV to generate a sequence of output blocks that are exclusive-ORed with the plaintext segment to produce the ciphertext segment, and vice versa. The OFB mode requires that the IV is a nonce, i.e., the IV must be unique for each execution of the mode under the given key.
OFB mode also requires an integer parameter (representing the segment size), denoted s, such that 1 <= s <= b, where b is the symmetric cipher block size. However, since Entrust's (and Java's) symmetric block cipher architecture is byte oriented (as opposed to bit oriented), s must also be a multiple of 8. In the specification of OFB mode below, each plaintext segment (P#_j) and ciphertext segment (C#_j) consists of s bits. The value of s is sometimes incorporated into the name of the mode, e.g., the 8-bit OFB mode, the 64-bit OFB mode, or the 128-bit OFB mode. OFB mode is defined as follows:
OFB Encryption:
I_1 = IV
I_j = LSB_(b-s)(I_(j-1)) | MSB_s(O_(j-1))   for j = 2..n
O_j = CIPH_K(I_j)   for j = 1, 2..n
C#_j = P#_j xor MSB_s(O_j)   for j = 1, 2..n-1
C#_n = P#_n xor MSB_u(O_n)
OFB Decryption:
I_1 = IV
I_j = LSB_(b-s)(I_(j-1)) | MSB_s(O_(j-1))   for j = 2..n
O_j = CIPH_K(I_j)   for j = 1, 2..n
P#_j = C#_j xor MSB_s(O_j)   for j = 1, 2..n-1
P#_n = C#_n xor MSB_u(O_n)
During encryption, the first input block is the IV, and the forward cipher operation is applied to the IV to produce the first output block. The first ciphertext segment is produced by exclusive-ORing the first plaintext segment with the s most significant bits of the first output block. (The remaining b-s bits of the first output block are discarded.) The b-s least significant bits of the IV are then concatenated with the s most significant bits of the first output block to form the second input block. An alternative description of the formation of the second input block is that the bits of the first input block circularly shift s positions to the left, and then the s most significant bits of the output block replace the s least significant bits of the result.
The process is repeated with the successive input blocks until a ciphertext
segment is produced from every plaintext segment except the last one. For the
last segment, which may be a partial segment of u bits, the most
significant u bits of the last output block are used for the
exclusive-OR operation; the remaining s-u bits of the last
output block are discarded.
In general, each successive input block is enciphered to produce an output block. The s most significant bits of each output block are exclusive-ORed with the corresponding plaintext segment to form a ciphertext segment. Part of each output block (except the last one) is "fed back" into the previous input block, as described above, to form a new input block. The feedback can be described in terms of the individual bits in the strings as follows: if i_1 i_2 .. i_b is the jth input block, and o_1 o_2 .. o_b is the jth output block, then the (j+1)th input block is i_(s+1) i_(s+2) .. i_b o_1 o_2 .. o_s.
During decryption, the IV is the first input block, and each successive input
block is formed as in OFB encryption, by concatenating the b-s
least significant bits of the previous input block with the s
most significant bits of the previous output block. The forward cipher
function is applied to each input block to produce the output blocks. The
s most significant bits of the output blocks are exclusive-ORed
with the corresponding ciphertext segments to recover the plaintext segments.
The OFB mode requires a unique IV for every message that is ever encrypted under the given key. If, contrary to this requirement, the same IV is used for the encryption of more than one message, then the confidentiality of those messages may be compromised. In particular, if a plaintext segment of any of these messages is known, say, the jth plaintext segment, then the keystream bits used for that segment, MSB_s(O_j), can be determined easily as the exclusive-OR of the jth ciphertext segment with the known plaintext segment. Because the same key and IV produce the same sequence of output blocks, this keystream segment allows the jth plaintext segment of any other message that is encrypted using the same key and IV to be easily recovered from the jth ciphertext segment of that message.
Confidentiality may similarly be compromised if any of the input blocks to the forward cipher function for the encryption of a message is designated as the IV for the encryption of another message under the given key.
For OFB it is not required that the plaintext be a sequence of one or more
complete data segments. Thus, padding is not required by OFB mode; however,
padding can still be used with OFB mode. When using padding, the total number
of bits in the plaintext becomes a positive multiple of the block mechanism
segment size (s) by appending some extra bits to the trailing
end of the data string as the last step in the formatting of the plaintext.
The padding bits must then be removed unambiguously by the receiver following
decryption of the ciphertext to arrive at the original message. In Entrust's
symmetric cipher architecture, this is accomplished by using a
PaddingMechanism in conjunction with the symmetric cipher operating in OFB
mode.
For OFB mode, if there are any bit errors (the substitution of a '0' bit for a '1' bit, or vice versa) in a single ciphertext segment, then the decryption of that ciphertext segment will be incorrect, i.e., it will differ from the original plaintext segment. The bit error(s) in the decrypted ciphertext segment occur in the same bit position(s) as in the ciphertext segment; the other bit positions are not affected. Bit errors within a ciphertext segment do not affect the decryption of any other segment. Because every ciphertext bit maps to exactly one plaintext bit in this way, an attacker who can modify the ciphertext can flip chosen plaintext bits without disturbing the rest of the message. OFB mode provides confidentiality only; where modification is a concern, the ciphertext and the IV must be protected by a message authentication code or a similar integrity mechanism.
Bit errors in IVs also affect the decryption process. Because the IV is the first input block, a bit error in the IV changes the first output block and, through the feedback, every subsequent output block, so the decryption of every ciphertext segment is affected. Within the affected segments, each bit position is in error independently, with an expected error rate of fifty percent. Thus, the decryption of any ciphertext segment is vulnerable to the introduction of errors if the integrity of the IV is not protected.
The deletion or insertion of bits into a ciphertext segment spoils the synchronization of the segment boundaries; in effect, bit errors may occur in the bit position of the inserted or deleted bit, and in every subsequent bit position. Therefore, the decryptions of the subsequent ciphertext segments will almost certainly be incorrect until the synchronization is restored.
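Added example, not Entrust's or the JDK's code: the s-bit OFB mode exactly as specified above, written against a pluggable forward cipher, together with the known-plaintext keystream recovery described under the IV-uniqueness requirement, the I_2-as-IV condition warned against after it, and the bit-error behaviour described in the last three paragraphs. The forward cipher is an assumed stand-in (a four-round Feistel network keyed with SHA-256, used only so the example runs with the Python standard library; AES would be used in practice). Every key, IV and message below is constructed for the example, and the function names are not part of the Entrust API.

```python
import hashlib

BLOCK = 16  # b = 128 bits, the AES block size


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_function(key: bytes, rnd: int, half: bytes) -> bytes:
    # Feistel round function: SHA-256 of key || round number || right half.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]


def forward_cipher(key: bytes, block: bytes) -> bytes:
    """CIPH_K on one b-bit block. Assumed stand-in: a 4-round Feistel network
    (a keyed permutation) so the example needs only the standard library."""
    assert len(block) == BLOCK
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(4):
        left, right = right, _xor(left, _round_function(key, rnd, right))
    return left + right


def ofb_keystream(key: bytes, iv: bytes, s_bytes: int, n: int):
    """Yield MSB_s(O_j) for j = 1..n, with I_1 = IV and
    I_j = LSB_(b-s)(I_(j-1)) | MSB_s(O_(j-1)): drop the first s bits of the
    previous input block and append the first s bits of the previous output block."""
    assert len(iv) == BLOCK and 1 <= s_bytes <= BLOCK  # s is a multiple of 8 bits
    i_j = iv
    for _ in range(n):
        o_j = forward_cipher(key, i_j)
        yield o_j[:s_bytes]
        i_j = i_j[s_bytes:] + o_j[:s_bytes]


def ofb_crypt(key: bytes, iv: bytes, s_bytes: int, data: bytes) -> bytes:
    """Encryption and decryption are the same operation: XOR each s-bit segment
    with MSB_s(O_j). No padding is needed; a partial last segment of u bits
    is XORed with MSB_u(O_n)."""
    n = -(-len(data) // s_bytes)  # ceiling division: segments including a partial one
    out = bytearray()
    for j, ks_j in enumerate(ofb_keystream(key, iv, s_bytes, n)):
        seg = data[j * s_bytes:(j + 1) * s_bytes]
        out += _xor(seg, ks_j[:len(seg)])
    return bytes(out)


def keystream_from_known_plaintext(c: bytes, p_j: bytes, s_bytes: int, j: int) -> bytes:
    """With a known plaintext segment P#j (1-based j), MSB_s(O_j) = C#j xor P#j."""
    lo = (j - 1) * s_bytes
    return _xor(c[lo:lo + len(p_j)], p_j)


def recover_segment_under_reused_iv(c_other: bytes, keystream_j: bytes, s_bytes: int, j: int) -> bytes:
    """Same key and IV give the same O_j, so the recovered keystream segment
    decrypts segment j of any other message encrypted under the reused IV."""
    lo = (j - 1) * s_bytes
    return _xor(c_other[lo:lo + len(keystream_j)], keystream_j)


def flip_bit(data: bytes, bit: int) -> bytes:
    """Introduce a single bit error at position `bit` (0 = first bit of byte 0)."""
    out = bytearray(data)
    out[bit // 8] ^= 0x80 >> (bit % 8)
    return bytes(out)


def next_input_block(key: bytes, iv: bytes, s_bytes: int) -> bytes:
    """I_2 for the given IV: an input block that must never itself serve as an IV."""
    return iv[s_bytes:] + forward_cipher(key, iv)[:s_bytes]


# Constructed sample inputs (not from the page).
KEY = b"example-key-do-not-reuse-in-prod"     # 32 bytes
IV = bytes(range(BLOCK))                         # must be a nonce per key
S_BYTES = 8                                      # 64-bit OFB
MSG_A = b"Transfer USD 100 to account 4711"      # 32 bytes: four full segments
MSG_B = b"Transfer USD 999 to account 8888-9"    # 34 bytes: partial last segment, u = 16

if __name__ == "__main__":
    c_a = ofb_crypt(KEY, IV, S_BYTES, MSG_A)
    c_b = ofb_crypt(KEY, IV, S_BYTES, MSG_B)     # the mistake: IV reused under the same key
    ks_2 = keystream_from_known_plaintext(c_a, MSG_A[8:16], S_BYTES, 2)
    print(recover_segment_under_reused_iv(c_b, ks_2, S_BYTES, 2))  # segment 2 of MSG_B, no key needed
```

Running the block recovers the second segment of MSG_B without the key, using only the known second segment of MSG_A; the same keystream generator also shows that I_2 of one message, used as the IV of another, produces that message's keystream shifted by one segment, which is the condition the text warns against. One caveat when choosing s: for s < b the map from one input block to the next is not a permutation of the block space, so the keystream can enter a short cycle much sooner than with full-block feedback (s = b), which is the only form of OFB that NIST SP 800-38A defines.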