
shares many properties with CTR mode, although CTR mode has additional benefits. Therefore, OFB mode is seeing less and less use these days. OFB mode has been standardized by NIST.

The primary disadvantages of OFB mode are:

• Bit-flipping attacks are easy, as with any streaming mode: flipping a bit in the ciphertext flips the same bit in the recovered plaintext. Again, integrity checks are a must.

• Reusing a {key, nonce} pair is disastrous (but is easy to avoid), because the two ciphertexts XOR to the XOR of the two plaintexts. Generally, if there is any significant risk of reusing a {key, nonce} pair (e.g., across reboot), it is best to avoid reusing a single key across multiple messages or data streams. (See Recipe 4.11 for advice if you wish to use one base secret, and derive multiple secrets from it.)

• Keystream computation cannot be done in parallel, because each keystream block is the encryption of the previous one.

The primary advantages of OFB mode are:

• Keystreams can be precomputed, since the keystream depends only on the key and the nonce, not on the plaintext.

• For ciphers where raw encryption and decryption operations require separate algorithms (particularly AES), only a single algorithm is necessary. In such a case, the faster of the two algorithms can be used (though you will get incompatible results if you use decryption where someone else uses encryption).

• It does not have nonce-size problems when used with 64-bit block ciphers.

• When used properly, it leaks information at the same (slow) rate that CTR mode does.

We discuss OFB mode in Recipe 5.8.

Cipher Feedback (CFB) mode

CFB mode generally works similarly to OFB mode, except that in its most common configuration, it produces keystream by always encrypting the last block of ciphertext, instead of the last block of keystream.

CFB mode has been standardized by NIST.

The primary disadvantages of CFB mode are:

• Bit-flipping attacks are easy, as with any streaming mode. Again, integrity checks are a must.

• Reusing a {key, nonce} pair is disastrous (but is easy to avoid). Generally, if there is any significant risk of reusing a {key, nonce} pair (e.g., across reboot), it is best to avoid reusing a single key across multiple messages or data streams.

• Encryption cannot be parallelized (though decryption can be), because each ciphertext block is needed to produce the keystream for the next one, whereas on decryption every ciphertext block is already known.
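The OFB and CFB properties listed in the two sections above, as an added example that is not the book's own code (the book's recipes use OpenSSL; this uses a toy 64-bit ARX block cipher that is assumed as a stand-in for AES and is not secure). Both modes are built on only the forward function of the cipher. The code shows that OFB encryption and decryption are the same operation and that its keystream chains serially from the IV; that CFB decryption computes every block independently from known ciphertext while encryption cannot; that flipping a bit in ciphertext block 1 flips the same bit in recovered block 1 in both modes, and in CFB also garbles block 2; and that reusing a {key, IV} pair in OFB makes the two ciphertexts XOR to the XOR of the two plaintexts. The names toy_encrypt_block, ofb_crypt, cfb_encrypt, cfb_decrypt and demo_*, and the sample key, IV and message blocks, are all constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NBLK 4   /* blocks per constructed sample message */

/* Toy 64-bit block cipher (ARX rounds). It stands in for AES in this added
 * example and is NOT secure; only the mode logic around it is the point.
 * Every step is a bijection on 64-bit words, so it is a keyed permutation. */
static uint64_t toy_encrypt_block(uint64_t key, uint64_t x)
{
    for (int r = 0; r < 8; r++) {
        x ^= key + (uint64_t)r * 0x9E3779B97F4A7C15ULL;
        x = (x << 13) | (x >> 51);
        x *= 0xD6E8FEB86659FD93ULL;   /* odd multiplier: invertible mod 2^64 */
        x ^= x >> 29;                 /* xorshift: invertible */
    }
    return x;
}

/* OFB: keystream block i = E(keystream block i-1), starting from the IV.
 * It depends only on (key, IV), so it can be precomputed before any plaintext
 * exists, but the chain is serial. Encryption and decryption are identical. */
static void ofb_crypt(uint64_t key, uint64_t iv, const uint64_t *in, uint64_t *out, size_t n)
{
    uint64_t ks = iv;
    for (size_t i = 0; i < n; i++) {
        ks = toy_encrypt_block(key, ks);
        out[i] = in[i] ^ ks;
    }
}

/* CFB (full-block): keystream block i = E(ciphertext block i-1), C_-1 = IV.
 * Encryption is serial because each ciphertext block feeds the next. */
static void cfb_encrypt(uint64_t key, uint64_t iv, const uint64_t *pt, uint64_t *ct, size_t n)
{
    uint64_t prev = iv;
    for (size_t i = 0; i < n; i++) {
        ct[i] = pt[i] ^ toy_encrypt_block(key, prev);
        prev = ct[i];
    }
}

/* CFB decryption: block i needs only the key and ciphertext block i-1, all of
 * which are known up front, so the iterations are independent (parallelizable).
 * Again only the forward cipher is used. */
static void cfb_decrypt(uint64_t key, uint64_t iv, const uint64_t *ct, uint64_t *pt, size_t n)
{
    for (size_t i = 0; i < n; i++)
        pt[i] = ct[i] ^ toy_encrypt_block(key, i == 0 ? iv : ct[i - 1]);
}

/* Constructed sample key, IV and message; block 1 is an "amount" field of 100. */
static const uint64_t KEY = 0x0123456789ABCDEFULL;
static const uint64_t IV  = 0xFEDCBA9876543210ULL;
static const uint64_t MSG[NBLK] = { 0x4141414141414141ULL, 0x0000000000000064ULL,
                                    0x4242424242424242ULL, 0x4343434343434343ULL };

/* Round trip through both modes; returns 1 on success. */
int demo_roundtrip(void)
{
    uint64_t ct[NBLK], pt[NBLK];
    ofb_crypt(KEY, IV, MSG, ct, NBLK);
    ofb_crypt(KEY, IV, ct, pt, NBLK);          /* same call decrypts */
    if (memcmp(pt, MSG, sizeof MSG) != 0) return 0;
    cfb_encrypt(KEY, IV, MSG, ct, NBLK);
    cfb_decrypt(KEY, IV, ct, pt, NBLK);
    return memcmp(pt, MSG, sizeof MSG) == 0;
}

/* Encrypt, let an attacker XOR `mask` into ciphertext block 1 in transit, decrypt. */
static void encrypt_flip_decrypt(int cfb, uint64_t mask, uint64_t *pt)
{
    uint64_t ct[NBLK];
    if (cfb) cfb_encrypt(KEY, IV, MSG, ct, NBLK); else ofb_crypt(KEY, IV, MSG, ct, NBLK);
    ct[1] ^= mask;
    if (cfb) cfb_decrypt(KEY, IV, ct, pt, NBLK); else ofb_crypt(KEY, IV, ct, pt, NBLK);
}

/* Bitmask of plaintext blocks that differ from MSG after the flip.
 * OFB: only block 1 (0x2). CFB: block 1 and block 2 (0x6), because the
 * tampered ciphertext block is also the input to block 2's keystream. */
unsigned demo_changed_blocks(int cfb, uint64_t mask)
{
    uint64_t pt[NBLK];
    unsigned changed = 0;
    encrypt_flip_decrypt(cfb, mask, pt);
    for (int i = 0; i < NBLK; i++)
        if (pt[i] != MSG[i]) changed |= 1u << i;
    return changed;
}

/* The tampered block decrypts to MSG[1] ^ mask in both modes, so an attacker
 * who knows the plaintext picks mask = known ^ desired without the key. */
uint64_t demo_tampered_block(int cfb, uint64_t mask)
{
    uint64_t pt[NBLK];
    encrypt_flip_decrypt(cfb, mask, pt);
    return pt[1];
}

/* {key, IV} reuse in OFB: the keystream cancels, so ct1 ^ ct2 == pt1 ^ pt2. */
uint64_t demo_ofb_nonce_reuse(uint64_t other_block0)
{
    uint64_t msg2[NBLK], ct1[NBLK], ct2[NBLK];
    memcpy(msg2, MSG, sizeof msg2);
    msg2[0] = other_block0;
    ofb_crypt(KEY, IV, MSG, ct1, NBLK);
    ofb_crypt(KEY, IV, msg2, ct2, NBLK);
    return ct1[0] ^ ct2[0];                     /* == MSG[0] ^ other_block0 */
}

int main(void)
{
    uint64_t mask = 0x64ULL ^ 0x3E8ULL;         /* turn amount 100 into 1000 */
    printf("round trip ok: %d\n", demo_roundtrip());
    printf("OFB: changed blocks 0x%x, block 1 now %llu\n",
           demo_changed_blocks(0, mask), (unsigned long long)demo_tampered_block(0, mask));
    printf("CFB: changed blocks 0x%x, block 1 now %llu\n",
           demo_changed_blocks(1, mask), (unsigned long long)demo_tampered_block(1, mask));
    printf("OFB key/IV reuse leaks pt1^pt2: %d\n",
           demo_ofb_nonce_reuse(0x5555555555555555ULL) == (MSG[0] ^ 0x5555555555555555ULL));
    return 0;
}
```

The CFB garbling of block 2 is not a defence: the attacker's target block 1 is changed exactly as intended, and a receiver without an integrity check has no way to notice either the targeted change or the garbage that follows it. The nonce-reuse demonstration is the reason the text calls reuse disastrous: no key recovery is needed, one known plaintext immediately yields the other.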

Copyright © 2007 O’Reilly & Associates, Inc. All rights reserved.

Selecting a Cipher Mode | 167
