
shares many properties with CTR mode, although CTR mode has additional benefits. Therefore, OFB mode is seeing less and less use these days.

OFB mode has been standardized by NIST.

The primary disadvantages of OFB mode are:

• Bit-flipping attacks are easy, as with any streaming mode. Again, integrity checks are a must.

• Reusing a {key, nonce} pair is disastrous (but is easy to avoid). Generally, if there is any significant risk of reusing a {key, nonce} pair (e.g., across reboot), it is best to avoid reusing a single key across multiple messages or data streams. (See Recipe 4.11 for advice if you wish to use one base secret, and derive multiple secrets from it.)

• Keystream computation cannot be done in parallel.

The primary advantages of OFB mode are:

• Keystreams can be precomputed.

• For ciphers where raw encryption and decryption operations require separate algorithms (particularly AES), only a single algorithm is necessary. In such a case, the faster of the two algorithms can be used (though you will get incompatible results if you use decryption where someone else uses encryption).

• It does not have nonce-size problems when used with 64-bit block ciphers.

• When used properly, it leaks information at the same (slow) rate that CTR mode does.

We discuss OFB mode in Recipe 5.8.

Cipher Feedback (CFB) mode

CFB mode generally works similarly to OFB mode, except that in its most common configuration, it produces keystream by always encrypting the last block of ciphertext, instead of the last block of keystream.

CFB mode has been standardized by NIST.

The primary disadvantages of CFB mode are:

• Bit-flipping attacks are easy, as with any streaming mode. Again, integrity checks are a must.

• Reusing a {key, nonce} pair is disastrous (but is easy to avoid). Generally, if there is any significant risk of reusing a {key, nonce} pair (e.g., across reboot), it is best to avoid reusing a single key across multiple messages or data streams.

• Encryption cannot be parallelized (though decryption can be).

Copyright © 2007 O’Reilly & Associates, Inc. All rights reserved.

Selecting a Cipher Mode | 167
