Analysis of Certain Aspects of Output Feedback Mode
The Output Feedback (OFB) mode of operation of the Data Encryption Standard (DES) is discussed, and compared to the other DES modes. The advantages of the Output Feedback mode’s insensitivity to transmission errors and the applicability to bulk encryption of multiple users’ transmissions are presented, along with the disadvantages of an increased sensitivity to bit slippage and a requirement for more complex synchronization procedures.
It is concluded that the Manipulation Detection Code technique suggested in draft Federal Standards 1025 and 1026 is unsound, and that therefore there are only differences of degree in the vulnerability to active (spoofing) attacks between the various modes. Two separate encryption operations are required to provide cryptographic protection against both the passive and the active threat, but a quadratic residue checksum is proposed as a possible alternative. However, considerations of the physical media involved and the types of traffic carried may make even this level of protection unnecessary for many applications.
The problem of transmission in depth is discussed, and Output Feedback mode is analyzed with respect to the probability of repeating a given output prior to exhausting the space of 2^64 variables. Reiterating the advice of Davies and Parkin, the user is cautioned not to use K<64 bit feedback and it is recommended that FIPS PUB 81 be revised to delete that option. Numerical data are presented for various reinitialization rates which indicate that when OFB is used not more than four billion iterations or 10,000 reinitializations or one day of operation should occur between DES key changes. One week to one month between master key changes is suggested, especially for cryptographic networks of more than two stations. Blakley’s shadow key concept is recommended as a way of minimizing the possibility of human compromise.
Appendices discuss the existence of 256 weak, semi-weak, and demi-semi-weak keys, plus the derivations of the formulas for the probability of repetition for the various cases.
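An added illustration (not from the paper) of the caution against K<64 bit feedback: with full-block feedback the OFB state update is the cipher's own permutation, so the state sequence returns to the IV without a tail, while k-bit feedback turns the update into a non-invertible map that leaves many states unreachable. The 16-bit Feistel cipher, its SHA-256 round tables, the key and the IV are constructed stand-ins for DES, chosen so every state can be enumerated.

```python
"""Toy model of OFB feedback width (added example; not DES, not the paper's code)."""
import hashlib

BLOCK_BITS = 16          # toy block size (DES uses 64); assumption made for speed
HALF = BLOCK_BITS // 2
MASK = (1 << BLOCK_BITS) - 1

def make_cipher(key: bytes, rounds: int = 4):
    """Return E_K for a toy 16-bit Feistel cipher (a permutation by construction)."""
    # Per-round lookup tables built from SHA-256 stand in for a real round function.
    tables = [[hashlib.sha256(key + bytes([r, x])).digest()[0] for x in range(256)]
              for r in range(rounds)]
    def encrypt(block: int) -> int:
        left, right = block >> HALF, block & 0xFF
        for table in tables:
            left, right = right, left ^ table[right]
        return (left << HALF) | right
    return encrypt

def ofb_step(encrypt, k: int):
    """State update of k-bit OFB in the FIPS PUB 81 style: shift in the top k output bits."""
    def step(state: int) -> int:
        out = encrypt(state) >> (BLOCK_BITS - k)
        return ((state << k) | out) & MASK
    return step

def rho(step, start: int):
    """Return (tail, cycle) lengths of the sequence start, step(start), ..."""
    seen, state, i = {}, start, 0
    while state not in seen:
        seen[state] = i
        state, i = step(state), i + 1
    return seen[state], i - seen[state]

def image_size(step) -> int:
    """Number of distinct successor states; equals 2**BLOCK_BITS only for a permutation."""
    return len({step(s) for s in range(1 << BLOCK_BITS)})

def compare(key: bytes = b"constructed-key", iv: int = 0x1234):
    enc = make_cipher(key)
    return {k: (rho(ofb_step(enc, k), iv), image_size(ofb_step(enc, k)))
            for k in (BLOCK_BITS, HALF)}

if __name__ == "__main__":
    for k, ((tail, cycle), image) in compare().items():
        print(f"k={k:2d}: tail={tail:5d} cycle={cycle:5d} reachable successors={image}")
```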
Key Words: Data Encryption Standard, DES, Output Feedback mode, non-error multiplicative ciphers, data-independent ciphers, active attack, spoofing, Manipulation Detection Codes, DES cycle length, transmission in depth, crypto period, weak keys, semi-weak keys, demi-semi-weak keys, cryptographic synchronization, key change schedule.
- 1. DES modes of operation, Federal information processing standards publication 81. National Bureau of Standards, Sept. 25, 1980.
- 2. Data encryption standard, FIPS PUB 46. U.S. Dept. of Commerce/National Bureau of Standards, Jan. 15, 1977.
- 3. Orceyre, M. J., and Heller, R. M. An approach to secure voice communication based on the data encryption standard. IEEE Communications, Nov. 1978, pp. 41–50.
- 4. Campbell, C. M. Design and specification of cryptographic capabilities. IEEE Communications, Nov. 1978, pp. 15–19.
- 5. Davies, D. W. and Parkin, G.I.P. The average cycle size of the key stream in Output Feedback encipherment. Advances in Cryptography: Proceedings of CRYPTO 82. Plenum Publishing Corp., 233 Spring Street, New York, NY 10013.
- 6. Proposed Federal Standard 1025. Telecommunications: Interoperability and security requirements for the use of Data Encryption Standard in the network and transport layers of data communications. National Communications System, Washington, D.C. 20305. Draft of June 1, 1981.
- 7. Proposed Federal Standard 1026. Telecommunications: Interoperability and security requirements for the use of Data Encryption Standard in the physical and data link layers of data communications. National Communications System, Washington, D.C. 20305. Draft of June 1, 1981.
- 9. Knuth, D. E., The Art of Computer Programming; Volume 1: Fundamental Algorithms. Reading, MA: Addison Wesley.
- 10. Knuth, D. E., The Art of Computer Programming; Volume 2: Seminumerical Algorithms. Reading, MA: Addison Wesley.
- 12. Hellman, M. E. and Reyneri, J. M. The distribution of drainage and the DES. Advances in Cryptography; Proceedings of CRYPTO 82. Plenum Publishing Corp., 233 Spring Street, New York, NY 10013.
- 13. Blakley, G. R. Safeguarding cryptographic keys. Proceedings of the National Computer Conference, 1979. AFIPS Press, Vol. 47 (1979), pp. 313–317.
- 15. Meyer, C. H. Ciphertext/plaintext and ciphertext/key dependence vs. number of rounds for the data encryption standard. Proceedings of the 1978 National Computer Conference, AFIPS Press, Montvale, NJ.
- 16. Davies, D. W. Private communication, August 3, 1982.