Analysis of Certain Aspects of Output Feedback Mode

  • Robert R. Jueneman

Abstract

The Output Feedback (OFB) mode of operation of the Data Encryption Standard (DES) is discussed, and compared to the other DES modes. The advantages of the Output Feedback mode’s insensitivity to transmission errors and the applicability to bulk encryption of multiple users’ transmissions are presented, along with the disadvantages of an increased sensitivity to bit slippage and a requirement for more complex synchronization procedures.
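The two transmission properties contrasted in the paragraph above, a single inverted bit versus a single lost bit, can be seen directly in a small simulation. The following block is an added illustration, not code from Jueneman's paper; it models full-feedback OFB as FIPS PUB 81 describes it (the cipher output is fed back as the next cipher input and XORed with the data), but replaces DES with a constructed 8-bit permutation so that one step produces one byte of keystream. The key, IV and message are constructed sample values.

```python
"""Added illustration of OFB error behaviour; not code from the paper.

A constructed 8-bit permutation stands in for DES. Full-feedback OFB as in
FIPS PUB 81 is modelled one byte per step: r_i = E_K(r_{i-1}), c_i = p_i XOR r_i.
"""
import random


def make_toy_cipher(key: int) -> list:
    """Constructed stand-in for DES: a keyed single-cycle permutation of bytes.

    Building E_K as one 256-cycle guarantees E_K(x) != x for every x, so the
    OFB keystream has period exactly 256 from any IV. DES gives no such
    guarantee; the paper's cycle-length discussion is about exactly that."""
    order = list(range(256))
    random.Random(key).shuffle(order)
    table = [0] * 256
    for i in range(256):
        table[order[i]] = order[(i + 1) % 256]
    return table


def ofb_keystream(cipher: list, iv: int, length: int) -> list:
    """Full feedback: each cipher output is the next cipher input."""
    reg, out = iv, []
    for _ in range(length):
        reg = cipher[reg]
        out.append(reg)
    return out


def ofb_xor(cipher: list, iv: int, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation): XOR data with the keystream."""
    return bytes(b ^ k for b, k in zip(data, ofb_keystream(cipher, iv, len(data))))


def bit_error_damage(cipher: list, iv: int, msg: bytes, bit: int) -> int:
    """Invert one ciphertext bit in transit; return the number of plaintext
    bits the receiver gets wrong (OFB: exactly one, at the same position)."""
    ct = bytearray(ofb_xor(cipher, iv, msg))
    ct[bit // 8] ^= 1 << (bit % 8)
    pt = ofb_xor(cipher, iv, bytes(ct))
    return sum(bin(a ^ b).count("1") for a, b in zip(msg, pt))


def slip_damage(cipher: list, iv: int, msg: bytes, dropped: int) -> tuple:
    """Lose one ciphertext byte in transit (a slip): from then on the receiver
    applies keystream byte j to ciphertext byte j+1. Return (index of first
    wrong byte, number of wrong bytes) against the plaintext the receiver
    should have recovered. Byte j decrypts to p_{j+1} XOR k_{j+1} XOR k_j,
    which is wrong whenever k_{j+1} != k_j, i.e. always for this cipher."""
    ct = bytearray(ofb_xor(cipher, iv, msg))
    del ct[dropped]
    pt = ofb_xor(cipher, iv, bytes(ct))
    expected = msg[:dropped] + msg[dropped + 1:]
    bad = [i for i, (a, b) in enumerate(zip(expected, pt)) if a != b]
    return (bad[0] if bad else len(pt)), len(bad)


if __name__ == "__main__":
    cipher = make_toy_cipher(key=7)        # constructed key
    iv = 0x3C                              # constructed IV
    msg = b"constructed sample plaintext for the OFB error-propagation demo"
    assert ofb_xor(cipher, iv, ofb_xor(cipher, iv, msg)) == msg
    print("plaintext bits wrong after one inverted bit:",
          bit_error_damage(cipher, iv, msg, 21))
    first, count = slip_damage(cipher, iv, msg, 10)
    print(f"after one dropped byte: wrong from byte {first} on, {count} bytes wrong")
```

The inverted bit changes exactly one plaintext bit and nothing else, which is the insensitivity to transmission errors the abstract credits to OFB; the dropped byte leaves every later byte wrong until the two ends resynchronize, which is the bit-slippage weakness and the reason the mode needs its own synchronization procedure. The same one-bit-in, one-bit-out property is what makes an OFB ciphertext malleable, which is the background to the active-attack discussion that follows.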

It is concluded that the Manipulation Detection Code technique suggested in draft Federal Standards 1025 and 1026 is unsound, and that therefore there are only differences of degree in the vulnerability to active (spoofing) attacks between the various modes. Two separate encryption operations are required to provide cryptographic protection against both the passive and the active threat, but a quadratic residue checksum is proposed as a possible alternative. However, considerations of the physical media involved and the types of traffic carried may make even this level of protection unnecessary for many applications.

The problem of transmission in depth is discussed, and Output Feedback mode is analyzed with respect to the probability of repeating a given output prior to exhausting the space of 2^64 variables. Reiterating the advice of Davies and Parkin, the user is cautioned not to use K < 64-bit feedback, and it is recommended that FIPS PUB 81 be revised to delete that option. Numerical data are presented for various reinitialization rates which indicate that when OFB is used, not more than four billion iterations, 10,000 reinitializations, or one day of operation should occur between DES key changes. One week to one month between master key changes is suggested, especially for cryptographic networks of more than two stations. Blakley’s shadow key concept is recommended as a way of minimizing the possibility of human compromise.
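The caution against K < 64-bit feedback rests on a cycle-length argument: with full feedback the OFB register follows a permutation of the block space, so the keystream period is a cycle of that permutation, whereas with fewer feedback bits the register transition is in general not a permutation and the keystream falls into a much shorter cycle after a short tail. The simulation below is an added example, not code from the paper or from Davies and Parkin; it shrinks the 2^64 DES state space to a constructed random permutation on 12-bit blocks (4096 register values) so whole cycles can be traced, and models the K-bit feedback rule as shifting the register left by K bits and shifting in the K leftmost output bits. The random-mapping estimates in expected_cycle are the standard ones for a random permutation (mean cycle (N+1)/2) and a random function (mean cycle about sqrt(pi N/8)).

```python
"""Added simulation of OFB keystream cycle length; not code from the paper.

DES's 64-bit state space is replaced by a constructed random permutation on
n-bit blocks (n = 12, so 4096 register values) so that whole cycles can be
traced. Feedback is modelled as follows: full feedback sets the next register
to E_K(register); K-bit feedback shifts the register left by K bits and shifts
in the K leftmost bits of E_K(register).
"""
import math
import random


def make_toy_cipher(n_bits: int, key: int) -> list:
    """Constructed stand-in for DES: a keyed random permutation of n-bit blocks."""
    table = list(range(1 << n_bits))
    random.Random(key).shuffle(table)
    return table


def ofb_step(cipher: list, n_bits: int, k_bits: int):
    """Return the register transition r -> r' for OFB with k_bits of feedback."""
    mask = (1 << n_bits) - 1

    def step(register: int) -> int:
        out = cipher[register]
        if k_bits == n_bits:                  # full feedback: a permutation
            return out
        fed_back = out >> (n_bits - k_bits)   # K leftmost output bits
        return ((register << k_bits) | fed_back) & mask  # generally not a permutation

    return step


def rho_lengths(step, start: int) -> tuple:
    """Floyd cycle finding on the register sequence from start.
    Returns (tail, cycle): tail = steps taken before the sequence enters its
    cycle, cycle = period of the keystream once it repeats."""
    tortoise, hare = step(start), step(step(start))
    while tortoise != hare:
        tortoise, hare = step(tortoise), step(step(hare))
    tail, tortoise = 0, start
    while tortoise != hare:
        tortoise, hare = step(tortoise), step(hare)
        tail += 1
    cycle, hare = 1, step(tortoise)
    while tortoise != hare:
        hare, cycle = step(hare), cycle + 1
    return tail, cycle


def simulate(n_bits: int, k_bits: int, trials: int, seed: int = 1) -> tuple:
    """Average over random keys and IVs: (largest tail seen, mean cycle length)."""
    rng = random.Random(seed)
    tails, cycles = [], []
    for _ in range(trials):
        step = ofb_step(make_toy_cipher(n_bits, rng.getrandbits(32)), n_bits, k_bits)
        tail, cycle = rho_lengths(step, rng.getrandbits(n_bits))
        tails.append(tail)
        cycles.append(cycle)
    return max(tails), sum(cycles) / trials


def expected_cycle(n_bits: int, k_bits: int) -> float:
    """Random-mapping estimates: a random permutation of N points puts a random
    start on a cycle of mean length (N + 1) / 2; a random function has mean
    cycle length about sqrt(pi * N / 8), the birthday bound, not the full space."""
    n_points = 1 << n_bits
    if k_bits == n_bits:
        return (n_points + 1) / 2
    return math.sqrt(math.pi * n_points / 8)


if __name__ == "__main__":
    for k in (12, 8, 4):
        worst_tail, mean_cycle = simulate(12, k, trials=60)
        print(f"K={k:2d}-bit feedback: mean cycle {mean_cycle:8.1f} "
              f"(random-mapping estimate {expected_cycle(12, k):8.1f}), "
              f"largest pre-cycle tail {worst_tail}")
```

With full feedback the tail is always zero (the register is already on a cycle) and the mean cycle length is close to half the state space; with 8- or 4-bit feedback the keystream typically repeats after a number of steps on the order of the square root of the state space. Scaled back up to DES, that is the difference between a period near 2^63 and one near 2^32, which is why the abstract asks that the reduced-feedback option be removed from FIPS PUB 81.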

Appendices discuss the existence of 256 weak, semi-weak, and demi-semi-weak keys, plus the derivations of the formulas for the probability of repetition for the various cases.

Key Words

Data Encryption Standard; DES; Output Feedback mode; non-error multiplicative ciphers; data-independent ciphers; active attack; spoofing; Manipulation Detection Codes; DES cycle length; transmission in depth; crypto period; weak keys; semi-weak keys; demi-semi-weak keys; cryptographic synchronization; key change schedule.

References

  1. DES modes of operation, Federal Information Processing Standards Publication 81. National Bureau of Standards, Sept. 25, 1980.
  2. Data encryption standard, FIPS PUB 46. U.S. Dept. of Commerce/National Bureau of Standards, Jan. 15, 1977.
  3. Orceyre, M. J., and Heller, R. M. An approach to secure voice communication based on the data encryption standard. IEEE Communications, Nov. 1978, pp. 41–50.
  4. Campbell, C. M. Design and specification of cryptographic capabilities. IEEE Communications, Nov. 1978, pp. 15–19.
  5. Davies, D. W., and Parkin, G. I. P. The average cycle size of the key stream in Output Feedback encipherment. Advances in Cryptography: Proceedings of CRYPTO 82. Plenum Publishing Corp., 233 Spring Street, New York, NY 10013.
  6. Proposed Federal Standard 1025. Telecommunications: Interoperability and security requirements for the use of Data Encryption Standard in the network and transport layers of data communications. National Communications System, Washington, D.C. 20305. Draft of June 1, 1981.
  7. Proposed Federal Standard 1026. Telecommunications: Interoperability and security requirements for the use of Data Encryption Standard in the physical and data link layers of data communications. National Communications System, Washington, D.C. 20305. Draft of June 1, 1981.
  8. Diffie, W., and Hellman, M. E. Privacy and authentication: an introduction to cryptography. Proceedings of the IEEE, Vol. 67, No. 3, March 1979, pp. 397–427.
  9. Knuth, D. E. The Art of Computer Programming, Volume 1: Fundamental Algorithms. Reading, MA: Addison-Wesley.
  10. Knuth, D. E. The Art of Computer Programming, Volume 2: Seminumerical Algorithms. Reading, MA: Addison-Wesley.
  11. Gait, J. A new non-linear pseudo-random number generator. IEEE Transactions on Software Engineering, Vol. SE-3, No. 5, Sept. 1977, pp. 359–363.
  12. Hellman, M. E., and Reyneri, J. M. The distribution of drainage and the DES. Advances in Cryptography: Proceedings of CRYPTO 82. Plenum Publishing Corp., 233 Spring Street, New York, NY 10013.
  13. Blakley, G. R. Safeguarding cryptographic keys. Proceedings of the National Computer Conference, 1979. AFIPS Press, Vol. 47 (1979), pp. 313–317.
  14. Shamir, A. How to share a secret. Comm. of the ACM, Vol. 22 (1979), pp. 612–613.
  15. Meyer, C. H. Ciphertext/plaintext and ciphertext/key dependence vs. number of rounds for the data encryption standard. Proceedings of the 1978 National Computer Conference, AFIPS Press, Montvale, NJ.
  16. Davies, D. W. Private communication, August 3, 1982.

Copyright information

© Springer Science+Business Media New York 1983

Authors and Affiliations

  • Robert R. Jueneman
  1. Satellite Business Systems, McLean, USA