Block cipher modes of operation: Output feedback (OFB)

Output Feedback Mode (OFB) is a mode of operation for block ciphers. In it, a block cipher such as the Data Encryption Standard (block length 64 bits) or the Advanced Encryption Standard (block length 128 bits) is used to form a (synchronous) stream cipher.

In this mode, as shown in the figure, the output of the block cipher is combined bitwise with the plaintext by XOR (exclusive OR) to form the ciphertext. This process results in a stream cipher. The output of the block cipher is fed back to its input, so that a continuous stream of ciphertext blocks is created. For the XOR with the plaintext, only as many bits are used as are needed; this need not be a full block length. The bit stream is pseudo-random, because it depends on the block cipher, the key and the initialization vector. Therefore, this system is referred to as a pseudo-one-time pad. As in Cipher Block Chaining mode, the initialization vector serves as the start value and is chosen independently of the (secret) key.

One of the advantages is that the bit sequence with which the plaintext is bitwise XORed can be calculated in advance. Further, OFB shares with all stream ciphers the advantage that, during decryption, transmission errors (bit errors) in the ciphertext affect only the corresponding bit position in the decrypted plaintext; the error does not propagate in the plaintext. In other modes, a single bit error in the ciphertext leads to at least one completely destroyed plaintext data block. This complicates forward error correction, even making it impossible. On the other hand, the fact that the induced bit errors are predictable in the plaintext can be exploited to alter messages unnoticed.

A further advantage of the method is that no separate decryption function is necessary, because encryption and decryption are the same operation. Also, only the encryption direction of the block algorithm (or only the decryption direction) is required. The construction even allows block algorithms that are not bijective. For example, a secure hash function such as SHA-256 could be used as the block algorithm. The block size would then be the output size of the hash function, which for SHA-256 is 256 bits.

A disadvantage of OFB is the complicated synchronization of the block ciphers between transmitter and receiver, because OFB, unlike Cipher Feedback Mode (CFB), is fundamentally not self-synchronizing. The block cipher at the receiver is, as shown in the figure above, also operated in the encryption direction: with the same initialization vector and the same key it produces the same binary data sequence, with which the transmitter's XOR operation can be undone. The precise temporal coordination this requires must be ensured by appropriate procedures in the transmission protocols.

If multiple messages are encrypted with the same key, a different initialization vector must be used for each message, otherwise the same key stream is generated. In that case the scheme is vulnerable to a simple attack in which two ciphertexts are XORed. The (identical) key streams used for encryption cancel out, and the result is the XOR of the two plaintexts, from which the plaintexts can easily be determined. If the plaintext of one message is even known, a known-plaintext attack can be carried out: by XORing the plaintext and ciphertext, one can determine the key stream used and decrypt the corresponding sections of other messages.
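
The properties described above (precomputable key stream, identical encryption and decryption, non-propagating bit errors, and the key stream cancelling when an initialization vector is reused) can be checked with a small OFB built on SHA-256 as the non-bijective block algorithm. This is an added example, not part of the original article; the keyed function SHA-256(key || state), the key, the IVs and the two messages are assumptions constructed for illustration.

```python
import hashlib

BLOCK = 32  # SHA-256 output size in bytes (256 bits)

def block_fn(key: bytes, state: bytes) -> bytes:
    # Keyed, non-bijective "block algorithm" (assumption made for this example).
    return hashlib.sha256(key + state).digest()

def ofb_keystream(key: bytes, iv: bytes, n: int) -> bytes:
    # Needs only key and IV, so it can be computed before the plaintext exists.
    if len(iv) != BLOCK:
        raise ValueError("IV must be one block long")
    out, state = bytearray(), iv
    while len(out) < n:
        state = block_fn(key, state)  # output is fed back as the next input
        out += state
    return bytes(out[:n])             # use only as many bytes as needed

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))  # truncates to the shorter input

def ofb_crypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    # Encryption and decryption are the same operation.
    return xor(data, ofb_keystream(key, iv, len(data)))

# Constructed sample values
KEY = bytes(range(32))
IV_A, IV_B = b"\x01" * BLOCK, b"\x02" * BLOCK
P1 = b"PAY 0100 EUR TO ALICE, REF 2024-A"
P2 = b"meeting moved to 14:30 in room 7"

def bit_error_positions(byte_index: int, mask: int) -> list:
    # Damage one ciphertext byte and list the plaintext bytes that change.
    c = bytearray(ofb_crypt(KEY, IV_A, P1))
    c[byte_index] ^= mask
    p = ofb_crypt(KEY, IV_A, bytes(c))
    return [i for i in range(len(P1)) if p[i] != P1[i]]

def ciphertext_xor_equals_plaintext_xor(iv1: bytes, iv2: bytes) -> bool:
    # True when the key streams cancel, i.e. when the IV was reused.
    c1, c2 = ofb_crypt(KEY, iv1, P1), ofb_crypt(KEY, iv2, P2)
    return xor(c1, c2) == xor(P1, P2)

def recover_with_known_plaintext(iv1: bytes, iv2: bytes) -> bytes:
    # Key stream from a known (P1, C1) pair applied to the other ciphertext.
    c1, c2 = ofb_crypt(KEY, iv1, P1), ofb_crypt(KEY, iv2, P2)
    return xor(c2, xor(P1, c1))
```

With distinct IVs the last two functions return `False` and unreadable bytes; with the same IV they return `True` and the second message, which is why each message under one key needs its own initialization vector.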
