ECB, CBC, CFB, OFB

Johnson, Michael P (Mike) JohnsMP at LOUISVILLE.STORTEK.COM
Sat Dec 20 17:51:32 PST 1997




>Somebody asked:
>>Can somebody more experienced than I am explain the strengths and weaknesses
>>of these encryption modes as applied to CAST, IDEA, DES, and Blowfish?
>
>>              ecb    Electronic codebook mode
>>                     c[i] = f1(K, p[i])
>>                     p[i] = f2(K, c[i])

This is the weakest mode. Patterns in the plain text tend to cause
repeated blocks in the output, causing some information leakage. This
mode is really only suitable if you have exactly one block or less to
encrypt or if random access at the block level is critical. An error in
the ciphertext or plaintext only affects one block, as long as bit count
integrity is maintained.

>>              cbc    Ciphertext block chaining mode
>>                     c[i] = f1(K, p[i]) ^ c[i-1]
>>                     p[i] = f2(K, c[i]) ^ c[i-1]

This is good at preventing information leakage. A one bit error in the
ciphertext causes a one block error in the plain text => reasonable
balance between tamper detection and error resistance. This mode is
commonly used.

>>              cfb    Ciphertext feeback mode
>>                     c[i] = f1(K, c[i-1]) ^ p[i]
>>                     p[i] = f1(K, c[i-1]) ^ c[i]

This is good at preventing information leakage. A one bit error in the
ciphertext causes a one bit error in the plain text => good for use in
high noise environments where error detection and correction is
(inexplicably) not used and tamper detection is not as critical. Doesn't
require a decryption mode, so a hash function like SHA1 could be used in
this mode instead of a general block cipher.

>>              ofb    Output feeback mode
>>                     h[i] = f1(K, h[i-1])
>>                     c[i] = p[i] ^ h[i]
>>                     p[i] = c[i] ^ h[i]

This mode essentially turns a block cipher into a stream cipher without
feedback. It must be used with the same caution as such a cipher. In
other words, the same stream should not be reused, but a new starting
point (initialization vector = h[-1]) and/or key should be chosen for
each message. No padding or data size expansion is necessary.

Several other modes are possible...

For really slow performance, you can try some kind of key feedback. :-)
   K[i] = K[i-1] ^ p[i-1]   or maybe   K[i] = e(K[i-1], K[i-2])
   c[i] = e(K[i], p[i])
   p[i] = d(K[i], c[i])
Caution: bizarre modes may not be well analyzed... although I think some
key feedback modes have merit when you are trying to slow an attacker
down. They might really mess up specialized cracking hardware. :-)








More information about the cypherpunks-legacy mailing list