exclusive-or;initialization vector;seed;encryption;DES;plaintext;feedback;decryption">


Question 83. What are the CFB and OFB modes?

The Cipher Feedback (CFB) mode and the Output Feedback (OFB) mode are two more standard modes of operation (see Question 82) for a block cipher.

In CFB mode (see Figure 5), the previous ciphertext block is encrypted and the output produced is combined with the plaintext block using exclusive-or to produce the current ciphertext block. It is possible to define CFB mode so that it uses feedback that is less than one full data block. An initialization vector (see Question 82) or value c0 is used as a "seed" for the process.

Figure 5. Cipher Feedback Mode

CFB mode is as secure as the underlying cipher and plaintext patterns are concealed in the ciphertext by the use of the exclusive-or operation. Plaintext cannot be manipulated directly except by the removal of blocks from the beginning or the end of the ciphertext. With CFB mode and full feedback, when two ciphertext blocks are identical, the outputs from the DES operation at the next step are also identical. This allows information about plaintext blocks to leak. When using full feedback, the speed of encryption is identical to that of the block cipher, but the encryption process cannot be easily parallelized.

OFB mode (see Figure 6) is similar to the CFB mode except that the quantity exclusive-ored with each plaintext block is generated independently of both the plaintext and ciphertext. An initialization vector s0 is used as a "seed" for a sequence of data blocks si,, and each data block si is derived from the encryption of the previous data block si-1. The encryption of a plaintext block is derived by taking the exclusive-or of the plaintext block with the relevant data block.

Figure 6. Output Feedback Mode

Feedback widths less than a full block are not recommended for security [DP83] [Jue83]. OFB mode has an advantage over CFB mode in that any bit errors that might occur during transmission are not propagated to affect the decryption of subsequent blocks. However, by changing the ciphertext the plaintext can easily be manipulated. The speed of encryption is identical to that of the block cipher. Even though the process cannot easily parallelized, time can be saved by generating the key stream before the data is available for encryption.