From: yawnmoth on
On Feb 26, 10:36 am, bmearns <mearn...(a)gmail.com> wrote:
> On Feb 26, 11:04 am, yawnmoth <terra1...(a)yahoo.com> wrote:
>
>
>
> > On Feb 25, 12:34 pm, Tom St Denis <t...(a)iahu.ca> wrote:
>
> > > On Feb 25, 1:08 pm, yawnmoth <terra1...(a)yahoo.com> wrote:
>
> > > > DES_init()
> > > > DES_set_key('aaaaaaaa');
> > > > DES_set_iv('bbbbbbbb');
> > > > DES_set_mode('ofb');
> > > > ciphertext = DES_encrypt("\0\0\0\0\0\0\0\0")
>
> > > > DES_init()
> > > > DES_set_key('aaaaaaaa')
> > > > DES_set_mode('ecb')
> > > > plaintext = DES_decrypt(ciphertext)
>
> > > > Correct me if I'm wrong, but shouldn't an ECB decryption of an OFB
> > > > encrypted string of null bytes produce a string whose first eight
> > > > bytes (assuming that that's the block size) are equal to the IV?  ie.
> > > > in the case of the pseudocode I provided, 'bbbbbbbb'?  Certainly
> > > > that's the impression I get from wikipedia.org:
>
> > > >http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation#Output_f...
>
> > > In OFB mode you encrypt the IV first then XOR it against the message
> > > [otherwise the first block encryption is known].
>
> > > So you'd expect the DES_'aaaaaaaa'('bbbbbbbb') not the plaintext.
>
> > > Tom
>
> > By DES_'aaaaaaaa'('bbbbbbbb'), I assume you mean
> > DES_encrypt('aaaaaaaa','bbbbbbbb')?  Because that's what you get when
> > XOR'ing "\0\0\0\0\0\0\0\0" against the keystream.  ie. if you encrypt
> > "\0\0\0\0\0\0\0\0" you get the keystream.  Of course, you can get the
> > keystream for any other known plaintext, too (just XOR the plaintext
> > against the ciphertext and you get the keystream), but that's a bit
> > beside the point.
>
> > If you can get the keystream and the keystream is
> > DES_encrypt('aaaaaaaa','bbbbbbbb') then you should also be able to get
> > the IV - assuming you know the key (not the keystream) by doing
> > DES_decrypt('aaaaaaaa', DES_encrypt('aaaaaaaa', 'bbbbbbbb')), which is
> > basically the same as DES_decrypt('aaaaaaaa', "\0\0\0\0\0\0\0\0" ^
> > DES_encrypt('aaaaaaaa', 'bbbbbbbb')), where "\0\0\0\0\0\0\0\0" is the
> > plaintext and "\0\0\0\0\0\0\0\0" ^ DES_encrypt('aaaaaaaa', 'bbbbbbbb')
> > is the ciphertext.
>
> But what would you even gain from getting the IV? It's not generally
> required that the IV be secret, just that it be unique for each
> message that is encoded with the same key.

The reason I'm asking is more for verification purposes. ie. if my
understanding is correct, then mcrypt's implementation of ofb and, for
that matter, cfb are wrong.
From: bmearns on
On Feb 26, 2:18 pm, yawnmoth <terra1...(a)yahoo.com> wrote:
> On Feb 26, 10:36 am, bmearns <mearn...(a)gmail.com> wrote:
>
>
>
> > On Feb 26, 11:04 am, yawnmoth <terra1...(a)yahoo.com> wrote:
>
> > > On Feb 25, 12:34 pm, Tom St Denis <t...(a)iahu.ca> wrote:
>
> > > > On Feb 25, 1:08 pm, yawnmoth <terra1...(a)yahoo.com> wrote:
>
> > > > > DES_init()
> > > > > DES_set_key('aaaaaaaa');
> > > > > DES_set_iv('bbbbbbbb');
> > > > > DES_set_mode('ofb');
> > > > > ciphertext = DES_encrypt("\0\0\0\0\0\0\0\0")
>
> > > > > DES_init()
> > > > > DES_set_key('aaaaaaaa')
> > > > > DES_set_mode('ecb')
> > > > > plaintext = DES_decrypt(ciphertext)
>
> > > > > Correct me if I'm wrong, but shouldn't an ECB decryption of an OFB
> > > > > encrypted string of null bytes produce a string whose first eight
> > > > > bytes (assuming that that's the block size) are equal to the IV?  ie.
> > > > > in the case of the pseudocode I provided, 'bbbbbbbb'?  Certainly
> > > > > that's the impression I get from wikipedia.org:
>
> > > > >http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation#Output_f...
>
> > > > In OFB mode you encrypt the IV first then XOR it against the message
> > > > [otherwise the first block encryption is known].
>
> > > > So you'd expect the DES_'aaaaaaaa'('bbbbbbbb') not the plaintext.
>
> > > > Tom
>
> > > By DES_'aaaaaaaa'('bbbbbbbb'), I assume you mean
> > > DES_encrypt('aaaaaaaa','bbbbbbbb')?  Because that's what you get when
> > > XOR'ing "\0\0\0\0\0\0\0\0" against the keystream.  ie. if you encrypt
> > > "\0\0\0\0\0\0\0\0" you get the keystream.  Of course, you can get the
> > > keystream for any other known plaintext, too (just XOR the plaintext
> > > against the ciphertext and you get the keystream), but that's a bit
> > > beside the point.
>
> > > If you can get the keystream and the keystream is
> > > DES_encrypt('aaaaaaaa','bbbbbbbb') then you should also be able to get
> > > the IV - assuming you know the key (not the keystream) by doing
> > > DES_decrypt('aaaaaaaa', DES_encrypt('aaaaaaaa', 'bbbbbbbb')), which is
> > > basically the same as DES_decrypt('aaaaaaaa', "\0\0\0\0\0\0\0\0" ^
> > > DES_encrypt('aaaaaaaa', 'bbbbbbbb')), where "\0\0\0\0\0\0\0\0" is the
> > > plaintext and "\0\0\0\0\0\0\0\0" ^ DES_encrypt('aaaaaaaa', 'bbbbbbbb')
> > > is the ciphertext.
>
> > But what would you even gain from getting the IV? It's not generally
> > required that the IV be secret, just that it be unique for each
> > message that is encoded with the same key.
>
> The reason I'm asking is more for verification purposes.  ie. if my
> understanding is correct, then mcrypt's implementation of ofb and, for
> that matter, cfb are wrong.

I see. In that case, I'll delegate to those who know better. Which is to
say, I can't tell you with any confidence whether or not your
assumption is correct.

-Brian
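The check yawnmoth describes (OFB-encrypt a block of zeros, then ECB-decrypt the first ciphertext block and compare it with the IV) is easy to turn into a self-test for a mode implementation. The script below is an added example for this thread, not code from any poster or from mcrypt. Because the Python standard library has no DES, it uses a constructed toy 64-bit Feistel network as a stand-in block cipher; every function name (toy_encrypt_block, ofb_encrypt, cfb_encrypt, check_mode_against_ecb, recover_iv_known_plaintext) is an assumption of this example, not a library API. It verifies both claims made above: the first OFB ciphertext block of a zero plaintext is E_k(IV), and XORing any known plaintext block against its ciphertext block before ECB-decrypting gives the IV back. It also runs the same check for full-block CFB, which the original poster mentions.

```python
"""Added example for the OFB/CFB-versus-ECB check discussed in the thread.
The block cipher here is a CONSTRUCTED toy Feistel network standing in for
DES so the script runs with only the standard library; it is not DES and is
not suitable for real encryption.  All names are assumptions of this example."""
import hashlib
import struct

BLOCK = 8  # 64-bit block, the same block size as DES


def _round_keys(key: bytes, rounds: int = 8):
    # Constructed key schedule: one 32-bit subkey per round, derived with SHA-256.
    return [struct.unpack(">I", hashlib.sha256(key + bytes([i])).digest()[:4])[0]
            for i in range(rounds)]


def _f(half: int, subkey: int) -> int:
    # Round function: any deterministic 32-bit function works for a Feistel network.
    return struct.unpack(">I", hashlib.sha256(struct.pack(">II", half, subkey)).digest()[:4])[0]


def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    l, r = struct.unpack(">II", block)
    for k in _round_keys(key):
        l, r = r, l ^ _f(r, k)
    return struct.pack(">II", r, l)  # final swap so decryption is the same network reversed


def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    l, r = struct.unpack(">II", block)
    for k in reversed(_round_keys(key)):
        l, r = r, l ^ _f(r, k)
    return struct.pack(">II", r, l)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ofb_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # OFB: keystream block i = E_k(keystream block i-1), seeded with the IV.
    # The plaintext never enters the cipher; it is only XORed with the keystream.
    out, feedback = [], iv
    for i in range(0, len(plaintext), BLOCK):
        feedback = toy_encrypt_block(key, feedback)
        out.append(xor(plaintext[i:i + BLOCK], feedback))
    return b"".join(out)


def cfb_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # Full-block CFB: c_i = p_i XOR E_k(c_{i-1}), with c_0 = IV.
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = xor(plaintext[i:i + BLOCK], toy_encrypt_block(key, prev))
        out.append(prev)
    return b"".join(out)


def recover_iv_known_plaintext(key: bytes, plaintext: bytes, ciphertext: bytes) -> bytes:
    # The check from the thread: D_k(p_1 XOR c_1) must equal the IV for both
    # OFB and CFB, because p_1 XOR c_1 is E_k(IV) in either mode.
    return toy_decrypt_block(key, xor(plaintext[:BLOCK], ciphertext[:BLOCK]))


def check_mode_against_ecb(key: bytes = b"aaaaaaaa", iv: bytes = b"bbbbbbbb") -> dict:
    # Runs the self-test for both modes with the thread's zero plaintext and a
    # second, non-zero plaintext; every value should be True for a correct mode.
    zeros = b"\0" * (2 * BLOCK)
    other = b"known plaintext!"  # constructed 16-byte sample, two full blocks
    results = {}
    for name, enc in (("ofb", ofb_encrypt), ("cfb", cfb_encrypt)):
        ct_zero = enc(key, iv, zeros)
        ct_other = enc(key, iv, other)
        results[name] = {
            "zero_ct_first_block_is_E_k(IV)": ct_zero[:BLOCK] == toy_encrypt_block(key, iv),
            "ecb_decrypt_of_zero_ct_gives_IV": toy_decrypt_block(key, ct_zero[:BLOCK]) == iv,
            "known_plaintext_gives_IV": recover_iv_known_plaintext(key, other, ct_other) == iv,
        }
    return results


if __name__ == "__main__":
    for mode, checks in check_mode_against_ecb().items():
        print(mode, checks)
```

One detail worth knowing before using this as a conformance test: with an all-zero plaintext, full-block CFB produces c_i = E_k(c_{i-1}) = E_k(E_k(...E_k(IV))), which is exactly the OFB keystream, so the two modes give identical ciphertext for that input. The zero-plaintext check therefore confirms the first block but cannot tell OFB from CFB; the non-zero plaintext in check_mode_against_ecb is what separates them.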