question about the OFB mode of operation
in [Cryptography]
|
Prev: English Version of Julien Havet
Next: berufsunfähigkeitsversicherungen vergleichen, volksfürsorge versicherung, berufsunfähigkeitsversicherung arzt, bu versicherung vergleich, bu versicherung kündigen,
From: yawnmoth on 25 Feb 2010 13:08 DES_init() DES_set_key('aaaaaaaa'); DES_set_iv('bbbbbbbb'); DES_set_mode('ofb'); ciphertext = DES_encrypt("\0\0\0\0\0\0\0\0") DES_init() DES_set_key('aaaaaaaa') DES_set_mode('ecb') plaintext = DES_decrypt(ciphertext) Correct me if I'm wrong, but shouldn't an ECB decryption of an OFB encrypted string of null bytes produce a string whose first eight bytes (assuming that that's the block size) are equal to the IV? ie. in the case of the pseodocode I provided, 'bbbbbbbb'? Certainly that's the impression I get from wikipedia.org: http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation#Output_feedback_.28OFB.29
From: Tom St Denis on 25 Feb 2010 13:34 On Feb 25, 1:08 pm, yawnmoth <terra1...(a)yahoo.com> wrote: > DES_init() > DES_set_key('aaaaaaaa'); > DES_set_iv('bbbbbbbb'); > DES_set_mode('ofb'); > ciphertext = DES_encrypt("\0\0\0\0\0\0\0\0") > > DES_init() > DES_set_key('aaaaaaaa') > DES_set_mode('ecb') > plaintext = DES_decrypt(ciphertext) > > Correct me if I'm wrong, but shouldn't an ECB decryption of an OFB > encrypted string of null bytes produce a string whose first eight > bytes (assuming that that's the block size) are equal to the IV? ie. > in the case of the pseodocode I provided, 'bbbbbbbb'? Certainly > that's the impression I get from wikipedia.org: > > http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation#Output_f... In OFB mode you encrypt the IV first then XOR it against the message [otherwise the first block encryption is known]. So you'd expect the DES_'aaaaaaaa'('bbbbbbbb') not the plaintext. Tom
From: bmearns on 26 Feb 2010 06:27 On Feb 25, 1:34 pm, Tom St Denis <t...(a)iahu.ca> wrote: > On Feb 25, 1:08 pm, yawnmoth <terra1...(a)yahoo.com> wrote: > > > > > DES_init() > > DES_set_key('aaaaaaaa'); > > DES_set_iv('bbbbbbbb'); > > DES_set_mode('ofb'); > > ciphertext = DES_encrypt("\0\0\0\0\0\0\0\0") > > > DES_init() > > DES_set_key('aaaaaaaa') > > DES_set_mode('ecb') > > plaintext = DES_decrypt(ciphertext) > > > Correct me if I'm wrong, but shouldn't an ECB decryption of an OFB > > encrypted string of null bytes produce a string whose first eight > > bytes (assuming that that's the block size) are equal to the IV? ie. > > in the case of the pseodocode I provided, 'bbbbbbbb'? Certainly > > that's the impression I get from wikipedia.org: > > >http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation#Output_f... > > In OFB mode you encrypt the IV first then XOR it against the message > [otherwise the first block encryption is known]. > > So you'd expect the DES_'aaaaaaaa'('bbbbbbbb') not the plaintext. > > Tom yawnmoth- It doesn't matter anyway, the IV need not be a secret. -Brian
From: yawnmoth on 26 Feb 2010 11:04 On Feb 25, 12:34 pm, Tom St Denis <t...(a)iahu.ca> wrote: > On Feb 25, 1:08 pm, yawnmoth <terra1...(a)yahoo.com> wrote: > > > > > DES_init() > > DES_set_key('aaaaaaaa'); > > DES_set_iv('bbbbbbbb'); > > DES_set_mode('ofb'); > > ciphertext = DES_encrypt("\0\0\0\0\0\0\0\0") > > > DES_init() > > DES_set_key('aaaaaaaa') > > DES_set_mode('ecb') > > plaintext = DES_decrypt(ciphertext) > > > Correct me if I'm wrong, but shouldn't an ECB decryption of an OFB > > encrypted string of null bytes produce a string whose first eight > > bytes (assuming that that's the block size) are equal to the IV? ie. > > in the case of the pseodocode I provided, 'bbbbbbbb'? Certainly > > that's the impression I get from wikipedia.org: > > >http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation#Output_f... > > In OFB mode you encrypt the IV first then XOR it against the message > [otherwise the first block encryption is known]. > > So you'd expect the DES_'aaaaaaaa'('bbbbbbbb') not the plaintext. > > Tom By DES_'aaaaaaaa'('bbbbbbbb'), I assume you mean DES_encrypt('aaaaaaaa','bbbbbbbb')? Because that's what you get when XOR'ing "\0\0\0\0\0\0\0\0" against the keystream. ie. if you encrypt "\0\0\0\0\0\0\0\0" you get the keystream. Of course, you can get the keystream for any other known plaintext, too (just XOR the plaintext against the ciphertext and you get the keystream), but that's a bit beside the point. If you can get the keystream and the keystream is DES_encrypt('aaaaaaaa','bbbbbbbb') then you should also be able to get the IV - assuming you know the key (not the keystream) by doing DES_decrypt('aaaaaaaa', DES_encrypt('aaaaaaaa', 'bbbbbbbb')), which is basically the same as DES_decrypt('aaaaaaaa', "\0\0\0\0\0\0\0\0" ^ DES_encrypt('aaaaaaaa', 'bbbbbbbb')), where "\0\0\0\0\0\0\0\0" is the plaintext and "\0\0\0\0\0\0\0\0" ^ DES_encrypt('aaaaaaaa', 'bbbbbbbb') is the ciphertext.
From: bmearns on 26 Feb 2010 11:36
On Feb 26, 11:04 am, yawnmoth <terra1...(a)yahoo.com> wrote: > On Feb 25, 12:34 pm, Tom St Denis <t...(a)iahu.ca> wrote: > > > > > On Feb 25, 1:08 pm, yawnmoth <terra1...(a)yahoo.com> wrote: > > > > DES_init() > > > DES_set_key('aaaaaaaa'); > > > DES_set_iv('bbbbbbbb'); > > > DES_set_mode('ofb'); > > > ciphertext = DES_encrypt("\0\0\0\0\0\0\0\0") > > > > DES_init() > > > DES_set_key('aaaaaaaa') > > > DES_set_mode('ecb') > > > plaintext = DES_decrypt(ciphertext) > > > > Correct me if I'm wrong, but shouldn't an ECB decryption of an OFB > > > encrypted string of null bytes produce a string whose first eight > > > bytes (assuming that that's the block size) are equal to the IV? ie. > > > in the case of the pseodocode I provided, 'bbbbbbbb'? Certainly > > > that's the impression I get from wikipedia.org: > > > >http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation#Output_f.... > > > In OFB mode you encrypt the IV first then XOR it against the message > > [otherwise the first block encryption is known]. > > > So you'd expect the DES_'aaaaaaaa'('bbbbbbbb') not the plaintext. > > > Tom > > By DES_'aaaaaaaa'('bbbbbbbb'), I assume you mean > DES_encrypt('aaaaaaaa','bbbbbbbb')? Because that's what you get when > XOR'ing "\0\0\0\0\0\0\0\0" against the keystream. ie. if you encrypt > "\0\0\0\0\0\0\0\0" you get the keystream. Of course, you can get the > keystream for any other known plaintext, too (just XOR the plaintext > against the ciphertext and you get the keystream), but that's a bit > beside the point. > > If you can get the keystream and the keystream is > DES_encrypt('aaaaaaaa','bbbbbbbb') then you should also be able to get > the IV - assuming you know the key (not the keystream) by doing > DES_decrypt('aaaaaaaa', DES_encrypt('aaaaaaaa', 'bbbbbbbb')), which is > basically the same as DES_decrypt('aaaaaaaa', "\0\0\0\0\0\0\0\0" ^ > DES_encrypt('aaaaaaaa', 'bbbbbbbb')), where "\0\0\0\0\0\0\0\0" is the > plaintext and "\0\0\0\0\0\0\0\0" ^ DES_encrypt('aaaaaaaa', 'bbbbbbbb') > is the ciphertext. But what would you even gain from getting the IV? It's not generally required that the IV be secret, just that it be unique for each message that is encoded with the same key. -Brian |