<option value="">----------- <option value="/reference/dir.archive1.html">Free Archive </SELECT> </font></td> </tr> </table> </form><!-- LEFT NAV SEARCH END --> </td> <!-- PUB PARTNERS END --><!-- END LEFT NAV --><td rowspan="8" align="right" valign="top"><img src="/images/iswbls.gif" width=1 height=400 alt="" border="0"></td><td><img src="/images/white.gif" width="5" height="1" alt="" border="0"></td><!-- end of ITK left NAV --><!-- begin main content --><td width="100%" valign="top" align="left"><!-- END SUB HEADER -->
<!--Begin Content Column -->
<FONT FACE="Arial,Helvetica" SIZE="-1">
To access the contents, click the chapter and section titles.
</FONT>
<P>
<B>Applied Cryptography, Second Edition: Protocols, Algorithms, and Source Code in C (cloth)</B>
<FONT SIZE="-1">
<BR>
<I>(Publisher: John Wiley & Sons, Inc.)</I>
<BR>
Author(s): Bruce Schneier
<BR>
ISBN: 0471128457
<BR>
Publication Date: 01/01/96
</FONT>
<P>
<form name="Search" method="GET" action="http://search.earthweb.com/search97/search_redir.cgi">
<INPUT TYPE="hidden" NAME="Action" VALUE="Search">
<INPUT TYPE="hidden" NAME="SearchPage" VALUE="http://search.earthweb.com/search97/samples/forms/srchdemo.htm">
<INPUT TYPE="hidden" NAME="Collection" VALUE="ITK">
<INPUT TYPE="hidden" NAME="ResultTemplate" VALUE="itk-full.hts">
<INPUT TYPE="hidden" NAME="ViewTemplate" VALUE="view.hts">
<font face="arial, helvetica" size=2><b>Search this book:</b></font><br>
<INPUT NAME="queryText" size=50 VALUE=""> <input type="submit" name="submitbutton" value="Go!">
<INPUT type=hidden NAME="section_on" VALUE="on">
<INPUT type=hidden NAME="section" VALUE="http://www.itknowledge.com/reference/standard/0471128457/">
</form>
<!-- Empty Reference Subhead -->
<!--ISBN=0471128457//-->
<!--TITLE=APPLIED CRYPTOGRAPHY, SECOND EDITION: Protocols, Algorithms, and Source Code in C//-->
<!--AUTHOR=Bruce Schneier//-->
<!--PUBLISHER=Wiley Computer Publishing//-->
<!--CHAPTER=09//-->
<!--PAGES=202-205//-->
<!--UNASSIGNED1//-->
<!--UNASSIGNED2//-->
<CENTER>
<TABLE BORDER>
<TR>
<TD><A HREF="09-05.html">Previous</A></TD>
<TD><A HREF="../ewtoc.html">Table of Contents</A></TD>
<TD><A HREF="09-07.html">Next</A></TD>
</TR>
</TABLE>
</CENTER>
<P><BR></P>
<P>Synchronous stream ciphers also protect against any insertions and deletions in the ciphertext, because these cause a loss of synchronization and will be immediately detected. They do not, however, fully protect against bit toggling. As with block ciphers in CFB mode, Mallory can toggle individual bits in the stream. If he knows the plaintext, he can make those bits decrypt to whatever he wants. Subsequent bits will decrypt correctly, so in certain applications Mallory can still do considerable damage.
</P>
<P><FONT SIZE="+1"><B><I>Insertion Attack</I></B></FONT></P>
<P>Synchronous stream ciphers are vulnerable to an <B>insertion attack</B> [93]. Mallory has recorded a ciphertext stream, but does not know the plaintext or the keystream used to encrypt the plaintext.</P>
<!-- CODE SNIP //-->
<PRE>
Original plaintext: <I>p</I><SUB>1</SUB> <I>p</I><SUB>2</SUB> <I>p</I><SUB>3</SUB> <I>p</I><SUB>4</SUB> ...
Original keystream: <I>k</I><SUB>1</SUB> <I>k</I><SUB>2</SUB> <I>k</I><SUB>3</SUB> <I>k</I><SUB>4</SUB> ...
Original ciphertext: <I>c</I><SUB>1</SUB> <I>c</I><SUB>2</SUB> <I>c</I><SUB>3</SUB> <I>c</I><SUB>4</SUB> ...
</PRE>
<!-- END CODE SNIP //-->
<P>Mallory inserts a single known bit, <I>p’</I>, into the plaintext after <I>p</I><SUB>1</SUB> and then manages to get the modified plaintext encrypted with the same keystream. He records the resultant new ciphertext:</P>
<!-- CODE SNIP //-->
<PRE>
New plaintext: <I>p</I><SUB>1</SUB> <I>p</I>’ <I>p</I><SUB>2</SUB> <I>p</I><SUB>3</SUB> <I>p</I><SUB>4</SUB> ...
Original keystream: <I>k</I><SUB>1</SUB> <I>k</I><SUB>2</SUB> <I>k</I><SUB>3</SUB> <I>k</I><SUB>4</SUB> <I>k</I><SUB>5</SUB> ...
Updated ciphertext: <I>c</I><SUB>1</SUB> <I>c</I>’<SUB>2</SUB> <I>c</I>’<SUB>3</SUB> <I>c</I>’<SUB>4</SUB> <I>c</I>’<SUB>5</SUB> ...
</PRE>
<!-- END CODE SNIP //-->
<P>Assuming he knows the value of <I>p’</I>, he can determine the entire plaintext after that bit from the original ciphertext and new ciphertext:</P>
<!-- CODE SNIP //-->
<PRE>
<I>k</I><SUB>2</SUB> = <I>c</I>’<SUB>2</SUB> ⊕ <I>p</I>’, and then <I>p</I><SUB>2</SUB> = <I>c</I><SUB>2</SUB> ⊕ <I>k</I><SUB>2</SUB>
<I>k</I><SUB>3</SUB> = <I>c</I>’<SUB>3</SUB> ⊕ <I>p</I><SUB>2</SUB>, and then <I>p</I><SUB>3</SUB> = <I>c</I><SUB>3</SUB> ⊕ <I>k</I><SUB>3</SUB>
<I>k</I><SUB>4</SUB> = <I>c</I>’<SUB>4</SUB> ⊕ <I>p</I><SUB>3</SUB>, and then <I>p</I><SUB>4</SUB> = <I>c</I><SUB>4</SUB> ⊕ <I>k</I><SUB>4</SUB>
</PRE>
<!-- END CODE SNIP //-->
<P>Mallory doesn’t even have to know the exact position in which the bit was inserted; he can just compare the original and updated ciphertexts to see where they begin to differ. To protect against this attack, never use the same keystream to encrypt two different messages.
</P>
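<P>The recovery the three equations above describe, worked at the bit level as an added example (this is not code from the book; the function names, the sample message and the randomly drawn keystream are constructed for the illustration). It locates the first position at which the two ciphertexts differ, then walks the chain <I>k</I><SUB>i</SUB> = <I>c’</I><SUB>i</SUB> ⊕ (previous plaintext bit), <I>p</I><SUB>i</SUB> = <I>c</I><SUB>i</SUB> ⊕ <I>k</I><SUB>i</SUB> to the end of the message. The point for a defender is that one reused keystream exposes every bit after the insertion point, which is why each message needs its own keystream.</P>

```python
"""Insertion attack against a reused keystream (synchronous stream cipher).
Added illustration of the equations in the text; not code from the book.
All names and sample values below are constructed for this example."""
import secrets


def bytes_to_bits(data):
    """Big-endian list of bits for a byte string."""
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def xor_bits(a, b):
    """Bitwise XOR of two bit lists, truncated to the shorter one."""
    return [x ^ y for x, y in zip(a, b)]


def recover_after_insertion(c_orig, c_new, p_prime):
    """Given the original ciphertext, a ciphertext of the same plaintext with
    one known bit p_prime inserted, and the (wrongly) reused keystream behind
    both, recover every original plaintext bit from the first differing
    position onward.  Returns (first_difference, recovered_bits).

    The insertion point itself need not be known: if p_prime happens to equal
    the bits it displaces, the ciphertexts first differ a little later, but
    the new plaintext bit at that position still equals p_prime."""
    j = next((i for i in range(len(c_orig)) if c_orig[i] != c_new[i]), None)
    if j is None:
        raise ValueError("ciphertexts do not differ; nothing was inserted")
    recovered = []
    known = p_prime                 # plaintext bit that sits under c_new[j]
    for i in range(j, len(c_orig)):
        k_i = c_new[i] ^ known      # k_i = c'_i XOR (known plaintext bit)
        p_i = c_orig[i] ^ k_i       # p_i = c_i XOR k_i
        recovered.append(p_i)
        known = p_i                 # p_i is the bit under c_new[i + 1]
    return j, recovered


def demo(plaintext=b"TRANSFER 100 TO ACCOUNT 42", insert_after=8, p_prime=1):
    """Constructed scenario: the same keystream encrypts two messages."""
    p = bytes_to_bits(plaintext)
    # Random keystream, one byte longer than the message to cover the insert.
    k = bytes_to_bits(secrets.token_bytes(len(plaintext) + 1))
    c_orig = xor_bits(p, k)
    p_new = p[:insert_after] + [p_prime] + p[insert_after:]
    c_new = xor_bits(p_new, k)      # keystream reuse: the mistake being shown
    j, recovered = recover_after_insertion(c_orig, c_new, p_prime)
    return {"first_difference": j, "recovered_matches": recovered == p[j:]}


if __name__ == "__main__":
    print(demo())
```

Whatever keystream is drawn, the recovered bits equal the original plaintext from the first difference onward; the keystream never has to be known in advance.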
<H3><A NAME="Heading9"></A><FONT COLOR="#000077">9.8 Output-Feedback Mode</FONT></H3>
<P><B>Output-feedback (OFB)</B> mode is a method of running a block cipher as a synchronous stream cipher. It is similar to CFB mode, except that <I>n</I> bits of the previous output block are moved into the right-most positions of the queue (see Figure 9.11). Decryption is the reverse of this process. This is called <I>n-</I>bit OFB. On both the encryption and the decryption sides, the block algorithm is used in its encryption mode. This is sometimes called <B>internal feedback</B>, because the feedback mechanism is independent of both the plaintext and the ciphertext streams [291].</P>
<P>If <I>n</I> is the block size of the algorithm, then <I>n-</I>bit OFB looks like (see Figure 9.12):</P>
<DL>
<DD><I>C</I><SUB>i</SUB> = <I>P</I><SUB>i</SUB> ⊕ <I>S</I><SUB>i</SUB>; <I>S</I><SUB>i</SUB> = <I>E</I><SUB>K</SUB>(<I>S</I><SUB>i-1</SUB>)
<DD><I>P</I><SUB>i</SUB> = <I>C</I><SUB>i</SUB> ⊕ <I>S</I><SUB>i</SUB>; <I>S</I><SUB>i</SUB> = <I>E</I><SUB>K</SUB>(<I>S</I><SUB>i-1</SUB>)
</DL>
<I><P><A NAME="Fig11"></A><A HREF="javascript:displayWindow('images/09-11.jpg',309,155 )"><IMG SRC="images/09-11t.jpg"></A>
<BR><A HREF="javascript:displayWindow('images/09-11.jpg',309,155)"><FONT COLOR="#000077"><B>Figure 9.11</B></FONT></A> 8-bit output-feedback mode.</I>
</P>
<P><I>S</I><SUB>i</SUB> is the state, which is independent of either the plaintext or the ciphertext.</P>
<P>One nice feature of OFB mode is that most of the work can occur offline, before the plaintext message even exists. When the message finally arrives, it can be XORed with the output of the algorithm to produce the ciphertext.</P>
<P><FONT SIZE="+1"><B><I>Initialization Vector</I></B></FONT></P>
<P>The OFB shift register must also be initially loaded with an IV. It should be unique but does not have to be secret.
</P>
<P><FONT SIZE="+1"><B><I>Error Propagation</I></B></FONT></P>
<P>OFB mode has no error extension. A single-bit error in the ciphertext causes a single-bit error in the recovered plaintext. This can be useful in some digitized analog transmissions, like digitized voice or video, where the occasional single-bit error can be tolerated but error extension cannot.
</P>
<P>On the other hand, a loss of synchronization is fatal. If the shift registers on the encryption end and the decryption end are not identical, then the recovered plaintext will be gibberish. Any system that uses OFB mode must have a mechanism for detecting a synchronization loss and a mechanism to fill both shift registers with a new (or the same) IV to regain synchronization.</P>
<I><P><A NAME="Fig12"></A><A HREF="javascript:displayWindow('images/09-12.jpg',178,102 )"><IMG SRC="images/09-12t.jpg"></A>
<BR><A HREF="javascript:displayWindow('images/09-12.jpg',178,102)"><FONT COLOR="#000077"><B>Figure 9.12</B></FONT></A> </I>n-<I>bit OFB with an</I> n-<I>bit algorithm.</I>
</P>
<P><FONT SIZE="+1"><B><I>Security Problems with OFB</I></B></FONT></P>
<P>An analysis of OFB mode [588,430,431,789] demonstrates that OFB should be used only when the feedback size is the same as the block size. For example, you should only use a 64-bit algorithm in 64-bit OFB mode. Even though the U.S. government authorizes other feedback sizes for DES [1143], avoid them.
</P>
<P>OFB mode XORs a keystream with the text. This keystream will eventually repeat. It is important that it does not repeat with the same key; otherwise, there is no security. When the feedback size equals the block size, the block cipher acts as a permutation of <I>m</I>-bit values (where <I>m</I> is the block length) and the average cycle length is 2<SUP><I>m</I></SUP> - 1. For a 64-bit block length, this is a very long number. When the feedback size <I>n</I> is less than the block length, the average cycle length drops to around 2<SUP><I>m</I>/2</SUP>. For a 64-bit block cipher, this is only 2<SUP>32</SUP>—not long enough.</P>
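<P>An added example (not code from the book) tying together the OFB material above: the <I>n</I>-bit OFB next-state rule, keystream generation that needs no plaintext, the single-bit error propagation, the fatal effect of a lost IV, and the difference between full-width and narrower feedback. A seeded random permutation on 16-bit values stands in for <I>E</I><SUB>K</SUB> (that stand-in, the 16-bit toy block length and every function name are this example's own assumptions, chosen so the state space is small enough to walk completely). With <I>n</I> = <I>m</I> the next-state map is a permutation, so the walk from the IV is a pure cycle; with <I>n</I> &lt; <I>m</I> it generally is not, and the walk has a tail before it starts repeating.</P>

```python
"""n-bit OFB on a toy 16-bit block "cipher".  Added illustration of the OFB
section; not code from the book.  The keyed permutation below is a stand-in
for E_K (assumption), not a real cipher, and all names are this example's own."""
import random

M = 16                      # toy block length m in bits (assumption)
MASK = (1 << M) - 1


def make_toy_block_cipher(key):
    """Keyed permutation of M-bit values standing in for E_K (assumption)."""
    table = list(range(1 << M))
    random.Random(key).shuffle(table)
    return lambda x: table[x & MASK]


def ofb_next_state(E, state, n):
    """One n-bit OFB step: the leftmost n bits of E(state) are shifted into the
    right-most positions of the M-bit queue.  With n == M this is exactly
    S_i = E_K(S_{i-1}).  Returns (new_state, fed_back_bits)."""
    out = E(state)
    fed = out >> (M - n)
    return ((state << n) | fed) & MASK, fed


def ofb_keystream(E, iv, n, nbits):
    """nbits of keystream.  Depends only on E, IV and n, so it can be computed
    before the plaintext exists."""
    bits, state = [], iv & MASK
    while len(bits) < nbits:
        state, fed = ofb_next_state(E, state, n)
        bits.extend((fed >> (n - 1 - i)) & 1 for i in range(n))
    return bits[:nbits]


def ofb_xor(E, iv, n, data):
    """C_i = P_i XOR S_i.  Calling it again with the ciphertext decrypts, and E
    is used in the encryption direction on both sides."""
    ks = ofb_keystream(E, iv, n, len(data) * 8)
    out = bytearray()
    for i, byte in enumerate(data):
        k = 0
        for bit in ks[i * 8:(i + 1) * 8]:
            k = (k << 1) | bit
        out.append(byte ^ k)
    return bytes(out)


def orbit_lengths(E, iv, n):
    """Walk the next-state map from iv until a state repeats.
    Returns (tail, cycle): tail is 0 whenever the map is a permutation."""
    seen, state, step = {}, iv & MASK, 0
    while state not in seen:
        seen[state] = step
        state, _ = ofb_next_state(E, state, n)
        step += 1
    return seen[state], step - seen[state]


def demo(key=2024, iv=0x1234):
    """Constructed run: full-width OFB round trip, error behaviour, sync loss,
    and the orbit lengths for full (n = M) versus 8-bit feedback."""
    E = make_toy_block_cipher(key)
    msg = b"OFB keeps single-bit errors single"
    ct = ofb_xor(E, iv, M, msg)
    round_trip = ofb_xor(E, iv, M, ct) == msg
    # No error extension: one flipped ciphertext bit flips one plaintext bit.
    damaged = bytearray(ct)
    damaged[5] ^= 0x01
    pt = ofb_xor(E, iv, M, bytes(damaged))
    flipped = sum(bin(a ^ b).count("1") for a, b in zip(pt, msg))
    # Loss of synchronization (receiver loaded a different IV) is fatal.
    wrong_iv_garbles = ofb_xor(E, iv ^ 1, M, ct) != msg
    full_tail, full_cycle = orbit_lengths(E, iv, M)
    part_tail, part_cycle = orbit_lengths(E, iv, 8)
    return {"round_trip": round_trip, "flipped_bits": flipped,
            "wrong_iv_garbles": wrong_iv_garbles,
            "full_feedback": (full_tail, full_cycle),
            "8bit_feedback": (part_tail, part_cycle)}


if __name__ == "__main__":
    print(demo())
```

The orbit lengths printed for the two feedback widths vary with the seed; the toy is far too small to reproduce the 2<SUP><I>m</I></SUP> versus 2<SUP><I>m</I>/2</SUP> averages quoted in the text, but it does show the structural difference: the full-width walk returns to its IV, while the 8-bit walk typically runs into a loop that does not include the IV, which is the beginning of the period problem the text warns about.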
<P><FONT SIZE="+1"><B><I>Stream Ciphers in OFB</I></B></FONT></P>
<P>A stream cipher can also run in OFB mode. In this case, the key affects the next-state function (see Figure 9.13). The output function does not depend on the key; very often it is something simple like a single bit of the internal state or the XOR of multiple bits of the internal state. The cryptographic complexity is in the next-state function; this function is key-dependent. This method is also called internal feedback [291], because the feedback mechanism is internal to the key generation algorithm.
</P>
<P>In a variant of this mode, the key determines just the initial state of the keystream generator. After the key sets the internal state of the generator, the generator runs undisturbed from then on.</P><P><BR></P>
<CENTER>
<TABLE BORDER>
<TR>
<TD><A HREF="09-05.html">Previous</A></TD>
<TD><A HREF="../ewtoc.html">Table of Contents</A></TD>
<TD><A HREF="09-07.html">Next</A></TD>
</TR>
</TABLE>
</CENTER>
<!-- all of the reference materials (books) have the footer and subfoot reveresed --><!-- reference_subfoot = footer --><!-- reference_footer = subfoot --><!-- BEGIN SUB FOOTER --> <br><br> </TD> </TR> </TABLE> <table width="640" border=0 cellpadding=0 cellspacing=0> <tr> <td align="left" width=135><img src="/images/white.gif" width=100 height="1" alt="" border="0"></td> <!-- END SUB FOOTER -->
<!-- all of the books have the footer and subfoot reveresed --><!-- reference_subfoot = footer --><!-- reference_footer = subfoot --><!-- FOOTER --> <td width="515" align="left" bgcolor="#FFFFFF"><font face="arial, helvetica" size="1"><b><a href="/products.html"><font color="#006666">Products</font></a> | <a href="/contactus.html"><font color="#006666">Contact Us</font></a> | <a href="/aboutus.html"><font color="#006666">About Us</font></a> | <a href="http://www.earthweb.com/corporate/privacy.html" target="_blank"><font color="#006666">Privacy</font></a> | <a href="http://www.itmarketer.com/" target="_blank"><font color="#006666">Ad Info</font></a> | <a href="/"><font color="#006666">Home</font></a></b> <br><br> Use of this site is subject to certain <a href="/agreement.html">Terms & Conditions</a>, <a href="/copyright.html">Copyright © 1996-1999 EarthWeb Inc.</a><br> All rights reserved. Reproduction whole or in part in any form or medium without express written permision of EarthWeb is prohibited.</font><p></td> </tr></table></BODY></HTML><!-- END FOOTER -->