The Call of the Open Sidewalk

From a place slightly to the side of the more popular path

User Tools

Site Tools


OpenPGP's Improved Cipher Feedback Mode (OCFB)

OpenPGP uses something called the cipher feedback block encryption mode 1). It prevents some particular types of data leakage and imposes a penalty for unauthorized modifications of the protected messages/files.

OpenPGP does cipher feedback in a way that is superior to the conventional way. The difference is at the start of the message to be encrypted. This is the conventional start:

The “Unique Value” here is a value (usually just random) that makes the message unique, even if you have encrypted the same message in the past encrypted with the same key. The fact that you are sending the same or similar messages is a type of information leak.

The problem here is that the unique value is required to decrypt the message. So it has to be passed along with the message and can't be encrypted. So an attacker knows what it is and can change it to whatever they want. This allows them to, say, quietly chop off the start of the message without penalty.

This is (roughly) how OpenPGP starts up cipher feedback:

Now we have a fixed value of zero where the unique value used to be. So the attacker no longer has any ability to modify it. The result of encrypting a zero value produces an unpredictable value based on the key the attacker does not know. That value is combined with the unique value (that must be random in this case so that the attacker can't guess it) and becomes the start of the message (it is thrown away after decryption). This scheme provides the benefit of the conventional method while providing the attacker no useful information. Attempts to, say, chop off the start of the message will result in the traditional cipher feedback penalty.

This OpenPGP cipher feedback (OCFB) scheme works very well in combination with the OpenPGP Modification Detection Code.

See the Cipher Feedback article for more context
pgpfan/ocfb.txt · Last modified: 2022/12/27 22:56 by b.walzer