Analysis of Certain Aspects of Output Feedback Mode

The Output Feedback (OFB) mode of operation of the Data Encryption Standard (DES) is discussed, and compared to the other DES modes. The advantages of the Output Feedback mode’s insensitivity to transmission errors and the applicability to bulk encryption of multiple users’ transmissions are presented, along with the disadvantages of an increased sensitivity to bit slippage and a requirement for more complex synchronization procedures.It is concluded that the Manipulation Detection Code technique suggested in draft Federal Standards 1025 and 1026 is unsound, and that therefore there are only differences of degree in the vulnerability to active (spoofing) attacks between the various modes. Two separate encryption operations are required to provide cryptographic protection against both the passive and the active threat, but a quadratic residue checksum is proposed as a possible alternative. However, considerations of the physical media involved and the types of traffic carried may make even this level of protection unnecessary for many applications.The problem of transmission in depth is discussed, and Output Feedback mode is analyzed with respect to the probability of repeating a given output prior to exhausting the space of 264 variables. Reiterating the advice of Davies and Parkin, the user is cautioned not to use K<64 bit feedback and it is recommended that FIPS PUB 81 be revised to delete that option. Numerical data are presented for various reinitialization rates which indicate that when OFB is used not more than four billion iterations or 10,000 reinitializations or one day of operation should occur between DES key changes. One week to one month between master key changes is suggested, especially for cryptographic networks of more than two stations. Blakley’s shadow key concept is recommended as a way of minimizing the possibility of human compromise.Appendices discuss the existence of 256 weak, semi-weak, and demi-semi-weak keys, plus the derivations of the formulas for the probability of repetition for the various cases.