[Top] [All Lists]

Re: Low-level question about OpenPGP - why CFB mode?

2003-04-30 15:59:53

On 4/30/03 11:54 AM, "john(_dot_)dlugosz(_at_)kodak(_dot_)com" 

Why does OpenPGP use a custom CFB mode instead of CBC mode?  CFB with the
slide equal to the blocksize is basically different from CBC in that the
encryption is done before combining, rather than after.

I presume its simply always been that way, and it's not a problem so it was
never changed in an update.  But why was that chosen initially, if anybody
knows, and are there any propblems with CBC that this avoids?

It has, in fact, always been that way.

The reason is that CFB mode doesn't require padding.

The resync is there so you can easily tell if you have (most likely -- 1 in
64K chance of a miss) decrypted properly with the right key.

The downside is that there are attacks on CFB mode that don't exist on CBC
mode. The Jallal/Katz/Schneier attack of last summer is really an attack on
CFB mode. It's possible there are interesting CBC attacks (one was published
at last year's Crypto), but no one's made anything practical with it yet.
(But heck, the JKS attack is almost impractical.)