Offset codebook mode (OCB mode) is an authenticated encryption mode of operation for cryptographic block ciphers. OCB mode was designed by Phillip Rogaway, who credits Mihir Bellare, John Black, and Ted Krovetz with assistance and comments on the designs. It is based on the integrity-aware parallelizable mode (IAPM) of authenticated encryption by Charanjit S. Jutla. The OCB2 version was proven insecure, while the original OCB1 as well as OCB3 from 2011 are still considered secure.
Encryption and authentication
OCB mode was designed to provide both message authentication and privacy. It is essentially a scheme for integrating a message authentication code (MAC) into the operation of a block cipher. In this way, OCB mode avoids the need to use two systems: a MAC for authentication and encryption for confidentiality. This results in lower computational cost compared to using separate encryption and authentication functions.
There are three versions of OCB: OCB1, OCB2 and OCB3. OCB1 was published in 2001. OCB2 improves on OCB1 by allowing associated data to be included with the message, providing authenticated encryption with associated data (AEAD; that is, data that are not encrypted but should be authenticated), and by using a new method for generating the sequence of offsets. OCB2 was first published in 2003, originally named authenticated-encryption mode, or advanced encryption mode (AEM), and was shown to be completely insecure in 2019. OCB3, published in 2011, again changes the way offsets are computed and introduces minor performance improvements.
OCB2 was standardized in ISO/IEC 19772:2009 (although it was removed from the standard following the publication of the attack), and a modified OCB3 in RFC 7253. The RFC encodes the tag length into the internally formatted nonce.
Performance
OCB performance overhead is minimal compared to classical, non-authenticating modes like cipher block chaining. OCB requires one block cipher operation per block of encrypted and authenticated message and one block cipher operation per block of associated data, plus one extra block cipher operation at the end of the process.
For comparison, CCM mode, which offers similar functionality, requires twice as many block cipher operations per message block (associated data requires one, as in OCB).
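The mode described in the two sections above (key-derived offsets, one block-cipher call per message and associated-data block, a plaintext checksum, and a final call that produces the tag), as an added Python example that is not the article's own code: an OCB3 implementation following the RFC 7253 layout, with AES-128 supplied by the third-party `cryptography` package (assumed installed). It is checked against the first two test vectors of the RFC's Appendix A and against a constructed sample in which a flipped ciphertext bit and altered associated data must both be rejected. Names such as `OCB3`, `_core` and `demo` are this example's own.

```python
# Added example, not the article's own code: OCB3 as laid out in RFC 7253, with AES-128 as the
# block cipher. Assumes the third-party 'cryptography' package is installed.
import hmac
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

BLOCK = 16  # 128-bit blocks

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _double(s):
    # multiply by x in GF(2^128), reduction polynomial x^128 + x^7 + x^2 + x + 1
    n = int.from_bytes(s, "big") << 1
    return ((n & ((1 << 128) - 1)) ^ 0x87 if n >> 128 else n).to_bytes(BLOCK, "big")

def _ntz(i):
    return (i & -i).bit_length() - 1  # trailing zeros of the 1-based block index, selects L_ntz(i)

def aes_block_cipher(key):
    c = Cipher(algorithms.AES(key), modes.ECB())  # ECB on exactly one block is the raw E_K / D_K
    return (lambda b: c.encryptor().update(b)), (lambda b: c.decryptor().update(b))

class OCB3:
    def __init__(self, key, taglen=16):
        self.enc, self.dec = aes_block_cipher(key)
        self.taglen = taglen
        self.L_star = self.enc(bytes(BLOCK))   # L_* = E_K(0^128), computed once per key
        self.L_dollar = _double(self.L_star)   # L_$ = double(L_*)
        self.L = [_double(self.L_dollar)]      # L_0; L_i = double(L_{i-1}), enough for 2^64 blocks
        for _ in range(63):
            self.L.append(_double(self.L[-1]))

    def _hash(self, ad):
        """HASH(K, A): PMAC-style authentication of the associated data, one E_K call per block."""
        total, offset = bytes(BLOCK), bytes(BLOCK)
        m, rem = divmod(len(ad), BLOCK)
        for i in range(1, m + 1):
            offset = _xor(offset, self.L[_ntz(i)])
            total = _xor(total, self.enc(_xor(ad[(i - 1) * BLOCK:i * BLOCK], offset)))
        if rem:  # partial final block: pad with 1 || 0*, offset with L_*
            padded = ad[m * BLOCK:] + b"\x80" + bytes(BLOCK - rem - 1)
            total = _xor(total, self.enc(_xor(padded, _xor(offset, self.L_star))))
        return total

    def _initial_offset(self, nonce):
        # Nonce = taglen mod 128 (7 bits) || 0* || 1 || N; Offset_0 is a 128-bit window of Stretch
        assert 1 <= len(nonce) <= 15
        n = bytes(BLOCK - 1 - len(nonce)) + b"\x01" + nonce
        n = bytes([(((self.taglen * 8) % 128) << 1) | n[0]]) + n[1:]
        bottom = n[-1] & 0x3F
        ktop = self.enc(n[:-1] + bytes([n[-1] & 0xC0]))  # Ktop = E_K(nonce with low 6 bits cleared)
        stretch = int.from_bytes(ktop + _xor(ktop[:8], ktop[1:9]), "big")  # 192 bits
        return ((stretch >> (64 - bottom)) & ((1 << 128) - 1)).to_bytes(BLOCK, "big")

    def _core(self, nonce, ad, data, decrypting):
        """Shared loop: one cipher call per block, checksum over the plaintext; returns (out, tag)."""
        offset, checksum, out = self._initial_offset(nonce), bytes(BLOCK), bytearray()
        m, rem = divmod(len(data), BLOCK)
        for i in range(1, m + 1):
            offset = _xor(offset, self.L[_ntz(i)])
            blk = data[(i - 1) * BLOCK:i * BLOCK]
            res = _xor(offset, (self.dec if decrypting else self.enc)(_xor(blk, offset)))
            out += res
            checksum = _xor(checksum, res if decrypting else blk)
        if rem:  # partial block is XORed with Pad = E_K(Offset_m xor L_*)
            offset = _xor(offset, self.L_star)
            res = _xor(data[m * BLOCK:], self.enc(offset)[:rem])
            out += res
            checksum = _xor(checksum, (res if decrypting else data[m * BLOCK:]) + b"\x80" + bytes(BLOCK - rem - 1))
        tag = _xor(self.enc(_xor(_xor(checksum, offset), self.L_dollar)), self._hash(ad))  # final call
        return bytes(out), tag

    def encrypt(self, nonce, ad, pt):
        ct, tag = self._core(nonce, ad, pt, False)
        return ct + tag[:self.taglen]

    def decrypt(self, nonce, ad, ct):
        """Plaintext, or None on tag mismatch; unverified plaintext is never released."""
        if len(ct) < self.taglen:
            return None
        pt, tag = self._core(nonce, ad, ct[:len(ct) - self.taglen], True)
        return pt if hmac.compare_digest(tag[:self.taglen], ct[len(ct) - self.taglen:]) else None

RFC7253_KEY = bytes.fromhex("000102030405060708090A0B0C0D0E0F")  # RFC 7253 Appendix A vectors
RFC7253_VECTORS = [  # (nonce, A, P, C || T) with AES-128 and a 128-bit tag
    ("BBAA99887766554433221100", "", "", "785407BFFFC8AD9EDCC5520AC9111EE6"),
    ("BBAA99887766554433221101", "0001020304050607", "0001020304050607", "6820B3657B6F615A5725BDA0D3B4EB3A257C9AF1F8F03009")]

def check_rfc7253_vectors():
    ocb = OCB3(RFC7253_KEY)
    return all(ocb.encrypt(*map(bytes.fromhex, (n, a, p))).hex().upper() == c for n, a, p, c in RFC7253_VECTORS)

def demo():
    key, nonce = bytes(range(16)), bytes.fromhex("BBAA99887766554433221100")  # constructed key
    ocb, ad, pt = OCB3(key), b"constructed header", b"constructed message spanning a partial block"
    ct = ocb.encrypt(nonce, ad, pt)
    return {"roundtrip": ocb.decrypt(nonce, ad, ct) == pt,
            "tampered_rejected": ocb.decrypt(nonce, ad, bytes([ct[0] ^ 1]) + ct[1:]) is None,  # flipped bit
            "wrong_ad_rejected": ocb.decrypt(nonce, ad + b"!", ct) is None}
```

The loop in `_core` is where the cost count in the Performance section comes from: one cipher call per message block, one per associated-data block inside `_hash`, and the single final call that produces the tag. The per-key `L_*` and the per-nonce `Ktop` computations sit outside that per-block count. `decrypt` returns `None` on a tag mismatch rather than the partially recovered plaintext, and compares tags with `hmac.compare_digest` so the check does not leak timing.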
Patents
While OCB is now in the public domain, Rogaway initially patented OCB mode so that they could charge for commercial licenses and in an attempt to stop their work from showing up in military-related projects. Rogaway intentionally abandoned their OCB patents in 2021.
Two U.S. patents were issued for OCB mode. The patents have hindered approval by the National Institute of Standards and Technology.
While OCB mode was patented, Rogaway made three licenses available to allow OCB mode to be freely used in software licensed under the GNU General Public License (later any open source license certified by the Open Source Initiative), in non-commercial non-military projects, and in OpenSSL.
Since Rogaway only applied for patent protection in the U.S., the algorithm has always been free to use in software not developed and not sold inside the U.S.
Attacks
Niels Ferguson pointed out collision attacks on OCB, which limit the amount of data that can be securely processed under a single key to about 280 terabytes.
In October 2018, Inoue and Minematsu presented an existential forgery attack against OCB2 that requires only a single prior encryption query and almost no computational power or storage. The attack does not extend to OCB1 or OCB3, and it requires that the associated data field of the forged ciphertext be empty. Poettering and Iwata improved the forgery attack to a full plaintext recovery attack just a couple of days later. The four authors later produced a joint report.
See also
* Block cipher mode of operation
* CCM mode
* CWC mode
* EAX mode
* Galois/Counter mode
External links
* OCB homepage