Cryptography Reference
Offset Codebook (OCB) mode. In contrast to CCM mode, OCB mode uses
techniques that are different from those that we have previously come across.
OCB encryption consists of XORing each message block with a sort of counter
both before and after it is encrypted with the block cipher. Like CTR mode, the
computation of the resulting ciphertext is thus easily parallelised. Data origin
authentication is provided by conducting a similar operation to encryption
on a checksum based on the message blocks and then XORing a separate
MAC computed on the associated data. Once again, the techniques used are
easily parallelised. Significantly, OCB mode thus requires just one block cipher
encryption operation for each message block. Like CCM mode it also requires
one block cipher encryption for each block of associated data but, by decoupling
this from the message block encryption, OCB mode is even more efficient if
associated data only needs to be sent once at the start of a session. However,
unlike CCM mode, OCB mode has patent issues that are likely to restrict its
wide-scale adoption.
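
The structure described above, as an added Python sketch that is not from the original text and is not the standardised OCB algorithm: each block is XORed with a stepping offset before and after encryption, the tag is built from a checksum of the message blocks, and a separately computed MAC over the associated data is XORed in. Assumptions: the toy Feistel `cipher` stands in for a real block cipher such as AES, the offset schedule and 12-byte nonce encoding are simplified, inputs are whole 16-byte blocks, and all function names are hypothetical.

```python
import hashlib, hmac

BLOCK = 16
CALLS = [0]  # block-cipher invocations, to check the one-call-per-block claim

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, i, half):  # Feistel round function
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]

def cipher(key, block, decrypt=False):
    """Toy 4-round Feistel permutation on 16 bytes; an assumed stand-in for AES."""
    CALLS[0] += 1
    l, r = block[:8], block[8:]
    for i in (reversed(range(4)) if decrypt else range(4)):
        l, r = (xor(r, _f(key, i, l)), l) if decrypt else (r, xor(l, _f(key, i, r)))
    return l + r

def step(off):
    """Advance the offset (the 'sort of counter'): multiply by x in GF(2^128)."""
    n = int.from_bytes(off, "big") << 1
    return ((n & (2**128 - 1)) ^ (0x87 if n >> 128 else 0)).to_bytes(16, "big")

def ad_mac(key, ad):
    """Separate MAC over the associated data: one cipher call per block."""
    off, acc = cipher(key, bytes(BLOCK)), bytes(BLOCK)
    for i in range(0, len(ad), BLOCK):
        off = step(off)
        acc = xor(acc, cipher(key, xor(ad[i:i + BLOCK], off)))
    return acc

def seal(key, nonce, msg, ad_tag):
    assert len(nonce) == 12 and len(msg) % BLOCK == 0  # sketch: full blocks only
    off, checksum, ct = cipher(key, nonce + b"\0\0\0\1"), bytes(BLOCK), b""
    for i in range(0, len(msg), BLOCK):
        off, m = step(off), msg[i:i + BLOCK]
        checksum = xor(checksum, m)
        ct += xor(cipher(key, xor(m, off)), off)  # XOR before and after
    return ct, xor(cipher(key, xor(checksum, step(off))), ad_tag)

def unseal(key, nonce, ct, tag, ad_tag):
    off, checksum, pt = cipher(key, nonce + b"\0\0\0\1"), bytes(BLOCK), b""
    for i in range(0, len(ct), BLOCK):
        off = step(off)
        m = xor(cipher(key, xor(ct[i:i + BLOCK], off), decrypt=True), off)
        checksum, pt = xor(checksum, m), pt + m
    good = hmac.compare_digest(xor(cipher(key, xor(checksum, step(off))), ad_tag), tag)
    return pt if good else None  # release plaintext only if the tag verifies
```

Because `ad_mac` is computed apart from `seal`, its result can be calculated once for fixed associated data and reused for every message in a session, provided each message gets a fresh nonce.
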
Authenticated-encryption primitives are relatively new in comparison to the
modes of operation discussed in Section 4.6. One advantage of this is that their
design has benefitted from the more rigorous modern requirements for formal
security proofs (see Section 3.2.5). Because they tend to combine efficiency of
processing with simpler key management, they are already being adopted by a
range of applications, as we will see in Chapter 12. Since confidentiality and data
origin authentication are almost always required together in an application, it is
likely that the use of authenticated-encryption primitives will increase.
6.4 Summary
In this chapter we discussed cryptographic mechanisms for providing different
levels of data integrity. Hash functions are multipurpose cryptographic primitives
and our discussion included an examination of their many different properties
and applications, not just those relating to data integrity. Hash functions, on their
own, are fairly weak data integrity mechanisms, but they can be used as part of
stronger mechanisms. We saw this in Section 6.3.4, where they were used in the
construction of a MAC. We will see this again in Section 7.3.4 when they are used
as components of digital signature schemes. MACs provide the stronger notion of
data origin authentication and we reviewed two general techniques for constructing
them.
Data integrity, in particular data origin authentication, is arguably a more important
requirement than confidentiality in many modern applications. Very few applications
that require confidentiality do not also require data origin authentication. Indeed, we
have not yet finished our discussion of data origin authentication, since Chapter 7 is
also dedicated to mechanisms that provide this important service.