OFB mode, or Output FeedBack mode, is a method of turning a block cipher into a stream cipher. It is quite effective, and is relatively common, but for several reasons, Counter mode has replaced it in many applications (see there for details).

To encrypt in OFB mode, first choose an initialization vector, equal in size to the block cipher's block size (for example, for Blowfish the IV is 64 bits). This IV should be random and never be used again with the same cipher key. To encrypt the first block of ciphertext, encrypt the IV once, and XOR the result against the plaintext, producing the ciphertext. To encrypt the next block, encrypt what you produced the last time again, and XOR it against that block of the plaintext. Note that you don't encrypt the previous result after you XOR it with the plaintext - you just keep encrypting the IV again and again - thus, changing a plaintext bit only affects the single ciphertext bit, in the same place where you changed the plaintext. For this reason, you must never encrypt two different messages with the same key and IV - otherwise, you reduce the system to that of a running key cipher, which is very easy to break.

There is actually a variant of OFB, which is based on using parts of several previous blocks. I won't go into this variation in detail, because it was proven in the late 80s that this variation is extremely unsafe.

Some people dislike OFB mode, claiming that it does not provide authentication, like CBC does. The problem with this argument is that CBC mode doesn't provide authenticity either. OFB is perfectly safe, just as long as you use it with a message authentication code, like HMAC. Or you can use a cipher mode specifically designed for authenticity, like CCM, EAX, or CWC.

Sometimes people refer to stream ciphers (like RC4) as being OFB ciphers. This does make sense, in that, like a block cipher being used in OFB mode, the output of RC4 does not depend on the message, only the key. Personally, I find this usage confusing, but you will see it from time to time.

Log in or registerto write something here or to contact authors.