In CFB mode (see Figure 2.4), the previous ciphertext block is encrypted and the output produced is combined with the plaintext block using XOR to produce the current ciphertext block. It is possible to define CFB mode so it uses feedback that is less than one full data block. An initialization vector c0 is used as a "seed" for the process.
ci = Ek(ci-1) Åmi mi = Ek(ci-1) Åci
Figure 2.4: Cipher Feedback mode (click for a larger image)
CFB mode is as secure as the underlying cipher and plaintext patterns are concealed in the ciphertext by the use of the XOR operation. Plaintext cannot be manipulated directly except by the removal of blocks from the beginning or the end of the ciphertext; see next question for some additional comments. With CFB mode and full feedback, when two ciphertext blocks are identical, the outputs from the block cipher operation at the next step are also identical. This allows information about plaintext blocks to leak. The security considerations for the initialization vector are the same as in CBC mode, except that the attack described in Question 184.108.40.206 is not applicable. Instead, the last ciphertext block can be attacked.
When using full feedback, the speed of encryption is identical to that of the block cipher, but the encryption process cannot be easily parallelized.