More OCB2 Forgeries

This post builds on the content and code from the prior post about OCB2 mode forgeries. If you haven’t read that post, I would recommend starting there. In this post we’ll explore how to carry out some further forgeries against OCB2 and also dive a little into code refactoring so that our implementation from the original post becomes a little more general.

Forging Tags for Data Encrypted in OCB2 Mode

OCB is a block cipher mode of operation, though a bit more esoteric than modes like CBC and GCM. OCB2 (see section 10 of this paper) is a modification of OCB which enables it to operate as an authenticated encryption mode. This means we get confidentiality (via a ciphertext) and integrity (via a tag over the ciphertext). OCB2 was believed to be secure for over a decade, thanks in part to security proofs and the absence of known practical attacks.