Crypto-IT Logo
ου γαρ εστιν κρυπτον ο ου φανερον γενησεται ουδε αποκρυφον ο ου γνωσθησεται και εις φανερον ελθη
Wersja PL ENG Version

Block Ciphers Modes of Operation

The modes of operation of block ciphers are configuration methods that allow those ciphers to work with large data streams, without the risk of compromising the provided security.

It is not recommended, however it is possible while working with block ciphers, to use the same secret key bits for encrypting the same plaintext parts. Using one deterministic algorithm for a number of identical input data, results in some number of identical ciphertext blocks.

This is a very dangerous situation for the cipher's users. An intruder would be able to get much information by knowing the distribution of identical message parts, even if he would not be able to break the cipher and discover the original messages.

Luckily, there exist ways to blur the cipher output. The idea is to mix the plaintext blocks (which are known) with the ciphertext blocks (which have been just created), and to use the result as the cipher input for the next blocks. As a result, the user avoids creating identical output ciphertext blocks from identical plaintext data. These modifications are called the block cipher modes of operations.

ECB (Electronic Codebook) Mode

It is the simplest mode of encryption. Each plaintext block is encrypted separately. Similarly, each ciphertext block is decrypted separately. Thus, it is possible to encrypt and decrypt by using many threads simultaneously. However, in this mode the created ciphertext is not blurred.

encryption in ECB mode
Encryption in the ECB mode
decryption in ECB mode
Decryption in the ECB mode

A typical example of weakness of encryption using ECB mode is encoding a bitmap image (for example a .bmp file). Even a strong encryption algorithm used in ECB mode cannot blur efficiently the plaintext.

An original image
An image encrypted using DES ECB  An image encrypted using DES CBC
The bitmap image encrypted using DES and the same secret key. The ECB mode was used for the left image and the more complicated CBC mode was used for the right image.

A message that is encrypted using the ECB mode should be extended until a size that is equal to an integer multiple of the single block length. A popular method of aligning the length of the last block is about appending an additional bit equal to 1 and then filling the rest of the block with bits equal to 0. It allows to determine precisely the end of the original message. There exist more methods of aligning the message size.

Apart from revealing the hints regarding the content of plaintext, the ciphers that are used in ECB mode are also more vulnerable to replay attacks.

CBC (Cipher-Block Chaining) Mode

The CBC encryption mode was invented in IBM in 1976. This mode is about adding XOR each plaintext block to the ciphertext block that was previously produced. The result is then encrypted using the cipher algorithm in the usual way. As a result, every subsequent ciphertext block depends on the previous one. The first plaintext block is added XOR to a random initialization vector (commonly referred to as IV). The vector has the same size as a plaintext block.

Encryption in CBC mode can only be performed by using one thread. Despite this disadvantage, this is a very popular way of using block ciphers. CBC mode is used in many applications.

During decrypting of a ciphertext block, one should add XOR the output data received from the decryption algorithm to the previous ciphertext block. Because the receiver knows all the ciphertext blocks just after obtaining the encrypted message, he can decrypt the message using many threads simultaneously.

encryption in CBC mode
Encryption in the CBC mode
decryption in CBC mode
Decryption in the CBC mode

If one bit of a plaintext message is damaged (for example because of some earlier transmission error), all subsequent ciphertext blocks will be damaged and it will be never possible to decrypt the ciphertext received from this plaintext. As opposed to that, if one ciphertext bit is damaged, only two received plaintext blocks will be damaged. It might be possible to recover the data.

A message that is to be encrypted using the CBC mode, should be extended till the size that is equal to an integer multiple of a single block length (similarly, as in the case of using the ECB mode).

Security of the CBC mode

The initialization vector IV should be created randomly by the sender. During transmission it should be concatenated with ciphertext blocks, to allow decryption of the message by the receiver. If an intruder could predict what vector would be used, then the encryption would not be resistant to chosen-plaintext attacks:

Schemat ataku CPA na CBC

In the example presented above, if the intruder is able to predict that the vector IV1 will be used by the attacked system to produce the response c1, they can guess which one of the two encrypted messages m0 or m1 is carried by the response c1. This situation breaks the rule that the intruder shouldn't be able to distinguish between two ciphertexts even if they have chosen both plaintexts. Therefore, the attacked system is vulnerable to chosen-plaintext attacks.

If the vector IV is generated based on non-random data, for example the user password, it should be encrypted before use. One should use a separate secret key for this activity.

The initialization vector IV should be changed after using the secret key a number of times. It can be shown that even properly created IV used too many times, makes the system vulnerable to chosen-plaintext attacks. For AES cipher it is estimated to be 248 blocks, while for 3DES it is about 216 plaintext blocks.

PCBC (Propagating or Plaintext Cipher-Block Chaining) Mode

The PCBC mode is similar to the previously described CBC mode. It also mixes bits from the previous and current plaintext blocks, before encrypting them. In contrast to the CBC mode, if one ciphertext bit is damaged, the next plaintext block and all subsequent blocks will be damaged and unable to be decrypted correctly.

In the PCBC mode both encryption and decryption can be performed using only one thread at a time.

encryption in PCBC mode
Encryption in the PCBC mode
decryption in PCBC mode
Decryption in the PCBC mode

CFB (Cipher Feedback) Mode

The CFB mode is similar to the CBC mode described above. The main difference is that one should encrypt ciphertext data from the previous round (so not the plaintext block) and then add the output to the plaintext bits. It does not affect the cipher security but it results in the fact that the same encryption algorithm (as was used for encrypting plaintext data) should be used during the decryption process.

encryption in CFB mode
Encryption in the CFB mode
decryption in CFB mode
Decryption in the CFB mode

If one bit of a plaintext message is damaged, the corresponding ciphertext block and all subsequent ciphertext blocks will be damaged. Encryption in CFB mode can be performed only by using one thread.

On the other hand, as in CBC mode, one can decrypt ciphertext blocks using many threads simultaneously. Similarly, if one ciphertext bit is damaged, only two received plaintext blocks will be damaged.

As opposed to the previous block cipher modes, the encrypted message doesn't need to be extended till the size that is equal to an integer multiple of a single block length.

OFB (Output Feedback) Mode

Algorithms that work in the OFB mode create keystream bits that are used for encryption subsequent data blocks. In this regard, the way of working of the block cipher becomes similar to the way of working of a typical stream cipher.

encryption in OFB mode
Encryption in the OFB mode
decryption in OFB mode
Decryption in the OFB mode

Because of the continuous creation of keystream bits, both encryption and decryption can be performed using only one thread at a time. Similarly, as in the CFB mode, both data encryption and decryption uses the same cipher encryption algorithm.

If one bit of a plaintext or ciphertext message is damaged (for example because of a transmission error), only one corresponding ciphertext or respectively plaintext bit is damaged as well. It is possible to use various correction algorithms to restore the previous value of damaged parts of the received message.

The biggest drawback of OFB is that the repetition of encrypting the initialization vector may produce the same state that has occurred before. It is an unlikely situation but in such a case the plaintext will start to be encrypted by the same data as previously.

CTR (Counter) Mode

Using the CTR mode makes block cipher way of working similar to a stream cipher. As in the OFB mode, keystream bits are created regardless of content of encrypting data blocks. In this mode, subsequent values of an increasing counter are added to a nonce value (the nonce means a number that is unique: number used once) and the results are encrypted as usual. The nonce plays the same role as initialization vectors in the previous modes.

encryption in CTR mode
Encryption in the CTR mode
decryption in CTR mode
Decryption in the CTR mode

It is one of the most popular block ciphers modes of operation. Both encryption and decryption can be performed using many threads at the same time.

If one bit of a plaintext or ciphertext message is damaged, only one corresponding output bit is damaged as well. Thus, it is possible to use various correction algorithms to restore the previous value of damaged parts of received messages.

The CTR mode is also known as the SIC mode (Segment Integer Counter).

Security of the CTR mode

As in the case of the CBC mode, one should change the secret key after using it for encrypting a number of sent messages. It can be proved that the CTR mode generally provides quite good security and that the secret key needs to be changed less often than in the CBC mode.

For example, for the AES cipher the secret key should be changed after about 264 plaintext blocks.