Encyclopedia  |   World Factbook  |   World Flags  |   Reference Tables  |   List of Lists     
   Academic Disciplines  |   Historical Timeline  |   Themed Timelines  |   Biographies  |   How-Tos     
Sponsor by The Tattoo Collection
Block cipher modes of operation
Main Page | See live article | Alphabetical index

Block cipher modes of operation

In cryptography, a block cipher operates on blocks of fixed length, often 64 or 128 bits. To encrypt longer messages, several modes of operation may be used. While many modes provide only confidentiality, some modes also ensure message integrity.

Table of contents
1 Electronic Codebook (ECB)
2 Cipher-Block Chaining (CBC)
3 Cipher Feedback (CFB) and Output Feedback (OFB)
4 Counter (CTR)
5 Initialization Vector (IV)
6 Padding

Electronic Codebook (ECB)

The simplest of the encryption modes is the electronic codebook (ECB) mode, in which the message is split into blocks and each is encrypted separately. The disadvantage of this method is that identical plaintext blocks are encrypted to identical ciphertext blocks; it does not hide data patterns. The advantage is that error propagation is limited to a single block.

Here's a striking example of the degree to which ECB can reveal patterns in the plaintext. A pixel-map version of the image on the left was encrypted with ECB mode to create the center image:

Original Encrypted using ECB mode Encrypted securely

The image on the right is how the image might look encrypted with CBC, CTR or any of the other more secure modes -- indistinguishable from random noise. Note that the random appearance of the image on the right tells us very little about whether the image has been securely encrypted; many kinds of insecure encryption have been developed which would produce output just as random-looking.

Cipher-Block Chaining (CBC)

Main article: Cipher Block Chaining
In the cipher-block chaining (CBC) mode, each block of plaintext is XORed with the previous ciphertext block before being encrypted. This way, each ciphertext block is dependent on all plaintext blocks up to that point.

On the other hand, an error in (or attack upon) one ciphertext block impacts two plaintext blocks upon decryption:

Cipher Feedback (CFB) and Output Feedback (OFB)

The cipher feedback (CFB) and output feedback (OFB) modes make the block cipher into a stream cipher: they generate keystream blocks, which are then XORed with the plaintext blocks to get the ciphertext. Just as with other stream ciphers, flipping a bit in the ciphertext produces a flipped bit in the plaintext at the same location.

With cipher feedback a keystream block is computed by encrypting the previous ciphertext block.

Output feedback generates the next keystream block by encrypting the last one.

Counter (CTR)

Like OFB, counter mode turns a block cipher into a stream cipher. It generates the next keystream block by encrypting successive values of a "counter". The counter can be any simple function which produces a sequence which is guaranteed not to repeat for a long time, although an actual counter is the simplest and most popular. CTR mode has very similar characteristics to OFB, but also allows a random access property for decryption.

Initialization Vector (IV)

''Main article: Initialization vector
All modes (except ECB) require an initialization vector, or IV - a sort of dummy block to kick off the process for the first real block, and also provide some randomisation for the process. There is no need for the IV to be secret, but it is important that it is never reused with the same key. For CBC and CFB, reusing an IV leaks some information. For OFB and CTR, reusing an IV completely destroys security.


''Main article: Padding
Because a block cipher works on units of a fixed size, but messages come in a variety of lengths, it will also be necessary to pad the final block. Several padding schemes exist. A very simple one (really only suitable when the plaintext will be treated as C style stringss) is to simply pad with null bytes. A bit more complex is the original DES method, which is to add a single one bit, followed by enough zero bits to fill out the block (if the message ended on a block boundary, a whole padding block will be added). Most complex of all is ciphertext stealing, which avoids further message expansion.

Block ciphers
Algorithms: 3-Way | AES | Blowfish | Camellia | CAST-128 | CAST-256 | CMEA | DEAL | DES | DES-X | FEAL | G-DES | GOST | IDEA | Iraqi | KASUMI | KHAZAD | Khufu and Khafre; | LOKI89/91 | LOKI97 | Lucifer | MacGuffin | Madryga | MAGENTA | MARS | MISTY1 | MMB | NewDES | RC2 | RC5 | RC6 | Red Pike; | S-1 | SAFER | Serpent | SHARK | Skipjack | Square | TEA | Triple DES; | Twofish | XTEA
Design: Feistel network; | Key schedule; | Product cipher; | S-box | SPN   Attacks: Brute force; | Linear / Differential cryptanalysis | Mod n; | XSL   Standardisation: AES process; | CRYPTREC | NESSIE   Misc: Avalanche effect | Block size; | IV | Key size; | Modes of operation; | Piling-up lemma; | Weak key;