Applied Cryptography, Second Edition: Protocols, Algorthms, and Source Code in C (cloth)
(Publisher: John Wiley & Sons, Inc.)
Author(s): Bruce Schneier
ISBN: 0471128457
Publication Date: 01/01/96

Previous Table of Contents Next


9.11 Choosing a Cipher Mode

If simplicity and speed are your main concerns, ECB is the easiest and fastest mode to use a block cipher. It is also the weakest. Besides being vulnerable to replay attacks, an algorithm in ECB mode is the easiest to cryptanalyze. I don’t recommend ECB for message encryption.

For encrypting random data, such as other keys, ECB is a good mode to use. Since the data is short and random, none of the shortcomings of ECB matter for this application.

For normal plaintext, use CBC, CFB, or OFB. Which mode you choose depends on your specific requirements. Table 9.1 gives a summary of the security and efficiency of the various modes.

CBC is generally best for encrypting files. The increase in security is significant; and while there are sometimes bit errors in stored data, there are almost never synchronization errors. If your application is software-based, CBC is almost always the best choice.

Table 9.1
Summary of Block Cipher Modes
ECB: CBC:
Security: Security:
- Plaintext patterns are not concealed. + Plaintext patterns are concealed by XORing with previous ciphertext block.
- Input to the block cipher is not randomized; it is the same as the plaintext. +Input to the block cipher is randomized by XORing with the previous ciphertext block.
+More than one message can be encrypted with the same key. + More than one message can be encrypted with the same key.
- Plaintext is easy to manipulate, blocks can be removed, repeated, or interchanged. +/- Plaintext is somewhat difficult to manipulate; blocks can be removed from the beginning and end of the message, bits of the first block can be changed, and repetition allows some controlled changes.
Efficiency: Efficiency:
+ Speed is the same as the block cipher. + Speed is the same as the block cipher.
Ciphertext is up to one block longer than the plaintext, due to padding. - Ciphertext is up to one block longer than the plaintext, not counting the IV.
- No preprocessing is possible. - No preprocessing is possible.
+ Processing is parallelizable. +/- Encryptions not parallelizable; decryption is parallelizable and has a random-access property.
Fault-tolerance: Fault-tolerance:
- A ciphertext error affects one full block of plaintext. - A ciphertext error affects one full block of plaintext and the corresponding bit in the next block.
- Synchronization error is unrecoverable. - Synchronization error is unrecoverable.

CFB: OFB/Counter:
Security: Security:
+ Plaintext patterns are concealed. + Plaintext patterns are concealed.
+ Input to the block cipher is randomized. + Input to the block cipher is randomized.
+ More than one message can be encrypted with the same key provided that a different IV is used. + More than one message can be encrypted with the same key, provided that a different IV is used.
+/- Plaintext is somewhat difficult to manipulate;blocks can be removed from the beginning and end of the message, bits of the first block can be changed, and repetition allows some controlled changes. - Plaintext is very easy to manipulate, any change in ciphertext directly affects the plaintext.
Efficiency: Efficiency:
+ Speed is the same as the block cipher. + Speed is the same as the block cipher.
- Ciphertext is the same size as the plaintext, not counting the IV. - Ciphertext is the same size as the plaintext, not counting the IV.
+/- Encryption is not parallelizable; decryption is parallelizable and has a random-access property. + Processing is possible before the message is seen.
- Some preprocessing is possible before a block is seen; the previous ciphertext block can be encrypted. -/+ OFB processing is not parallelizable; counter processing is parallelizable.
+/- Encryption is not parallelizable; decryption is parallelizable and has a random-access property.
Fault-tolerance: Fault-tolerance:
- A ciphertext error affects the corresponding bit of plaintext and the next full block. + A ciphertext error affects only the corresponding bit of plaintext.
+Synchronization errors of full block sizes are recoverable. 1-bit CFB can recover from the addition or loss of single bits. -Synchronization error is unrecoverable.


Previous Table of Contents Next
[an error occurred while processing this directive]