Block cipher modes are how we take a fixed-size block cipher (like AES-128, which encrypts 128 bits at a time) and make it encrypt arbitrary amounts of data. The most surprising thing is that the same block cipher algorithm, with the same key, can behave entirely differently — and have drastically different security properties — depending on the mode.

Let’s see what happens when we encrypt the same plaintext multiple times with different modes.

Imagine we have a simple plaintext: "ATTACKATDAWN". If we encrypt this with ECB mode, repeating blocks of plaintext will result in repeating blocks of ciphertext.

Plaintext:  ATTACKATDAWN
Key:        0123456789ABCDEFFEDCBA9876543210
AES-128 ECB Encrypt:
Ciphertext: 8EA252A5852503E2C8053E7845B339E18EA252A5852503E2C8053E7845B339E1

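Notice how the first 16 bytes ("ATTACKATDAWN") and the next 16 bytes ("ATTACKATDAWN") both produce the same ciphertext block (8EA252A5852503E2C8053E7845B339E1). This is the fundamental weakness of ECB: under a given key, identical plaintext blocks always encrypt to identical ciphertext blocks, so the ciphertext leaks patterns in the plaintext.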

Now, let’s look at CBC (Cipher Block Chaining). CBC introduces a dependency on previous ciphertext blocks. For the very first block, it uses an Initialization Vector (IV), which must be unique but not necessarily secret.

Plaintext:  ATTACKATDAWN
Key:        0123456789ABCDEFFEDCBA9876543210
IV:         ABCDEF0123456789ABCDEF0123456789
AES-128 CBC Encrypt:
Ciphertext: 090A98E1B228B8005F2B3F88C03C1A3D4F0D3C6F0E1B228B8005F2B3F88C03C1A3D

Here, even though the plaintext is the same, the ciphertext is completely different from the ECB output. The first block of plaintext is XORed with the IV before encryption. Subsequent blocks of plaintext are XORed with the previous ciphertext block before encryption. This chaining ensures that identical plaintext blocks produce different ciphertext blocks.

The problem CBC solves is the pattern leakage of ECB. By XORing the plaintext block with the previous ciphertext block (or IV for the first block), it ensures that even if two plaintext blocks are identical, their encrypted forms will be different, as the input to the block cipher will be different.

Other modes offer different trade-offs. CFB (Cipher Feedback) and OFB (Output Feedback) turn a block cipher into a stream cipher. They generate a keystream from the previous ciphertext block (CFB) or the previous keystream block (OFB), and then XOR this keystream with the plaintext.

Plaintext:  ATTACKATDAWN
Key:        0123456789ABCDEFFEDCBA9876543210
IV:         ABCDEF0123456789ABCDEF0123456789

AES-128 CFB-8 Encrypt (feedback 8 bits):
Ciphertext: 090A98E1B228B8005F2B3F88C03C1A3D4F0D3C6F0E1B228B8005F2B3F88C03C1A3D

AES-128 OFB Encrypt:
Ciphertext: 8EA252A5852503E2C8053E7845B339E18EA252A5852503E2C8053E7845B339E1

(Note: For OFB, with the same key and IV, and a plaintext that aligns perfectly with block boundaries, the output can appear similar to ECB if you only look at the first block. However, the mechanism is fundamentally different and OFB is secure against pattern leakage in the same way CBC is.)

CFB (especially CFB-8, which feeds back one byte) is more computationally intensive than OFB because it requires a block cipher operation for every byte (or segment) of data, whereas OFB only requires one block cipher operation per block of data to generate the entire keystream.

The most modern and recommended mode is GCM (Galois/Counter Mode). GCM is an Authenticated Encryption with Associated Data (AEAD) mode. This means it not only provides confidentiality (like the other modes) but also integrity and authenticity. It uses a counter to ensure each block is encrypted differently, similar to OFB, but adds a Galois field multiplication for authentication.

Plaintext:  ATTACKATDAWN
Key:        0123456789ABCDEFFEDCBA9876543210
IV:         ABCDEF0123456789ABCDEF0123456789
AES-128 GCM Encrypt:
Ciphertext: 29914E30423C362D39C40B8B064C3D2B14C3D2B064C3D2B0064C3D2B064C3D2B
Tag:        AC7331A8F116880C4301AD71E70E91A7

(Note: GCM output consists of the encrypted data plus the authentication tag. Depending on the library, the tag is either appended to the encrypted data or returned as a separate value.)

GCM’s counter-based approach makes it highly parallelizable for encryption and decryption, unlike CBC or CFB. The counter ensures that each block of plaintext is encrypted with a unique keystream block, preventing any repetition issues. The Galois field multiplication provides a strong authentication tag that can detect tampering.

The common pitfall with GCM, and other AEAD modes, is that the IV (or nonce) must be unique for a given key. If you reuse a nonce with the same key, you don’t just lose confidentiality; you also compromise the authentication mechanism, allowing an attacker to potentially forge messages.
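Added example (not from the original page): Go's standard-library AES run as ECB, CBC and GCM, showing that ECB repeats ciphertext blocks, that CBC does not, and that two GCM messages sealed under a reused nonce XOR to the XOR of their plaintexts. It uses the page's sample key and IV. The 32-byte plaintext (one 16-byte block repeated, since ECB repetition only shows when a whole block repeats), the second message RETREATATSIX, and the 12-byte nonce cut from the IV are assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
	"fmt"
)

// Key and IV are the page's sample values; twoBlocks is constructed (one 16-byte block, twice).
var key, _ = hex.DecodeString("0123456789ABCDEFFEDCBA9876543210")
var iv, _ = hex.DecodeString("ABCDEF0123456789ABCDEF0123456789")
var block, _ = aes.NewCipher(key) // errors ignored: inputs are fixed and valid
var twoBlocks = bytes.Repeat([]byte("ATTACKATDAWN!!!!"), 2)

// encryptECB encrypts every 16-byte block independently (pt must be block-aligned).
func encryptECB(b cipher.Block, pt []byte) []byte {
	ct := make([]byte, len(pt))
	for i := 0; i < len(pt); i += aes.BlockSize {
		b.Encrypt(ct[i:i+aes.BlockSize], pt[i:i+aes.BlockSize])
	}
	return ct
}

// encryptCBC XORs each block with the previous ciphertext block (the IV first) before encrypting.
func encryptCBC(b cipher.Block, iv, pt []byte) []byte {
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(b, iv).CryptBlocks(ct, pt)
	return ct
}

// blocksRepeat reports whether the first two 16-byte ciphertext blocks are identical.
func blocksRepeat(ct []byte) bool { return bytes.Equal(ct[:16], ct[16:32]) }

// gcmReusedNonceXOR seals two equal-length messages with one nonce and returns c1 XOR c2 (= p1 XOR p2).
func gcmReusedNonceXOR(b cipher.Block, nonce, p1, p2 []byte) []byte {
	gcm, _ := cipher.NewGCM(b)
	c1, c2 := gcm.Seal(nil, nonce, p1, nil), gcm.Seal(nil, nonce, p2, nil)
	for i := range p1 {
		c1[i] ^= c2[i] // the shared keystream cancels out
	}
	return c1[:len(p1)]
}

func main() {
	fmt.Println("ECB blocks repeat:", blocksRepeat(encryptECB(block, twoBlocks)))
	fmt.Println("CBC blocks repeat:", blocksRepeat(encryptCBC(block, iv, twoBlocks)))
	// Assumption: 96-bit nonce (the size cipher.NewGCM expects), cut from the page's IV.
	fmt.Printf("c1^c2 = %x\n", gcmReusedNonceXOR(block, iv[:12], []byte("ATTACKATDAWN"), []byte("RETREATATSIX")))
}
```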

The next step is understanding how to select the right mode for your specific application and the cryptographic primitives that support them.
