Block Cipher Modes – CompTIA Security+ SY0-501 – 6.2

Encrypting a block of data can be accomplished using a number of different methods. In this video, you’ll learn about block cipher modes and how these modes operate.

<< Previous Video: Symmetric Algorithms Next: Asymmetric Algorithms >>


One way of encrypting data is encrypting a block of information at a time. We would take a single piece of information and we would cut it into these single-sized blocks. And then perform encryption on a single block at a time.

This encryption that we would perform can be done in many different kinds of ways. We call this a mode of operation. And it defines how that encryption process will occur. Although this encryption process is using the same size blocks during the encryption process, your data may not fall perfectly into that particular block size. If the particular mode of operation that you’re using requires a fixed block size, that it’s very common to pad the data that you’ve added to come to the exact size that’s required for that encryption mode.

One of the simplest modes of operation is called ECB, or Electronic Codebook. This mode of operation is so simple that it’s not commonly used for most use cases that require encryption. Each block that we’re going to encrypt is going to be encrypted with exactly the same key. With ECB, we start with a block of plain text, and we have our key.

We put both of those into the block cipher encryption and we receive some ciphertext. We take the next block of information and we perform exactly the same function with exactly the same key. One of the challenges with ECB is that if we do have blocks of plain text that are identical, our key is obviously identical between all of these, and the block cipher encryption process is the same, which means that ciphertext at the end of these three identical plaintext blocks will also be identical to each other.

If we were to look at this visually we would see, for example, a picture that I might want to encrypt. And if I encrypt this using ECB, Electronic Codebook, without any other type of randomization for each block, you’ll see that it becomes very easy to discern exactly what it was that I originally was trying to encrypt.

A popular mode of operation that’s relatively easy to implement is CBC, or Cipher Block Chaining. With Cipher Block Chaining, we add some randomization into the block cipher process. We take each plaintext block and we XOR it with the previous ciphertext block that we created. This is adding the randomization that we didn’t have with our Electronic Codebook mode of operation. We obviously don’t have ciphertext for the first block that we’re using. So we’ll use an IV, or initialization vector, to be able to add randomization for the very first block that we encrypt.

The process for Cipher Block Chaining isn’t much more complicated than the Electronic Codebook. But we add the randomization with the initialization vector that is XORed with the plaintext block. That’s then added to the block cipher encryption with our key and we receive the final ciphertext of that block.

For the second block that we need to encrypt, instead of using the initialization vector we’ll take the ciphertext that we just encrypted and use that as the XOR to add more randomisation. That’s then added to the Cipher Block Chaining. We’ll add our key and receive the next block of ciphertext, and so on.

With these previous modes of operation there were fixed-size blocks. But what if you were streaming information and you never had a block worth of information to be able to encrypt at any particular time? For that type of encryption, we may want to use the CTR mode, or the Counter Mode, of encryption. This is a block cipher mode that acts like a stream cipher.

This mode uses a fixed-sized counter that takes the place of the fixed information and then we can add any particular size we’d like of the information to be encrypted. Instead of using a 128-bit block, for example, we could encrypt eight bits at a time. This starts with a counter. Then we can start this counter at zero, or any number that you would like. We would encrypt this using our key in Counter Mode. We would XOR the result with our plaintext block to create the ciphertext.

We would perform the same function on the next block but we’re going to increase the counter by one. We’re going to encrypt that using our counter encryption mode with our key. And then we’ll take our plaintext block and XOR those results to get the final ciphertext.

For subsequent blocks we will continue to increment that counter. And that’s also providing the randomization that we need if any of our plaintext blocks happen to be identical. If you need to combine authentication with these block mode encryption methods, you can use GCM, or Galois Counter Mode. This combines the Counter Mode that we just saw with some additional functions that were created by Evariste Galois, the mathematician.

One of the advantages of the GCM mode of operation is that we’re able to provide both encryption and authentication at the same time. And we’re able to do this with a minimum amount of latency and a minimum operational overhead. Because of this efficiency, it’s common to see GCM being used for network communication. You’ll see this on wireless networks and IPsec encrypted tunnels. And it’s commonly used for encryption to a web server using SSH or TLS.