Friday, October 22, 2010

AES CBC or AES CTR mode

In symmetric encryption it is sometimes hard to decide which mode to use, especially between AES CBC mode and AES CTR (Counter) mode.

Here are some pros and cons of these two modes:

Padding: CBC requires message padding, CTR does not

Speed: Both modes require the same amount of computation, but CTR allows you to parallelize the computations arbitrarily, which lets implementations reach higher speeds.

Implementation: CTR only requires the block cipher encryption function; CBC requires both the encryption and decryption function to be implemented

Robustness: If you ever reuse the same nonce, CBC might leak some information about the initial plaintext block. CTR will leak information about the entire message.
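The Padding, Implementation and Robustness points above can be seen in a few lines. This is an added example, not code from the original post; because the Python standard library has no AES, `block_encrypt` is a stand-in keyed function (HMAC-SHA256 truncated to 16 bytes), and `CtrSender` and all sample values are hypothetical and constructed for illustration.

```python
import hashlib
import hmac

BLOCK = 16  # AES block size in bytes

def block_encrypt(key, block):
    # Stand-in for the AES forward (encrypt) function. Assumption: the
    # standard library has no AES, so HMAC-SHA256 truncated to 16 bytes
    # plays the keyed block function. It cannot be inverted, and CTR never
    # needs it to be.
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def ctr_xcrypt(key, nonce, data):
    # Keystream block i = E(key, nonce || i). The same call encrypts and
    # decrypts, and the output is exactly as long as the input (no padding).
    if len(nonce) != 8:
        raise ValueError("nonce must be 8 bytes")
    out = b""
    for i in range(0, len(data), BLOCK):
        counter_block = nonce + (i // BLOCK).to_bytes(8, "big")
        out += xor(data[i:i + BLOCK], block_encrypt(key, counter_block))
    return out

class CtrSender:
    # Mitigation sketch: the sender owns a message counter and uses it as
    # the nonce, so no nonce repeats under this key while the object lives.
    def __init__(self, key):
        self._key, self._next = key, 0

    def encrypt(self, plaintext):
        nonce = self._next.to_bytes(8, "big")
        self._next += 1
        return nonce + ctr_xcrypt(self._key, nonce, plaintext)

def nonce_reuse_demo():
    key = bytes(range(16))                      # constructed sample key
    p1 = b"transfer 100 to account 12345678"    # constructed plaintexts
    p2 = b"meet at noon"
    n = bytes(8)
    c1, c2 = ctr_xcrypt(key, n, p1), ctr_xcrypt(key, n, p2)
    reused_leaks = xor(c1, c2) == xor(p1, p2)   # keystream cancels out
    sender = CtrSender(key)
    m1, m2 = sender.encrypt(p1), sender.encrypt(p2)
    fresh_leaks = xor(m1[8:], m2[8:]) == xor(p1, p2)
    return reused_leaks, fresh_leaks

if __name__ == "__main__":
    print(nonce_reuse_demo())
```

In a real deployment the counter behind the nonce has to survive restarts, otherwise the same nonce is issued again under the same key.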

Here is the tie-breaker between AES CBC and AES CTR mode: the padding oracle (see my blog: AES CBC Padding Oracle Attack).

AES CBC uses padding, so it is susceptible to the Padding Oracle attack.

From now on I think we should all switch to AES CTR mode for symmetric key encryption.

The only exception I can think of is the case where the plaintext is an exact multiple of the block size (for AES128 it means the plaintext is on a 16-byte boundary). AES CBC could be used in this particular case. For me, I will now only use AES CBC when I need to encrypt another symmetric key with the current key (key wrapping).

4 comments:

  1. Hi John,

    This is all Chinese for me. ;) I am developing a password manager for Firefox and when I started off I didn't even know about different modes. Now that I had a little time I looked into it and I discovered I am using the CTR mode.

    What my add-on does (Paranoia Password Manager - it is still beta but already available) is that it allows you to crypt username+password data (1 or more passes with different keyphrases) and send it over to the server for storage. When you load it up again, data will be decrypted for use.

    The question is: When you say above in Robustness: ...CTR will leak information about the entire message... apart from the fact that I haven't got a clue what a nonce is - what do you mean?

    Do you reckon AES CTR is good for this purpose or should I reconsider using some different flavour?

    thanks in advance
    adam

  2. In response to previous comment:

    The Robustness remark applies when "you ever reuse the same nonce". This is not something that should be happening, as nonce stands for "Number used once": there's a reason you only use it once.

    If you don't, you might as well use plain-text. Remember Wi-Fi WEP encryption?

  3. Could you expand on this:

    "Implementation: CTR only requires the block cipher encryption function; CBC requires both the encryption and decryption function to be implemented"

    Why would CBC require both the encryption and decryption function to be implemented?
