Modes of Operation
Cryptography Fundamentals
Chapter 6 · Modes of Operation — ECB, CBC, CTR/GCM & Why Mode Choice Matters
Chapter 5 covered AES as a cipher that transforms exactly one 128-bit block at a time. Real messages are almost never exactly 128 bits — so every real use of a block cipher needs a mode of operation: a defined way of chaining repeated block-cipher operations together to handle messages of any length. This turns out to matter as much as the underlying cipher itself — a message encrypted with rock-solid AES, in the wrong mode, can still be catastrophically insecure.
ECB — Electronic Codebook
The most obvious approach: split the message into blocks, and encrypt each block independently with the same key.
This has one devastating property: identical plaintext blocks always produce identical ciphertext blocks. Any structure or repetition in the original data — rows of a spreadsheet, repeated fields in a record, or the flat colored regions of an image — survives directly into the ciphertext, just relabeled.
This is structurally the exact same weakness Chapter 2 spent an entire chapter exploiting in monoalphabetic substitution: a fixed mapping — there, letter-to-letter; here, block-to-block — always leaks the structure of whatever it's applied to, no matter how strong the underlying transformation is.
CBC — Cipher Block Chaining
CBC breaks ECB's fixed-mapping problem directly: before encrypting each block, XOR it with the previous block's ciphertext first. This makes every block's encryption depend on everything that came before it, so identical plaintext blocks no longer produce identical ciphertext.
The very first block has no "previous ciphertext" to XOR against, so CBC needs an initialization vector (IV) — a random, unpredictable value used only once, playing a role reminiscent of Chapter 5's stream-cipher nonce. CBC encryption is inherently sequential (each block depends on the last), though decryption can actually be parallelized, since every ciphertext block is already available up front.
CTR — Counter Mode
Counter mode takes a completely different approach: rather than encrypting the plaintext directly, it encrypts a counter (a nonce combined with an incrementing number) to generate a keystream, then XORs that keystream with the plaintext — turning a block cipher into a stream cipher, in the same spirit as Chapter 5's ChaCha20.
Because each block's keystream depends only on the nonce and counter — not on any other block — CTR mode is fully parallelizable in both directions, unlike CBC, and needs no padding at all, since it's really a stream cipher underneath.
The Missing Piece — None of These Provide Integrity
ECB, CBC, and CTR all provide confidentiality only — none of them protect integrity or authenticity, Chapter 1's other two goals. An attacker who intercepts CBC or CTR ciphertext can flip specific bits without ever needing the key, causing controlled, predictable changes in the decrypted plaintext — with no built-in mechanism to detect that tampering occurred at all. This is the exact scenario Chapter 1's very first exercise asked you to reason about in the abstract; here it is made concrete.
GCM — Galois/Counter Mode (Authenticated Encryption)
GCM solves the missing piece directly. It's built on CTR mode's own encryption approach, but adds a built-in authentication tag, computed over the ciphertext using a technique called GMAC — bundling confidentiality, integrity, and authenticity into a single primitive, a category called AEAD (Authenticated Encryption with Associated Data). "Associated data" lets an application authenticate extra context — like a message header — without needing to encrypt it at all.
Chapter 8 covers message authentication and AEAD ciphers in full depth; this chapter's job is just to establish GCM as the mode-of-operation-level answer to the gap the previous section identified. GCM (or an equivalent AEAD mode) is the default in TLS 1.3 today, precisely because it closes the confidentiality-only gap that ECB, plain CBC, and plain CTR all share.
Choosing a Mode Today
| Mode | Verdict |
|---|---|
| ECB | Never use for more than a single block — leaks structural patterns directly |
| CBC | Legacy but workable if IVs are handled correctly and padding errors are never exposed to an attacker |
| CTR | A solid building block, but confidentiality-only — needs a separate integrity mechanism (Ch.8) if used alone |
| GCM (AEAD) | The modern recommended default for nearly everything — confidentiality, integrity, and authenticity together |
This is the mode-choice version of Chapter 5's "never roll your own cipher" warning: the cipher can be perfectly strong AES, and the system can still be broken by choosing the wrong mode around it. Reach for a vetted AEAD mode by default rather than assembling confidentiality and integrity by hand.
Hands-On Exercises
Explain why encrypting a bitmap image with ECB mode still reveals the image's overall shape, connecting your answer back to the specific weakness of monoalphabetic substitution from Chapter 2.
📄 View solutionTwo different messages are encrypted with CBC mode using the same key AND the same IV. If the first block of plaintext happens to be identical in both messages, what will an attacker observe by comparing the two ciphertexts, and what does that leak?
📄 View solutionAn application uses plain CTR mode (no authentication) to encrypt a bank transfer's amount field, embedded within a larger ciphertext at a known byte position. Describe how an attacker who cannot decrypt the ciphertext could still tamper with the transferred amount, and explain how switching to GCM would prevent this specific attack.
📄 View solutionChapter 6 Quick Reference
- ECB — encrypts each block independently; identical plaintext blocks → identical ciphertext blocks; never use beyond one block
- CBC — XORs each block with the previous ciphertext; needs a random, non-reused IV; sequential encryption, parallel decryption
- CTR — encrypts a nonce+counter to build a keystream, turning a block cipher into a stream cipher; fully parallelizable; nonce+counter must never repeat
- ECB/CBC/CTR are all confidentiality-only — none detect tampering; bit-flipping attacks are possible against all three without the key
- GCM (AEAD) — CTR-based encryption plus a built-in authentication tag (GMAC); the modern recommended default
- Next chapter: Hash Functions — properties, SHA-2/SHA-3, and why MD5/SHA-1 were retired