Modes of Operation

Cryptography Fundamentals

Chapter 6 · Modes of Operation — ECB, CBC, CTR/GCM & Why Mode Choice Matters

Chapter 5 covered AES as a cipher that transforms exactly one 128-bit block at a time. Real messages are almost never exactly 128 bits — so every real use of a block cipher needs a mode of operation: a defined way of chaining repeated block-cipher operations together to handle messages of any length. This turns out to matter as much as the underlying cipher itself — a message encrypted with rock-solid AES, in the wrong mode, can still be catastrophically insecure.

ECB — Electronic Codebook

The most obvious approach: split the message into blocks, and encrypt each block independently with the same key.

Block 1 --AES(key)--> Ciphertext 1 Block 2 --AES(key)--> Ciphertext 2 Block 3 --AES(key)--> Ciphertext 3

This has one devastating property: identical plaintext blocks always produce identical ciphertext blocks. Any structure or repetition in the original data — rows of a spreadsheet, repeated fields in a record, or the flat colored regions of an image — survives directly into the ciphertext, just relabeled.

The "ECB penguin"
The canonical illustration is a bitmap image of a penguin, encrypted block-by-block with ECB mode. The output is still visibly, unmistakably a penguin — every flat-colored region of the original image, being made of many identical or near-identical blocks, maps to identical or near-identical ciphertext blocks in exactly the same layout. The image is technically "encrypted" and yet its shape is completely legible.

This is structurally the exact same weakness Chapter 2 spent an entire chapter exploiting in monoalphabetic substitution: a fixed mapping — there, letter-to-letter; here, block-to-block — always leaks the structure of whatever it's applied to, no matter how strong the underlying transformation is.

A real, widely reported consequence
Adobe's 2013 breach is widely cited as a real-world example of exactly this failure: rather than hashing passwords (Chapter 7), reports indicate Adobe encrypted them with a block cipher in ECB mode. Because identical plaintexts produce identical ciphertexts, security researchers examining the leaked data were able to identify large clusters of users who shared the exact same password, without ever needing to actually decrypt anything.

CBC — Cipher Block Chaining

CBC breaks ECB's fixed-mapping problem directly: before encrypting each block, XOR it with the previous block's ciphertext first. This makes every block's encryption depend on everything that came before it, so identical plaintext blocks no longer produce identical ciphertext.

Ciphertext 1 = AES( Plaintext 1 XOR IV ) Ciphertext 2 = AES( Plaintext 2 XOR Ciphertext 1 ) Ciphertext 3 = AES( Plaintext 3 XOR Ciphertext 2 )

The very first block has no "previous ciphertext" to XOR against, so CBC needs an initialization vector (IV) — a random, unpredictable value used only once, playing a role reminiscent of Chapter 5's stream-cipher nonce. CBC encryption is inherently sequential (each block depends on the last), though decryption can actually be parallelized, since every ciphertext block is already available up front.

CBC has its own real pitfalls
A reused or predictable IV reintroduces exactly the kind of pattern leakage ECB has, at least for the first block of a message. CBC's padding handling has also historically enabled "padding oracle" attacks, where an application's error-handling behavior around invalid padding leaks information an attacker can exploit to decrypt data without the key — a reminder that a mode's mathematical design and its real-world implementation are two separate things to get right.

CTR — Counter Mode

Counter mode takes a completely different approach: rather than encrypting the plaintext directly, it encrypts a counter (a nonce combined with an incrementing number) to generate a keystream, then XORs that keystream with the plaintext — turning a block cipher into a stream cipher, in the same spirit as Chapter 5's ChaCha20.

Keystream 1 = AES( Nonce || Counter=1 ) Keystream 2 = AES( Nonce || Counter=2 ) Keystream 3 = AES( Nonce || Counter=3 ) Ciphertext N = Plaintext N XOR Keystream N

Because each block's keystream depends only on the nonce and counter — not on any other block — CTR mode is fully parallelizable in both directions, unlike CBC, and needs no padding at all, since it's really a stream cipher underneath.

The exact danger from Chapter 5, again
If the same nonce+counter combination is ever reused with the same key, CTR mode regenerates the identical keystream — reintroducing precisely the two-time-pad vulnerability Chapter 5's closing exercise walked through in full. Nonce management is CTR mode's single most important operational discipline.

The Missing Piece — None of These Provide Integrity

ECB, CBC, and CTR all provide confidentiality only — none of them protect integrity or authenticity, Chapter 1's other two goals. An attacker who intercepts CBC or CTR ciphertext can flip specific bits without ever needing the key, causing controlled, predictable changes in the decrypted plaintext — with no built-in mechanism to detect that tampering occurred at all. This is the exact scenario Chapter 1's very first exercise asked you to reason about in the abstract; here it is made concrete.

GCM — Galois/Counter Mode (Authenticated Encryption)

GCM solves the missing piece directly. It's built on CTR mode's own encryption approach, but adds a built-in authentication tag, computed over the ciphertext using a technique called GMAC — bundling confidentiality, integrity, and authenticity into a single primitive, a category called AEAD (Authenticated Encryption with Associated Data). "Associated data" lets an application authenticate extra context — like a message header — without needing to encrypt it at all.

Chapter 8 covers message authentication and AEAD ciphers in full depth; this chapter's job is just to establish GCM as the mode-of-operation-level answer to the gap the previous section identified. GCM (or an equivalent AEAD mode) is the default in TLS 1.3 today, precisely because it closes the confidentiality-only gap that ECB, plain CBC, and plain CTR all share.

Choosing a Mode Today

ModeVerdict
ECBNever use for more than a single block — leaks structural patterns directly
CBCLegacy but workable if IVs are handled correctly and padding errors are never exposed to an attacker
CTRA solid building block, but confidentiality-only — needs a separate integrity mechanism (Ch.8) if used alone
GCM (AEAD)The modern recommended default for nearly everything — confidentiality, integrity, and authenticity together

This is the mode-choice version of Chapter 5's "never roll your own cipher" warning: the cipher can be perfectly strong AES, and the system can still be broken by choosing the wrong mode around it. Reach for a vetted AEAD mode by default rather than assembling confidentiality and integrity by hand.

Hands-On Exercises

Exercise 1

Explain why encrypting a bitmap image with ECB mode still reveals the image's overall shape, connecting your answer back to the specific weakness of monoalphabetic substitution from Chapter 2.

📄 View solution
Exercise 2

Two different messages are encrypted with CBC mode using the same key AND the same IV. If the first block of plaintext happens to be identical in both messages, what will an attacker observe by comparing the two ciphertexts, and what does that leak?

📄 View solution
Exercise 3

An application uses plain CTR mode (no authentication) to encrypt a bank transfer's amount field, embedded within a larger ciphertext at a known byte position. Describe how an attacker who cannot decrypt the ciphertext could still tamper with the transferred amount, and explain how switching to GCM would prevent this specific attack.

📄 View solution

Chapter 6 Quick Reference

  • ECB — encrypts each block independently; identical plaintext blocks → identical ciphertext blocks; never use beyond one block
  • CBC — XORs each block with the previous ciphertext; needs a random, non-reused IV; sequential encryption, parallel decryption
  • CTR — encrypts a nonce+counter to build a keystream, turning a block cipher into a stream cipher; fully parallelizable; nonce+counter must never repeat
  • ECB/CBC/CTR are all confidentiality-only — none detect tampering; bit-flipping attacks are possible against all three without the key
  • GCM (AEAD) — CTR-based encryption plus a built-in authentication tag (GMAC); the modern recommended default
  • Next chapter: Hash Functions — properties, SHA-2/SHA-3, and why MD5/SHA-1 were retired