#### 2. Cipher Modes

Most symmetric
encryption algorithms operate in different cipher modes, which
specify variations in the way that data is prepared before being
processed by the cipher function. The following sections explain the
most commonly used modes, but you should bear in mind that there are
a large number of variations and not all algorithms can support all
cipher modes.

##### 2.1. Electronic Codebook mode

The Electronic Codebook (ECB) mode is the simplest cipher mode and
builds ciphertext by concatenating the output of the cipher function,
as shown in Figure 4. We can summarize the
process as follows:

Break the plaintext into blocks that are the same size as the input
of the cipher function.

Use the secret key to encrypt each plaintext data block in turn with
the cipher function.

Append the output of the cipher function to the ciphertext.

Although this seems like the obvious way to encrypt data, the
deterministic nature of the cipher function exposes the ciphertext to
a special kind of attack whenever there is repetition in the
confidential message.

The cipher
function is consistent, and using a secret key to encrypt two
identical blocks of data results in identical blocks of ciphertext.
If there are any repeated blocks of data in the plaintext, you will
end up with repeated blocks of data in the ciphertext, which presents
a weakness that Eve can exploit.

There is a natural structure to many types of messages; for example,
Alice's letters often begin with
"Dear Bob" and emails will often
start with "From,"
"To," or
"Received." Imagine that Alice
sends a company memo to Bob, and that Eve knows (or can guess at) the
structure of such messages.

Figure 5 shows a simplified representation of the
effect of building the ciphertext from the output of the cipher
function directly—simplified because we have assumed that each
word is encrypted as a plaintext block in a case-insensitive manner.
Real encryption algorithms work on binary data, but our example is
useful for understanding the issue at hand. Eve knows that all of
Alice's memos begin with
"From," and therefore knows that
the first block of ciphertext represents that word. Eve knows that
every time she finds that particular ciphertext block in the
encrypted data she has located another instance of the word
"From." By applying her knowledge
of the message structure, Eve deduces several words in the
confidential message, including the words
"To,"
"Bob,"
"Subject," and
"Alice."

Eve finds repeated ciphertext blocks for which she
can't deduce the meaning, because the word that the
block represents is not included in the standard structure of
Alice's memo; AAA and BBBB indicate these blocks.
Regardless, Eve keeps a record of these blocks, because she may
intercept another message that reveals their meaning later and shed
more light on this message—a process of building a codebook
that will help her recognize the meaning of known ciphertext blocks
as she intercepts them. Eve's
"codebook" is useful only while
Alice and Bob use the same secret key. If they agree on a new key,
the ciphertext blocks for known words will be different, and Eve will
have to start from scratch.

The ECB mode is the simplest way to create ciphertext, although the
risks associated with encrypting duplicate plaintext blocks mean that
you should use it with caution. The following sections describe
alternate cipher modes that address the problem of block repetition,
and we recommend that you use these instead of ECB.

##### 2.2. Cipher block chaining

The most common way to overcome the block
repetition weakness of ECB is to add
"feedback" into the
cipher function. Adding feedback
produces a ciphertext in which the result of encrypting a data block
affects the results of encrypting all subsequent blocks. Figure 6 illustrates the most widely used way of doing
this, called Cipher Block Chaining (CBC), which works as follows:

Break the plaintext into blocks that are the same size as the input
for the cipher function.

Process the first message block:

XOR the message block with the
"seed" data to create a combined
data block.

Encrypt the result to produce the first block of ciphertext.

Process remaining message blocks in turn:

XOR the plaintext block with most recently created ciphertext block
to create a combined data block.

Encrypt the combined data block and append the result to the
ciphertext.

For example, to encrypt the 10^{th} plaintext
block you XOR it with the 9^{th} ciphertext
block and encrypt the result, producing the
10^{th} ciphertext block, which you XOR with
the 11^{th} plaintext block, and so on.

The seed data for
symmetric encryption is called the
initialization vector (IV) and is used
to ensure that the first block of ciphertext is not open to ECB-style
attacks. The IV is a block of random data that is the same size as
the cipher function input block.

Using CBC means that Bob has to use the same IV to decrypt the data
as Alice used to encrypt the message; fortunately, the value of the
IV is not a secret, and there is no danger in allowing it to fall
into Eve's hands. Alice should select a new IV for
each message that she encrypts, and she will normally send the IV to
the recipient along with the encrypted data.

##### 2.3. Cipher feedback mode

Processing plaintext data block by block is
not suitable for all projects, especially those where the data to
encrypt becomes available over time (for example, received via a
network stream). In such cases, the confidential data has to be held
in memory until a complete block is received and encrypted, which can
present a security risk.

Cipher Feedback (CFB) mode is a technique for using a block
cipher function to encrypt plaintext
in fragments smaller than the function block size, allowing data to
be encrypted as it arrives. Like CBC, CFB uses an IV, but in this
mode, it represents the initial value for a queue, which is a data
block the same size as the cipher function input. If you are using a
cipher that operates on 64-bit data blocks but the data becomes
available in 8-bit chunks, then the CFB protocol is as follows:

Create a 64-bit queue, and fill it with a 64-bit IV.

As each 8-bit chunk of plaintext becomes available:

XOR the leftmost eight bits of the encrypted queue with the eight
bits of plaintext to create the cipher data chunk.

Append the cipher data chunk to the ciphertext output.

Shift the queue eight bits to the left and discard the leftmost eight
bits.

Set the rightmost eight bits of the queue to be the eight bits of
ciphertext.

This seems a lot more complicated than it actually is. Start with a
64-bit queue that contains the IV, and as you progress, the queue
gradually fills up with 8-bit chunks of ciphertext. Figure 7 illustrates the way in which CFB works.

CFB encrypts data one bit at a time if required, although that would
use a lot of CPU (because the cipher function encrypts a complete
block of data for each message bit). In the queue, the gradual
shifting of the data protects against ECB attacks.