ECB Mode

Electronic Codebook Mode. This is the simplest operating mode of the algorithm. In ECB mode each plaintext block sent to the algorithm's input is converted with the same key into a ciphertext block, independently of all other blocks. Therefore two identical plaintext blocks always give identical ciphertext blocks, so repeated patterns in the source data remain visible in the ciphertext.

If the size of the data exceeds the minimum block size (16 bytes for AES and 8 bytes for GSII64), it must be divided into blocks of exactly that size. If necessary, filler bytes must be appended to the last block. It is strongly recommended that the filler bytes vary; random bytes are a good choice. In this case the last encrypted block must be stored in full, together with the encrypted filler bytes (without removing them); otherwise the data bytes in this block cannot be decrypted. Since random filler cannot be recognised after decryption, the original data length must be stored separately so that the filler can be discarded.

ECB mode is suitable only for encrypting very small volumes of data, for example initialization vectors used in the other modes or keys for other algorithms.

CBC Mode

Cipher Block Chaining Mode. In CBC mode, as in ECB mode, each plaintext block is converted into a ciphertext block, and the conversion of all blocks is performed with the same key. CBC mode is used more often and is better suited to converting data larger than the minimum block size.

However, unlike ECB, converting two identical plaintext blocks located in different places of the source data does not yield identical ciphertext blocks. This is because at each step it is not the plaintext block itself that is encrypted but its XOR with the previous ciphertext block. For the first block, the XOR of the block with an initialization vector (IV) is used. The IV value must be stored for correct reverse conversion, preferably in protected form (e.g. encrypted in ECB mode). What matters most is that the same IV is never reused with the same key for different data.

The conversion is thus position-dependent: the result of encrypting a block depends not only on the block itself but also on all preceding blocks.

Reverse conversion (decryption) is also performed block by block: each ciphertext block is decrypted and then XORed with the previous ciphertext block (or with the IV for the first block).

The total size of the source data must be a multiple of the minimum block size. Otherwise filler bytes must be added, just as in ECB mode.

CBC mode can also be used to calculate reliable checksums for data authentication (CBC-MAC). The last ciphertext block serves as the checksum. This block depends on all previous blocks and on the initialization vector, and it is computed with the algorithm key. It reveals nothing about the source data but identifies it virtually unambiguously, and forging it is as hard as recovering the algorithm key. To use it safely, compute the checksum with a fixed IV (for example, all zeros) rather than one the sender can choose, use a key different from the one used to encrypt the data, and either keep the message length fixed or include the length in the data being checksummed; otherwise known forgeries against CBC-MAC apply.

CFB Mode

Cipher Feedback Mode. CFB mode allows converting data of arbitrary size, not necessarily a multiple of the minimum block size. This removes the need to pad the source data to a multiple of the block size. In this mode the size of the ciphertext equals the size of the plaintext.

In CFB mode, as in CBC, the blocks are chained: the previous ciphertext block is encrypted and the result is XORed with the next block of source data, so each ciphertext block depends on all previous blocks of source data.

An initialization vector (IV) is used in this mode as well (see CBC mode).

This mode is unavailable for unidirectional algorithms that perform only encryption or only decryption, because in CFB the forward and reverse conversions are mathematically equivalent: both apply the same block operation (only the encryption direction of the algorithm), so a one-way algorithm could not be enforced.

Important information

If a wrong initialization vector is supplied during decryption, all data except the first block is still decrypted correctly, since every later block depends only on the preceding ciphertext block. If the application requires that a wrong IV make the whole message undecryptable, OFB mode is preferable: there a wrong IV garbles every block.

OFB Mode

Output Feedback Mode. This mode has a lot in common with CFB mode. The main difference is that the value fed back for encrypting the next block is the previous output of the algorithm (starting from the converted IV) rather than the previous ciphertext block; the resulting keystream therefore does not depend on the data at all and is simply XORed with it.

The advantage of this mode is that it removes the dependency on distortions of previous blocks when the encrypted data is transmitted: if a block is damaged, only that block is affected and the remaining blocks still decrypt correctly.

On the other hand, OFB mode provides less protection against deliberate alteration of data, since changing one bit of the encrypted data changes the same bit of the decrypted data without any visible corruption. A reliable checksum is therefore required to verify the authenticity of the data. None of the modes described here authenticates data on its own: in CFB a flipped ciphertext bit also flips the same plaintext bit (and garbles the following block), and in CBC it flips the same bit of the following block; use the CBC checksum described above or another message authentication code.

The initialization vector (IV) is used in this mode just as in the two previous modes (see CBC and CFB modes). Because OFB produces a keystream, reusing the same IV with the same key for two different messages reveals the XOR of the two plaintexts; a new IV must be used for every message.

This mode is unavailable for unidirectional algorithms that perform only encryption or only decryption, for the same reason as CFB: the forward and reverse conversions are mathematically equivalent, so a one-way algorithm could not be enforced.
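The four modes above, as an added worked example that is not part of this page or of the Guardant SDK: the block cipher is a stand-in Feistel network built from SHA-256 (an assumption, not GSII64 or AES), chosen only so that the example runs offline; all keys, IVs and messages are constructed. It shows ECB repeating equal blocks while CBC does not, the CBC checksum with a fixed zero IV, CFB and OFB working on data that is not a multiple of the block size, the different effect of a wrong IV in CFB versus OFB from the note above, and the OFB bit flip from the previous paragraph.

```python
"""ECB, CBC (with CBC-MAC), CFB and OFB over an 8-byte block, stand-alone."""
import hashlib
import os

BLOCK = 8  # block size in bytes; the page cites 8 for GSII64 and 16 for AES


def _xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings; the result is as long as the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, i: int, half: bytes) -> bytes:
    # Stand-in round function: 4 bytes of SHA-256 keyed by (key, round, half).
    return hashlib.sha256(key + bytes([i]) + half).digest()[: BLOCK // 2]


def encrypt_block(key: bytes, block: bytes) -> bytes:
    """Stand-in 8-byte block cipher (4-round Feistel). NOT GSII64 or AES."""
    left, right = block[:4], block[4:]
    for i in range(4):
        left, right = right, _xor(left, _round(key, i, right))
    return left + right


def decrypt_block(key: bytes, block: bytes) -> bytes:
    """Inverse of encrypt_block: rounds undone in reverse order."""
    left, right = block[:4], block[4:]
    for i in reversed(range(4)):
        left, right = _xor(right, _round(key, i, left)), left
    return left + right


def _blocks(data: bytes):
    return (data[i:i + BLOCK] for i in range(0, len(data), BLOCK))


def pad_random(data: bytes) -> bytes:
    """Random filler up to a block boundary (ECB section); store len(data) separately."""
    return data + os.urandom(-len(data) % BLOCK)


def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    assert len(data) % BLOCK == 0, "ECB needs whole blocks: pad_random() first"
    return b"".join(encrypt_block(key, b) for b in _blocks(data))


def ecb_decrypt(key: bytes, data: bytes) -> bytes:
    return b"".join(decrypt_block(key, c) for c in _blocks(data))


def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    assert len(data) % BLOCK == 0, "CBC needs whole blocks: pad_random() first"
    out, prev = [], iv
    for b in _blocks(data):
        prev = encrypt_block(key, _xor(b, prev))  # XOR with previous ciphertext
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    out, prev = [], iv
    for c in _blocks(data):
        out.append(_xor(decrypt_block(key, c), prev))
        prev = c
    return b"".join(out)


def cbc_mac(key: bytes, data: bytes) -> bytes:
    """Last CBC block as checksum; fixed zero IV so a sender cannot pick it."""
    return cbc_encrypt(key, bytes(BLOCK), data)[-BLOCK:]  # use a separate key


def cfb_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Full-block CFB: no padding, a short final chunk is fine (zip truncates)."""
    out, prev = [], iv
    for b in _blocks(data):
        prev = _xor(b, encrypt_block(key, prev))  # previous CIPHERTEXT fed back
        out.append(prev)
    return b"".join(out)


def cfb_decrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    out, prev = [], iv
    for c in _blocks(data):
        out.append(_xor(c, encrypt_block(key, prev)))  # forward direction again
        prev = c
    return b"".join(out)


def ofb_crypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """OFB: keystream is the IV encrypted repeatedly; same call for both directions."""
    out, state = [], iv
    for b in _blocks(data):
        state = encrypt_block(key, state)  # previous OUTPUT fed back
        out.append(_xor(b, state))
    return b"".join(out)


if __name__ == "__main__":
    key, iv, bad_iv = b"demo-key", bytes(range(8)), bytes(8)  # constructed values
    msg = b"ABCDEFGH" * 2 + b"12345678"  # two equal blocks, then a third
    ecb, cbc = ecb_encrypt(key, msg), cbc_encrypt(key, iv, msg)
    print("ECB equal blocks repeat:", ecb[:8] == ecb[8:16])  # True
    print("CBC equal blocks repeat:", cbc[:8] == cbc[8:16])  # False
    rec = b"record of 21 bytes..."  # not a multiple of 8: CFB/OFB need no padding
    cfb, ofb = cfb_encrypt(key, iv, rec), ofb_crypt(key, iv, rec)
    print("CFB wrong IV, later blocks intact:", cfb_decrypt(key, bad_iv, cfb)[8:] == rec[8:])
    print("OFB wrong IV, later blocks intact:", ofb_crypt(key, bad_iv, ofb)[8:] == rec[8:])
    tampered = bytes([ofb[0] ^ 0x80]) + ofb[1:]  # flip one ciphertext bit
    print("OFB bit flip hits the same plaintext bit:",
          ofb_crypt(key, iv, tampered) == bytes([rec[0] ^ 0x80]) + rec[1:])
```

Run it with python3 and the printed answers are True, False, True, False, True. Note that cfb_decrypt and ofb_crypt call only encrypt_block: that is the equivalence of the forward and reverse conversions the text refers to when it says these modes are unavailable for unidirectional algorithms.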

Recommendations for operating with initialization vector IV

Pay special attention to the following points for correct conversion of data with the GSII64 or AES algorithm:

  • The initialization vector (IV) must have the same value for encryption and decryption.
  • You must save the value of the initialization vector (IV) before calling GrdCrypt (GrdCryptEx) or GrdTransform when encrypting/decrypting large blocks of data (more than 248 bytes for ECB and CBC, 255 bytes for CFB and OFB).
  • Initialize the IV with the number of the respective record/sector, so that each record (e.g. a database record or a disk sector) is always encrypted the same way, while different records with the same contents are encrypted differently. Note that in OFB mode a record that is rewritten with changed contents under the same key and IV is encrypted with the same keystream, which leaks the XOR of the old and new contents (in CFB the same applies to the first block); if records are rewritten in place, prefer CBC for them or include a version counter in the IV.