Cipher Modes

When a block cipher is used, any one of the following cipher modes can be specified via the CryptSetKeyParam function. If the application does not explicitly specify one of these modes, then the cipher block chaining (CBC) cipher mode is used.

Electronic Codebook (ECB) Mode

When this cipher mode is used, each block is encrypted individually. No feedback is used. This means any blocks of plaintext that are identical and are either in the same message, or in a different message that is encrypted with the same key, will be transformed into identical ciphertext blocks.

If the plaintext to be encrypted contains substantial repetition, then it is feasible for the ciphertext to be broken one block at a time. Furthermore, it is possible for an unscrupulous person to substitute and exchange individual blocks without detection.

Initialization vectors cannot be used with this cipher mode.

If a single bit of the ciphertext block is garbled, then the entire corresponding plaintext block will also be garbled.

Cipher Block Chaining (CBC) Mode

This cipher mode introduces feedback. Before each plaintext block is encrypted, it is combined with the ciphertext of the previous block by a bitwise XOR. This ensures that even if the plaintext contains many identical blocks, they will each encrypt to a different ciphertext block.

The initialization vector is combined with the first plaintext block by a bitwise XOR before the block is encrypted.

As with the electronic codebook cipher mode, if a single bit of the ciphertext block is garbled, then the corresponding plaintext block will also be garbled. In addition, a bit in the subsequent plaintext block (in the same position as the original garbled bit) will be garbled. Synchronization errors are fatal. If there are extra or missing bytes in the ciphertext, the plaintext will be garbled from that point on.

When the Microsoft Base Cryptographic Provider is used, this is the default cipher mode.

Cipher Feedback (CFB) Mode

The cipher feedback mode lets you process small increments of plaintext into ciphertext, instead of processing an entire block at a time. This is useful, for example, when encrypting a stream of data that originates at a keyboard. Each keystroke can be encrypted and transmitted without the need to wait for an entire block to be typed.

This mode uses a shift register that is one block size in length and divided up into sections. For example, if the block size is 64 bits with eight bits processed at a time, then the shift register would be divided up into eight sections.

    To use the cipher feedback mode
  1. Encrypt the block in the shift register by using typical procedures.
  2. Use a bitwise XOR operator to combine the left-most 8 bits in the encrypted shift register with the next eight bits of plaintext and send them as eight bits of ciphertext.
  3. Shift the shift register 8 bits to the left.
  4. Place the 8 bits of ciphertext generated in step 2 in the right-most 8 bits of the shift register.

In the CryptoAPI, the number of bits processed at one time is specified by using the CryptSetKeyParam function to set the encryption key's KP_MODE_BITS parameter. This parameter typically defaults to eight bits.

Depending on the value of the KP_MODE_BITS parameter, this cipher mode is substantially slower than the cipher block chaining mode. For example, if the block size is 64 bits and 8 bits are processed at a time, this cipher mode is 64/8 or eight times slower.

Before the encryption process begins, the shift register is filled with the initialization vector.

If a bit in the cipher text is garbled, one plaintext bit is garbled and the shift register is corrupted. This results in the next several plaintext increments being garbled until the bad bit is shifted out of the shift register. In the preceding example, nine bytes of plaintext would be garbled. This is the same amount of error propagation as with the cipher block chaining mode. Synchronization errors are not fatal, provided that the slip is a multiple of KP_MODE_BITS. Thus, if KP_MODE_BITS is eight and there are extra or missing bytes from the ciphertext, then 9 bytes of plaintext are garbled and the plaintext will have the same number of extra or missing bytes.

Output Feedback (OFB) Mode

This mode is similar to the cipher feedback mode. The only difference between the two modes is how the shift register is filled.

The output feedback (OFB) cipher mode uses the following procedure for each encryption cycle.

    To use the Output Feedback Mode
  1. Encrypt the block in the shift register by using typical procedures.
  2. Use a bitwise XOR operator to combine the leftmost 8 bits in the encrypted shift register with the next 8 bits of plaintext and send them as 8 bits of ciphertext.
  3. Shift the shift register 8 bits to the left.
  4. Place the 8 bits of ciphertext generated in step 2 in the rightmost 8 bits of the shift register.

As with the cipher feedback mode, the shift register is filled with the initialization vector before the encryption process starts.

If a bit in the cipher text is garbled, the corresponding bit of plaintext will also be garbled. This is much better than the cipher feedback mode. However, synchronization errors are fatal. If there are extra or missing bits from the ciphertext, then the plaintext will be garbled from that point on.

Note  According to Gait (see reference below), the OFB block cipher mode has a weakness when the number of bits fed back is different than the block size. It is thus recommended that the KP_MODE_BITS parameter be set to the block size when this cipher mode is used.

*Gait, J. "A New Nonlinear Pseudorandom Number Generator." IEEE Transactions on Software Engineering. v. SE-3, n. 5, September 1977,  359-363.