17

I've been testing out the various modes available in PHP's mcrypt function. ECB is the mode used in most tutorials, but isn't recommended by both the just linked page and some users, so I reckon that either CBC or CFB should do the trick.

The PHP documentation isn't too fat in it's comparision of the different modes available to mcrypt and instead refers to the book of 'Applied Cryptography by Schneier', which I am not too keen to buy for the moment.

So which of the mcrypt-modes do I want to use and why?

Community
  • 1
  • 1
Industrial
  • 41,400
  • 69
  • 194
  • 289
  • 1
    not duplicate but helpful post http://stackoverflow.com/questions/2809855/which-php-mcrypt-cipher-is-safest hi kevin ;) – KJYe.Name Feb 24 '11 at 17:45
  • Yeah I know that post, it's my own, but I still miss out any pros/cons of the different modes that available to `mcrypt`. Why choose _CBC_ over _CFC_? – Industrial Feb 24 '11 at 17:46

1 Answers1

23

mcrypt actually implements more modes than listed, you can use the string names to access them:

  • cbcCBC mode
  • cfb – 8-bit CFB mode;
  • ncfb – block-size CFB mode;
  • nofbOFB mode (not ofb);
  • ctrCTR mode.

The modes differ in implementation details, so their suitability depends on your data and environment.

Padding:

  • CBC mode only encrypts complete blocks, so mcrypt pads your plaintext with zero bytes unless you implement your own padding.

  • CFB, OFB and CTR modes encrypt messages of any length.

Initialization vector:

  • CBC and CFB modes require a random IV (don't use MCRYPT_RAND).

  • OFB mode merely requires a unique IV (e.g. a global counter, maybe the database primary key if rows are never modified or deleted).

  • CTR requires that each counter block is unique (not just the IV of the message, which is the first counter block, but the rest, formed by incrementing the counter block by 1 for each block of the message).

More information in the NIST recommendations.

There are differences in performance which should be unimportant in PHP, such as whether encryption or decryption can be parallelized and how many cipher iterations are used per block (usually one, but 16 in 8-bit CFB mode).

There are differences in malleability which should be unimportant because you will apply a MAC.

And there may be differences in their security, but for that you should consult a cryptographer.

aaz
  • 5,136
  • 22
  • 18
  • Thanks for the extensive reply @aaz! – Industrial Feb 26 '11 at 13:29
  • 1
    @aaz - you say "(don't use MCRYPT_RAND)" can I ask why? – buggedcom Oct 06 '11 at 19:57
  • 2
    @buggedcom – The security of these modes depends on the IV being unpredictable. `MCRYPT_RAND` uses the PHP random number generator, which may or may not satisfy this requirement. It might be connected to a hardware RNG, or it might return the digits of π. But you can check [`man 4 random`](http://linux.die.net/man/4/random) on your system to see that `/dev/random` is intended for generating cryptographic material, and the default `MCRYPT_DEV_RANDOM` uses that. – aaz Oct 08 '11 at 22:56
  • 1
    I know this is an old question/answer, but what about padding with ecb? How does it work? – greggles Apr 01 '13 at 22:56
  • @greggles You do not need to worry about it, in ECB mode. – The Onin Mar 12 '15 at 02:31