3

Judging from this Wikipedia article on cipher modes and other things I've heard about ECB, it's a big no-no and can leak information about your encrypted data. However, there are still plenty of examples out there on the 'net that utilize ECB:

Is it ever acceptable or advantageous to use ECB?

If the data is very small (one block) and you're using both a salt and an IV, is it OK? If so, where is the threshold when you stop using it?

John B
  • 1
    My question would be: why use it when there are superior cipher modes available that don't require much/any additional effort? – Tim M. Jan 27 '12 at 20:34
  • Good point. One thought I had was the ECB might be significantly faster than the other cipher modes because of its simplicity. But the cases when you need that type of speed, and are using data less than or equal to the size of one block are probably rare. – John B Jan 27 '12 at 20:56
  • 1
    Performance is a valid question. My response would be that security is worth spending extra CPU cycles on and modern CPUs are usually one of the strongest components in an environment, capable of dealing with expensive calculations like this. +1 for your question, since there ARE still code samples out there using ECB. – Tim M. Jan 27 '12 at 21:00
  • 1
    Most examples of ECB encoding are simply not secure at all. The performance of ECB is identical to CBC so that's not a valid argument. Hardware AES is only twice as fast as software AES on current chips; performance is only an issue on huge amounts of data or latency. – Maarten Bodewes Jan 28 '12 at 00:33
  • By the way, ECB has no parameter other than the key. It does not have an IV, nor a salt. – Maarten Bodewes Jan 28 '12 at 00:40
  • If performance is an issue, you should choose AES over DESede (also known as Triple DES). AES is not just more secure, it is also much *faster* than DESede. You might want to use it as a stream cipher (CTR mode) if performance is an issue (as the key stream can be pre-calculated), or - if it is really important - a somewhat less secure stream cipher such as RC4 (which may be easily broken when used incorrectly, you have been warned). – Maarten Bodewes Jan 28 '12 at 16:28

2 Answers

9

This is better asked on crypto, but I'll answer anyway.

The ECB block cipher mode of operation is best used on randomized data, where there is no link between any of the plain text blocks. In practice, only randomized secret keys (without any additional / meta data) and random challenges (in challenge response protocols) fit that bill. The data should be a precise multiple of the block size, or collisions may still leak information. Secret keys are better protected using specific wrapping modes or modes that provide a syntactic IV (SIV modes).

Single block ECB is the same as single block CBC, with a fixed IV. It's fine for messages as long as you don't reuse the key for other data or messages. It is of course questionable if it is useful to encrypt just one message block with a key.

Most of the time it pays to simply go for CBC or, even better, GCM authenticated encryption. ECB is usually present as it may be used in legacy applications, is very easy to provide and can be used as a building block for more secure modes or MAC constructions.

Maarten Bodewes
  • OT: Wow this answer takes me back. Now I'm top 5 user and mod on [crypto.se]. And of course the top user on [tag:encryption] and [tag:cryptography]. A lot has changed (and compared to others, I still know nothing squared, which is creepy)! – Maarten Bodewes Apr 07 '21 at 14:04
7

If the data is very small (one block) and you're using both a salt and an IV, is it OK?

Yes

If so, where is the threshold when you stop using it?

Two blocks. There isn't any practical reason to use ECB; the only reason it exists is because it's a simple example of how to use a block cipher.

Jarred
  • 4
    Multiple blocks are fine as long as the data isn't related in any way, e.g. randomized data such as secret keys. ECB should never be used on strings. – Maarten Bodewes Jan 28 '12 at 00:28
  • 1
    This answer is incorrect. ECB is not safe for use even on single-block messages if you encrypt more than one message with the same key: the ciphertexts reveal which pairs of messages were the same, which is an undesirable leakage avoided by other schemes. ECB doesn't accept a salt or IV, so I have no idea what the answer "Yes" is talking about here -- it is answering an impossibility. The simple answer is: don't use ECB. Use a suitable authenticated encryption mode. – D.W. Feb 22 '16 at 04:46
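
The single-block leak described in the comment above, next to the GCM mode recommended in the first answer, as an added example that is not part of the original thread. It uses only the Go standard library; the helper names `ecbEncrypt` and `gcmEncrypt` and the sample messages are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// ecbEncrypt encrypts each 16-byte block on its own; there is no IV or salt.
func ecbEncrypt(b cipher.Block, pt []byte) []byte {
	ct := make([]byte, len(pt)) // len(pt) must be a multiple of 16
	for i := 0; i < len(pt); i += aes.BlockSize {
		b.Encrypt(ct[i:i+aes.BlockSize], pt[i:i+aes.BlockSize])
	}
	return ct
}

// gcmEncrypt returns nonce || ciphertext || tag, with a fresh random nonce.
func gcmEncrypt(b cipher.Block, pt []byte) []byte {
	gcm, err := cipher.NewGCM(b)
	if err != nil {
		panic(err)
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return gcm.Seal(nonce, nonce, pt, nil)
}

func main() {
	key := make([]byte, 32) // random AES-256 key reused for every message
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	b, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	// Constructed one-block messages: the first and third are identical.
	msgs := []string{"PAY ALICE 000100", "PAY BOB   000250", "PAY ALICE 000100"}
	for _, m := range msgs {
		fmt.Printf("ECB %x  GCM %x\n", ecbEncrypt(b, []byte(m)), gcmEncrypt(b, []byte(m)))
	}
}
```

The first and third ECB ciphertexts printed are byte-for-byte identical, so an observer without the key learns that the same message was sent twice; the GCM outputs differ on every call because of the random nonce.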