Security of AES after key expansion 4-MB with ECB and CBC












3














My question is,





  • how does the security depend or change if I encrypt with AES-128 in total 4-MB of Data?




    1. With Electronic Code Book Mode and

    2. Cipher Block Chaining Mode ?

    3. Does an adversary still need $2^{126}$ tries (like Wikipedia suggests) to guess the key or is it less (which in my opinion it should)?




The encrypted data would be a videostream.






encryption aes symmetric cbc ecb







share|improve this question
























  • Related: crypto.stackexchange.com/questions/30251/…
    – Ilmari Karonen
    Nov 27 '18 at 14:36


















3














My question is,





  • how does the security depend or change if I encrypt with AES-128 in total 4-MB of Data?




    1. With Electronic Code Book Mode and

    2. Cipher Block Chaining Mode ?

    3. Does an adversary still need $2^{126}$ tries (like Wikipedia suggests) to guess the key or is it less (which in my opinion it should)?




The encrypted data would be a videostream.






encryption aes symmetric cbc ecb







share|improve this question
























  • Related: crypto.stackexchange.com/questions/30251/…
    – Ilmari Karonen
    Nov 27 '18 at 14:36
















3












3








3







My question is,





  • how does the security depend or change if I encrypt with AES-128 in total 4-MB of Data?




    1. With Electronic Code Book Mode and

    2. Cipher Block Chaining Mode ?

    3. Does an adversary still need $2^{126}$ tries (like Wikipedia suggests) to guess the key or is it less (which in my opinion it should)?




The encrypted data would be a videostream.






encryption aes symmetric cbc ecb







share|improve this question















My question is,





  • how does the security depend or change if I encrypt with AES-128 in total 4-MB of Data?




    1. With Electronic Code Book Mode and

    2. Cipher Block Chaining Mode ?

    3. Does an adversary still need $2^{126}$ tries (like Wikipedia suggests) to guess the key or is it less (which in my opinion it should)?




The encrypted data would be a videostream.






encryption aes symmetric cbc ecb




encryption aes symmetric cbc ecb






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Nov 27 '18 at 13:19









kelalaka

5,57722040




5,57722040










asked Nov 27 '18 at 13:07









barium borat

161




161












  • Related: crypto.stackexchange.com/questions/30251/…
    – Ilmari Karonen
    Nov 27 '18 at 14:36




















  • Related: crypto.stackexchange.com/questions/30251/…
    – Ilmari Karonen
    Nov 27 '18 at 14:36


















Related: crypto.stackexchange.com/questions/30251/…
– Ilmari Karonen
Nov 27 '18 at 14:36






Related: crypto.stackexchange.com/questions/30251/…
– Ilmari Karonen
Nov 27 '18 at 14:36












1 Answer
1






active

oldest

votes


















3














A videostream should probably not be encrypted with either ECB or CBC.



ECB is insecure for almost anything and it should not / can not be used to turn a block cipher in a secure cipher. This is clearly shown even in the Wikipedia description of the mode: find the penguin.



CBC is secure to keep data confidential. It is, however, susceptible to padding oracle attacks when not used correctly - especially in real time communication. It also doesn't allow e.g. caching of the key stream or parallel encryption, so the performance may be subpar as well. And although it does support seeking, it does require the user to retrieve the ciphertext block before the one that needs decryption.



This is why commonly CTR mode is used instead. Sometimes CTR mode is used in combination with a MAC to offer fast authentication and integrity of the ciphertext. , e.g. GCM mode. GCM mode, however, does undo some of the benefits of CTR mode.




However, probably the most common methods of wrapping a stream is to perform TLS. It does have some overhead, but at least well reviewed implementations exists. It depends if it fits your need.




The amount of tries to get to the key will always be in the neighborhood of $2^{127}$ tries for a (largely) unbroken cipher such as AES. The key is protected by the block cipher itself, rather than the mode of operation.



However, the security of the key only is only part of the security of the cipher. It is perfectly possible for a mode of operation to leak information on the plaintext even if the key is kept perfectly secure. The ECB penguin is a prime example of that. Another is CTR mode with a repeated IV, which turns the cipher into a "many-time pad".






share|improve this answer























  • If a new key generated for every video stream (file), does ECB still problematic?
    – kelalaka
    Nov 27 '18 at 14:13






  • 4




    @kelalaka Yes. Unless you have one key per 16 byte block ECB is always problematic. (Of course if you have one key per 16 byte block you just doubled your data size.)
    – DRF
    Nov 27 '18 at 14:25










  • @kelalaka Have you looked at the penguin? That Maarten linked to?
    – Martin Bonner
    Nov 27 '18 at 15:05






  • 1




    @MartinBonner I know the problem years ago. My point, in a video almost all of the data will be different. It will not reveal a pattern. Then, the passive attacker can perform, if knows the video file, only a known-plaintext attack. Since we know that AES secure against KPA, and if I change the AES key for every file, what is the problem?
    – kelalaka
    Nov 27 '18 at 15:17






  • 4




    @kelaka: "My point, in a video almost all of the data will be different. It will not reveal a pattern" I'm not in the slightest bit convinced that is true. I would suggest that using CBC, CTR, or GCM is no more complicated than using ECB, and it saves having to have a long discussion with your reviewer about why it is safe it this case.
    – Martin Bonner
    Nov 27 '18 at 15:22











Your Answer





StackExchange.ifUsing("editor", function () {
return StackExchange.using("mathjaxEditing", function () {
StackExchange.MarkdownEditor.creationCallbacks.add(function (editor, postfix) {
StackExchange.mathjaxEditing.prepareWmdForMathJax(editor, postfix, [["$", "$"], ["\\(","\\)"]]);
});
});
}, "mathjax-editing");

StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "281"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














draft saved

draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f64351%2fsecurity-of-aes-after-key-expansion-4-mb-with-ecb-and-cbc%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes









3














A videostream should probably not be encrypted with either ECB or CBC.



ECB is insecure for almost anything and it should not / can not be used to turn a block cipher in a secure cipher. This is clearly shown even in the Wikipedia description of the mode: find the penguin.



CBC is secure to keep data confidential. It is, however, susceptible to padding oracle attacks when not used correctly - especially in real time communication. It also doesn't allow e.g. caching of the key stream or parallel encryption, so the performance may be subpar as well. And although it does support seeking, it does require the user to retrieve the ciphertext block before the one that needs decryption.



This is why commonly CTR mode is used instead. Sometimes CTR mode is used in combination with a MAC to offer fast authentication and integrity of the ciphertext. , e.g. GCM mode. GCM mode, however, does undo some of the benefits of CTR mode.




However, probably the most common methods of wrapping a stream is to perform TLS. It does have some overhead, but at least well reviewed implementations exists. It depends if it fits your need.




The amount of tries to get to the key will always be in the neighborhood of $2^{127}$ tries for a (largely) unbroken cipher such as AES. The key is protected by the block cipher itself, rather than the mode of operation.



However, the security of the key only is only part of the security of the cipher. It is perfectly possible for a mode of operation to leak information on the plaintext even if the key is kept perfectly secure. The ECB penguin is a prime example of that. Another is CTR mode with a repeated IV, which turns the cipher into a "many-time pad".






share|improve this answer























  • If a new key generated for every video stream (file), does ECB still problematic?
    – kelalaka
    Nov 27 '18 at 14:13






  • 4




    @kelalaka Yes. Unless you have one key per 16 byte block ECB is always problematic. (Of course if you have one key per 16 byte block you just doubled your data size.)
    – DRF
    Nov 27 '18 at 14:25










  • @kelalaka Have you looked at the penguin? That Maarten linked to?
    – Martin Bonner
    Nov 27 '18 at 15:05






  • 1




    @MartinBonner I know the problem years ago. My point, in a video almost all of the data will be different. It will not reveal a pattern. Then, the passive attacker can perform, if knows the video file, only a known-plaintext attack. Since we know that AES secure against KPA, and if I change the AES key for every file, what is the problem?
    – kelalaka
    Nov 27 '18 at 15:17






  • 4




    @kelaka: "My point, in a video almost all of the data will be different. It will not reveal a pattern" I'm not in the slightest bit convinced that is true. I would suggest that using CBC, CTR, or GCM is no more complicated than using ECB, and it saves having to have a long discussion with your reviewer about why it is safe it this case.
    – Martin Bonner
    Nov 27 '18 at 15:22
















3














A videostream should probably not be encrypted with either ECB or CBC.



ECB is insecure for almost anything and it should not / can not be used to turn a block cipher in a secure cipher. This is clearly shown even in the Wikipedia description of the mode: find the penguin.



CBC is secure to keep data confidential. It is, however, susceptible to padding oracle attacks when not used correctly - especially in real time communication. It also doesn't allow e.g. caching of the key stream or parallel encryption, so the performance may be subpar as well. And although it does support seeking, it does require the user to retrieve the ciphertext block before the one that needs decryption.



This is why commonly CTR mode is used instead. Sometimes CTR mode is used in combination with a MAC to offer fast authentication and integrity of the ciphertext. , e.g. GCM mode. GCM mode, however, does undo some of the benefits of CTR mode.




However, probably the most common methods of wrapping a stream is to perform TLS. It does have some overhead, but at least well reviewed implementations exists. It depends if it fits your need.




The amount of tries to get to the key will always be in the neighborhood of $2^{127}$ tries for a (largely) unbroken cipher such as AES. The key is protected by the block cipher itself, rather than the mode of operation.



However, the security of the key only is only part of the security of the cipher. It is perfectly possible for a mode of operation to leak information on the plaintext even if the key is kept perfectly secure. The ECB penguin is a prime example of that. Another is CTR mode with a repeated IV, which turns the cipher into a "many-time pad".






share|improve this answer























  • If a new key generated for every video stream (file), does ECB still problematic?
    – kelalaka
    Nov 27 '18 at 14:13






  • 4




    @kelalaka Yes. Unless you have one key per 16 byte block ECB is always problematic. (Of course if you have one key per 16 byte block you just doubled your data size.)
    – DRF
    Nov 27 '18 at 14:25










  • @kelalaka Have you looked at the penguin? That Maarten linked to?
    – Martin Bonner
    Nov 27 '18 at 15:05






  • 1




    @MartinBonner I know the problem years ago. My point, in a video almost all of the data will be different. It will not reveal a pattern. Then, the passive attacker can perform, if knows the video file, only a known-plaintext attack. Since we know that AES secure against KPA, and if I change the AES key for every file, what is the problem?
    – kelalaka
    Nov 27 '18 at 15:17






  • 4




    @kelaka: "My point, in a video almost all of the data will be different. It will not reveal a pattern" I'm not in the slightest bit convinced that is true. I would suggest that using CBC, CTR, or GCM is no more complicated than using ECB, and it saves having to have a long discussion with your reviewer about why it is safe it this case.
    – Martin Bonner
    Nov 27 '18 at 15:22














3












3








3






A videostream should probably not be encrypted with either ECB or CBC.



ECB is insecure for almost anything and it should not / can not be used to turn a block cipher in a secure cipher. This is clearly shown even in the Wikipedia description of the mode: find the penguin.



CBC is secure to keep data confidential. It is, however, susceptible to padding oracle attacks when not used correctly - especially in real time communication. It also doesn't allow e.g. caching of the key stream or parallel encryption, so the performance may be subpar as well. And although it does support seeking, it does require the user to retrieve the ciphertext block before the one that needs decryption.



This is why commonly CTR mode is used instead. Sometimes CTR mode is used in combination with a MAC to offer fast authentication and integrity of the ciphertext. , e.g. GCM mode. GCM mode, however, does undo some of the benefits of CTR mode.




However, probably the most common methods of wrapping a stream is to perform TLS. It does have some overhead, but at least well reviewed implementations exists. It depends if it fits your need.




The amount of tries to get to the key will always be in the neighborhood of $2^{127}$ tries for a (largely) unbroken cipher such as AES. The key is protected by the block cipher itself, rather than the mode of operation.



However, the security of the key only is only part of the security of the cipher. It is perfectly possible for a mode of operation to leak information on the plaintext even if the key is kept perfectly secure. The ECB penguin is a prime example of that. Another is CTR mode with a repeated IV, which turns the cipher into a "many-time pad".






share|improve this answer














A videostream should probably not be encrypted with either ECB or CBC.



ECB is insecure for almost anything and it should not / can not be used to turn a block cipher in a secure cipher. This is clearly shown even in the Wikipedia description of the mode: find the penguin.



CBC is secure to keep data confidential. It is, however, susceptible to padding oracle attacks when not used correctly - especially in real time communication. It also doesn't allow e.g. caching of the key stream or parallel encryption, so the performance may be subpar as well. And although it does support seeking, it does require the user to retrieve the ciphertext block before the one that needs decryption.



This is why commonly CTR mode is used instead. Sometimes CTR mode is used in combination with a MAC to offer fast authentication and integrity of the ciphertext. , e.g. GCM mode. GCM mode, however, does undo some of the benefits of CTR mode.




However, probably the most common methods of wrapping a stream is to perform TLS. It does have some overhead, but at least well reviewed implementations exists. It depends if it fits your need.




The amount of tries to get to the key will always be in the neighborhood of $2^{127}$ tries for a (largely) unbroken cipher such as AES. The key is protected by the block cipher itself, rather than the mode of operation.



However, the security of the key only is only part of the security of the cipher. It is perfectly possible for a mode of operation to leak information on the plaintext even if the key is kept perfectly secure. The ECB penguin is a prime example of that. Another is CTR mode with a repeated IV, which turns the cipher into a "many-time pad".







share|improve this answer














share|improve this answer



share|improve this answer








edited Nov 27 '18 at 13:40

























answered Nov 27 '18 at 13:20









Maarten Bodewes

53k677191




53k677191












  • If a new key generated for every video stream (file), does ECB still problematic?
    – kelalaka
    Nov 27 '18 at 14:13






  • 4




    @kelalaka Yes. Unless you have one key per 16 byte block ECB is always problematic. (Of course if you have one key per 16 byte block you just doubled your data size.)
    – DRF
    Nov 27 '18 at 14:25










  • @kelalaka Have you looked at the penguin? That Maarten linked to?
    – Martin Bonner
    Nov 27 '18 at 15:05






  • 1




    @MartinBonner I know the problem years ago. My point, in a video almost all of the data will be different. It will not reveal a pattern. Then, the passive attacker can perform, if knows the video file, only a known-plaintext attack. Since we know that AES secure against KPA, and if I change the AES key for every file, what is the problem?
    – kelalaka
    Nov 27 '18 at 15:17






  • 4




    @kelaka: "My point, in a video almost all of the data will be different. It will not reveal a pattern" I'm not in the slightest bit convinced that is true. I would suggest that using CBC, CTR, or GCM is no more complicated than using ECB, and it saves having to have a long discussion with your reviewer about why it is safe it this case.
    – Martin Bonner
    Nov 27 '18 at 15:22


















  • If a new key generated for every video stream (file), does ECB still problematic?
    – kelalaka
    Nov 27 '18 at 14:13






  • 4




    @kelalaka Yes. Unless you have one key per 16 byte block ECB is always problematic. (Of course if you have one key per 16 byte block you just doubled your data size.)
    – DRF
    Nov 27 '18 at 14:25










  • @kelalaka Have you looked at the penguin? That Maarten linked to?
    – Martin Bonner
    Nov 27 '18 at 15:05






  • 1




    @MartinBonner I know the problem years ago. My point, in a video almost all of the data will be different. It will not reveal a pattern. Then, the passive attacker can perform, if knows the video file, only a known-plaintext attack. Since we know that AES secure against KPA, and if I change the AES key for every file, what is the problem?
    – kelalaka
    Nov 27 '18 at 15:17






  • 4




    @kelaka: "My point, in a video almost all of the data will be different. It will not reveal a pattern" I'm not in the slightest bit convinced that is true. I would suggest that using CBC, CTR, or GCM is no more complicated than using ECB, and it saves having to have a long discussion with your reviewer about why it is safe it this case.
    – Martin Bonner
    Nov 27 '18 at 15:22
















If a new key generated for every video stream (file), does ECB still problematic?
– kelalaka
Nov 27 '18 at 14:13




If a new key generated for every video stream (file), does ECB still problematic?
– kelalaka
Nov 27 '18 at 14:13




4




4




@kelalaka Yes. Unless you have one key per 16 byte block ECB is always problematic. (Of course if you have one key per 16 byte block you just doubled your data size.)
– DRF
Nov 27 '18 at 14:25




@kelalaka Yes. Unless you have one key per 16 byte block ECB is always problematic. (Of course if you have one key per 16 byte block you just doubled your data size.)
– DRF
Nov 27 '18 at 14:25












@kelalaka Have you looked at the penguin? That Maarten linked to?
– Martin Bonner
Nov 27 '18 at 15:05




@kelalaka Have you looked at the penguin? That Maarten linked to?
– Martin Bonner
Nov 27 '18 at 15:05




1




1




@MartinBonner I know the problem years ago. My point, in a video almost all of the data will be different. It will not reveal a pattern. Then, the passive attacker can perform, if knows the video file, only a known-plaintext attack. Since we know that AES secure against KPA, and if I change the AES key for every file, what is the problem?
– kelalaka
Nov 27 '18 at 15:17




@MartinBonner I know the problem years ago. My point, in a video almost all of the data will be different. It will not reveal a pattern. Then, the passive attacker can perform, if knows the video file, only a known-plaintext attack. Since we know that AES secure against KPA, and if I change the AES key for every file, what is the problem?
– kelalaka
Nov 27 '18 at 15:17




4




4




@kelaka: "My point, in a video almost all of the data will be different. It will not reveal a pattern" I'm not in the slightest bit convinced that is true. I would suggest that using CBC, CTR, or GCM is no more complicated than using ECB, and it saves having to have a long discussion with your reviewer about why it is safe it this case.
– Martin Bonner
Nov 27 '18 at 15:22




@kelaka: "My point, in a video almost all of the data will be different. It will not reveal a pattern" I'm not in the slightest bit convinced that is true. I would suggest that using CBC, CTR, or GCM is no more complicated than using ECB, and it saves having to have a long discussion with your reviewer about why it is safe it this case.
– Martin Bonner
Nov 27 '18 at 15:22


















draft saved

draft discarded




















































Thanks for contributing an answer to Cryptography Stack Exchange!


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


Use MathJax to format equations. MathJax reference.


To learn more, see our tips on writing great answers.





Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


Please pay close attention to the following guidance:


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f64351%2fsecurity-of-aes-after-key-expansion-4-mb-with-ecb-and-cbc%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







-

Popular posts from this blog

Quarter-circle Tiles

Image
up vote 0 down vote favorite I have $99$ identical square tiles, each with a quarter-circle drawn on it like this: [asy] size(1.5cm); draw(Arc((2,0),1,90,180),red+1); draw((0,0)--(2,0)--(2,2)--(0,2)--(0,0)); [/asy] When I arrange the tiles in a $9times 11$ rectangular grid, each with a random orientation, what is the expected value of the number of full circles I form? I think this problem has to do with finding the chance any given 2x2 square has a circle, but I can't find it. expected-value share | cite | improve this question asked Nov 20 at 15:03 6minecraftninja 1 2
Read more

build a pushdown automaton that recognizes the reverse language of a given pushdown automaton?

Image
0 I think it's similiar to NFAs. I replace the finite states of the given automaton for start-states for my new automaton. I do it with $epsilon$ -transition from the start state to the actual finite states of the given automaton. The start state of the given automaton will be my accepting(finite) state of my new one. All transitions will be reversed of course to recognize the reversed word. But how do I have to change the stack of the pushdown automaton? That's tricky. formal-languages automata context-free-grammar share | cite | improve this question edited Nov 29 '18 at 14:20 joee
Read more

Mont Emei

Image
Mont Emei.mw-parser-output .entete.map{background-image:url("//upload.wikimedia.org/wikipedia/commons/7/7a/Picto_infobox_map.png")} Vue du sommet Wanfo du mont Emei Géographie Altitude 3 099  m , Wanfo Coordonnées 29° 31′ 11″ nord, 103° 19′ 57″ est Administration Pays   Chine Province Sichuan Ville-préfecture Leshan Géolocalisation sur la carte : Sichuan Mont Emei Géolocalisation sur la carte : Chine Mont Emei modifier   Paysage panoramique du mont Emei, incluant le paysage panoramique du grand Bouddha de Leshan *   Patrimoine mondial de l'UNESCO Passerelle en bois sur le versant ouest Pays   Chine Subdivision Sichuan Type Mixte Critères (iv) (vi) (x) Superficie 15 400 ha Numéro d’identification 779 Zone géographique Asie et Pacifique  ** Année d’inscription 1996 (20 e session) * Descriptif officiel UNESCO ** Classification géog
Read more