Classic modes of operation for symmetric block ciphers¶
Block ciphers are often only used together with a mode of operation.
When you create a block cipher object with the new()
function,
the second argument (after the cryptographic key) is a constant
that sets the desired mode of operation. For instance:
>>> from Crypto.Cipher import AES
>>>
>>> cipher = AES.new(key, AES.MODE_CBC)
Constants are defined at the module level for each cipher algorithm,
and their names start with MODE_
(for instance Crypto.Cipher.AES.MODE_CBC
).
This is the list of all classic modes (more modern modes are described in another section). Mind the not all modes are available for all block ciphers.
ECB mode¶
Constant: Crypto.Cipher.<cipher>.MODE_ECB
.
Electronic CodeBook. A weak mode of operation whereby the cipher is applied in isolation to each of the blocks that compose the overall message.
This mode should not be used because it is not semantically secure and it exposes correlation between blocks.
encrypt()
and decrypt()
methods only accept data
having length multiple of the block size.
CBC mode¶
Constant: Crypto.Cipher.<cipher>.MODE_CBC
.
Ciphertext Block Chaining, defined in NIST SP 800-38A, section 6.2. It is a mode of operation where each plaintext block is XOR-ed with the last produced ciphertext block prior to encryption.
The new()
function expects the following extra parameters:
iv
(byte string): an unpredictable Initialization Vector- of length equal to the block size
(e.g. 16 bytes for
Crypto.Cipher.AES
). If not present, a random IV will be created.
encrypt()
and decrypt()
methods only accept data
with length multiple of the block size. You might need to
use Crypto.Util.Padding
.
The cipher object has a read-only attribute iv
.
CFB mode¶
Constant: Crypto.Cipher.<cipher>.MODE_CFB
.
Cipher FeedBack, defined in NIST SP 800-38A, section 6.3. It is a mode of operation which turns the block cipher into a stream cipher, with the plaintext getting XOR-ed with a keystream to obtain the ciphertext. The keystream is the last produced cipertext encrypted with the block cipher.
The new()
function expects the following extra parameters:
iv
(byte string): an non-repeatable Initialization Vectorof length equal to the block size (e.g. 16 bytes for
Crypto.Cipher.AES
). If not present, a random IV will be created.
segment_size
(integer): the number of bits the plaintext and theciphertext are segmented in (default if not specified: 8).
The cipher object has a read-only attribute
iv
.
OFB mode¶
Constant: Crypto.Cipher.<cipher>.MODE_OFB
.
Output FeedBack, defined in NIST SP 800-38A, section 6.4. It is another mode that leads to a stream cipher. The keystream is obtained by recursively encrypting the IV.
The new()
function expects the following extra parameters:
iv
(byte string): an non-repeatable Initialization Vector- of length equal to the block size
(e.g. 16 bytes for
Crypto.Cipher.AES
). If not present, a random IV will be created.
The cipher object has a read-only attribute iv
.
CTR mode¶
Constant: Crypto.Cipher.<cipher>.MODE_CTR
.
CounTeR mode, defined in NIST SP 800-38A, section 6.5 and Appendix B. It is another mode that leads to a stream cipher. The keystream is obtained by encrypting a block counter, which is the concatenation of a nonce (fixed during the computation) to a counter field (ever increasing).
The new()
function expects the following extra parameters:
nonce
(byte string): a mandatory non-repeatable value,- of length between 0 and block length minus 1.
initial_value
(integer): the initial value for the counter field- (default if not specified: 0).
The cipher object has a read-only attribute nonce
.
OpenPGP mode¶
Constant: Crypto.Cipher.<cipher>.MODE_OPENPGP
.
OpenPGP (defined in RFC4880). A variant of CFB, with two differences:
- The first invokation to the
encrypt()
method returns the encrypted IV concatenated to the first chunk on ciphertext (as opposed to the ciphertext only). The encrypted IV is as long as the block size plus 2 more bytes. - When the cipher object is intended for decryption,
the parameter
iv
tonew()
is the encrypted IV (and not the IV, which is still the case for encryption).
Like for CTR, any cipher object has a read-only attribute iv
.