17

I've been testing out the various modes available in PHP's mcrypt function. ECB is the mode used in most tutorials, but isn't recommended by both the just linked page and some users, so I reckon that either CBC or CFB should do the trick.

The PHP documentation isn't too fat in it's comparision of the different modes available to mcrypt and instead refers to the book of 'Applied Cryptography by Schneier', which I am not too keen to buy for the moment.

So which of the mcrypt-modes do I want to use and why?

Improve this question
2
  • 1
    not duplicate but helpful post stackoverflow.com/questions/2809855/… hi kevin ;) Commented Feb 24, 2011 at 17:45
  • Yeah I know that post, it's my own, but I still miss out any pros/cons of the different modes that available to mcrypt. Why choose CBC over CFC? Commented Feb 24, 2011 at 17:46

1 Answer 1

Reset to default
23

mcrypt actually implements more modes than listed, you can use the string names to access them:

  • cbcCBC mode
  • cfb – 8-bit CFB mode;
  • ncfb – block-size CFB mode;
  • nofbOFB mode (not ofb);
  • ctrCTR mode.

The modes differ in implementation details, so their suitability depends on your data and environment.

Padding:

  • CBC mode only encrypts complete blocks, so mcrypt pads your plaintext with zero bytes unless you implement your own padding.

  • CFB, OFB and CTR modes encrypt messages of any length.

Initialization vector:

  • CBC and CFB modes require a random IV (don't use MCRYPT_RAND).

  • OFB mode merely requires a unique IV (e.g. a global counter, maybe the database primary key if rows are never modified or deleted).

  • CTR requires that each counter block is unique (not just the IV of the message, which is the first counter block, but the rest, formed by incrementing the counter block by 1 for each block of the message).

More information in the NIST recommendations.

There are differences in performance which should be unimportant in PHP, such as whether encryption or decryption can be parallelized and how many cipher iterations are used per block (usually one, but 16 in 8-bit CFB mode).

There are differences in malleability which should be unimportant because you will apply a MAC.

And there may be differences in their security, but for that you should consult a cryptographer.

Improve this answer
Sign up to request clarification or add additional context in comments.

5 Comments

Thanks for the extensive reply @aaz!
@aaz - you say "(don't use MCRYPT_RAND)" can I ask why?
@buggedcom – The security of these modes depends on the IV being unpredictable. MCRYPT_RAND uses the PHP random number generator, which may or may not satisfy this requirement. It might be connected to a hardware RNG, or it might return the digits of π. But you can check man 4 random on your system to see that /dev/random is intended for generating cryptographic material, and the default MCRYPT_DEV_RANDOM uses that.
I know this is an old question/answer, but what about padding with ecb? How does it work?
@greggles You do not need to worry about it, in ECB mode.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.