-------------------------------------------------------------------------------

OpenSSL   AES-256-CBC
           |   |   `--- Mode or how multiple 'blocks' are handled
           |   `------- The size of the block encryption
           `----------- The cypher used

-------------------------------------------------------------------------------
Cyphers...

AES   Advanced Encryption Standard (adopted by NIST after a major competition).
      It was called "Rijndael" during the competition before it became
      the standard.

-------------------------------------------------------------------------------
Modes...

ECB - Electronic Code Book

  Just apply the block cypher to each block without change.

  You can parallelize the encryption, as each block is encrypted separately
  from every other block.

  This can show up patterns in the ciphertext for repeated blocks of the same
  plaintext, like all zeros, or the same message repeated over and over.

  Classic failure example: applied to an image, the image is vaguely visible
  as a shadow of the original image, due to repeated text blocks.
  Example: https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation

  The other modes were created to randomise later blocks, to prevent this.

CBC - Cipher Block Chaining

  The result of the previous code block is XOR'd with the next block of clear
  text, before being encrypted. A random IV (initialization vector) is used
  to XOR against the first block to start the process.

  Slow to encrypt, as encryption cannot be parallelized: every block depends
  on the last.

  BUT... You can decrypt from the middle, by reading the previous block as
  well. This allows you to parallelize decryption, working on different
  sections simultaneously, which is a big advantage for large files.

  If an error or change (in plaintext or ciphertext) occurs, two blocks will
  be lost, not one. Similarly, if the wrong IV is used the first block will
  be corrupt.

OFB - Output Feedback

  The random IV is encrypted to make the XOR pad of the first block;
  that pad is then encrypted to make the pad of the next block.

  Essentially the IV is repeatedly encrypted to make one LARGE pad.
  The pads are XOR'ed against the plain text.
  This essentially converts an IV into a very long unique pad.

  No parallelization is possible in encrypting or decrypting.
  It turns a block cipher into a stream cipher.

CTR - Counter (also known as ICM and SIC)

  A large unique 'nonce' (IV) is used for the first block, nonce+1 for the
  second, and so on. These nonce counters are then encrypted, and then used
  to XOR against the incoming clear text block.

  You can independently encrypt/decrypt any block, which also allows you to
  parallelize the encryption and decryption processes, with full random
  access.

  A 'MAC' is recommended to ensure integrity of data.

--- Variations

CFB - Cipher Feedback

  The IV or previous ciphertext is encrypted and XOR'ed against the plaintext.
  Decryption is almost identical to normal CBC.

  A change in plaintext changes everything that follows,
  while a change in ciphertext only affects the next two blocks.
  This makes it much stronger than CBC.

PCBC - Propagating CBC

  Both plaintext and cyphertext are XOR'ed against the next plaintext block.
  In this way any error propagates all the way through to the end of the
  decrypted message.

  No parallelization is possible at all.

-------------------------------------------------------------------------------
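
Added example (not part of the original notes): the ECB and CBC behaviour
described above, run over a stand-in block cipher. The 4-round Feistel
network, the key, the fixed IV and the sample plaintext are all constructed
assumptions for the demo, it is NOT AES, and it handles whole blocks only.

```python
import hashlib
BS = 16  # block size in bytes, same as AES

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def feistel(key, blk, rounds):  # stand-in block cipher, NOT AES (assumption)
    l, r = blk[:8], blk[8:]
    for rnd in rounds:
        l, r = r, xor(l, hashlib.sha256(key + bytes([rnd]) + r).digest()[:8])
    return r + l  # final swap: same code decrypts with the rounds reversed

def enc_block(key, blk):
    return feistel(key, blk, range(4))
def dec_block(key, blk):
    return feistel(key, blk, reversed(range(4)))

def blocks(data):
    return [data[i:i + BS] for i in range(0, len(data), BS)]

def ecb_encrypt(key, pt):  # every block encrypted on its own
    return b"".join(enc_block(key, b) for b in blocks(pt))

def cbc_encrypt(key, iv, pt):  # serial: each block needs the previous result
    out = [iv]
    for b in blocks(pt):
        out.append(enc_block(key, xor(b, out[-1])))
    return b"".join(out[1:])

def cbc_decrypt(key, iv, ct):  # block i needs only ciphertext blocks i-1 and i
    prev = [iv] + blocks(ct)
    return b"".join(xor(dec_block(key, c), p) for p, c in zip(prev, prev[1:]))

def repeats(ct):  # ciphertext blocks that duplicate an earlier block
    return len(blocks(ct)) - len(set(blocks(ct)))
def damaged(a, b):  # indexes of the blocks that differ between a and b
    return [i for i, (x, y) in enumerate(zip(blocks(a), blocks(b))) if x != y]

# Constructed sample: four all-zero blocks, then one 16-byte message twice.
KEY, IV = b"constructed demo key", bytes(range(BS))  # real IVs must be random
PT = bytes(4 * BS) + b"sixteen byte msg" * 2
CT = cbc_encrypt(KEY, IV, PT)
FLIPPED = CT[:2 * BS] + bytes([CT[2 * BS] ^ 1]) + CT[2 * BS + 1:]  # 1 bit, block 2

if __name__ == "__main__":
    print("repeated blocks, ECB vs CBC:", repeats(ecb_encrypt(KEY, PT)), repeats(CT))
    print("blocks lost to the flip:", damaged(PT, cbc_decrypt(KEY, IV, FLIPPED)))
    print("from the middle:", cbc_decrypt(KEY, CT[2 * BS:3 * BS], CT[3 * BS:5 * BS]))
```

The last print decrypts blocks 3 and 4 alone, using ciphertext block 2 in
place of the IV, which is the "decrypt from the middle" property of CBC.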