Why ECB is not a good mode of operation

n33ds0n · March 31, 2021, 4:51pm

I have read lot of pdf and online content on symmetry cryptography, 90% of the sources I learned from says that ECB mode is a bad mode of operation due to known-plaintext attack.

My question is, how can an attacker be able to know the plaintext of a cipher text that are the same without the key, although when the same plaintext is encrypted in ECB mode, the cipher text is the same, but how can an attacker be able to know the plaintext of the same cipher text without knowing the key.

it is through guessing or what?

Just wanna know.

vict0ni · April 2, 2021, 7:34am

The attacker cannot find out the plaintext just by observing the ciphertext. ECB mode it is not directly insecure. Due to the fact that the same plaintexts are getting encrypted to the same ciphertexts, it gives the attacker the advantage of knowing that two plaintexts are identical by observing the encrypted data. A very simple example would be this:

Say an attacker is in the middle of your communication with the internet. If you use the same password for 2 services, say facebook and twitter, the attacker can see this because the password ciphertexts are the same. And this should not happen, the attacker shouldn’t get any information out of the interception.

Using ECB mode would also allow an attacker to locate patterns inside a ciphertext due to a possible repetition of a plaintext. Also, ECB is deterministic, meaning that the same plaintext encrypted with the same key will always produce the same output.

n33ds0n · April 2, 2021, 8:56am

Thanks, yeah it just give the attacker the advantage of knowing that two plaintext are identical, which means that having same cipher text doesn’t mean it would be easier to decrypt, because it still still require the key,
but if the attacker is able to guess the plaintext of a cipher text, that means he automatically know the plaintext of the other same ciphertext.

crimsonRain · April 20, 2021, 8:39am

To build on top of what @vict0ni said, one of the popular attacks on ECB is “Byte at a Time Decryption” (Probably what you’re looking for). Assuming you have access to some function AES-ECB(text, key) that works in ECB mode and you can repeatedly call it. It is possible to decrypt the ciphertext, a byte at a time without knowing the key by simply manipulating the text argument to the AES-ECB function. I’d suggest playing around with cryptopals to have more hands-on experience with this technique.

The following may not be related, but more knowledge shouldn’t hurt. Note that modes of operation have a specific use case and pretty much ECB is if you require high performance in a system but barely any security. However, GCM mode is also highly performant but entails good security which is why you see its frequent use… We can also differentiate between ECB and GCM by the fact that GCM lacks the determinism of ECB as there is an IV which is a source of randomness and as mentioned, “Like all counter modes, this is essentially a stream cipher, and so it is essential that a different IV is used for each stream that is encrypted”. In the end, if you use crypto code and need a symmetric cipher, AES is good enough in all three modes, it’s just that you have to be careful which mode of operation to use.