What is a mode of operation for a block cipher, and why must one always be specified?
A mode of operation defines how multiple blocks are chained together. A block cipher only encrypts one block (e.g. 128 bits); the mode says how to handle longer messages.
A bare block cipher answers "encrypt 16 bytes with this key" — but real messages are gigabytes. The mode chooses:
- How to split the message into blocks.
- How to handle the last (possibly partial) block (padding).
- How blocks are linked so identical plaintext blocks don't always produce identical ciphertext blocks.
- Whether you need an Initialisation Vector (IV) and what role it plays.
The same block cipher (AES, Twofish, Camellia) becomes a completely different security profile depending on the mode.
Common modes and their personalities:
| Mode | Confidentiality | Integrity | Parallelisable | Notes |
|---|---|---|---|---|
| ECB (Electronic Code Book) | ❌ (leaks patterns) | ❌ | ✅ | Avoid — textbook bad |
| CBC (Cipher Block Chaining) | ✅ | ❌ | ❌ encrypt / ✅ decrypt | Padding-oracle attacks possible |
| CTR (Counter) | ✅ | ❌ | ✅ | Turns block cipher into stream cipher |
| GCM (Galois/Counter Mode) | ✅ | ✅ (AEAD) | ✅ | Modern default for TLS, SSH |
| CCM | ✅ | ✅ (AEAD) | Limited | Used by WPA2, ZigBee |
Tip: Authenticated Encryption with Associated Data (AEAD) modes like AES-GCM and ChaCha20-Poly1305 are today's defaults — they bundle confidentiality and integrity in one primitive, eliminating an entire class of bugs (padding oracles, MAC-then-encrypt errors).