Why is ECB (Electronic Codebook) mode insecure?
ECB encrypts each block independently with the same key, so identical plaintext blocks produce identical ciphertext blocks — this leaks patterns in the data.
* ECB encrypts each block independently, so identical plaintext blocks leak as identical ciphertext blocks. *
The flaw is conceptual rather than a bug: by being a deterministic, stateless codebook, ECB faithfully preserves every repetition that was in the plaintext, so it fails the most basic requirement that ciphertext should look random. Everything below is a consequence of that one property.
How ECB works:
C_i = E(K, M_i) (each block encrypted independently)
The famous penguin problem:
- Encrypt a bitmap image with ECB → the image is still recognizable because areas of identical color produce identical ciphertext blocks
- This is the most dramatic demonstration of why ECB fails
Problems:
- Patterns in plaintext are preserved in ciphertext
- Block reordering attacks: an attacker can rearrange ciphertext blocks
- Block substitution attacks: replace one block with another from a different message
The one advantage: Parallelizable — all blocks can be encrypted simultaneously
When ECB is acceptable: Only for encrypting a single block (e.g., encrypting a single AES key). Never for multi-block data.
Tip: If someone suggests ECB for anything more than a single block, it's almost certainly wrong. The "ECB penguin" is a classic crypto meme for a reason.
Go deeper:
Block cipher mode of operation (Wikipedia) — the ECB penguin and why deterministic modes fail.
NIST SP 800-38A — modes of operation — the authoritative definitions of ECB, CBC, OFB, CTR.