Bob ‘n Alice On Security

Helping to Avoid a False Sense of Security

Archive for the ‘Uncategorized’ Category

Friends Don’t Let Friends Use ECB-Mode Encryption

leave a comment »

A number of companies create a false sense of security by using weak encryption modes in their products or services. Customers think they are covered because they’re using cutting edge AES encryption, when in reality the mode of that encryption leaves them vulnerable.

In particular, Electronic Codebook or ECB mode encryption is poor at hiding data patterns, as identical blocks of plaintext are coded into identical blocks of ciphertext. This makes it ineffective at encrypting certain types of data, especially that stored in images or BLOBs.

Here is a well known example of ECB mode encryption at work:

Original

Original

Original

ECB Mode Encrypted

Securely Encrypted

Securely Encrypted

As you can see, in ECB mode the outline of Tux the penguin can still be easily made out despite the encryption. There are a number of alternative encryption modes that avoid this weakness, but the one perhaps most frequently found is Cipher-Block Chaining or CBC mode encryption. It is generally agreed within the cryptographic community that CBC is superior to ECB, and that the latter should be avoided in most cases.

Despite this, many companies – especially those for whom security is an add-on to insecure offerings – sell security products or services that use ECB mode encryption because it is cheaper and easier to implement. Often they hide this fact deep in technical specs or avoid mentioning their encryption mode at all. Here are three such companies in the secure flash drive space and their guilty offerings:

As always, stay safe and avoid a false sense of security.

Written by Alice

January 28, 2009 at 20:54

Posted in Uncategorized