Changing block cipher mode

As well as the MCRYPT_MODE_CFB we used in the example, PHP makes several other block cipher modes available. Because your plaintext is likely to be longer than the cipher's block size, the encryption algorithm splits it into blocks of that size and encrypts each of them individually. The block cipher mode lets you choose how the algorithm should modulate the encryption of these blocks, if at all. The options are:

  • MCRYPT_MODE_ECB. ECB stands for Electronic Codebook, and is the most basic of all cipher modes - it simply splits your plaintext into blocks of the cipher's block size and encrypts them separately, with no further processing. The problem with this is that if any of your plaintext blocks are the same, their encrypted versions will be the same too, which makes hacking your encryption much easier. ECB is therefore quite insecure, and not recommended - stay well clear of it.

  • MCRYPT_MODE_CBC. CBC stands for Cipher Block Chaining, and is the most popular block cipher mode. It works by XORing each plaintext block of text against the plaintext block preceding it, then encrypting it - this makes duplicate plaintext blocks different when encrypted.

  • MCRYPT_MODE_CFB. CFB stands for Cipher Feedback, and works by XORing each block of plaintext with the ciphertext from the preceding block.

  • MCRYPT_MODE_OFB. OFB stands for Output Feedback, and works by creating a pseudo-random stream that is XORed against the plaintext to get the ciphertext. OFB is often used to reduce the chance of error in transmission of encrypted data, because an error in one OFB block will not affect following blocks.

Most programmers will not need to worry too much about which block cipher mode to use, as they are only as secure as the encryption algorithm underlying them. CBC is the most popular and is secure enough for most purposes, so stick with it unless you have a specific reason to change.
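
The ECB weakness described above can be seen directly by counting repeated ciphertext blocks under ECB and under CBC. This is an added example, not code from the original tutorial: it assumes PHP 7 or later and uses the OpenSSL extension with AES-128 in place of mcrypt (which is no longer bundled with PHP from 7.2 onwards), and the key, IV and sample records are constructed for the demonstration.

```php
<?php
// Added example, not from the original tutorial. Uses ext/openssl with AES-128
// as a stand-in for mcrypt; the ECB/CBC comparison is the same for any block cipher.
const BLOCK_SIZE = 16; // AES block size in bytes

/** Return the ciphertext blocks (hex) that occur more than once, with their counts. */
function repeatedBlocks(string $ciphertext): array
{
    $counts = array_count_values(str_split(bin2hex($ciphertext), BLOCK_SIZE * 2));
    return array_filter($counts, function ($n) { return $n > 1; });
}

/** Encrypt with AES-128 in the given mode ('ecb' or 'cbc'); ECB takes no IV. */
function encrypt(string $mode, string $plaintext, string $key, string $iv = ''): string
{
    $out = openssl_encrypt($plaintext, "aes-128-$mode", $key, OPENSSL_RAW_DATA, $iv);
    if ($out === false) {
        throw new RuntimeException('openssl_encrypt failed: ' . openssl_error_string());
    }
    return $out;
}

$key       = random_bytes(16);          // constructed demo key
$iv        = random_bytes(BLOCK_SIZE);  // fresh random IV for CBC
$record    = 'acct=0001;amt=50';        // constructed record, exactly one block long
$plaintext = str_repeat($record, 3) . 'acct=0002;amt=75';

foreach (['ecb' => '', 'cbc' => $iv] as $mode => $modeIv) {
    $ct    = encrypt($mode, $plaintext, $key, $modeIv);
    $dupes = repeatedBlocks($ct);
    printf("%s: %d blocks, %d repeated value(s)\n",
        strtoupper($mode), strlen($ct) / BLOCK_SIZE, count($dupes));
    foreach ($dupes as $hex => $n) {
        printf("  %s x%d\n", $hex, $n);
    }
}
```

Under ECB the three identical records produce three identical ciphertext blocks, so the repetition in the data is visible without the key; under CBC with a random IV no block repeats.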


Copyright ©2015 Paul Hudson.