PHP: Mcrypt - which mode?

Industrial picture Industrial · Feb 24, 2011 · Viewed 12.1k times · Source

I've been testing out the various modes available in PHP's mcrypt function. ECB is the mode used in most tutorials, but isn't recommended by both the just linked page and some users, so I reckon that either CBC or CFB should do the trick.

The PHP documentation isn't too fat in it's comparision of the different modes available to mcrypt and instead refers to the book of 'Applied Cryptography by Schneier', which I am not too keen to buy for the moment.

So which of the mcrypt-modes do I want to use and why?

Answer

aaz picture aaz · Feb 24, 2011

mcrypt actually implements more modes than listed, you can use the string names to access them:

  • cbcCBC mode
  • cfb – 8-bit CFB mode;
  • ncfb – block-size CFB mode;
  • nofbOFB mode (not ofb);
  • ctrCTR mode.

The modes differ in implementation details, so their suitability depends on your data and environment.

Padding:

  • CBC mode only encrypts complete blocks, so mcrypt pads your plaintext with zero bytes unless you implement your own padding.

  • CFB, OFB and CTR modes encrypt messages of any length.

Initialization vector:

  • CBC and CFB modes require a random IV (don't use MCRYPT_RAND).

  • OFB mode merely requires a unique IV (e.g. a global counter, maybe the database primary key if rows are never modified or deleted).

  • CTR requires that each counter block is unique (not just the IV of the message, which is the first counter block, but the rest, formed by incrementing the counter block by 1 for each block of the message).

More information in the NIST recommendations.

There are differences in performance which should be unimportant in PHP, such as whether encryption or decryption can be parallelized and how many cipher iterations are used per block (usually one, but 16 in 8-bit CFB mode).

There are differences in malleability which should be unimportant because you will apply a MAC.

And there may be differences in their security, but for that you should consult a cryptographer.