PHP: Mcrypt - which mode?
mcrypt
actually implements more modes than listed, you can use the string names to access them:
-
cbc
– CBC mode -
cfb
– 8-bit CFB mode; -
ncfb
– block-size CFB mode; -
nofb
– OFB mode (notofb
); -
ctr
– CTR mode.
The modes differ in implementation details, so their suitability depends on your data and environment.
Padding:
CBC mode only encrypts complete blocks, so
mcrypt
pads your plaintext with zero bytes unless you implement your own padding.CFB, OFB and CTR modes encrypt messages of any length.
Initialization vector:
CBC and CFB modes require a random IV (don't use
MCRYPT_RAND
).OFB mode merely requires a unique IV (e.g. a global counter, maybe the database primary key if rows are never modified or deleted).
CTR requires that each counter block is unique (not just the IV of the message, which is the first counter block, but the rest, formed by incrementing the counter block by 1 for each block of the message).
More information in the NIST recommendations.
There are differences in performance which should be unimportant in PHP, such as whether encryption or decryption can be parallelized and how many cipher iterations are used per block (usually one, but 16 in 8-bit CFB mode).
There are differences in malleability which should be unimportant because you will apply a MAC.
And there may be differences in their security, but for that you should consult a cryptographer.
Related videos on Youtube
Industrial
I just want to lie on the beach and eat hot dogs. That’s all I’ve ever wanted. Really.
Updated on February 25, 2020Comments
-
Industrial about 4 years
I've been testing out the various modes available in PHP's
mcrypt
function. ECB is the mode used in most tutorials, but isn't recommended by both the just linked page and some users, so I reckon that either CBC or CFB should do the trick.The PHP documentation isn't too fat in it's comparision of the different modes available to
mcrypt
and instead refers to the book of 'Applied Cryptography by Schneier', which I am not too keen to buy for the moment.So which of the
mcrypt
-modes do I want to use and why?-
KJYe.Name about 13 yearsnot duplicate but helpful post stackoverflow.com/questions/2809855/… hi kevin ;)
-
Industrial about 13 yearsYeah I know that post, it's my own, but I still miss out any pros/cons of the different modes that available to
mcrypt
. Why choose CBC over CFC?
-
-
Industrial about 13 yearsThanks for the extensive reply @aaz!
-
buggedcom over 12 years@aaz - you say "(don't use MCRYPT_RAND)" can I ask why?
-
aaz over 12 years@buggedcom – The security of these modes depends on the IV being unpredictable.
MCRYPT_RAND
uses the PHP random number generator, which may or may not satisfy this requirement. It might be connected to a hardware RNG, or it might return the digits of π. But you can checkman 4 random
on your system to see that/dev/random
is intended for generating cryptographic material, and the defaultMCRYPT_DEV_RANDOM
uses that. -
greggles about 11 yearsI know this is an old question/answer, but what about padding with ecb? How does it work?
-
The Onin about 9 years@greggles You do not need to worry about it, in ECB mode.