AES-CBC Mode Encryption

Understand AES-CBC (Cipher Block Chaining) mode encryption, its chaining mechanism, padding requirements, and why it needs a separate MAC for integrity. Browser-based demo included.

Detailed Explanation

AES-CBC: Block Chaining Encryption

AES-CBC (Cipher Block Chaining) is one of the oldest and most widely deployed AES modes. Each plaintext block is XORed with the previous ciphertext block before it is encrypted, so every ciphertext block depends on the IV and on every plaintext block before it, and two identical plaintext blocks no longer produce identical ciphertext blocks (the weakness of ECB).

The Chaining Mechanism

Block 1:  Ciphertext₁ = AES_Encrypt(Plaintext₁ XOR IV)
Block 2:  Ciphertext₂ = AES_Encrypt(Plaintext₂ XOR Ciphertext₁)
Block 3:  Ciphertext₃ = AES_Encrypt(Plaintext₃ XOR Ciphertext₂)

The IV (Initialization Vector) stands in for the "previous ciphertext block" when the first block is encrypted. Decryption simply reverses the chain: Plaintext_i = AES_Decrypt(Ciphertext_i) XOR Ciphertext_{i-1}, so block i can be decrypted from Ciphertext_i and Ciphertext_{i-1} alone. The IV must be fresh and unpredictable for every encryption under a given key. Unlike GCM, where the nonce only has to be unique, a CBC IV that an attacker can predict before choosing their plaintext lets them test guesses about a secret block; TLS 1.0 used the last ciphertext block of the previous record as the next IV, which is what the BEAST attack exploited. Reusing an IV with the same key also reveals whether two messages start with the same blocks. Take the IV from a CSPRNG and send it alongside the ciphertext; it does not need to be secret.

Padding Requirement

AES operates on fixed 16-byte blocks, so CBC can only process a whole number of blocks. If the plaintext is not a multiple of 16 bytes it must be padded up to the next block boundary. The most common padding scheme is PKCS#7 (RFC 5652):

Plaintext:    "Hello"  (5 bytes)
After padding: "Hello\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" (16 bytes)

Each padding byte holds the number of padding bytes added, so the count is always between 1 and 16. A plaintext that is already a multiple of 16 bytes receives a full extra block of sixteen 0x10 bytes, so padding is always present and can always be stripped unambiguously. During decryption the receiver reads the last byte n, checks that the final n bytes all equal n, and removes them; the outcome of that check is exactly what a padding oracle attack observes.

Padding Oracle Attacks

CBC's best-known weakness is the padding oracle attack (Vaudenay, 2002). An attacker who can submit modified ciphertexts and learn whether decryption produced valid padding (a distinct error message, a different status code, or a measurable timing difference) can recover the plaintext block by block without the key: because Plaintext_i = AES_Decrypt(Ciphertext_i) XOR Ciphertext_{i-1}, tampering with Ciphertext_{i-1} and watching the padding verdict reveals AES_Decrypt(Ciphertext_i) one byte at a time, at most 256 queries per byte. The same equation makes CBC malleable: flipping a bit in one ciphertext block flips the same bit in the next plaintext block, and only an integrity check can catch that. This is why:

  1. CBC should never be used without a MAC (e.g., HMAC-SHA256) under a key separate from the encryption key.
  2. The MAC should be computed over the IV and the ciphertext (encrypt-then-MAC) and verified with a constant-time comparison before anything is decrypted, so a forged ciphertext never reaches the padding check. MAC-then-encrypt, as used by the CBC cipher suites of TLS 1.0 to 1.2, is what made the Lucky 13 timing attack possible.
  3. Padding validation should still take the same time whether or not the padding is valid, as defence in depth.

CBC vs GCM

Feature          CBC                                              GCM
Authentication   Requires a separate MAC (e.g., HMAC-SHA256)      Built in (authentication tag, plus optional AAD)
Parallelism      Encryption is sequential; decryption             Encryption and decryption both parallel
                 parallelises, since P_i needs only C_i, C_{i-1}
Padding          Required (PKCS#7)                                Not required (counter-mode keystream)
Main pitfall     Padding oracle; ciphertext is malleable          Nonce reuse under one key (leaks plaintext XOR
                                                                  and the authentication key)
Performance      Slower (serial dependency per block)             Faster with AES-NI and carry-less multiply

When to Use CBC

CBC remains relevant in legacy systems, hardware that lacks GCM support, and older protocol versions (the CBC cipher suites of TLS 1.0 to 1.2; TLS 1.3 removed them). For new applications AES-GCM, or AES-GCM-SIV where an accidental nonce repeat must not be catastrophic, is preferred because authentication is built in, which removes the need to implement encrypt-then-MAC correctly and to keep padding validation free of side channels.

Use Case

AES-CBC is encountered in legacy enterprise systems, older TLS configurations (the CBC cipher suites of TLS 1.0 to 1.2), disk encryption (LUKS with AES-CBC-ESSIV), database field encryption in existing applications, and file formats such as PKCS#12 and older PDF encryption. Understanding CBC is essential for security audits, for planning a migration from CBC to GCM, and for working with systems that predate authenticated encryption modes.
