Introduction
In the realm of cryptography, encryption and decryption often take center stage, mostly achieved by symmetric encryption algorithms like AES, DES and Blowfish. These algorithms mathematically protect your data with keys of various lengths, with 128-bit and 256-bit keys being common choices. While it is true that longer key lengths provide better security, choosing “how” to repeatedly apply these algorithms to your data is in fact far more important.
This is where the block cipher mode of operation comes into play. The modes of operation define different ways to repeatedly apply a cryptographic algorithm to blocks of data, each having different strengths, advantages and disadvantages. This is also the reason that we normally see symmetric algorithms written together with a block cipher mode of operation. For example:
- AES-128-CBC
- AES-256-CTR
- AES-128-ECB
In this blog, I will explain the 5 popular block cipher modes with their advantages and disadvantages, and summarize how to choose the ideal mode for your application.
ECB – Electronic Code Book
The simplest and least secure block cipher mode. Each block is encrypted and decrypted with the encryption key without additional sources of randomness. It is generally not recommended by many software applications today. The following diagram illustrates ECB block cipher mode:

Advantages:
- Simple implementation
- Faster execution
- Parallel encryption is possible
Disadvantages:
- Not enough randomness. Recognizable pattern.
- Requires padding if plaintext data is not a multiple of block size
- The same plaintext data produces the same ciphertext data. This lack of variability allows an attacker to capture the encrypted data from one session and replay it in another.
CBC – Cipher Block Chaining
CBC block cipher mode uses an additional parameter called IV (initialization vector) to increase the randomness. The size of IV is the same as the block size, which is normally 128 bits, or 16 bytes. The value of IV is normally generated randomly for each encryption operation to maximize the security. This IV is XORed with the plaintext of the first block. For subsequent blocks, the previous ciphertext is XORed with the plaintext data. Due to this chaining nature, the same plaintext blocks will produce different ciphertext blocks. The following diagram illustrates CBC block cipher mode:

Advantages:
- Somewhat simple implementation
- Duplicate plaintext produces different ciphertext
- More secure. Provides protection against known-plaintext attacks
- Parallel Decryption
Disadvantages:
- Sequential processing. Parallel encryption is not possible. Processing may be slower
- IV management. To ensure security, each encryption operation shall use a unique IV. How to securely protect and synchronize IV between all nodes is a challenge
- Requires padding if plaintext data is not a multiple of block size
- One wrong block affects all subsequent blocks
- Does not protect against replay attacks.
- Slower than ECB.
- Vulnerable to padding oracle attack
CFB – Cipher Feedback
CFB block cipher mode encrypts plaintext of arbitrary length as a stream cipher rather than a block cipher. This means that no padding byte is necessary if the data length is not a multiple of the block size. It also uses an IV value, which is first encrypted by the cryptographic algorithm and then XORed with plaintext data to produce the final ciphertext data. The following diagram illustrates CFB block cipher mode:

Advantages:
- Bit-level operation. CFB cipher mode can encrypt or decrypt at bit level because it uses XOR (bit-wise operation) to produce the output.
- No padding required.
- Parallel Decryption
Disadvantages:
- Sequential processing. Parallel encryption is not possible. Processing may be slower
- IV management. To ensure security, each encryption operation shall use a unique IV. How to securely protect and synchronize IV between all nodes is a challenge
- Slower than ECB.
- Somewhat complex implementation
- One wrong block will affect subsequent blocks
- Cannot resist replay attack
OFB – Output Feedback
OFB block cipher mode also allows plaintext of arbitrary length to be encrypted as a stream cipher rather than a block cipher. This means that no padding byte is required if the data length is not a multiple of the block size. It also uses an IV value, which is first encrypted by the cryptographic algorithm and then XORed with plaintext data to produce the final ciphertext data. The encrypted IV value is also encrypted again in subsequent blocks. The following diagram illustrates OFB block cipher mode:

Advantages:
- Bit-level operation. OFB cipher mode can encrypt or decrypt at bit level because it uses XOR (bit-wise operation) to produce the output.
- One wrong block will not affect subsequent blocks
- No padding required.
Disadvantages:
- Sequential processing. Parallel encryption is not possible. Processing may be slower
- IV management. To ensure security, each encryption operation shall use a unique IV. How to securely protect and synchronize IV between all nodes is a challenge
- Slower than ECB.
- Somewhat complex implementation
CTR – Counter Block Cipher Mode
CTR block cipher mode also allows plaintext of arbitrary length to be encrypted as a stream cipher rather than a block cipher. This means that no padding byte is required if the data length is not a multiple of the block size. It uses a counter value rather than an IV, which may be any function that can produce a sequence that will not repeat for a long time. This counter value is first encrypted by the cryptographic algorithm and then XORed with plaintext data to produce ciphertext data, similar to OFB.

Advantages:
- Bit-level operation. CTR cipher mode can encrypt or decrypt at bit level because it uses XOR (bit-wise operation) to produce the output.
- No padding required.
- Parallel Decryption and encryption
- One wrong block will not affect subsequent blocks
- More secure than ECB
- Allows random access – encrypt or decrypt a portion of data without having to process the entire data
Disadvantages:
- Counter management. How to securely protect and synchronize counter values between all nodes could be a challenge
- May have deterministic output if the same counter is used to encrypt the same plaintext multiple times
Summary
Now that we have explained the 5 popular block cipher modes, what does it mean to software developers like us? More specifically, what are the use cases for each mode?
- ECB – Not recommended for most use cases. Use it when you have no security requirement
- CBC – Suitable for general purpose encryption. Ensure that IV and encryption keys are well protected and synchronized. If your data does not have a sequence number naturally, this block cipher mode may be suitable for your use case.
- CFB, OFB – Rarely used today
- CTR – Suitable for most security use cases due to its support of random access, parallelism, and security strength. If your data naturally has a sequence number, such as packets (frame number), disks (segment numbers), database files (data block numbers), CTR is a very suitable mode to go with your cryptographic algorithms. For example, AES-256-CTR.
In terms of the PostgreSQL database system, these modes may be ideal for different parts of the system:
- Heap and Index data: CTR (they have block numbers which can naturally be used as counters)
- WAL: CTR (LSN, or segment number can naturally be used as counters)
- Temp files: CTR (PostgreSQL’s temp files also have block numbers associated)
- Catalog files: CTR, CBC
- A column in a table: CBC
- A row in a table: CTR, CBC
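An added sketch in Go (not from the original post and not PostgreSQL's implementation) of CTR with a counter derived from the page number, showing both the random access advantage and the deterministic-output caveat listed under CTR. The counter-block layout, the per-write nonce, the all-zero key and the page contents are assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// cryptPage encrypts or decrypts one page on its own. Assumed counter-block layout:
// [8-byte write nonce | 4-byte page number | 4-byte in-page block counter starting at 0].
func cryptPage(b cipher.Block, nonce uint64, page uint32, in []byte) []byte {
	ctr := make([]byte, aes.BlockSize)
	binary.BigEndian.PutUint64(ctr[0:8], nonce)
	binary.BigEndian.PutUint32(ctr[8:12], page)
	out := make([]byte, len(in))
	cipher.NewCTR(b, ctr).XORKeyStream(out, in) // XOR with keystream; same call decrypts
	return out
}

// xorBytes returns a XOR b for equal-length slices.
func xorBytes(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// demoCTR reports whether page 2 decrypts without touching page 1, whether rewriting
// page 1 under the same counter exposes old XOR new, and whether a new nonce still does.
func demoCTR() (randomAccess, reuseLeaks, freshNonceLeaks bool) {
	b, _ := aes.NewCipher(make([]byte, 32))             // constructed all-zero AES-256 key
	page1 := []byte("page1: balance=0000100 user=bob.") // constructed page contents
	page2 := []byte("page2: index tuples ............")
	enc1, enc2 := cryptPage(b, 1, 1, page1), cryptPage(b, 1, 2, page2)
	randomAccess = bytes.Equal(cryptPage(b, 1, 2, enc2), page2)

	updated := []byte("page1: balance=9999999 user=bob.")
	want := xorBytes(page1, updated)
	reuseLeaks = bytes.Equal(xorBytes(enc1, cryptPage(b, 1, 1, updated)), want)
	freshNonceLeaks = bytes.Equal(xorBytes(enc1, cryptPage(b, 2, 1, updated)), want)
	return
}

func main() {
	fmt.Println(demoCTR()) // true true false
}
```

Because a page keeps its block number across rewrites, something that changes on every write has to be part of the counter block; otherwise two versions of the same page share one keystream.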

Hi, this is Cary, your friendly tech enthusiast, educator and author. Currently working as a software architect at Highgo Software Canada. I enjoy simplifying complex concepts, diving into coding challenges, unraveling the mysteries of software. Most importantly, I like sharing and teaching others about all things tech. Find more blogs from me at highgo.ca