3

If I have 48 random bytes, is it safe to encrypt them using ECB mode? Or is there still a good reason to use another mode like CTR, CBC, etc.?

Context is this: I am creating something like a TLS session ticket where the master secret is encrypted using a server side key and sent down to the client.

I will still use HMAC. Basically, I use ECB of these 48 bytes followed by HMAC-SHA256 of the ciphertext. I have nothing against CBC, CTR, etc. But a colleague mentioned that for completely random values you can use plain ECB too and I fail to see how he's wrong.

Gilles 'SO- stop being evil'
  • 20,442
  • 4
  • 54
  • 97
Chaitanya Gupta
  • 135
  • 7

1 Answers1

11

ECB leaks if blocks are identical. For uniformly random data identical blocks become likely when you encrypt about $2^{n/2}$ blocks with an $n$ bit block cipher. CBC and CTR mode develop similar weaknesses when they encrypt that much data.

=> As long as you encrypt reasonable amounts (up to a petabyte or so) of random data with a 128 bit block cipher, like AES, a passive attacker doesn't learn anything useful from observing your ECB encrypted messages.

Still I see little reason to use ECB when you could use something stronger. You're coupling the security of your encryption to assumptions about the data you're encrypting. If a future version of your software changes the properties of the data, you need to remember that you need to replace the encryption.

Against active attackers you need to add some kind of MAC, either via a generic encrypt-then-mac combination or by using an authenticated mode of operation, like GCM.

CodesInChaos
  • 25,121
  • 2
  • 90
  • 129