1. CBC Patterns and ECB Pattern

CBC Full name of mode ：Cipher Block Chaining Pattern （ Ciphertext group link mode ）, It's called , Because ciphertext groups are linked together like chains .

ECB Full name of mode ：Electronic Codebook （ Codebook ）.

stay CBC In the pattern , First, group plaintext and a ciphertext XOR （ Different into one ） operation , And then we can move on encryption .

CBC The encryption and decryption process of the mode is as follows ：

Compare the ECB Patterns and CBC The difference between patterns ：

ECB The mode is only encrypted , and CBC The mode is encrypted once before XOR.

2. Initialization vector

When encrypting the first plaintext packet , Because there is no “ The previous ciphertext group ”, Therefore, it is necessary to prepare a bit sequence with the length of one packet in advance to replace “ The previous ciphertext group ”, This bit sequence is called Initialization vector （Initialization Vector）, Commonly abbreviated as  IV.

Generally speaking , Each time the encryption vector is initialized as a random sequence of bits .

3. CBC Characteristics of the pattern

Plaintext packets must be encrypted with “ The previous ciphertext group ” Conduct XOR operation , So even if plaintext is grouped 1 And plaintext grouping 2 The value of is equal , Ciphertext group 1 and 2 The values of are not necessarily equal . thus ,ECB The flaw in the pattern is CBC It doesn't exist in the pattern .

The encryption process ： stay CBC In the pattern , It is impossible to encrypt an intermediate plaintext packet alone . for example , If you want to generate ciphertext groups 3 , At least the plaintext grouping needs to be gathered 1、2、3 Talent .

The decryption process ： hypothesis CBC One of the ciphertext packets encrypted by the mode is damaged . under these circumstances , As long as the length of the ciphertext group does not change , At most, there is only 2 Packets are affected by data corruption . See the picture below ：

hypothesis CBC Some bits in the ciphertext packet of the pattern are missing , At this time, even if only missing 1 The bit , It will also cause the length of ciphertext packet to change , After that, the grouping is misplaced , thus , The ciphertext group after the missing bit position cannot be decrypted . See the picture below ： 

4. Yes CBC Pattern attack

Suppose that the purpose of the active attacker is to manipulate the decrypted plaintext by modifying the ciphertext . If an attacker can reverse any bit in the initialization vector （ take 1 become 0, take 0 become 1 ）, Then the corresponding bits in the plaintext packet will also be reversed . This is because in the CBC During the decryption of the pattern , The first plaintext grouping will be compared with the initialization vector XOR operation . See the picture below .

But it is very difficult to do the same attack on ciphertext grouping .

for example , If the attacker groups the ciphertext 1 Invert a bit in , Then plaintext grouping 2 The corresponding bits in will also be reversed , However, this bit change affects the decrypted plaintext packet 1 Multiple bits in have an impact , in other words , Only let plaintext divide 1 It is difficult to change the specific bits expected in .

5. Fill prompt attack

Filling prompt attack is a method to attack by using the filling part of block cipher .

In block cipher , When the plaintext length is not an integer multiple of the packet length , You need to fill the last packet with some data to make it fill up a packet length .

In the fill prompt attack , The attacker will repeatedly send a ciphertext , Make a few changes to the filling data every time you send . Because the recipient （ The server ） An error message will be returned when it cannot be decrypted correctly , Through this error message, the attacker can obtain some information related to plaintext . This attack is not limited to CBC Pattern , Instead, it applies to all the patterns that need to be populated by groups .

2014 Years of SSL3.0 Caused a significant impact POODLE An attack is actually a filling attack .

6. For initialization vectors （IV） The attack

Initialization vector （IV） You have to use unpredictable random numbers . However, in SSL / TLS Of TLS1.0 In the version agreement ,IV No unpredictable random numbers are used , Instead, use the last time CBC The last group in mode encryption . In order to defend the attacker against this attack ,TLS1.1 In the above version, it is changed to show transmission IV .

7. CBC Mode application

One of the communication protocols to ensure Internet security  SSL / TLS, Is the use of  CBC Pattern To ensure the confidentiality of communications , If you use CBC Mode triplet DES Of 3DES_EDE_CBC as well as CBC Pattern 256 The bit AES Of AES_256_CBC etc. .

Reprint ：CBC Patterns and ECB Mode interpretation _ The blog of the great demon king of Sajia meat mountain -CSDN Blog _ecb Pattern

（SAW：Game Over！）