When AES Encryption Isn't Very Good


We all know that encryption is complicated, but most people think that because they are using AES, Blowfish, IDEA, or some other advanced cipher, their data is secure. It's more complicated than that. Not only do you have to look at the key size (128-bit, 256-bit, etc.), but another really important piece is the mode of operation that the encryption uses. ECB mode has serious problems because it is poor at hiding data patterns: under the same key, identical plaintext blocks always encrypt to identical ciphertext blocks. There are a lot of software packages that offer strong AES encryption but use ECB mode and therefore aren't that strong.

A standard example of the problem with ECB mode is shown below:

[Images: Original | ECB Mode Encrypted | Securely Encrypted]

It is very obvious above that when the original photo is encrypted with ECB mode you have changed the data but the pattern is still there. This is a very obvious example with a picture but the problem exists for text also.

Make sure to check your software, because many applications that you think securely scramble your data with strong AES encryption use ECB mode. So when looking at your tools that use encryption, make sure they use Cipher-Block Chaining mode (CBC mode) or some other proven mode. You can find more on the encryption modes here:
http://en.wikipedia.org/wiki/Block_cipher_mode_of_operation


Published at DZone with permission of
