I'm using AES-256 CBC mode in C# to encrypt various amounts of texts. The key and IV are always generated properly randomly. However, would GCM mode provide any noticeable security gains over CBC?
- GCM provides [authenticity](https://security.stackexchange.com/q/33569/151903). CBC is [malleable](https://en.wikipedia.org/wiki/Malleability_(cryptography)). – AndrolGenhald Jun 22 '18 at 14:16
- What do you mean by "huge factor"? – AndrolGenhald Jun 22 '18 at 14:24
- But what do you consider to be a huge factor? Malleability could be devastating in some cases, in others confidentiality is all that's required and authenticity is unneeded. – AndrolGenhald Jun 22 '18 at 14:41
1 Answer
It's a little hard to say without knowing your exact set-up, but CBC may well be fine, especially as it is available in .NET as is.
The main risk of CBC is the padding oracle attack; here are some good links:
https://blog.cloudflare.com/padding-oracles-and-the-decline-of-cbc-mode-ciphersuites/
https://docs.microsoft.com/en-us/dotnet/standard/security/vulnerabilities-cbc-mode
If you can be confident that an attacker cannot modify the ciphertext then you should be alright. You could also go down the route of encrypt-then-MAC to ensure that the actual ciphertext was unaltered.
ste-fu
- Padding is a requirement of a block cipher unless your plaintext size is fixed and equal to the cipher block size. You may not realize you are even using it if your implementation chooses a default value – ste-fu Jun 22 '18 at 19:51
- I believe encrypt then MAC is considered generally safe, but it's hard to speak in absolutes – ste-fu Jun 23 '18 at 18:29
- Good point for you to use a random IV. It is important also to ensure the use of random padding – lalebarde Feb 08 '19 at 16:27
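As an added example (not code from the question, the answer or the comments above), the C# program below puts the three options discussed on this page side by side: plain AES-256-CBC, CBC with an HMAC-SHA256 tag (encrypt-then-MAC, as the answer suggests), and AES-256-GCM (the authenticated mode the first comment recommends). It assumes .NET 8 or later, where `AesGcm`, `HMACSHA256.HashData`, `RandomNumberGenerator.GetBytes` and `CryptographicOperations.FixedTimeEquals` are available; the class and method names, the blob layouts and the sample message are constructed for this illustration.

```csharp
// Added example, not code from the question or the answer on this page.
// Assumes .NET 8+: AesGcm(key, tagSize), HMACSHA256.HashData, RandomNumberGenerator.GetBytes.
using System;
using System.Security.Cryptography;
using System.Text;

static class CbcVsGcm
{
    const int IvLen = 16, MacLen = 32, NonceLen = 12, GcmTagLen = 16;

    static byte[] Concat(ReadOnlySpan<byte> a, ReadOnlySpan<byte> b)
    {
        var r = new byte[a.Length + b.Length];
        a.CopyTo(r); b.CopyTo(r.AsSpan(a.Length));
        return r;
    }

    // Plain AES-256-CBC with PKCS7 padding: confidentiality only, no integrity check.
    static byte[] CbcEncrypt(byte[] key, byte[] iv, byte[] pt)
    {
        using var aes = Aes.Create();
        aes.Key = key; aes.IV = iv; aes.Mode = CipherMode.CBC; aes.Padding = PaddingMode.PKCS7;
        return aes.CreateEncryptor().TransformFinalBlock(pt, 0, pt.Length);
    }

    static byte[] CbcDecrypt(byte[] key, byte[] iv, byte[] ct)
    {
        using var aes = Aes.Create();
        aes.Key = key; aes.IV = iv; aes.Mode = CipherMode.CBC; aes.Padding = PaddingMode.PKCS7;
        return aes.CreateDecryptor().TransformFinalBlock(ct, 0, ct.Length);
    }

    // Encrypt-then-MAC: HMAC-SHA256 over IV || ciphertext, using a MAC key separate
    // from the encryption key. Constructed blob layout: IV (16) || ciphertext || tag (32).
    static byte[] EtmEncrypt(byte[] encKey, byte[] macKey, byte[] pt)
    {
        byte[] iv = RandomNumberGenerator.GetBytes(IvLen);
        byte[] ivCt = Concat(iv, CbcEncrypt(encKey, iv, pt));
        return Concat(ivCt, HMACSHA256.HashData(macKey, ivCt));
    }

    static byte[] EtmDecrypt(byte[] encKey, byte[] macKey, byte[] blob)
    {
        if (blob.Length < IvLen + MacLen) throw new CryptographicException("message too short");
        ReadOnlySpan<byte> ivCt = blob.AsSpan(0, blob.Length - MacLen);
        ReadOnlySpan<byte> tag = blob.AsSpan(blob.Length - MacLen);
        // Verify the tag in constant time BEFORE decrypting: forged input never reaches
        // the padding check, so there is no padding oracle for an attacker to probe.
        if (!CryptographicOperations.FixedTimeEquals(HMACSHA256.HashData(macKey, ivCt), tag))
            throw new CryptographicException("authentication failed");
        return CbcDecrypt(encKey, ivCt[..IvLen].ToArray(), ivCt[IvLen..].ToArray());
    }

    // AES-256-GCM: authentication is built in and no padding is involved.
    // Constructed blob layout: nonce (12) || ciphertext || tag (16).
    // A nonce must never be reused under the same key.
    static byte[] GcmEncrypt(byte[] key, byte[] pt)
    {
        byte[] nonce = RandomNumberGenerator.GetBytes(NonceLen);
        byte[] ct = new byte[pt.Length], tag = new byte[GcmTagLen];
        using var gcm = new AesGcm(key, GcmTagLen);
        gcm.Encrypt(nonce, pt, ct, tag);
        return Concat(Concat(nonce, ct), tag);
    }

    static byte[] GcmDecrypt(byte[] key, byte[] blob)
    {
        if (blob.Length < NonceLen + GcmTagLen) throw new CryptographicException("message too short");
        ReadOnlySpan<byte> nonce = blob.AsSpan(0, NonceLen);
        ReadOnlySpan<byte> tag = blob.AsSpan(blob.Length - GcmTagLen);
        ReadOnlySpan<byte> ct = blob.AsSpan(NonceLen, blob.Length - NonceLen - GcmTagLen);
        byte[] pt = new byte[ct.Length];
        using var gcm = new AesGcm(key, GcmTagLen);
        gcm.Decrypt(nonce, ct, tag, pt); // throws if nonce, ciphertext or tag was modified
        return pt;
    }

    static string Try(Func<byte[]> decrypt)
    {
        try { return Encoding.UTF8.GetString(decrypt()); }
        catch (CryptographicException e) { return "REJECTED (" + e.GetType().Name + ")"; }
    }

    static void Main()
    {
        byte[] encKey = RandomNumberGenerator.GetBytes(32), macKey = RandomNumberGenerator.GetBytes(32);
        byte[] pt = Encoding.UTF8.GetBytes("amount=100;to=acct-1234"); // constructed sample message

        // Plain CBC: a single flipped bit in the IV flips the same bit in the first plaintext
        // block, and decryption reports no error. This is the malleability the comments refer to.
        byte[] iv = RandomNumberGenerator.GetBytes(IvLen);
        byte[] ct = CbcEncrypt(encKey, iv, pt);
        iv[7] ^= 0x01; // byte 7 of the message is the leading '1' of the amount
        Console.WriteLine("plain CBC, modified : " + Try(() => CbcDecrypt(encKey, iv, ct)));

        // Encrypt-then-MAC and GCM both reject the same kind of modification.
        byte[] etm = EtmEncrypt(encKey, macKey, pt); etm[7] ^= 0x01;
        Console.WriteLine("CBC + HMAC, modified: " + Try(() => EtmDecrypt(encKey, macKey, etm)));
        byte[] gcm = GcmEncrypt(encKey, pt); gcm[NonceLen] ^= 0x01;
        Console.WriteLine("GCM, modified       : " + Try(() => GcmDecrypt(encKey, gcm)));
        Console.WriteLine("GCM, untouched      : " + Try(() => GcmDecrypt(encKey, GcmEncrypt(encKey, pt))));
    }
}
```

Running it, the plain CBC line prints an altered amount with no error, while the encrypt-then-MAC and GCM lines print a rejection; the untouched GCM line round-trips the message. The order of operations in `EtmDecrypt` is the point of the answer's encrypt-then-MAC suggestion: because the tag is checked first, a modified ciphertext is discarded before any padding is examined, which removes the padding-oracle risk the linked articles describe. GCM gives the same guarantee in one primitive, with the added requirement that the 12-byte nonce is never repeated under a key.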