Block Ciphers & Modes
- AES structure and key schedule
- GF(2^8) math for MixColumns
- ECB vs CBC vs CTR
- Padding and padding oracles
- Malleability and integrity
Block cipher model
- Keyed permutation on fixed-size blocks
- Deterministic for a fixed key
- Needs a mode for real data
AES round
- SubBytes (S-box)
- ShiftRows (permute)
- MixColumns (diffuse)
- AddRoundKey (XOR)
AES-128 = 10 rounds
MixColumns intuition
- Linear mixing in GF(2^8)
- Spreads one-byte changes across a column
- Invertible for decryption
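Added example (not part of the original slides): MixColumns on a single 4-byte column, built from GF(2^8) multiplication, showing the one-byte diffusion and the inverse used for decryption. The function names are illustrative; the matrix coefficients and the reduction polynomial 0x11B are the standard AES values.

```python
# Added example: AES MixColumns on one column, from GF(2^8) arithmetic up.

def xtime(a):
    """Multiply by x (0x02) in GF(2^8), reducing by the AES polynomial 0x11B."""
    a <<= 1
    return (a ^ 0x11B) if a & 0x100 else a

def gmul(a, b):
    """Multiply two field elements by shift-and-add (XOR is field addition)."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a = xtime(a)
        b >>= 1
    return result

# First row of each circulant matrix; every later row is rotated right by one.
MIX = (0x02, 0x03, 0x01, 0x01)      # forward MixColumns coefficients
INV_MIX = (0x0E, 0x0B, 0x0D, 0x09)  # inverse MixColumns coefficients

def _mix(column, coeffs):
    out = []
    for row in range(4):
        acc = 0
        for col in range(4):
            acc ^= gmul(coeffs[(col - row) % 4], column[col])
        out.append(acc)
    return bytes(out)

def mix_column(column):
    return _mix(column, MIX)

def inv_mix_column(column):
    return _mix(column, INV_MIX)

def changed_bytes(a, b):
    """Count byte positions where two equal-length columns differ."""
    return sum(x != y for x, y in zip(a, b))

if __name__ == "__main__":
    col = bytes.fromhex("db135345")            # widely published test column
    mixed = mix_column(col)
    print(mixed.hex(), inv_mix_column(mixed).hex())
    tweaked = bytes([col[0] ^ 0x01]) + col[1:]  # flip one bit in one byte
    print(changed_bytes(mixed, mix_column(tweaked)), "of 4 output bytes changed")
```

Because every matrix coefficient is nonzero, a change in any single input byte changes all four output bytes of that column.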
Key schedule
- RotWord + SubWord + Rcon
- 11 round keys for AES-128
- Byte order mistakes are common bugs
ECB
- Encrypt each block independently
- Leaks structure
- Never use for structured data
CBC
- Ci = Enc(Pi XOR C(i-1))
- Requires unpredictable IV
- Malleable: flip bits in C(i-1) to flip Pi
CTR
- Keystream = Enc(nonce || counter)
- Ciphertext = plaintext XOR keystream
- Nonce reuse breaks confidentiality
Padding and oracles
- PKCS#7 always adds padding
- Bad error handling -> padding oracle
Integrity
- CBC and CTR do NOT provide integrity
- Use Encrypt-then-MAC or AEAD
What you will build
- AES-128 block cipher
- CBC + PKCS#7
- CTR mode
- CBC bitflipping attack