AES Block Size in OpenSSL CTR, CFB & OFB Modes

TL;DR

AES operates on 128-bit blocks regardless of the mode (CTR, CFB, OFB). However, the amount of data processed at a time can vary depending on how you configure OpenSSL. This guide explains how to control this.

Understanding AES Block Size

AES (Advanced Encryption Standard) is a block cipher. This means it encrypts and decrypts data in fixed-size blocks, which are always 128 bits (16 bytes). The mode of operation determines how these blocks are used to process larger amounts of data.

CTR Mode

  1. How it works: CTR (Counter) mode turns AES into a stream cipher. It encrypts a counter value and XORs the result with the plaintext to produce ciphertext.
  2. Block size impact: While AES still operates on 128-bit blocks internally, you can process data in any size increments when using CTR mode. OpenSSL will handle the block boundaries for you.
  3. Example (OpenSSL command line):
    openssl enc -aes-256-ctr -in input.txt -out output.enc -k password

    This encrypts input.txt using AES-256 in CTR mode with the password ‘password’. The amount of data processed at a time is not explicitly controlled here; OpenSSL manages it efficiently.

CFB Mode

  1. How it works: CFB (Cipher Feedback) mode encrypts blocks sequentially, feeding the previous ciphertext block back into the encryption process.
  2. Block size impact: In CFB mode, a segment size determines how many bits are encrypted per AES call. AES itself still works on a 128-bit block each time. In OpenSSL the segment size is part of the cipher name: `-aes-256-cfb` uses 128-bit (16-byte) segments, `-aes-256-cfb8` uses 8-bit segments and `-aes-256-cfb1` uses 1-bit segments. `openssl enc` has no separate option for the segment size; its `-bufsize` option only sets the I/O buffer size.
  3. Example (OpenSSL command line):
    openssl enc -aes-256-cfb -in input.txt -out output.enc -k password

    The `-aes-256-cfb` cipher uses a 128-bit segment (the default CFB variant). To use a smaller segment size:

    openssl enc -aes-256-cfb8 -in input.txt -out output.enc -k password

    This uses an 8-bit segment size.

OFB Mode

  1. How it works: OFB (Output Feedback) mode is similar to CTR, but instead of encrypting a counter, it encrypts the previous cipher output (the previous keystream block), starting from the IV.
  2. Block size impact: OpenSSL's OFB always generates the keystream in full 128-bit blocks, and `openssl enc` has no option to select a smaller size. Because the keystream is XORed with the data, input of any length can be processed, as in CTR mode.
  3. Example (OpenSSL command line):
    openssl enc -aes-256-ofb -in input.txt -out output.enc -k password

    This uses 128-bit keystream blocks. OpenSSL provides no OFB cipher with 64-bit or 32-bit feedback.

Important Considerations

  • Performance: Smaller segment sizes in CFB mode generally lead to slower encryption/decryption speeds because one AES block operation is needed per segment, so more of them are needed for the same amount of data.
  • Security: While smaller segment sizes are possible, using the default 128-bit size is usually recommended for optimal security and performance.
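
An added example (not from the original article) that runs the three modes with a fixed, constructed key and IV to show what the segment size does and does not change: ciphertext length always equals plaintext length, and CTR, CFB and OFB share their first 16 ciphertext bytes because each starts from E(IV), while `cfb8` (OpenSSL's cipher name for CFB with 8-bit segments) matches only in the first byte. The helper names and sample values are assumptions for illustration.

```sh
#!/bin/sh
# Added example. KEY, IV and PT are constructed sample values, not secrets.
# A fixed key/IV pair is used only so the outputs are comparable across modes;
# with a real key, every message needs a fresh IV.
KEY=000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
IV=f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff
PT='AES segment size demo: 37 bytes long.'

# enc_hex MODE: encrypt $PT with aes-256-MODE and print the ciphertext as hex.
# -K/-iv supply the raw key and IV, so no password KDF or salt header is involved.
enc_hex() {
    printf '%s' "$PT" |
        openssl enc "-aes-256-$1" -K "$KEY" -iv "$IV" |
        od -An -v -tx1 | tr -d ' \n'
}

# roundtrip MODE: encrypt, then decrypt with the same parameters.
roundtrip() {
    printf '%s' "$PT" |
        openssl enc "-aes-256-$1" -K "$KEY" -iv "$IV" |
        openssl enc -d "-aes-256-$1" -K "$KEY" -iv "$IV"
}

# byte_len HEX: number of bytes a hex string encodes.
byte_len() { echo $(( ${#1} / 2 )); }

# prefix HEX N: the first N bytes of a hex string.
prefix() { printf '%s\n' "$1" | cut -c1-$(( $2 * 2 )); }

# The segment size is part of the cipher name: cfb = 128-bit, cfb8 = 8-bit.
for mode in ctr cfb cfb8 ofb; do
    ct=$(enc_hex "$mode")
    printf '%-5s bytes=%s first16=%s\n' "$mode" "$(byte_len "$ct")" "$(prefix "$ct" 16)"
done
```

The identical first block across CTR, CFB and OFB is also why a key/IV pair must never be shared between messages or modes: the same keystream bytes would be applied to different plaintexts.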