TL;DR
AES operates on 128-bit blocks regardless of the mode (CTR, CFB, OFB). However, the amount of data processed at a time can vary depending on how you configure OpenSSL. This guide explains how to control this.
Understanding AES Block Size
AES (Advanced Encryption Standard) is a block cipher. This means it encrypts and decrypts data in fixed-size blocks, which are always 128 bits (16 bytes). The mode of operation determines how these blocks are used to process larger amounts of data.
CTR Mode
- How it works: CTR (Counter) mode turns AES into a stream cipher. It encrypts a counter value and XORs the result with the plaintext to produce ciphertext.
- Block size impact: While AES still operates on 128-bit blocks internally, you can process data in any size increments when using CTR mode. OpenSSL will handle the block boundaries for you.
- Example (OpenSSL command line):
```
openssl enc -aes-256-ctr -in input.txt -out output.enc -k password
```
This encrypts input.txt using AES-256 in CTR mode with the password ‘password’. The amount of data processed at a time is not explicitly controlled here; OpenSSL manages it efficiently.
CFB Mode
- How it works: CFB (Cipher Feedback) mode encrypts blocks sequentially, feeding the previous ciphertext block back into the encryption process.
- Block size impact: In CFB mode, you specify a ‘block size’ which determines how many bytes are processed at a time. A common value is 128 bits (16 bytes), but smaller sizes such as 64 bits (8 bytes) or even 32 bits (4 bytes) can be used.
- Example (OpenSSL command line):
```
openssl enc -aes-256-cfb -in input.txt -out output.enc -k password -bs 128
```
The `-bs 128` option sets the block size to 128 bits (the default). To use a smaller block size:
```
openssl enc -aes-256-cfb -in input.txt -out output.enc -k password -bs 64
```
This uses a 64-bit block size.
OFB Mode
- How it works: OFB (Output Feedback) mode is similar to CTR, but instead of encrypting a counter, it encrypts the previous ciphertext output.
- Block size impact: Like CFB, you specify a block size for OFB mode using the `-bs` option. This determines how many bytes are processed in each iteration.
- Example (OpenSSL command line):
```
openssl enc -aes-256-ofb -in input.txt -out output.enc -k password -bs 128
```
The `-bs` option controls the block size, with common values being 128 bits (default), 64 bits or 32 bits. For example:
```
openssl enc -aes-256-ofb -in input.txt -out output.enc -k password -bs 32
```
This uses a 32-bit block size.
Important Considerations
- Performance: Smaller block sizes in CFB and OFB modes generally lead to slower encryption/decryption speeds because more blocks need to be processed for the same amount of data.
- Security: While smaller block sizes are possible, using the default 128-bit block size is usually recommended for optimal security and performance.
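An added check, not part of the original guide: the script below encrypts a constructed 1001-byte sample under each mode with a fixed, constructed key and IV. It confirms that the ciphertext is exactly as long as the plaintext, that the I/O buffer size (`-bufsize`, a documented `openssl enc` option) does not change the ciphertext, and that decryption round-trips. The CFB variants are selected through the cipher names `aes-256-cfb`, `aes-256-cfb8` and `aes-256-cfb1`; the helper function names are made up for this example.

```shell
#!/bin/sh
# Constructed key and IV, for demonstration only. Never reuse a key/IV pair.
KEY=000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
IV=0f0e0d0c0b0a09080706050403020100

# Constructed 1001-byte sample; the length is deliberately not a multiple of 16.
sample() {
    awk 'BEGIN { for (i = 0; i < 1001; i++) printf "%s", substr("abcdefghijklmnopqrstuvwxyz", i % 26 + 1, 1) }'
}

# enc_hex MODE [openssl args...]: encrypt stdin, print the ciphertext as hex.
enc_hex() {
    mode=$1; shift
    openssl enc "-aes-256-$mode" -K "$KEY" -iv "$IV" "$@" | od -An -v -tx1 | tr -d ' \n'
}

# ct_len MODE TEXT: ciphertext length in bytes.
ct_len() {
    hex=$(printf '%s' "$2" | enc_hex "$1")
    echo $(( ${#hex} / 2 ))
}

# same_across_bufsize MODE TEXT: "yes" if reading 100 bytes at a time
# gives the same ciphertext as the default buffer size.
same_across_bufsize() {
    a=$(printf '%s' "$2" | enc_hex "$1")
    b=$(printf '%s' "$2" | enc_hex "$1" -bufsize 100)
    if [ "$a" = "$b" ]; then echo yes; else echo no; fi
}

# roundtrip MODE TEXT: encrypt, then decrypt with the same mode, key and IV.
roundtrip() {
    printf '%s' "$2" | openssl enc "-aes-256-$1" -K "$KEY" -iv "$IV" |
        openssl enc -d "-aes-256-$1" -K "$KEY" -iv "$IV"
}

# cfb = 128-bit feedback, cfb8 = 8-bit feedback, cfb1 = 1-bit feedback.
PLAIN=$(sample)
for m in ctr cfb cfb8 cfb1 ofb; do
    echo "$m: ${#PLAIN} bytes in, $(ct_len "$m" "$PLAIN") bytes out," \
         "bufsize-independent=$(same_across_bufsize "$m" "$PLAIN")"
done
```

Because `-K` and `-iv` are given directly, no password-derived salt header is written, which is why the lengths match byte for byte.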