AES Encryption Modes

Discussions critique insecure uses of AES, above all CBC without authentication, contrast it with AEAD modes such as GCM (and with CTR, which is just as malleable unless paired with a MAC), and highlight failure modes such as nonce reuse in CTR-based modes, padding oracles against CBC, and recurring worries about known-plaintext attacks, which the AES block cipher itself is designed to withstand.

📉 Falling 0.4x · Security
Comments: 5,135
Years Active: 20
Top Authors: 5
Topic ID: #9632

Activity Over Time (comments per year)

Year  Comments
2007         1
2008         9
2009        86
2010       101
2011       149
2012       213
2013       496
2014       303
2015       431
2016       324
2017       446
2018       221
2019       330
2020       476
2021       255
2022       380
2023       347
2024       299
2025       258
2026        10

Keywords

e.g, GCM, MAC, US, CPU, LLM, AEAD, encrypt.c, FDE, OK, aes, encryption, key, mode, attacks, pad, encrypt, secure, plaintext, construction

Sample Comments

wkornewald, Jun 25, 2013

Doesn't this make your key susceptible to known-plaintext attacks?

CiPHPerCoder, May 23, 2017

CBC mode isn't exactly a saving grace here, since it's unauthenticated.

1718627440, Sep 23, 2025

That's just encryption with a one-time pad, nothing new...

Osmium, Sep 23, 2015

Doesn't this depend on the mode of operation/block chaining? Or is it an issue regardless?

SAI_Peregrinus, Jul 25, 2021

It doesn't use CBC mode or dynamically pick key sizes, so it can't be.

tptacek, Jul 4, 2025

The AES block cipher core: also grievously insecure if used naively, without understanding what a block cipher can and can't do, by itself. Thus also an LLM call.

tptacek, Feb 14, 2017

Why did you use CBC? It's actually harder than crypto/cipher.AEAD, and what you're doing now seems insecure.

andrewpe, Jan 2, 2017

Might need to read up on modern ciphers. They are protected against this kind of attack.

tptacek, Apr 11, 2014

Yes, look at Rogaway's license for OCB mode.

RA2lover, Jun 13, 2024

If the attacker never gets a hold of a plaintext-ciphertext pair, how well does AES-GCM with nonce reuse hold up?
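The three failure modes the topic summary at the top describes (CBC without a MAC, nonce reuse, padding oracles) and the nonce-reuse question in the last sample comment, as one added, self-contained example. This is not code from any of the threads or commenters above; it uses only Go's standard library crypto/aes and crypto/cipher (the crypto/cipher.AEAD interface one commenter recommends). DemoKey, the sample messages and the function names are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// DemoKey is a constructed fixed AES-256 key for this demo only; never hard-code keys.
var DemoKey = []byte("0123456789abcdef0123456789abcdef")

// newBlock panics on a bad key length: a programming error, not untrusted input.
func newBlock(key []byte) cipher.Block {
	b, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return b
}

func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad validates padding; revealing *why* decryption failed is the padding-oracle mistake.
func pkcs7Unpad(b []byte) ([]byte, error) {
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("invalid padding")
	}
	return b[:len(b)-n], nil
}

// cbcEncrypt is unauthenticated AES-CBC with a random IV prepended: the
// "CBC without a MAC" construction the thread criticises.
func cbcEncrypt(key, plaintext []byte) []byte {
	padded := pkcs7Pad(plaintext)
	out := make([]byte, aes.BlockSize+len(padded))
	if _, err := rand.Read(out[:aes.BlockSize]); err != nil {
		panic(err)
	}
	cipher.NewCBCEncrypter(newBlock(key), out[:aes.BlockSize]).CryptBlocks(out[aes.BlockSize:], padded)
	return out
}

func cbcDecrypt(key, ct []byte) ([]byte, error) {
	if len(ct) < 2*aes.BlockSize || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("invalid ciphertext length")
	}
	plain := make([]byte, len(ct)-aes.BlockSize)
	cipher.NewCBCDecrypter(newBlock(key), ct[:aes.BlockSize]).CryptBlocks(plain, ct[aes.BlockSize:])
	return pkcs7Unpad(plain)
}

// CBCBitFlipDemo: without the key, an attacker who knows byte 6 of block 0 is '0'
// XORs the IV at that offset so it decrypts as '1' (P[0] = D(C[0]) XOR IV). No error.
func CBCBitFlipDemo(key []byte) (string, error) {
	ct := cbcEncrypt(key, []byte("admin=0;user=bob")) // constructed sample
	ct[6] ^= '0' ^ '1'
	pt, err := cbcDecrypt(key, ct)
	return string(pt), err
}

// GCMNonceReuseDemo seals two messages under one key and one nonce (the bug) and
// recovers the second from the first: GCM is CTR inside, so C1 XOR C2 = P1 XOR P2.
func GCMNonceReuseDemo(key []byte) string {
	aead, _ := cipher.NewGCM(newBlock(key))
	nonce := make([]byte, aead.NonceSize()) // fixed all-zero nonce: never do this
	p1, p2 := []byte("pay 100 to alice"), []byte("pay 999 to carol") // constructed, equal length
	c1 := aead.Seal(nil, nonce, p1, nil)[:len(p1)]                   // drop the 16-byte tag
	c2 := aead.Seal(nil, nonce, p2, nil)[:len(p2)]
	out := make([]byte, len(p1))
	for i := range out {
		out[i] = c1[i] ^ c2[i] ^ p1[i]
	}
	return string(out)
}

// GCMTamperDetected applies the same one-byte edit to a GCM ciphertext;
// Open fails the tag check instead of handing back a forged plaintext.
func GCMTamperDetected(key []byte) bool {
	aead, _ := cipher.NewGCM(newBlock(key))
	nonce := make([]byte, aead.NonceSize())
	rand.Read(nonce) // fresh random nonce, as a correct caller would use
	ct := aead.Seal(nil, nonce, []byte("admin=0;user=bob"), nil)
	ct[6] ^= '0' ^ '1'
	_, err := aead.Open(nil, nonce, ct, nil)
	return err != nil
}

func main() {
	pt, err := CBCBitFlipDemo(DemoKey)
	fmt.Printf("CBC, no MAC: %q err=%v | GCM nonce reuse: %q | GCM tamper caught: %v\n",
		pt, err, GCMNonceReuseDemo(DemoKey), GCMTamperDetected(DemoKey))
}
```

Run it with `go run`. The CBC decryption returns `admin=1;user=bob` with no error, which is the whole point of the "CBC without a MAC" criticism: the attacker never learns the key and never triggers bad padding. On the question in the last comment, the recovery in GCMNonceReuseDemo does not actually need a known plaintext to start: C1 XOR C2 = P1 XOR P2 holds regardless, so two ciphertexts under a repeated nonce can be crib-dragged like any reused one-time pad, and a repeated nonce additionally lets the attacker recover GCM's GHASH subkey from the two tags and forge tags for arbitrary messages (Joux's "forbidden attack"), so the mode fails completely rather than gracefully.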