AES-CBC
What is AES-CBC?
An unauthenticated block-cipher mode that chains AES encryption with the previous ciphertext block; vulnerable to padding-oracle attacks when used without a MAC.
AES-CBC (Cipher Block Chaining) is a legacy mode defined in NIST SP 800-38A where each 128-bit plaintext block is XORed with the previous ciphertext block before AES encryption, using a random IV for the first block. CBC provides confidentiality but no integrity, so it must be wrapped with a separate MAC in an encrypt-then-MAC construction. PKCS#7-padded CBC is notoriously vulnerable to padding-oracle attacks (BEAST, Lucky 13, POODLE), which have been weaponised against TLS, IPsec, and disk encryption. Modern standards favour AEAD modes such as AES-GCM or ChaCha20-Poly1305 over plain CBC, though CBC remains common in TLS 1.0/1.1 legacy stacks.
● Examples
- 01
AES-256-CBC with HMAC-SHA256 in older TLS 1.0/1.1 cipher suites.
- 02
In BitLocker, XTS-AES replaced AES-CBC for full-disk encryption because of CBC's malleability.
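An added example, not from the original page: CBC chaining with PKCS#7 padding wrapped in encrypt-then-MAC (HMAC-SHA256 over IV || ciphertext), showing that plain CBC decryption accepts a message whose IV was altered while the MAC check rejects it before any decryption. So that it runs on the Python standard library alone, AES is swapped for a stand-in Feistel permutation (`_block`), which is an assumption of this example; all function names and the sample message are constructed.

```python
import hashlib, hmac, os
BLOCK = 16  # AES block size in bytes (128 bits)

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

# ASSUMPTION: stand-in block permutation (Feistel over HMAC-SHA256), NOT AES.
def _block(key, b, rounds):
    l, r = b[:8], b[8:]
    for i in rounds:
        l, r = r, _xor(l, hmac.new(key, bytes([i]) + r, hashlib.sha256).digest()[:8])
    return r + l  # final swap: reversed round order inverts the permutation

def cbc_encrypt(key, iv, pt):
    pad = BLOCK - len(pt) % BLOCK  # PKCS#7: always adds 1..16 bytes
    pt, prev, out = pt + bytes([pad]) * pad, iv, b""
    for i in range(0, len(pt), BLOCK):
        prev = _block(key, _xor(pt[i:i + BLOCK], prev), (0, 1, 2, 3))  # chain
        out += prev
    return out

def cbc_decrypt(key, iv, ct):  # plain CBC: nothing here detects tampering
    out = b""
    for i in range(0, len(ct), BLOCK):
        out += _xor(_block(key, ct[i:i + BLOCK], (3, 2, 1, 0)), (iv + ct)[i:i + BLOCK])
    pad = out[-1]
    if not 1 <= pad <= BLOCK or out[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad padding")
    return out[:-pad]

def seal(ek, mk, pt):  # encrypt-then-MAC: HMAC covers IV || ciphertext
    iv = os.urandom(BLOCK)
    body = iv + cbc_encrypt(ek, iv, pt)
    return body + hmac.new(mk, body, hashlib.sha256).digest()

def unseal(ek, mk, msg):  # verify the tag first; decrypt only if it matches
    body, tag = msg[:-32], msg[-32:]
    if not hmac.compare_digest(tag, hmac.new(mk, body, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return cbc_decrypt(ek, body[:BLOCK], body[BLOCK:])

def demo():
    ek, mk = os.urandom(16), os.urandom(32)  # independent cipher and MAC keys
    msg = bytearray(seal(ek, mk, b"amount=0100;to=alice"))  # constructed sample
    msg[7] ^= ord("0") ^ ord("9")  # alter IV byte 7 while the message is in transit
    plain_cbc = cbc_decrypt(ek, bytes(msg[:BLOCK]), bytes(msg[BLOCK:-32]))
    try:
        return plain_cbc, unseal(ek, mk, bytes(msg))
    except ValueError as err:
        return plain_cbc, str(err)
```

`demo()` returns the silently altered plaintext from the unauthenticated path alongside the error raised by the authenticated path, which is the difference between CBC alone and CBC inside encrypt-then-MAC.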
● Frequently asked questions
What is AES-CBC?
An unauthenticated block-cipher mode that chains AES encryption with the previous ciphertext block; vulnerable to padding-oracle attacks when used without a MAC. It belongs to the Cryptography category of cybersecurity.
How do you defend against the weaknesses of AES-CBC?
Wrap CBC with a separate MAC in an encrypt-then-MAC construction, or move to an AEAD mode such as AES-GCM or ChaCha20-Poly1305, as detailed in the full definition above.
What are other names for AES-CBC?
Common alternative names include: Cipher Block Chaining, AES-128-CBC, AES-256-CBC.
● Related terms
- cryptography № 020
AES (Advanced Encryption Standard)
A NIST-standardized 128-bit block cipher with 128-, 192- or 256-bit keys, designed by Daemen and Rijmen and used as the dominant symmetric cipher worldwide.
- cryptography № 023
AES-GCM
An authenticated encryption mode that combines AES in counter mode with a GHASH-based authentication tag for confidentiality and integrity in a single pass.
- cryptography № 105
Block Cipher
A symmetric cipher that encrypts fixed-size blocks of plaintext with a secret key, usually combined with a mode of operation to handle data of arbitrary length.
- cryptography № 537
Initialization Vector (IV)
A randomized starting value for a block-cipher mode of operation that ensures identical plaintexts encrypted under the same key yield different ciphertexts.