Skip to content

Why This Matters

Mode choice is the most commonly misunderstood AES decision. ECB mode is still found in production systems in 2026. Choosing the wrong mode can render AES encryption completely ineffective — leaking plaintext structure, enabling bit-flip attacks, or allowing full plaintext recovery through padding oracles.

Which mode should I use?

  1. General-purpose / HTTPS / app data? AES-GCM AEAD, fast, hardware-accelerated
  2. Constrained device / IoT / 802.15.4 / BLE? AES-CCM AEAD, small code footprint
  3. Legacy interop only, and you can add a MAC? AES-CBC + HMAC (Encrypt-then-MAC) never CBC alone
  4. Multi-block data with ECB? NEVER leaks structure (see the penguin)

ECB: The Dangerous Default

AVOID

Electronic Codebook mode encrypts each block independently with the same key. Identical plaintext blocks produce identical ciphertext blocks, leaking the structure of the message. As defined in NIST SP 800-38A, ECB should never be used for multi-block data.

Try repeating a 16-character block, e.g. "YELLOW SUBMARINE" twice.
Upload a BMP or small PNG to see the ECB penguin effect.
Predict: If you encrypt "YELLOW SUBMARINEYELLOW SUBMARINE", will ciphertext blocks 0 and 1 be identical? Yes — and that's exactly why ECB is broken. ECB has no chaining, no IV, no randomization. Identical input blocks always produce identical ciphertext blocks under the same key.

Key (hex)

Ciphertext (hex)

Block Comparison

Same color = identical ciphertext block (structure leaked) Different color = different ciphertext block

An attacker who sees the ciphertext CAN

  • See which plaintext blocks repeat (block-equality leak)
  • Recognize known images, templates, or protocol structure
  • Splice or reorder ciphertext blocks without detection

An attacker CANNOT

  • Decrypt a single random block without the key (still AES)
  • Recover the AES key from ciphertext alone

Why ECB Is Never Appropriate

ECB encrypts each 16-byte block independently. This means repeated plaintext blocks always produce repeated ciphertext blocks. An attacker learns where repetition occurs — destroying confidentiality for structured data like images, database fields, or protocol messages.

Real-world incidents: the famous ECB penguin illustrates the leak; early WEP and several enterprise SSO cookies have shipped ECB and been broken in production.

Implementation note: WebCrypto does not support ECB natively. This demo implements ECB by encrypting each 16-byte block individually using AES-CBC with a zero IV, which for a single block is equivalent to ECB encryption. This approach is documented honestly — ECB is shown only to demonstrate why it must be avoided.

Self-check

Which property of ECB lets the penguin silhouette survive encryption?