https://stackoverflow.com/questions/19264412
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianNo, ECB should never be used in practice with anything of consequence.
It's probably possible to find contrived examples, but things like real-time applications should not be one of them.
Electronic Code Book is the base operation other secure operating modes (CBC, CTR, etc..) are built from; however, because it is deterministic, it is not semantically secure from attackers. What do I mean semantic security? Basically, it's the idea that an adversary cannot gain more information about your plaintext (other than its length) given your cipher text.
However, it is possible to gain some information about your plaintext given some ciphertext encrypted using ECB -- namely, you can tell when a block is repeated. Symmetric key encryption forms a one-to-one mapping from plaintext to ciphertext and back. Given a key, an algorithm, and a block of data, the end result will always be the same.
What does this mean for your encrypted data? Well, imagine you had data that fits in two blocks. An attacker could reorder the two blocks and you would be none the wiser. Because both blocks were correctly encrypted, they will be correctly decrypted despite the fact that the attacker has some kind of control over what your resulting data is. This also means that if an attacker knows a valid block, he could substitute that back and replay the same message over again.
Additionally, there are modes of operation which are nearly as good as ECB for performance. For example, counter mode (CTR) works by encrypting an incrementing counter. Assuming the counter doesn't wrap and isn't reused with the same key (not too difficult when you have 128 bits), the blocks of data from the encrypted counters won't repeat. Now you have a pseudorandom stream of bytes with which you can XOR with your data. There's an overhead of 16 bytes for the initial counter and a xor for all of your data. If you can't afford to XOR your data, then I'm not sure how you can afford to encrypt in the first place.
What would be a contrived example?
Well, ECB seems like it could be alright if your data doesn't repeat or you don't care if someone can identify (essentially fingerprint) blocks of data. Additionally, you would want to MAC the data so it couldn't be tampered with, unless you actually don't mind seeing replayed or reordered messages. ECB does only needs to synchronize a key and no initialization vector, so perhaps it could be used to replace some data which is currently a plaintext message with a blob of the exact same length. However, even then you're only making it harder for someone to read the message.
