[Image: Tux, the Linux mascot, from Wikipedia] [Image: Tux encrypted in ECB mode]

Classic and visually powerful way to show that the ECB mode of operation is not secure. Courtesy of Tux (the Linux mascot).

Fun rite of passage for students of cryptography, so I encourage you to give it a try if you have not already done so [1].

Here’s how I did mine:

Download Tux image

The first Google image search hit (Wikipedia) for “tux linux” might be a good place to start because the image data length turns out to be a multiple of the cipher block size, so padding is not needed.

One fewer distraction.

Convert PNG to RGBA

Make things easier by converting to a “data only” image file format [2].

$ convert -depth 32 1200px-Tux.svg.png out.rgba
$ file out.rgba 
out.rgba: data
$ 

Relied on ImageMagick to do the heavy lifting here.

Encrypt image data

Chose to use AES (though the cipher doesn’t matter) with ECB mode. Python code using PyCryptodome would look something like this.

from Crypto.Cipher import AES
from os import urandom

# Read image data.
data = None
with open("out.rgba", "rb") as f:
    data = f.read()

# Encrypt data in ECB mode.
KEY = urandom(16)
cipher = AES.new(KEY, AES.MODE_ECB)
ciphertext = cipher.encrypt(data)

# Write out image data.
with open("ecb_tux.rgba", "wb") as f:
    written = f.write(ciphertext)  # Avoid shadowing the built-in name `bytes`.
    assert len(ciphertext) == written  # Basic sanity check.

Nothing fancy.

Convert RGBA to PNG

ImageMagick to the rescue again.

$ identify -format '%wx%h' 1200px-Tux.svg.png 
1200x1422
$ convert -size 1200x1422 -depth 32 ecb_tux.rgba ecb_tux.png
$ 

Side by side

[Image: Tux, the Linux mascot, from Wikipedia] [Image: Tux encrypted in ECB mode] [Image: Tux encrypted in CBC mode]

Encrypted image data should have looked like random noise (see rightmost image, encrypted in CBC mode), but clearly we can still see the penguin. :-D
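To put a number on what the side-by-side images show, the following added example (not code from the original post) counts repeated 16-byte blocks in ECB-style versus CBC-style output over a constructed test image. It uses only the standard library: `prf` is a truncated HMAC-SHA256 standing in for the AES block function (an assumption; it cannot be decrypted), and all function names are illustrative.

```python
import hashlib
import hmac
import os

BLOCK = 16  # AES block size in bytes

def prf(key, block):
    # Stand-in for the AES block function (assumption, not real AES): keyed and
    # deterministic, which is all the block-equality leak depends on.
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def split_blocks(data):
    if len(data) % BLOCK:
        raise ValueError("data length must be a multiple of the block size")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_like(key, data):
    # ECB: every block is transformed independently of its neighbours.
    return b"".join(prf(key, b) for b in split_blocks(data))

def cbc_like(key, iv, data):
    # CBC chaining: XOR each block with the previous ciphertext block first.
    out, prev = [], iv
    for b in split_blocks(data):
        prev = prf(key, bytes(x ^ y for x, y in zip(b, prev)))
        out.append(prev)
    return b"".join(out)

def repeated_block_ratio(ciphertext):
    # Fraction of blocks that duplicate another block; ~0 for a sound mode.
    blocks = split_blocks(ciphertext)
    return 1 - len(set(blocks)) / len(blocks) if blocks else 0.0

def sample_image(size=64):
    # Constructed 8-bit RGBA test image: black square on a white background.
    white, black = b"\xff" * 4, b"\x00\x00\x00\xff"
    lo, hi = size // 4, 3 * size // 4
    return b"".join(
        black if lo <= x < hi and lo <= y < hi else white
        for y in range(size) for x in range(size)
    )

if __name__ == "__main__":
    key, iv, img = os.urandom(16), os.urandom(16), sample_image()
    print("ECB-like:", repeated_block_ratio(ecb_like(key, img)))
    print("CBC-like:", repeated_block_ratio(cbc_like(key, iv, img)))
```

`repeated_block_ratio` works on any byte string whose length is a multiple of 16, so it can also be run over the contents of `ecb_tux.rgba` produced above.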

–JW

Footnotes

  1. It took me a few years myself, after reading JP Aumasson’s Serious Cryptography book for the first time in 2022, coming across “ECB Tux” in chapter 4, and making a mental note to try reproducing figure 4-7 at some point. 

  2. See this Ben Zotto blog post, especially the comments. According to the anonymous commenter “the most popular tool anybody would use immediately to convert to rgba files, imagemagick, doesn’t put neither RGBA chars nor width and height headers into the .rgba files it create at all. It’s just plain pixel data it outputs”. I can confirm the lack of header when using ImageMagick, which is perfect because I only want image data.