Advantages and disadvantages of Stream versus Block Ciphers
While both are symmetric ciphers, stream ciphers are based on generating an "infinite" cryptographic keystream, and using that to encrypt one bit or byte at a time (similar to the one-time pad), whereas block ciphers work on larger chunks of data (i.e. blocks) at a time, often combining blocks for additional security (e.g. AES in CBC mode).
- Stream ciphers are typically faster than block, but that has its own price.
- Block ciphers typically require more memory, since they work on larger chunks of data and often have "carry over" from previous blocks, whereas since stream ciphers work on only a few bits at a time they have relatively low memory requirements (and therefore cheaper to implement in limited scenarios such as embedded devices, firmware, and esp. hardware).
- Stream ciphers are more difficult to implement correctly, and prone to weaknesses based on usage - since the principles are similar to one-time pad, the keystream has very strict requirements. On the other hand, that's usually the tricky part, and can be offloaded to e.g. an external box.
- Because block ciphers encrypt a whole block at a time (and furthermore have "feedback" modes which are most recommended), they are more susceptible to noise in transmission, that is if you mess up one part of the data, all the rest is probably unrecoverable. Whereas with stream ciphers bytes are individually encrypted with no connection to other chunks of data (in most ciphers/modes), and often have support for interruptions on the line.
- Also, stream ciphers do not provide integrity protection or authentication, whereas some block ciphers (depending on mode) can provide integrity protection, in addition to confidentiality.
- Because of all the above, stream ciphers are usually best for cases where the amount of data is either unknown, or continuous - such as network streams. Block ciphers, on the other hand, are more useful when the amount of data is pre-known - such as a file, data fields, or request/response protocols, such as HTTP where the length of the total message is known already at the beginning.
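
An added example (not part of the original answer) for the keystream-requirement and integrity bullets above: a toy XOR stream cipher shows that reusing a keystream exposes the XOR of two plaintexts, and that a modified ciphertext byte decrypts without error unless a MAC is verified first. The SHA-256 counter keystream, the key and nonce values, and all function names are constructed for illustration and stand in for a real cipher.

```python
import hashlib
import hmac

def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Constructed toy generator: SHA-256 over key || nonce || counter.
    # It stands in for a real stream cipher; do not use it in production.
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Encryption and decryption are the same XOR with the keystream.
    return xor(data, keystream(key, nonce, len(data)))

def reuse_leak(key: bytes, nonce: bytes, p1: bytes, p2: bytes) -> bytes:
    # Same key and nonce twice: the keystream cancels out of c1 XOR c2,
    # leaving p1 XOR p2 visible to anyone who holds both ciphertexts.
    return xor(crypt(key, nonce, p1), crypt(key, nonce, p2))

def seal(enc_key: bytes, mac_key: bytes, nonce: bytes, pt: bytes):
    # Encrypt-then-MAC: the tag covers the nonce and the ciphertext.
    ct = crypt(enc_key, nonce, pt)
    return ct, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def open_sealed(enc_key, mac_key, nonce, ct, tag):
    # Verify before decrypting; return None when the tag does not match.
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return crypt(enc_key, nonce, ct)

if __name__ == "__main__":
    ek, mk, nonce = b"E" * 32, b"M" * 32, b"constructed-nonce"
    msg = b"PAY 100 TO BOB"            # constructed sample message
    ct, tag = seal(ek, mk, nonce, msg)
    # One changed ciphertext byte changes exactly one plaintext byte.
    bad = ct[:4] + bytes([ct[4] ^ 0x08]) + ct[5:]
    print(crypt(ek, nonce, bad))       # unauthenticated decrypt accepts it
    print(open_sealed(ek, mk, nonce, bad, tag))   # MAC check rejects it
    print(open_sealed(ek, mk, nonce, ct, tag))    # untouched message opens
```
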
The 2nd bullet is not accurate. The difference in memory due to "carry over" from prior blocks is negligible and much smaller than the difference in memory from algorithm to algorithm (e.g., compare RC4, with its 256 bytes of internal state, to AES, with 0 bytes of internal state in some implementations). The last bullet draws false distinctions and is bad advice.
@D.W. 2nd bullet was "generally speaking", as that is typically the case (but I accept that it is not strictly accurate).
@D.W. do you have any basis for your comment on the last bullet? Where is the false distinction, and why do you say this is bad advice?
yes, I have a basis for my comment on the last bullet. It just seems confused across the board. Block ciphers are fine for streaming data; see, e.g., CBC mode, CTR mode, etc., for various modes of operation that work fine with streaming data. Block ciphers are not restricted to cases where the amount of data is known in advance. I'm not aware of any reason to consider stream ciphers better than block ciphers for streaming data (despite the name).
D.W. is correct: The word 'Stream' in Stream Cipher reflects that there is a keystream - a stream of bits that is combined with plaintext to produce the ciphertext. It does not reflect the plaintext composition. Obviously this is a detail that often confuses developers and engineers with whom the latter is usually implied. Block ciphers can be used to manipulate streaming plaintext just fine. Also often confusing is that Block Ciphers can be used as a Stream Cipher with an appropriate mode of operation and when the block size is atomic (e.g. 1 byte).
@trusktr that is a context-less question in a vacuum :-). For both, it would depend on which algorithm, how it is used, what it is used for, etc... In short it depends on the situation, and there are good (i.e. "secure enough") solutions for both, it is a trade-off on other factors though. Thomas' answer covers those points well.
Sweet, thanks for the reply. :) Even if they are both evenly secure (depending on the average scenario), it's still a good point to tell.
you're talking about feedback mode, but if I understand correctly this is in stream ciphers not block ciphers
@David天宇Wong feedback mode is a feature of block ciphers, a way to "connect" the different blocks. See e.g. CBC, OFB... http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation