Why is AES-ECB dangerous? What makes AES-GCM the preferred mode, and what pitfall must you avoid with GCM?
AES-ECB (Electronic Codebook): encrypts each 16-byte block independently using the same key. This means identical plaintext blocks produce identical ciphertext blocks. The structure of the plaintext leaks through — famously, an image encrypted with ECB still shows recognizable outlines (the 'ECB penguin'). Patterns in data (e.g. repeated fields in records) are visible to an attacker. Never use ECB for anything except trivial single-block use cases.
AES-CBC (Cipher Block Chaining): each block is XOR'd with the previous ciphertext block before encryption, so identical plaintext blocks produce different ciphertext. Requires a random IV (Initialization Vector) per message — reusing an IV with the same key leaks XOR relationships. CBC also suffers from padding oracle attacks (POODLE, BEAST, Lucky13) when combined with PKCS#7 padding and when error messages distinguish padding errors from MAC errors.
AES-GCM (Galois/Counter Mode): provides both confidentiality (CTR mode encryption) and authenticity (a GHASH authentication tag). This means if the ciphertext or AAD (Additional Authenticated Data) is tampered with, decryption fails and the tampering is detected. This is Authenticated Encryption with Associated Data (AEAD) — the preferred choice for almost all symmetric encryption today.
Critical GCM pitfall — nonce/IV reuse: GCM uses a 96-bit nonce. If you encrypt two different messages with the same key and the same nonce, an attacker can XOR the two ciphertexts to cancel out the keystream, recovering both plaintexts and the authentication key. Nonce reuse in GCM is catastrophic. Use a random 96-bit nonce per message (with key rotation before 2³² messages to avoid birthday collision) or use AES-GCM-SIV which is nonce-misuse resistant.
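The three claims above (ECB leaks repeated blocks, GCM rejects tampering, and a reused GCM nonce lets two ciphertexts XOR down to the two plaintexts' XOR) checked in code. This is an added example using only Go's standard library, not code from the original answer; the AES-256 key is a constructed demo value and the all-zero nonce is fixed purely to keep the output deterministic, which is exactly the misuse the last paragraph warns against.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed demo key (AES-256); real keys come from a CSPRNG or a KDF.
var demoKey = []byte("0123456789abcdef0123456789abcdef")

// ecbLeaksRepeats ECB-encrypts two identical blocks and reports whether the ciphertext blocks match too.
func ecbLeaksRepeats(key []byte) bool {
	block, _ := aes.NewCipher(key)
	pt := bytes.Repeat([]byte("ACCOUNT=00001234"), 2) // two equal 16-byte records
	ct := make([]byte, len(pt))
	for i := 0; i < len(pt); i += aes.BlockSize {
		block.Encrypt(ct[i:i+aes.BlockSize], pt[i:i+aes.BlockSize]) // each block on its own
	}
	return bytes.Equal(ct[:16], ct[16:])
}

// gcmProperties: tamperRejected = one flipped ciphertext bit makes Open fail (the AEAD guarantee);
// keystreamCancels = two messages under the same key and nonce give C1^C2 == P1^P2 (the pitfall).
func gcmProperties(key []byte) (tamperRejected, keystreamCancels bool) {
	block, _ := aes.NewCipher(key)
	aead, _ := cipher.NewGCM(block)         // 96-bit nonce, 128-bit tag appended to the ciphertext
	nonce := make([]byte, aead.NonceSize()) // fixed zero nonce only to keep the demo deterministic
	aad := []byte("hdr:v1")
	p1, p2 := []byte("balance=100 owner=alice"), []byte("balance=900 owner=bobby")
	c1 := aead.Seal(nil, nonce, p1, aad)
	c2 := aead.Seal(nil, nonce, p2, aad) // same key, same nonce: the catastrophic misuse
	bad := append([]byte(nil), c1...)
	bad[0] ^= 0x01 // flip one bit of the ciphertext
	_, err := aead.Open(nil, nonce, bad, aad)
	tamperRejected = err != nil
	keystreamCancels = true
	for i := range p1 { // compare only the CTR part; the tag follows it
		if c1[i]^c2[i] != p1[i]^p2[i] {
			keystreamCancels = false
		}
	}
	return
}

func main() {
	fmt.Println(ecbLeaksRepeats(demoKey)) // true
	fmt.Println(gcmProperties(demoKey))   // true true
}
```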