A block cipher encrypts one fixed-size block deterministically. Modes of operation extend it to arbitrary-length messages while achieving semantic security (identical plaintexts produce different ciphertexts). ECB fails to achieve this because it encrypts each block independently. CBC chains blocks by XORing each plaintext block with the previous ciphertext block (requiring a random IV). CTR turns the block cipher into a stream cipher by encrypting sequential counter values. GCM combines CTR encryption with a polynomial MAC for authenticated encryption. Each mode has distinct properties regarding parallelism, error propagation, and the consequences of nonce/IV misuse.
A block cipher like AES is a primitive — it securely encrypts exactly one 128-bit block. Real messages are longer than 128 bits, and encrypting each block independently (ECB mode) leaks catastrophic information: identical plaintext blocks produce identical ciphertext blocks, preserving patterns visible to any observer. Modes of operation solve this by introducing randomness or state that ensures identical plaintexts produce different ciphertexts, achieving semantic security (formally, IND-CPA: indistinguishability under chosen-plaintext attack).
CBC (Cipher Block Chaining) XORs each plaintext block with the previous ciphertext block before encryption: c_i = E_k(p_i XOR c_{i-1}), with c_0 being a random initialization vector (IV). This chaining means identical plaintext blocks in different positions (or under different IVs) produce different ciphertexts. CBC is sequential for encryption (each block depends on the previous ciphertext) but parallelizable for decryption. Its main vulnerability is sensitivity to IV handling — a predictable IV enables chosen-plaintext attacks (as exploited in the BEAST attack on TLS). CBC also provides no integrity protection: an attacker can flip specific bits in the decrypted plaintext by manipulating ciphertext blocks.
CTR (Counter) mode takes a different approach: it turns the block cipher into a stream cipher by encrypting a sequence of counter values (nonce || 0, nonce || 1, nonce || 2, ...) to produce a keystream, then XORs the keystream with the plaintext. Both encryption and decryption are fully parallelizable since each block's keystream segment is computed independently. Random access is possible: you can decrypt block i without processing blocks 0 through i-1. The critical requirement is nonce uniqueness: reusing a nonce with the same key generates the same keystream, so XORing the two ciphertexts yields the XOR of the two plaintexts (the same failure as one-time pad reuse).
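The CTR construction and its nonce-uniqueness requirement, as an added example that is not part of the original text. Assumptions: HMAC-SHA256 truncated to 16 bytes stands in for AES (CTR only ever uses the cipher in the forward direction), the nonce and counter are 8 bytes each, and all function names and sample messages are constructed for illustration.

```python
import hashlib
import hmac
import os

BLOCK = 16  # bytes, matching AES's 128-bit block size

def prf_block(key: bytes, block_in: bytes) -> bytes:
    """Stand-in for E_k (assumption: truncated HMAC-SHA256, not AES)."""
    return hmac.new(key, block_in, hashlib.sha256).digest()[:BLOCK]

def keystream_block(key: bytes, nonce: bytes, i: int) -> bytes:
    """Keystream segment i = E_k(nonce || i), computed independently per block."""
    if len(nonce) != 8:
        raise ValueError("nonce must be 8 bytes")
    return prf_block(key, nonce + i.to_bytes(8, "big"))

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def ctr_xcrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (the same operation): XOR data with the keystream."""
    out = bytearray()
    for off in range(0, len(data), BLOCK):
        out += xor(data[off:off + BLOCK], keystream_block(key, nonce, off // BLOCK))
    return bytes(out)

def decrypt_block(key: bytes, nonce: bytes, ciphertext: bytes, i: int) -> bytes:
    """Random access: recover block i without processing blocks 0..i-1."""
    chunk = ciphertext[i * BLOCK:(i + 1) * BLOCK]
    return xor(chunk, keystream_block(key, nonce, i))

def nonce_reuse_demo():
    """Returns (reuse leaks p1^p2, known p1 reveals p2, fresh nonce leaks p1^p2)."""
    key, nonce = os.urandom(32), os.urandom(8)
    p1 = b"transfer 100 EUR to account 0001"  # constructed sample
    p2 = b"meeting moved to 14:30 on Friday"  # constructed sample
    c1 = ctr_xcrypt(key, nonce, p1)
    c2 = ctr_xcrypt(key, nonce, p2)            # misuse: same key, same nonce
    leaked = xor(c1, c2)                       # keystream cancels out
    recovered_p2 = xor(leaked, p1)             # no key needed once p1 is known
    c2_fresh = ctr_xcrypt(key, os.urandom(8), p2)  # correct use: unique nonce
    return (leaked == xor(p1, p2), recovered_p2 == p2,
            xor(c1, c2_fresh) == xor(p1, p2))
```

With a unique nonce per message the third value is False: the two keystreams differ, so the XOR of the ciphertexts reveals nothing about the plaintexts.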
GCM (Galois/Counter Mode) combines CTR-mode encryption with a polynomial-based authentication tag computed over the ciphertext and any associated data (like packet headers that must be authenticated but not encrypted). GCM is an AEAD (Authenticated Encryption with Associated Data) scheme: it guarantees confidentiality, integrity, and authenticity in a single pass. The authentication uses multiplication in a Galois field (GF(2^128)), which is fast in hardware. GCM is the dominant mode in modern protocols (TLS 1.3, IPsec) because it provides the complete security package — encryption plus tamper detection — without requiring users to correctly compose separate encryption and MAC primitives, a task that has historically produced vulnerabilities when done incorrectly.