[117363] in cryptography@c2.net mail archive
Re: RNG for Padding
daemon@ATHENA.MIT.EDU (Leichter, Jerry)
Sat Mar 15 22:52:11 2008
Date: Sat, 15 Mar 2008 17:56:14 -0400 (EDT)
From: "Leichter, Jerry" <leichter_jerrold@emc.com>
To: COMINT <comint@gmail.com>
cc: cryptography@metzdowd.com
In-Reply-To: <afe51f3f0803070604p4ce192caub1a886903f61f9b@mail.gmail.com>
| Hi,
|
| This may be out of the remit of the list, if so a pointer to a more
| appropriate forum would be welcome.
|
| In Applied Crypto, the use of padding for CBC encryption is suggested
| to be met by ending the data block with a 1 and then all 0s to the end
| of the block size.
|
| Is this not introducing a risk as you are essentially introducing a
| large amount of guessable plaintext into the ciphertext.
|
| Is it not wiser to use RNG data as the padding, and using some kind of
| embedded packet size header to tell the system what is padding?
It's a requirement of all modern cryptosystems that they be secure
against known-plaintext attacks. This is for two reasons:
1. The state of the art being what it is, it's no
harder to create a system with decent security
guarantees (within the limits we have *any* such
guarantees, of course) with security against
known-plaintext attacks than without.
2. More important: History has shown that there's
*always* known plaintext available. There are
tons of situations where you know what is being
sent because you actually have access to the same
information from other channels (once *everything*
is encrypted, much of what's encrypted isn't in
and of itself secret!); other situations where you
can force the plaintext to some value because, for
example, you provided it; yet others where you
don't know for sure, but can make good guesses.
So the additional security is minor.
Note, BTW, the the "1 and then all 0's" padding lets
a legitimate receiver determine where the data
ends; random padding doesn't. So you'd have to
send the length elsewhere with random padding.
That length would have a limited number of
possible values - becoming easily guessable
plaintext.
-- Jerry
| Thanks for your suggestions,
|
| Mr Pink
|
| ---------------------------------------------------------------------
| The Cryptography Mailing List
| Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
|
|
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com