[117365] in cryptography@c2.net mail archive

home help back first fref pref prev next nref lref last post

Re: RNG for Padding

daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Sat Mar 15 22:54:21 2008

Date: Sat, 15 Mar 2008 22:30:18 +0000
From: "Steven M. Bellovin" <smb@cs.columbia.edu>
To: COMINT <comint@gmail.com>
Cc: cryptography@metzdowd.com
In-Reply-To: <afe51f3f0803070604p4ce192caub1a886903f61f9b@mail.gmail.com>

On Fri, 7 Mar 2008 15:04:49 +0100
COMINT <comint@gmail.com> wrote:

> Hi,
> 
> This may be out of the remit of the list, if so a pointer to a more
> appropriate forum would be welcome.
> 
> In Applied Crypto, the use of padding for CBC encryption is suggested
> to be met by ending the data block with a 1 and then all 0s to the end
> of the block size.
> 
> Is this not introducing a risk as you are essentially introducing a
> large amount of guessable plaintext into the ciphertext.
> 
> Is it not wiser to use RNG data as the padding, and using some kind of
> embedded packet size header to tell the system what is padding?
> 
Maybe -- but you probably have enough guessable plaintext elsewhere
that a bit more simply doesn't matter much.  See, for example, my 1997
paper "Probable Plaintext Cryptanalysis of the IP Security Protocols,"
http://www.cs.columbia.edu/~smb/papers/probtxt.pdf


		--Steve Bellovin, http://www.cs.columbia.edu/~smb

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com

home help back first fref pref prev next nref lref last post