[117365] in cryptography@c2.net mail archive
Re: RNG for Padding
daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Sat Mar 15 22:54:21 2008
Date: Sat, 15 Mar 2008 22:30:18 +0000
From: "Steven M. Bellovin" <smb@cs.columbia.edu>
To: COMINT <comint@gmail.com>
Cc: cryptography@metzdowd.com
In-Reply-To: <afe51f3f0803070604p4ce192caub1a886903f61f9b@mail.gmail.com>
On Fri, 7 Mar 2008 15:04:49 +0100
COMINT <comint@gmail.com> wrote:
> Hi,
>
> This may be out of the remit of the list, if so a pointer to a more
> appropriate forum would be welcome.
>
> In Applied Crypto, the use of padding for CBC encryption is suggested
> to be met by ending the data block with a 1 and then all 0s to the end
> of the block size.
>
> Is this not introducing a risk as you are essentially introducing a
> large amount of guessable plaintext into the ciphertext.
>
> Is it not wiser to use RNG data as the padding, and using some kind of
> embedded packet size header to tell the system what is padding?
>
Maybe -- but you probably have enough guessable plaintext elsewhere
that a bit more simply doesn't matter much. See, for example, my 1997
paper "Probable Plaintext Cryptanalysis of the IP Security Protocols,"
http://www.cs.columbia.edu/~smb/papers/probtxt.pdf
--Steve Bellovin, http://www.cs.columbia.edu/~smb
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com