On Jun 16, 2014 6:49 PM, "Matthew Kerwin" <matthew@kerwin.net.au> wrote: > I am not a security person, and this is purely spit-balling, but how about a hybrid? First n bytes must be <sentinel value, maybe zeroes>, remainder is random/ignored. That way you get to detect bad packing, but also hopefully get to mess with known-plaintext stuff. However it's more words and more code, and I have no idea if it's worth it. The other thing to note I'd that if you actually have IND-CCA (look it up, you need it, it's foundational), then you are dealing with the possibility that plaintext is all x for any value of x. And I try not to be inventive when it comes to security mechanisms. Yes, it is the case that padding has been attacked, but I'm inclined to trust that TLS can handle this one.
Received on Tuesday, 17 June 2014 02:52:42 UTC