Re: Plaintext inference

From: Steve Wiley <steve@myProof.com>
Date: Wed, 15 Nov 2000 10:10:36 -0800
Message-Id: <4.3.2.7.2.20001115100442.00bb1cb0@myProof.com>
To: hal@finney.org
Cc: xml-encryption@w3.org

Hal,

Thanks for the information and explanations.  They are very helpful.

Could this be a problem as well?
Even if the plaintext is an entire element and the length would normally 
be considered long enough to not pose a security risk, if the XML schema is 
known, then most of the plaintext content may be known. In the following 
example the plaintext is (including white space) 169 characters long.  But, 
an attacker that knew or inferred the element structure would know what all 
but 13 of the characters were.  I am not a crypto person but I would guess 
that this would pose the same risk as encrypting short length plaintext.

<employee>
    <first-name>Jane</first-name>
    <last-name>Doe</last-name>
    <emp-type>sal</emp-type>
    <job-type>SE</job-type>
    <job-level>3</job-level>
</employee>

Thanks,
Steve Wiley - <steve@myproof.com>

At 08:58 AM 11/13/2000 -0800, hal@finney.org wrote:
>Aaron J. Ferguson writes:
> > Wow! This is an interesting comment (see below). Until now, I was unaware
> > that there were ways to infer the length of plaintext from the length of
> > ciphertext. It is my understanding that the initialization and/or
> > synchronization vector used in encryption would mitigate the potential for
> > plaintext length inference. Can you give me some examples of algorithms
> > that do this because this has me really curious.
>
>The most commonly used ciphers like DES, Blowfish, IDEA and the new
>AES all are block ciphers with a relatively small block size of 64 bits
>for the first three and 128 bits for AES.  This means that they encrypt
>data a block at a time.  Generally the plaintext will be padded up to
>be a multiple of the block size, then encrypted.  This will make the
>ciphertext be the size of the plaintext, rounded up to the next multiple
>of 64 or 128 bits.
>
>Other ciphers, like RC4, are stream ciphers, which don't do any padding
>at all.  The ciphertext size in bytes will be the same as the plaintext
>size.  The encryption program PGP uses block ciphers in a mode called
>cipher feedback (CFB) which makes them work something like stream ciphers
>in this regard.  In CFB mode the output will be the same number of bytes
>as the input.
>
>The initialization vector (IV) for block ciphers is the size of the encryption
>block (64 or 128 bits).  If this is stored with the ciphertext it adds a
>fixed, known size to that data which does not hide the plaintext size.
>For stream ciphers the IV or synchronization vector may be larger,
>but it is typically of known size in that case as well.
>
>Hope this helps -
>
>Hal Finney
>PGP Security
Received on Wednesday, 15 November 2000 13:10:59 GMT
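
Added example, not part of the original messages: a Python sketch that combines the two points in this thread, counting how much of the employee element is fixed by the schema and how tightly the ciphertext length then bounds the unknown values. The function names, the whitespace used for the sample element, single-byte characters, and the no-extra-block padding rule are assumptions made for the example.

```python
import re

# Constructed input: the <employee> element from the message, typed with
# 4-space indents and LF newlines (the total depends on that whitespace).
EMPLOYEE = "\n".join([
    "<employee>",
    "    <first-name>Jane</first-name>",
    "    <last-name>Doe</last-name>",
    "    <emp-type>sal</emp-type>",
    "    <job-type>SE</job-type>",
    "    <job-level>3</job-level>",
    "</employee>",
])


def split_known_unknown(xml):
    """Return (known, unknown) character counts.

    Tags and whitespace between tags are treated as fixed by the schema;
    only element text content counts as unknown.
    """
    texts = re.findall(r">([^<]*)(?=<)", xml)
    unknown = sum(len(t) for t in texts if t.strip())
    return len(xml) - unknown, unknown


def ciphertext_len(n, block=None):
    """Ciphertext bytes for n plaintext bytes (IV excluded: fixed, known size).

    block=None models a stream cipher or CFB (same length); otherwise the
    length is rounded up to a multiple of `block` bytes. Assumption: an
    already aligned plaintext gets no extra padding block.
    """
    return n if block is None else -(-n // block) * block


def value_length_range(ct_len, known, block=None):
    """(min, max) total length of the unknown values, given ciphertext length."""
    lo = ct_len if block is None else ct_len - block + 1
    return max(lo - known, 0), ct_len - known


if __name__ == "__main__":
    known, unknown = split_known_unknown(EMPLOYEE)
    print(f"total={len(EMPLOYEE)} known={known} unknown={unknown}")
    for name, block in (("stream/CFB", None), ("64-bit", 8), ("128-bit", 16)):
        ct = ciphertext_len(len(EMPLOYEE), block)
        print(name, ct, value_length_range(ct, known, block))
```

With a stream cipher or CFB the combined length of the five values is pinned exactly; a larger block size widens the range but does not hide it.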