W3C home > Mailing lists > Public > xml-encryption@w3.org > November 2000

RE: Encryption padding

From: <hal@finney.org>
Date: Wed, 15 Nov 2000 12:11:27 -0800
Message-Id: <200011152011.MAA13134@finney.org>
To: hal@finney.org, steve@myProof.com, xml-encryption@w3.org
By "enumerated attributes" I meant an attribute that has an enumerated
type in the DTD, like:

<!ATTLIST person
     favoritecolor ( red | chartreuse | sortofbrownishgray ) #IMPLIED>

Then if you encrypted the attribute value, or the attribute-value pair,
you'd have an explicit list of the possible strings that might be encrypted.
This is an extreme case where the lengths of all the choices are different
enough that the ciphertext length alone may give away the plaintext.

Hal Finney
PGP Security

> From: Steve Wiley <steve@myProof.com>
> >
> >-----Original Message-----
> >From: hal@finney.org [mailto:hal@finney.org]
> >Most encryption algorithms roughly preserve the length of the plaintext.
> >They may pad it up to be a multiple of the the block size, usually 8 or
> >16 bytes.  Therefore the length of the plaintext can be inferred from
> >the length of the ciphertext, to within 8-16 bytes.
> >
> >This would be especially dangerous if you were encrypting enumerated
> >attributes.  If they happened to have very different lengths then the
> >leakage based on plaintext length could completely defeat the encryption.
> Hal,
> I am not sure I understand what you mean by "enumerated attributes".
> Could you elaborate or give an example.
> Thanks,
> Steve Wiley <steve@myproof.com>
Received on Wednesday, 15 November 2000 15:10:19 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:31:59 UTC