
Re: block encryption algorithm padding

From: Aleksey Sanin <aleksey@aleksey.com>
Date: Thu, 11 Apr 2002 08:49:47 -0700
Message-ID: <3CB5B09B.2080306@aleksey.com>
To: Donald Eastlake 3rd <dee3@torque.pothole.com>
Cc: xml-encryption@w3.org
Hi, Donald,

I am not sure I have enough expertise in block cipher attacks, but I have
heard nothing about a possible "padding guess" attack and I have no reason not
to trust the smart guys from the OpenSSL, BSAFE and NSS teams.
As far as I can understand, the proposed padding was taken from FIPS-81.
But it is described in FIPS-81 only as an example, and it is suggested that
other paddings may be used. On the other hand, there is the well-known RFC1423,
and all 3 encryption libraries I've tried (OpenSSL, BSAFE and NSS) follow
this RFC.
If you assume that the XML Encryption standard will be implemented on top
of any of these libraries (and probably some other libraries), then the
implementer will have serious problems.
I understand that it's very late in the game, but the proposed standard is
not interoperable with well-known existing encryption libraries and an old,
well-known RFC.


Aleksey Sanin.




Donald Eastlake 3rd wrote:

>Hi,
>
>I think it is too late to change things.
>
>While using fixed value padding bytes before the counter byte makes for
>better validity checking, it also makes some forms of attack easier due
>to grossly skewing the probability of various types of values for the
>last block. In particular, one out of B messages, on average, has a
>fixed value final block. From that point of view, you want to specify
>that all the padding bytes are to be random except for the bottom n
>of the last byte.
>
>Thanks,
>Donald
>
Received on Thursday, 11 April 2002 11:50:34 GMT
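
Added example (not part of the original message or of any library named in it): a sketch of the interoperability problem raised above, comparing RFC 1423 padding with the "arbitrary bytes, then a count byte" padding discussed in the thread. The 8-byte block size, the function names and the sample messages are assumptions made for illustration, as is the premise that a library following RFC 1423 verifies every pad byte.

```python
import os

BLOCK = 8  # assumed 64-bit block (DES/3DES-sized); not stated in the thread

def pad_rfc1423(data, block=BLOCK):
    """RFC 1423 padding: append n bytes, each with value n (1 <= n <= block)."""
    n = block - len(data) % block
    return data + bytes([n]) * n

def pad_count_last(data, block=BLOCK, filler=os.urandom):
    """Padding as discussed in the thread: n-1 arbitrary bytes, then the count n."""
    n = block - len(data) % block
    return data + filler(n - 1) + bytes([n])

def _count(padded, block):
    if not padded or len(padded) % block:
        raise ValueError("length is not a positive multiple of the block size")
    n = padded[-1]
    if not 1 <= n <= block:
        raise ValueError("pad count out of range")
    return n

def unpad_strict(padded, block=BLOCK):
    """Check every pad byte (assumed behaviour of an RFC 1423 unpadder)."""
    n = _count(padded, block)
    if padded[-n:] != bytes([n]) * n:
        raise ValueError("pad bytes do not all equal the count")
    return padded[:-n]

def unpad_count_only(padded, block=BLOCK):
    """Trust only the final count byte; accepts both padding styles."""
    return padded[:-_count(padded, block)]

def roundtrips(pad, unpad, msg):
    """True if unpad(pad(msg)) recovers msg, False if the unpadder rejects it."""
    try:
        return unpad(pad(msg)) == msg
    except ValueError:
        return False

if __name__ == "__main__":
    fixed = lambda k: b"\xa5" * k  # constructed, deterministic filler bytes
    arbitrary = lambda d: pad_count_last(d, filler=fixed)
    # Constructed samples: 5 bytes (n=3), 7 bytes (n=1, both schemes coincide),
    # 8 bytes (a whole block of padding; fixed-value final block under RFC 1423).
    for msg in (b"ABCDE", b"ABCDEFG", b"ABCDEFGH"):
        print(len(msg), pad_rfc1423(msg)[-BLOCK:].hex(), arbitrary(msg)[-BLOCK:].hex(),
              roundtrips(arbitrary, unpad_strict, msg),
              roundtrips(arbitrary, unpad_count_only, msg))
```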
