Martin,

Don't listen to me on cryptography, I don't follow it. I'm probably out of date.

Nonetheless, I just skimmed the POODLE paper [Möller14]. From my reading, POODLE surely only applies to padding that is beyond the coverage of the MAC (i.e. which necessarily has to have been added while encrypting).

I don't think these chosen ciphertext attacks (CCAs) apply to HTTP/2 padding, because the HTTP/2 padding is in the layer below the encryption process, so it will surely always be covered by the MAC.

If, as in HTTP/2, the length of the padding field is given in the protocol header (which is then encrypted), I believe the padding can be arbitrary, and I assume it's best for the padding not to be structured (predictable).

But please don't take my word for it - crypto is not my field.

[Möller14] Möller, Bodo; Duong, Thai; Kotowicz, Krzysztof, "This POODLE Bites: Exploiting The SSL 3.0 Fallback" (September 2014). <https://www.openssl.org/~bodo/ssl-poodle.pdf>

Bob

At 19:23 06/03/2015, Martin Thomson wrote:
>On 6 March 2015 at 11:05, Bob Briscoe <bob.briscoe@bt.com> wrote:
> > Why does padding have to be filled with zeros? There are good cryptographic
> > reasons for not requiring this.
>
>Remember POODLE, I think that the opposite is true. Also c.f. IND-CCA
>(and IND-CCA2).

________________________________________________________________
Bob Briscoe, BT

Received on Saturday, 7 March 2015 15:16:15 UTC
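
An added example, not part of the original message: a Python model of the MAC-coverage distinction discussed above, comparing SSL 3.0 CBC padding (added after the MAC) with an HTTP/2 padded DATA frame (padding inside the authenticated plaintext). Encryption is omitted, so records appear as the receiver sees them after decryption; HMAC-SHA256 stands in for both the SSL 3.0 MAC and the TLS record protection, and the key, block size, helper names and sample body are assumptions.

```python
import hashlib, hmac, os

KEY = b"constructed-demo-key"  # constructed sample key
TAG, BLOCK = 32, 16            # HMAC-SHA256 tag size; assumed CBC block size

def mac(data):
    return hmac.new(KEY, data, hashlib.sha256).digest()

def mac_ok(data, tag):
    return hmac.compare_digest(tag, mac(data))

def ssl3_seal(data):
    # SSL 3.0 CBC layout: data || MAC(data) || padding || pad_len.
    # The padding is added after the MAC, so the MAC does not cover it.
    body = data + mac(data)
    pad_len = -(len(body) + 1) % BLOCK
    return body + os.urandom(pad_len) + bytes([pad_len])

def ssl3_open(record):
    body = record[:-1 - record[-1]]  # padding content is never inspected
    return body[:-TAG] if mac_ok(body[:-TAG], body[-TAG:]) else None

def h2_data_frame(stream_id, data, padding):
    # RFC 7540 DATA frame, PADDED flag (0x8): Pad Length || data || padding.
    payload = bytes([len(padding)]) + data + padding
    return (len(payload).to_bytes(3, "big") + bytes([0x0, 0x8])
            + stream_id.to_bytes(4, "big") + payload)

def h2_open(record):
    # Stand-in for the TLS record layer: the whole frame is authenticated
    # first, then the padding is stripped using the Pad Length field.
    frame, tag = record[:-TAG], record[-TAG:]
    if not mac_ok(frame, tag):
        return None
    length, pad_len = int.from_bytes(frame[:3], "big"), frame[9]
    return frame[10:9 + length - pad_len] if pad_len < length else None

def flip(record, index):
    out = bytearray(record)
    out[index] ^= 0xFF
    return bytes(out)

def demo():
    data = b"constructed sample body"
    ssl3 = ssl3_seal(data)
    h2 = h2_data_frame(1, data, bytes(7))
    h2 += mac(h2)
    # Flip the last padding byte of each record, as seen after decryption.
    return ssl3_open(flip(ssl3, -2)), h2_open(flip(h2, -TAG - 1))
```

`demo()` returns the recovered data for the SSL 3.0 record, where the modified padding goes unnoticed, and `None` for the HTTP/2 record, where the same modification fails the integrity check.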