Re: aes128gcm: why verify padding?

On 16 January 2017 at 14:06, Manger, James
<James.H.Manger@team.telstra.com> wrote:
> Improvement 2 is actually much better for this. The "internal" length (padding length) is calculated mod (external length - 2) so it can never be too large.

A better scheme would be to pad with an arbitrary number of zeroes,
then a terminal non-zero value.  That could be at the end, like in
TLS.  It also allows for lower overhead and arbitrary amounts of
padding.

But I'd like to hear whether other people think that this is worth fixing.

Received on Monday, 16 January 2017 07:09:59 UTC
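
An added example, not part of the original message or of any draft text: one reading of the zeros-plus-delimiter scheme proposed above, with the padding at the end of the record as in TLS 1.3 (content, one non-zero octet, then zero octets). The delimiter value 0x01, the function names and the sample inputs are assumptions made for illustration.

```python
# Assumed layout of a decrypted record: data || DELIMITER || 0x00 * pad_len
# Scanning backward from the end passes the zeros, then hits the delimiter.
DELIMITER = 0x01  # assumed value; the message only asks for "non-zero"


def pad(data: bytes, pad_len: int) -> bytes:
    """Append the delimiter and pad_len zero octets (overhead: one octet)."""
    if pad_len < 0:
        raise ValueError("pad_len must be non-negative")
    return data + bytes([DELIMITER]) + bytes(pad_len)


def unpad(record: bytes) -> bytes:
    """Remove padding from a record that has already been decrypted.

    There is no length field to validate against the record size.
    The only malformed cases are a record with no non-zero octet at all
    and a record whose last non-zero octet is not the expected delimiter.
    """
    stripped = record.rstrip(b"\x00")
    if not stripped:
        raise ValueError("no delimiter: record is empty or all zeros")
    if stripped[-1] != DELIMITER:
        raise ValueError("last non-zero octet is not the delimiter")
    return stripped[:-1]


if __name__ == "__main__":
    # Constructed sample inputs.
    for data, n in [(b"hello", 0), (b"ends in zeros\x00\x00", 4), (b"", 70000)]:
        rec = pad(data, n)
        print(len(data), n, len(rec), unpad(rec) == data)
```

Data that itself ends in zero octets survives the round trip because the delimiter sits between the data and the padding, and the amount of padding is not capped by the width of a length field.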