Re: Using AES-CBC decrypt without padding from Ryan Sleevi on 2014-06-23 (public-webcrypto-comments@w3.org from June 2014)

From: Ryan Sleevi <sleevi@google.com>
Date: Mon, 23 Jun 2014 12:51:55 -0700
To: Stefan Ortner <Stefan.Ortner@sophos.com>
Cc: "public-webcrypto-comments@w3.org" <public-webcrypto-comments@w3.org>
Message-ID: <CACvaWvZyn1KqN5N=5TXfe0ZxH395D_+wViDKyzJC+4GFK8o7gA@mail.gmail.com>

On Fri, Jun 20, 2014 at 10:50 PM, Stefan Ortner <Stefan.Ortner@sophos.com>
wrote:

>  There should be an option in AES-CBC to allow decryption without
> enforcing the padding scheme used in encrypt().
>
> It is quite common when encrypting larger files to portion it into smaller
> chunks that are a multiple of AES block length, and saving all the padding
> blocks can produce quite some overhead and is therefore discarded.
>
 Since AES-CBC is quite popular, there is already a lot of encrypted data
> out there that can simply not be decrypted when using WebCrypto API,
> because of the missing padding, or “wrong” padding in the data. So by
> allowing decryption without enforcing the padding, programmers can manually
> handle the padding themselves, if it differs from the padding used
> WebCrypto AES-CBC encrypt().
>
>
>
> Regards,
>
> Stefan
>
> ------------------------------
>
> Sophos GmbH, Leonfeldnerstraẞe 2, 4040 Linz, Österreich
> Firmenbuchnummer: FN 387465 b, Ust.-ID Nr. ATU 65950312 Sitz: Wiesbaden,
> Deutschland
> Firmenbuchgericht: Wiesbaden, Deutschland
>
>
Stefan,

I'm not quite sure I follow your request, so I'd have to ask for more
information.

Can you provide an example of a system that actually implements what you've
described, so we can discuss whether or not it's actually possible today,
without any changes to the API, as I believe it is?

I strongly disagree that allowing 'programmers to manually handle the
padding themselves' is a good idea; one of the motivating concerns for the
development of Web Crypto is the subtlety involved with
timing-relevant/secret-dependent operations. This includes padding checks
(as we've seen with things like Lucky 13), and so the goal has been to
isolate, as much as possible of that, from being something in scope for
programmers using this API.

However, I think you can accomplish this today, and if you're able to
provide more details - including a bit more of description about why you
don't believe it's possible today - then we should be able to have a more
fruitful discussion.

Cheers!

Received on Monday, 23 June 2014 19:52:22 UTC