Encryption padding

Reading the minutes, I thought this comment was important:

    Mike Wray: the more granular you get in encryption, the more
    vulnerable the information becomes to attack. If you use a cipher over
    attribute names you could figure out the length of the attribute name.

Most encryption algorithms roughly preserve the length of the plaintext.
A stream cipher preserves it exactly; a block cipher in a mode like CBC
pads it up to a multiple of the block size, usually 8 or 16 bytes.
Either way the length of the plaintext can be inferred from the length
of the ciphertext, exactly or to within one block.

This would be especially dangerous if you were encrypting enumerated
attributes.  If the permitted values happen to have very different
lengths, an attacker who knows the set of values can read the value off
the ciphertext length alone, and the leakage completely defeats the
encryption.

The same thing could happen to a lesser extent with encrypting the PCDATA
but leaving the tags in the clear.  You might have a lot of short buffers
to encrypt, each of which leaks the length of its plaintext.

Generally the solution needs to be some padding mechanism.  You pad
the plaintext up to some maximum length before encrypting, so that
all plausible plaintexts get encrypted to the same-length ciphertext.
The padding must be distinguishable from the data (for instance by an
explicit length prefix) so that it can be stripped off unambiguously
upon decryption.

The problem is that the information needed to know how much to pad will
generally not be locally available.  It will depend on the application.
In some cases, like the enumerated attributes, the maximum could in
principle be calculated if the encryptor were given the list of permitted
values, but this will not work in general.

Would we consider requiring (or at least allowing) the input to be
prepared by adding attributes to indicate field length?  Users who
anticipated using XML encryption would include attributes (in an xmlenc
namespace) that told how much the maximum length would be for following
character data.  These lengths would then guide the XML encryption
processor in adding necessary padding.

This is less of a concern if you are encrypting relatively large blocks,
such as entire elements with children, text, etc.  It is mostly an
issue if you want to leave tags in the clear but encrypt the character
data fields.

Hal Finney
PGP Security

Received on Thursday, 9 November 2000 21:37:20 UTC
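The leakage described in the message, and the padding-to-a-declared-maximum remedy it proposes, as an added worked example that is not part of Hal Finney's message or of any XML Encryption draft. It encrypts an enumerated status field three ways and compares the resulting ciphertext lengths, then shows a length hint attribute guiding the padding. Assumptions: the cipher is a toy SHA-256 counter-mode keystream used as a length-preserving stand-in for a real cipher (not for production use); the `eh:maxlen` attribute, its namespace `urn:example:xmlenc-length-hint`, and the sample document are all constructed for illustration.

```python
"""Added example: how an enumerated value's length shows through the
ciphertext, and how padding to a declared maximum hides it.  Toy cipher and
hint attribute are assumptions, not from any XML Encryption draft."""
import hashlib
import struct
import xml.etree.ElementTree as ET

BLOCK = 16  # AES block size; CBC with PKCS#7 rounds up to the next multiple


def cbc_ciphertext_len(n, block=BLOCK):
    """Ciphertext length of an n-byte plaintext under CBC with PKCS#7 padding.
    At least one pad byte is always added, so a full block grows by a block."""
    return (n // block + 1) * block


def keystream(key, nonce, n):
    """Toy counter-mode keystream: SHA-256(key || nonce || counter).
    Assumption: illustrative only, so the example runs on the stdlib alone."""
    out = b""
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + struct.pack(">I", ctr)).digest()
        ctr += 1
    return out[:n]


def xor_crypt(key, nonce, data):
    """Stream encryption (and decryption): ciphertext length == plaintext length."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def pad_to_max(pt, max_len):
    """Length-hiding padding: 2-byte big-endian length prefix, the plaintext,
    then zero bytes up to max_len.  Every plaintext of at most max_len bytes
    becomes exactly max_len + 2 bytes, so the ciphertext length is constant.
    The prefix makes stripping unambiguous even if the data ends in zeros."""
    if max_len > 0xFFFF:
        raise ValueError("maximum length does not fit the 2-byte prefix")
    if len(pt) > max_len:
        # Failure mode: truncating would corrupt data and encrypting
        # unpadded would leak the length again, so refuse instead.
        raise ValueError("plaintext exceeds declared maximum length")
    return struct.pack(">H", len(pt)) + pt + b"\x00" * (max_len - len(pt))


def unpad(padded):
    (n,) = struct.unpack(">H", padded[:2])
    return padded[2:2 + n]


def encrypt_fixed(key, nonce, pt, max_len):
    return xor_crypt(key, nonce, pad_to_max(pt, max_len))


def decrypt_fixed(key, nonce, ct):
    return unpad(xor_crypt(key, nonce, ct))


# Assumed hint namespace and attribute (hypothetical; not from any xmlenc draft).
HINT_NS = "urn:example:xmlenc-length-hint"
MAXLEN_ATTR = "{%s}maxlen" % HINT_NS

# Constructed sample: an enumerated status field whose three values differ in
# length; the producer declares the longest value it will ever emit.
SAMPLE = (
    '<claims xmlns:eh="%s">'
    '<status eh:maxlen="40">approved</status>'
    '<status eh:maxlen="40">pending-review</status>'
    '<status eh:maxlen="40">rejected-for-insufficient-documentation</status>'
    '</claims>'
) % HINT_NS


def ciphertext_lengths(key, xml_text):
    """For each <status> element return (stream-cipher length, CBC/PKCS#7
    length, padded-to-maximum length).  Each element gets its own nonce so
    the toy stream cipher never reuses keystream across elements."""
    root = ET.fromstring(xml_text)
    rows = []
    for i, el in enumerate(root.iter("status")):
        pt = el.text.encode("utf-8")
        nonce = struct.pack(">I", i)
        max_len = int(el.get(MAXLEN_ATTR))
        rows.append((len(xor_crypt(key, nonce, pt)),
                     cbc_ciphertext_len(len(pt)),
                     len(encrypt_fixed(key, nonce, pt, max_len))))
    return rows


if __name__ == "__main__":
    key = hashlib.sha256(b"demo key").digest()
    for row in ciphertext_lengths(key, SAMPLE):
        print("stream=%d  cbc=%d  padded=%d" % row)
```

The first two columns distinguish "rejected-for-insufficient-documentation" from the other two values without any key, and the stream-cipher column distinguishes all three; the padded column is the same for every value up to the declared maximum. A value longer than the declared maximum is rejected rather than silently leaking its length, which is the case a producer emitting the hint attribute has to get right.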