- From: <hal@finney.org>
- Date: Mon, 13 Nov 2000 08:58:13 -0800
- To: aaron.j.ferguson@us.pwcglobal.com, hal@finney.org
- Cc: xml-encryption@w3.org
Aaron J. Ferguson writes: > Wow! This is an interesting comment (see below). Until now, I was unaware that > there were ways to infer the length of plaintext from the length of ciphertext. > It is my understanding that the initialization and/or synchronization vector > used in encryption would mitigate the potential for plaintext length inference. > Can you > give me some examples of algorithms that do this because this has me really > curious. The most commonly used ciphers like DES, Blowfish, IDEA and the new AES all are block ciphers with a relatively small block size of 64 bits for the first three and 128 bits for AES. This means that they encrypt data a block at a time. Generally the plaintext will be padded up to be a multiple of the block size, then encrypted. This will make the ciphertext be the size of the plaintext, rounded up to the next multiple of 64 or 128 bits. Other ciphers, like RC4, are stream ciphers, which don't do any padding at all. The ciphertext size in bytes will be the same as the plaintext size. The encryption program PGP uses block ciphers in a mode called cipher feedback (CFB) which makes them work something like stream ciphers in this regard. In CFB mode the output will be the same number of bytes as the input. The initialize vector (IV) for block ciphers is the size of the encryption block (64 or 128 bits). If this is stored with the ciphertext it adds a fixed, known size to that data which does not hide the plaintext size. For stream ciphers the IV or synchronization vector may be larger, but it is typically of known size in that case as well. Hope this helps - Hal Finney PGP Security
Received on Monday, 13 November 2000 11:57:11 UTC