W3C home > Mailing lists > Public > xml-encryption@w3.org > December 2001

Re: What padding do we use?

From: Christian Geuer-Pollmann <geuer-pollmann@nue.et-inf.uni-siegen.de>
Date: Tue, 18 Dec 2001 08:05:41 +0100
To: "Donald E. Eastlake 3rd" <dee3@torque.pothole.com>
Cc: XML Encryption WG <xml-encryption@w3.org>
Message-ID: <3640394136.1008662741@pinkpanther>
Hi Donald,

just for the records, under [1], I found the NISTs "Recommendation for 
Block Cipher Modes of Operation" [2]. There they mention on page 17:


Appendix A: Padding


If the data string to be encrypted does not initially satisfy this 
property, then the formatting of the plaintext must entail an increase in 
the number of bits. A common way to achieve the necessary increase is to 
append some extra bits, called padding, to the trailing end of the data 
string as the last step in the formatting of the plaintext. An example of a 
padding method is to append a single '1' bit to the data string and then to 
pad the resulting string by as few '0' bits, possibly none, as are 
necessary to complete the final block (segment). Other methods may be used; 
in general, the formatting of the plaintext is outside the scope of this 

For the above padding method, the padding bits can be removed 
unambiguously, provided the receiver can determine that the message is 
indeed padded. One way to ensure that the receiver does not mistakenly 
remove bits from an unpadded message is to require the sender to pad every 
message, including messages in which the final block (segment) is already 
complete. For such messages, an entire block (segment) of padding is 
appended. Alternatively, such messages can be sent without padding if, for 
every message, the existence of padding can be reliably inferred, e.g., 
from a message length indicator.


For me, this reads that there will be no fixed padding mechanism for AES 
and we can choose our own (like you already did).


[1] http://csrc.nist.gov/publications/nistpubs/index.html
[2] http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf

--On Freitag, 2. November 2001 09:09 -0500 "Donald E. Eastlake 3rd" 
<dee3@torque.pothole.com> wrote:

> Hi,
> True, this padding is not normative. But it is the only padding given
> for "byte data". The other method suggested is for "bit data", where
> the number of bits is not necessarily a multiple of 8, although it
> would also work for bytes... Since all our stuff and most modern
> cryptography is byte oriented and no one has objected, I plan to
> document the style of padding I describe below.
> It is more or less the same padding as in PKCS#5 which I think is
> quite old and was in PEM (see RFC 1423). The only difference is that
> most of these other descriptions unnecessarily require all the padding
> bytes to have the same value as the final padding count byte.
> Thanks,
> Donald
> From:  "Takeshi Imamura" <IMAMU@jp.ibm.com>
> To:  "Donald E. Eastlake 3rd" <dee3@torque.pothole.com>
> Cc:  Christian Geuer-Pollmann <geuer-pollmann@nue.et-inf.uni-siegen.de>,
>             XML Encryption WG <xml-encryption@w3.org>
> Message-ID:  <OF47AAE325.EF27ACBB-ON49256AF8.001EFDF9@LocalDomain>
> Date:  Fri, 2 Nov 2001 14:59:06 +0900
>> Donald,
>>> FIPS-81, DES Modes of operations, in Appendix C on CBC with byte data
>>> specified that it is to be padded by placing in the last byte of the
>>> last cblock of input data the number of padding bytes (including this
>>> count byte) and filling remaining pad bytes with anything.  I.E., if
>>> there were 5 bytes of data in the last block, these would be left
>>> justified, the bottom byte set to 0x03, and the two bytes between the
>>> data and this "3" byte set to any pad characters. If the data exactly
>>> fills the last block, an additional block is added with 0x08 in the
>>> bottom byte and its remaining 7 bytes filled with any pad character.
>>> Since this seems to be sort of part of the definition of CBC, would
>>> there be any objection to explicitly specifying this for XML ENC?
>> I studied FIPS-81 and found that the padding method you had pointed is
>> given just as an example.  Moreover another padding method is given,
>> which may lead to a misunderstanding.  So I believe that we should
>> specify the padding method explicitly or use standard padding methods
>> like the PKCS#5 padding.
>> Thanks,
>> Takeshi IMAMURA
Received on Tuesday, 18 December 2001 02:02:52 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 23:13:06 UTC