Re: What padding do we use? from Christian Geuer-Pollmann on 2001-10-30 (xml-encryption@w3.org from October 2001)

From: Christian Geuer-Pollmann <geuer-pollmann@nue.et-inf.uni-siegen.de>
Date: Tue, 30 Oct 2001 20:21:49 +0100
To: "Donald E. Eastlake 3rd" <dee3@torque.pothole.com>
Cc: XML Encryption WG <xml-encryption@w3.org>, Joseph Reagle <reagle@w3.org>
Message-id: <3745930018.1004473309@pinkpanther>

Hi Donald,

--On Dienstag, 30. Oktober 2001 12:16 -0500 "Donald E. Eastlake 3rd" 
<dee3@torque.pothole.com> wrote:

>> in [1], I did not find any information about what padding mechanism we
>> use?  PKCS7/PKCS5?
>
> This depends on which algorithm you are talking about.
>
> For TripleDES, and AES, I suppose we should continue to go with
> whatever S/MIME does / will do.

That exactly was my question. Especially, how do we pad "payload" inside an 
xenc:EncryptedData/xenc:CipherData element which is encrypted using 
#tripledes-cbc and #aesXXX-cbc.

In chapter 5.1 Algorithm IDs, we make a distinction between "Block 
encryption" and "Symmetric KeyWrap" algorithms. It's obvious (but not 
stated explicitly if I'm right) that "Block encryption" refers to 
encrypting xenc:EncryptedData and that "Symmetric KeyWrap" is used for 
encrypting xenc:EncryptedKey.

When we use EncryptedData to encrypt arbirary data which is in most cases 
not a multiple of 64 bit, we have to define a padding mechanism for block 
encryption.

But even if we're talking about symmetric key wrap, there is no assurance 
that the wrapped key inside an EncryptedKey is a multiple of 64 bit. If I 
only used algorithms explicitly mentioned in the spec, it's not a problem. 
But we define a syntax for using stream ciphers which do not necessarily 
have a 64x key length, and user-defined block algorithms could be scalable, 
too. So we need padding for KeyWrap, too.

> For key transport, the padding is explicitly given for RSA 1.5. It's
> complicated for RSA-OAEP but is given in the referenced RFC.

Yes, the padding for key transport is defined.

> For Symmetric Key Wrap, the normal case of a TripleDES wrap of a
> TripleDES key or any key that is a multile of 64 bit (i.e., all AES
> keys) needs no padding and one would assume that NSA will define
> appropriate padding for AES wrapping of AES keys. Since a TripleDES
> key is the same size (192 bits) as an allowed AES key, it will
> presumably be possible to AES wrap it like a 192 bit AES key. However,
> I suppose, that we should either restrict TripleDES wrapping to keys
> that are a multiple of 64 bits or say how to pad other lengths. For
> AES, I'd prefer not to change any text until we see the NSA
> recommendation.

See above.

Best regards,
Christian

Received on Tuesday, 30 October 2001 14:19:26 UTC