block encryption algorithm padding from Aleksey Sanin on 2002-04-11 (xml-encryption@w3.org from April 2002)

From: Aleksey Sanin <aleksey@aleksey.com>
Date: Thu, 11 Apr 2002 01:49:20 -0700
To: xml-encryption@w3.org
Message-ID: <3CB54E10.70406@aleksey.com>

In the section 5.2 "Block encryption algorithms" of XML Encryption [1]
the padding is described as follows:

   The padding algorithm is to calculate the smallest non-zero number of
   octets, say N, that must be suffixed to the plain text to bring it up 
to a
   multiple of the block size. We will assume the block size is B octets 
so N is
   in the range of 1 to B. Pad by suffixing the plain text with N-1 
arbitrary pad
   bytes and a final byte whose value is N. On decryption, just take the 
last
   byte and, after sanity checking it, strip that many bytes from the 
end of
   the decrypted cipher text.

   For example, assume an 8 byte block size and plain text of 0x616263 . 
The
   padded plain text would then be 0x616263????????05 where the "??" bytes
   can be any value. Similarly, plain text of 0x2122232425262728 would 
be padded
   to 0x2122232425262728??????????????08.

However, this is different from DES CBC padding described in RFC1423 
[2]:    
   
   The input to the DES CBC encryption process shall be padded to a 
multiple of
   8 octets, in the following manner. Let n be the length in octets of 
the input. Pad
   the input by appending 8-(n mod 8) octets to the end of the message, 
each having
   the value 8-(n mod 8), the number of octets being added. In 
hexadecimal, the
   possible paddings are: 01, 0202, 030303, 04040404, 0505050505, 
060606060606,
   07070707070707, and 0808080808080808. All input is padded with 1 to 8 
octets
   to produce a multiple of 8 octets in length. The padding can be 
removed unambiguously
   after decryption.

The difference is that RFC1423 defines the value of all bytes added to 
the cipher text.
This allows to do slightly better validation in most cases (especially, 
in the last 080808...08 case :) ).

I run into this problem when I've tried to decrypt Merlin's examples. It 
turns out that
the package I am using (OpenSSL) does check *all* padded bytes as it is 
described in RFC.
I thought that this is only OpenSSL specific but quick check showed that 
BSAFE library
does the same.

I suggest to change the XML Enc specification because the current 
padding causes
interoperability problems and it would be better to follow existing 
standards.


[1]  http://www.w3.org/TR/xmlenc-core/#sec-Alg-Block
[2]  http://www.ietf.org/rfc/rfc1423.txt


Aleksey Sanin

XML Security Library
http://www.aleksey.com/xmlsec

Received on Thursday, 11 April 2002 04:50:10 UTC