- From: Aleksey Sanin <aleksey@aleksey.com>
- Date: Thu, 11 Apr 2002 08:49:47 -0700
- To: Donald Eastlake 3rd <dee3@torque.pothole.com>
- Cc: xml-encryption@w3.org
Hi, Donald,

I am not sure I have enough expertise in block cipher attacks, but I have heard nothing about a possible "padding guess" attack, and I have no reason not to trust the smart guys from the OpenSSL, BSAFE and NSS teams.

As far as I can understand, the proposed padding was taken from FIPS-81. But it is described in FIPS-81 only as an example, and it is suggested that other paddings may be used. On the other hand, there is the well-known RFC 1423, and all 3 encryption libraries I've tried (OpenSSL, BSAFE and NSS) follow this RFC. If you assume that the XML Encryption standard will be implemented on top of any of these libraries (and probably some other libraries), then the implementer will have serious problems.

I understand that it's very late in the game, but the proposed standard is not interoperable with well-known existing encryption libraries and an old, well-known RFC.

Aleksey Sanin.

Donald Eastlake 3rd wrote:
> Hi,
>
> I think it is too late to change things.
>
> While using fixed value padding bytes before the counter byte makes for
> better validity checking, it also makes some forms of attack easier due
> to grossly skewing the probability of various types of values for the
> last block. In particular, one out of B messages, on average, has a
> fixed value final block. From that point of view, you want to specify
> that all the padding bytes are to be random except for the bottom n
> of the last byte.
>
> Thanks,
> Donald
Received on Thursday, 11 April 2002 11:50:34 UTC