W3C home > Mailing lists > Public > xml-encryption@w3.org > April 2002

Re: block encryption algorithm padding

From: Joseph Ashwood <ashwood@msn.com>
Date: Mon, 15 Apr 2002 21:19:11 -0700
Message-ID: <00fa01c1e4fd$e03f7b00$6401a8c0@josephas>
To: <xml-encryption@w3.org>

----- Original Message -----
From: "Tom Gindin" <tgindin@us.ibm.com>

>       Why is PKCS#5 padding in CBC mode more dangerous for XML encryption
> than for ordinary binary encryption?

I never said it was. PKCS#5 padding is in most circumstances a poor choice.
There are many compelling reasons to use different padding modes, but I
can't think of any good reason for PKCS padding, except for it's status as
the de facto standard. Since XML is clearly a very different standard from
the others, using a de facto standard without significant reason does not
seem like a concept in keeping with the idea of XML.

If we want to consider other padding/ending modes, there are modes where
that avoid padding completely (i.e. ciphertext-stealing). I don't think that
opening up this discussion again would be a good idea. Having just one
generally suitable padding/ending mode (like the random padding), is IMO the
better idea. To me it comes down to, if the implementer has enough
cryptographic knowledge to determine if a different padding/ending mode is
superior, the implementor also has the knowledge to properly adjust the spec
to meet the specific needs.

The arguments between the two may not be compelling to any one person, but
since the only thing keeping PKCS#5 in use is the inertia, that inertia is
pointless here. The inertia behind the random padding mode is that it's
already been established as viable for XML Encryption, and is already
written into the spec. This already written in inertia is useful, it means
that all the current implementations don't need to be changed, and the
investment in that is useful inertia.
Received on Tuesday, 16 April 2002 00:19:38 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 23:13:08 UTC