RNG for Padding

Leichter, Jerry leichter_jerrold at emc.com
Sat Mar 15 17:56:14 EDT 2008


| Hi,
| 
| This may be out of the remit of the list, if so a pointer to a more
| appropriate forum would be welcome.
| 
| In Applied Crypto, the use of padding for CBC encryption is suggested
| to be met by ending the data block with a 1 and then all 0s to the end
| of the block size.
| 
| Is this not introducing a risk as you are essentially introducing a
| large amount of guessable plaintext into the ciphertext.
| 
| Is it not wiser to use RNG data as the padding, and using some kind of
| embedded packet size header to tell the system what is padding?
It's a requirement of all modern cryptosystems that they be secure
against known-plaintext attacks.  This is for two reasons:

	1.  The state of the art being what it is, it's no
		harder to create a system with decent security
		guarantees (within the limits we have *any* such
		guarantees, of course) with security against
		known-plaintext attacks than without.

	2.  More important:  History has shown that there's
		*always* known plaintext available.  There are
		tons of situations where you know what is being
		sent because you actually have access to the same
		information from other channels (once *everything*
		is encrypted, much of what's encrypted isn't in
		and of itself secret!); other situations where you
		can force the plaintext to some value because, for
		example, you provided it; yet others where you
		don't know for sure, but can make good guesses.
		So the additional security is minor.

	   Note, BTW, that the "1 and then all 0's" padding lets
		a legitimate receiver determine where the data
		ends; random padding doesn't.  So you'd have to
		send the length elsewhere with random padding.
		That length would have a limited number of
		possible values - becoming easily guessable
		plaintext.

							-- Jerry
 
| Thanks for your suggestions,
| 
| Mr Pink
| 
| ---------------------------------------------------------------------
| The Cryptography Mailing List
| Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
| 
| 
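
The two padding layouts compared in this thread, as an added example that is not part of the original message: the "1 and then all 0s" scheme at byte granularity (0x80 followed by 0x00 bytes), next to random filler that needs an explicit length. The 16-byte block size, the function names, and the choice of a trailing length byte for the random variant are assumptions made for illustration.

```python
import os

BLOCK = 16  # assumed block size in bytes; the thread names no cipher


def pad_one_zeros(data: bytes, block: int = BLOCK) -> bytes:
    """Append 0x80 (a 1 bit), then 0x00 bytes up to the block boundary."""
    n = block - (len(data) % block)  # 1..block: at least one byte is always added
    return data + b"\x80" + b"\x00" * (n - 1)


def unpad_one_zeros(padded: bytes, block: int = BLOCK) -> bytes:
    """Strip trailing zeros, then require the 0x80 marker within the last block."""
    if not padded or len(padded) % block:
        raise ValueError("length is not a positive multiple of the block size")
    end = len(padded.rstrip(b"\x00"))
    if end == 0 or padded[end - 1] != 0x80 or len(padded) - end >= block:
        raise ValueError("bad padding")
    return padded[:end - 1]


def pad_random(data: bytes, block: int = BLOCK) -> bytes:
    """Random filler; the final byte carries the padding length (assumed layout)."""
    n = block - (len(data) % block)
    return data + os.urandom(n - 1) + bytes([n])


def unpad_random(padded: bytes, block: int = BLOCK) -> bytes:
    """The receiver cannot find the data end without reading the length byte."""
    if not padded or len(padded) % block:
        raise ValueError("length is not a positive multiple of the block size")
    n = padded[-1]
    if not 1 <= n <= block:  # only `block` possible values: guessable plaintext
        raise ValueError("bad padding length")
    return padded[:-n]


if __name__ == "__main__":
    # Constructed sample messages, including ones that end in 0x00 or 0x80.
    for msg in (b"", b"abc", b"ends in zeros\x00\x00", b"ends\x80\x00", b"A" * 16):
        assert unpad_one_zeros(pad_one_zeros(msg)) == msg
        assert unpad_random(pad_random(msg)) == msg
    print(pad_one_zeros(b"abc").hex())
    print(pad_random(b"abc").hex())
```

Either layout hands an observer predictable bytes at the end of the plaintext: the fixed marker and zeros in one case, a length value between 1 and the block size in the other.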
