RNG for Padding
Leichter, Jerry
leichter_jerrold at emc.com
Sat Mar 15 17:56:14 EDT 2008
| Hi,
|
| This may be out of the remit of the list, if so a pointer to a more
| appropriate forum would be welcome.
|
| In Applied Crypto, the use of padding for CBC encryption is suggested
| to be met by ending the data block with a 1 and then all 0s to the end
| of the block size.
|
| Is this not introducing a risk, as you are essentially introducing a
| large amount of guessable plaintext into the ciphertext?
|
| Is it not wiser to use RNG data as the padding, and use some kind of
| embedded packet size header to tell the system what is padding?
It's a requirement of all modern cryptosystems that they be secure
against known-plaintext attacks. This is for two reasons:
1. The state of the art being what it is, it's no
harder to create a system with decent security
guarantees (within the limits we have *any* such
guarantees, of course) with security against
known-plaintext attacks than without.
2. More important: History has shown that there's
*always* known plaintext available. There are
tons of situations where you know what is being
sent because you actually have access to the same
information from other channels (once *everything*
is encrypted, much of what's encrypted isn't in
and of itself secret!); other situations where you
can force the plaintext to some value because, for
example, you provided it; yet others where you
don't know for sure, but can make good guesses.
So the additional security is minor.
Note, BTW, that the "1 and then all 0's" padding lets
a legitimate receiver determine where the data
ends; random padding doesn't. So you'd have to
send the length elsewhere with random padding.
That length would have a limited number of
possible values - becoming easily guessable
plaintext.
-- Jerry
| Thanks for your suggestions,
|
| Mr Pink
|
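To make the contrast in the reply concrete, here is an added example (not code from the list thread) in Python. It implements the "1 and then all 0's" padding with a self-delimiting marker, the random-padding alternative that needs an explicit length header, and a helper showing how few values that header can take. The 16-byte block size, the 0x80 marker byte and the 2-byte big-endian length header are assumed choices for illustration.

```python
import os

BLOCK = 16  # assumed: a 16-byte (AES-style) cipher block


def pad_one_then_zeros(data: bytes, block: int = BLOCK) -> bytes:
    """The padding the question refers to: a single 1 bit (0x80 in a byte-
    oriented implementation) followed by zero bytes up to the block boundary.
    At least one byte is always appended, so removal stays unambiguous even
    when the data already fills a whole block."""
    pad_len = block - (len(data) % block)
    return data + b"\x80" + b"\x00" * (pad_len - 1)


def unpad_one_then_zeros(padded: bytes) -> bytes:
    """The receiver finds the end of the data by itself: strip trailing
    zeros, then the single 0x80 marker. Rejects input without the marker."""
    stripped = padded.rstrip(b"\x00")
    if not stripped or stripped[-1] != 0x80:
        raise ValueError("invalid 1-then-0s padding")
    return stripped[:-1]


def pad_random_with_length(data: bytes, block: int = BLOCK) -> bytes:
    """The alternative proposed in the question: random filler plus an
    explicit length header (assumed here: 2-byte big-endian prefix).
    The header is the only way the receiver can locate the data end."""
    if len(data) > 0xFFFF:
        raise ValueError("data too long for 2-byte length header")
    body = len(data).to_bytes(2, "big") + data
    pad_len = (-len(body)) % block
    return body + os.urandom(pad_len)


def unpad_random_with_length(padded: bytes) -> bytes:
    """Without the header there is nothing to distinguish data from filler."""
    length = int.from_bytes(padded[:2], "big")
    if 2 + length > len(padded):
        raise ValueError("length header exceeds message")
    return padded[2:2 + length]


def header_candidates(padded_len: int, block: int = BLOCK) -> range:
    """The reply's point: knowing only the padded length, the length header
    can take at most one block's worth of values, so it is itself guessable
    plaintext sitting at a fixed position in every message."""
    hi = padded_len - 2
    return range(max(0, hi - block + 1), hi + 1)
```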
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com