| Hi,
| 
| This may be out of the remit of the list, if so a pointer to a more
| appropriate forum would be welcome.
| 
| In Applied Crypto, the use of padding for CBC encryption is suggested
| to be met by ending the data block with a 1 and then all 0s to the end
| of the block size.
| 
| Is this not introducing a risk as you are essentially introducing a
| large amount of guessable plaintext into the ciphertext.
| 
| Is it not wiser to use RNG data as the padding, and using some kind of
| embedded packet size header to tell the system what is padding?
It's a requirement of all modern cryptosystems that they be secure
against known-plaintext attacks.  This is for two reasons:

        1.  The state of the art being what it is, it's no
                harder to create a system with decent security
                guarantees (within the limits we have *any* such
                guarantees, of course) with security against
                known-plaintext attacks than without.

        2.  More important:  History has shown that there's
                *always* known plaintext available.  There are
                tons of situations where you know what is being
                sent because you actually have access to the same
                information from other channels (once *everything*
                is encrypted, much of what's encrypted isn't in
                and of itself secret!); other situations where you
                can force the plaintext to some value because, for
                example, you provided it; yet others where you
                don't know for sure, but can make good guesses.
                So the additional security is minor.

           Note, BTW, that the "1 and then all 0's" padding lets
                a legitimate receiver determine where the data
                ends; random padding doesn't.  So you'd have to
                send the length elsewhere with random padding.
                That length would have a limited number of
                possible values - becoming easily guessable
                plaintext.

                                                        -- Jerry
 
| Thanks for your suggestions,
| 
| Mr Pink
| 
| ---------------------------------------------------------------------
| The Cryptography Mailing List
| Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
| 
| 
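Added example, not part of the original messages: the "1 and then all 0s" padding from the thread in its byte-oriented form (0x80 followed by 0x00 bytes), next to random padding with the length header the reply says it would need. The 16-byte block size and all function names are assumptions made for the illustration.

```python
import os

BLOCK = 16  # assumed block size in bytes (e.g. AES); the thread names no cipher


def pad_one_zeros(data: bytes, block: int = BLOCK) -> bytes:
    """Append a 1 bit (byte 0x80), then zeros up to the block boundary."""
    fill = block - (len(data) % block)  # 1..block: aligned data gains a full block
    return data + b"\x80" + b"\x00" * (fill - 1)


def unpad_one_zeros(padded: bytes, block: int = BLOCK) -> bytes:
    """Find the end of the data from the padding alone; reject malformed input."""
    if not padded or len(padded) % block:
        raise ValueError("length is not a positive multiple of the block size")
    end = len(padded.rstrip(b"\x00"))  # just past the last non-zero byte
    if end == 0 or padded[end - 1] != 0x80 or len(padded) - end >= block:
        raise ValueError("invalid padding")
    return padded[: end - 1]


def pad_random(data: bytes, block: int = BLOCK) -> bytes:
    """Random fill; a 1-byte header has to carry the fill count (0..block-1)."""
    fill = -(len(data) + 1) % block
    return bytes([fill]) + data + os.urandom(fill)


def unpad_random(padded: bytes, block: int = BLOCK) -> bytes:
    """Without the header, random fill cannot be told apart from data."""
    if not padded or len(padded) % block or padded[0] >= block:
        raise ValueError("invalid length header")
    return padded[1 : len(padded) - padded[0]]


if __name__ == "__main__":
    # Constructed samples: data ending in 0x00 or 0x80, and block-aligned data.
    for msg in (b"", b"abc", b"abc\x80\x00\x00", b"A" * BLOCK):
        assert unpad_one_zeros(pad_one_zeros(msg)) == msg
        assert unpad_random(pad_random(msg)) == msg
        print(len(msg), pad_one_zeros(msg).hex(), pad_random(msg)[0])
```

The header byte of the random variant only ever takes one of 16 values here, which is the "limited number of possible values" the reply points out.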
