> From: owner-openssl-us...@openssl.org On Behalf Of Jakob Bohm
> Sent: Monday, 19 March, 2012 13:25

> On 3/19/2012 5:26 PM, Nicle wrote:
> > Hi all,
> >
> > I can understand if file-size%16 != 0, openssl will pad data.
> >
> > But it will also pad 16 bytes for those file size exactly 16 times.
> >
> The following description says 16, when it should really
> say "the block size of the algorithm <snip>"
>
> OpenSSL is using the same padding rule as specified for
> SSL connections:
>
> Pad with bytes whose value is the number of padding bytes,
> so decryption can see how many bytes to remove to get the
> actual file data without padding.
>

Note TLS uses a slightly modified rule: the padding (N bytes)
and length (1 byte) are defined as separate fields, so
each padding byte AND the count byte contains the count of
the padding bytes not including the count byte!

And TLS allows 'extra' padding -- up to 255 bytes even when
the cipher blocksize doesn't need it. OpenSSL doesn't choose that.

And no padding is required or done for a stream cipher
(pretty much only RC4) or a stream mode (only GCM).

<snip why padding must always be nonempty>

> So the rule is to pad with 1 to 16 bytes, each of which is
> the number of bytes in the padding.
>

That is the rule for PKCS#5 padding, used by default by EVP and
(thus) commandline enc which is apparently the OP's question.

> Of course if you are just using the "openssl enc" command
> line command as a way to access the raw encryption with
> your own padding and security around it, then you can
> just feed it a multiple of 16 bytes, and then throw away
> the 16 bytes of encrypted padding at the end of the result.
>

Or better just specify -nopad. Also on decrypt, where just
adding a guess block wouldn't work well at all, unless you're
implementing the padding oracle attack.

Commandline enc also by default uses password-based with salt,
which adds another 16 bytes (8 label and 8 salt, regardless of
cipher blocksize) to the file.
You can disable that with -nosalt (but then you have to be careful about passphrase reuse) or skip PB entirely with -K and -iv (then you must transmit the IV, either added to the file or along with it).
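
The padding rules discussed in this thread, as an added example that is not part of the original message or of OpenSSL's own code: it puts the PKCS#5-style rule next to the TLS CBC rule and computes the file size to expect from enc with and without the salt header and padding. The function names are hypothetical, and a 16-byte block is assumed as the default.

```python
SALT_MAGIC = b"Salted__"  # the 8-byte label enc writes ahead of the 8-byte salt


def pkcs_pad(data: bytes, block: int = 16) -> bytes:
    """PKCS#5-style rule: append N bytes of value N, with 1 <= N <= block."""
    n = block - len(data) % block  # aligned input gives n == block, never 0
    return data + bytes([n]) * n


def pkcs_unpad(padded: bytes, block: int = 16) -> bytes:
    """Strip the padding, rejecting anything that is not N copies of N."""
    if not padded or len(padded) % block:
        raise ValueError("length is not a positive multiple of the block size")
    n = padded[-1]
    if not 1 <= n <= block or padded[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return padded[:-n]


def tls_cbc_pad(data: bytes, block: int = 16, extra_blocks: int = 0) -> bytes:
    """TLS CBC rule: the padding bytes and the length byte all hold the
    padding length, which does not count the length byte itself."""
    pad_len = (block - (len(data) + 1) % block) % block + extra_blocks * block
    if pad_len > 255:
        raise ValueError("TLS padding length must fit in one byte")
    return data + bytes([pad_len]) * (pad_len + 1)


def enc_output_size(plain_len: int, block: int = 16,
                    salted: bool = True, pad: bool = True) -> int:
    """Expected output size of enc for a block cipher in a padded mode."""
    if pad:
        body = plain_len + (block - plain_len % block)
    elif plain_len % block:
        raise ValueError("-nopad needs input that is a multiple of the block")
    else:
        body = plain_len
    header = len(SALT_MAGIC) + 8 if salted else 0  # label + salt
    return body + header


if __name__ == "__main__":
    msg = b"A" * 16  # constructed sample: exactly one block
    print(pkcs_pad(msg)[16:].hex())     # a full block of 0x10
    print(tls_cbc_pad(msg)[16:].hex())  # 15 padding bytes + count byte, all 0x0f
    print(enc_output_size(32), enc_output_size(32, salted=False),
          enc_output_size(32, salted=False, pad=False))
```
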