Padding has two primary uses in cryptography: ensuring messages are the proper length necessary for certain ciphers (e.g., block ciphers), or providing assurances not built into the core cipher (e.g., semantic security).
4 votes, 1 answer, 34 views
Strength of CBC with Ciphertext Stealing
Is CBC with Ciphertext Stealing (CTS) considerably weaker than CBC with padding such as PKCS7?
I would imagine the most common situation where CTS is necessary would be due to some size constraint of ...
4 votes, 2 answers, 84 views
Can padding length, and thus plaintext length, be considered public information when using aes-cbc?
Right now I'm using a simple padding system that takes the plaintext, hashes it with sha512, and appends x bytes of the hash as padding where x is the delta between the plaintext and nearest blocksize ...
0 votes, 1 answer, 60 views
How is input message for SHA-2 padded?
I read about how an input message is prepared to be hashed by MD4, MD5 or SHA-1:
Step 1: Append padding bits
The input message is "padded" (extended) so that its length (in bits) equals 448 ...
1 vote, 1 answer, 98 views
RSA padding: what is it and how does that work?
If I am not mistaken, plaintext RSA is not secure. So, I have read that padding and hashing are needed to make the RSA algorithm secure. However, I am confused about what padding or armoring means in ...
3 votes, 1 answer, 219 views
What is the difference between PKCS#5 padding and PKCS#7 padding?
One runtime platform provides an API that supplies PKCS#5 padding for block cipher modes such as ECB and CBC. These modes have been defined for the triple DES, AES and Blowfish block ciphers. The ...
2 votes, 2 answers, 118 views
How to pad messages with a large amount of padding
I'm playing around with an application for secure email-like communication and I want to perform length-hiding padding on the plaintext messages so they always have a consistent size before encrypting ...
2 votes, 1 answer, 130 views
How does OAEP improve the security of RSA?
The heart of the OAEP algorithm used for RSA encryption is the pair of cryptographic hash functions $H$ and $G$.
Does everybody (so also an adversary) know these functions?
If YES: How does it help the ...
1 vote, 0 answers, 76 views
Is OAEP reversible?
Given nothing more than some integer $m =$ OAEP($M$), is it possible to recover the original plaintext $M$? In other words, without being given the hash functions or the random string used for ...
2 votes, 2 answers, 139 views
Chain several RSA encryptions without increasing the message size
I would like to be able to encrypt the output of RSA with RSA again without having the output grow in size over time.
In other words, I have some data $D_0$ which I want to encrypt with RSA: $D_1 = ...
0 votes, 1 answer, 111 views
Is there an efficient way to hide the encrypted plaintext length with a block cipher?
In block cipher modes of operation for encryption, on input of a plaintext of $N$ blocks (we assume that the input size is always a multiple of the block cipher mode: $N \cdot 16$ bytes), the size of the ...
1 vote, 1 answer, 90 views
Padding always the same, problem or not?
I need to transmit long encrypted messages to a smartcard over a limited-capacity link, so I need to fragment the messages somewhere before sending them.
My problem is that I split the message into ...
2 votes, 2 answers, 186 views
Is storing original file size in an encrypted file header a bad idea?
I'm encrypting a file using AES-256 in CBC mode. I'm padding to the 16-byte input multiple by using the PKCS#7 limit. The problem I'm currently having is that if I'm transferring or reading the ...
4 votes, 2 answers, 145 views
Implementing PKCS#7 Padding on a Stream of Unknown Length?
I have a fairly simple Python program using PyCrypto to use AES+CBC to encrypt a stream of input. In order to adhere to the 16-byte input size multiple, I've implemented PKCS#7 by hand. (While I know ...
1 vote, 2 answers, 120 views
Is semantic security important in a hybrid cryptosystem?
RSA doesn't provide semantic security when used unmodified, and neither does the commonly used PKCS#1 v.1.5 padding scheme for encryption.
Is this a problem for hybrid cryptosystems at all?
My ...
2 votes, 1 answer, 51 views
Padding in PMAC
How does padding in PMAC work? I have been told two stories: Firstly, I have been told that it works similar to CMAC padding, and secondly, I have been told that it does not need padding.
I find the ...
4 votes, 2 answers, 249 views
RSA blind signatures in practice
Hi, I have a problem with moving my blind signature implementation from the educational (textbook RSA) to the more practical (padded RSA) side.
David Chaum's paper gives the following figure:
$r$ - blinding ...
0 votes, 2 answers, 110 views
Is this how padding can work?
So for block ciphers you need a fixed size block.
If the plaintext length is not a multiple of the block length then you need to pad it.
One way you could do this is that for the last block you just ...
1 vote, 2 answers, 273 views
AES key padding
Is the initial AES key (expanded to the key schedule) byte padded if less than e.g. 16 bytes?
Is there a safe way of determining if decryption was successful (i.e. used the correct key)?
5 votes, 2 answers, 167 views
Why does OAEP have 2 rounds with 2 random oracles?
I am striving to understand why OAEP has two rounds of computation and not just one. I.e.: wouldn't it be safe to hash the random number r and XOR it with the original message? What security risks if ...
0 votes, 0 answers, 50 views
Why are these specific values used to initialize ipad & opad in HMAC? [duplicate]
Possible Duplicate:
What do the magic numbers 0x5c and 0x36 in the opad/ipad calc in HMAC do?
I'm reading the book Network Security Essentials written by William Stallings.
In this book, in ...
1 vote, 0 answers, 74 views
Why do we always append padding bits in SHA-512? [duplicate]
Possible Duplicate:
In the SHA hash algorithm, why is the message always padded?
I'm reading the book Network Security Essentials written by William Stallings.
To create a message digest ...
1 vote, 1 answer, 138 views
How is block cipher padding verified for consistency?
Under what circumstances is a decryption routine able to tell that the padding of a message is invalid? If a ciphertext block were to be randomly modified, what is the probability that the padding ...
2 votes, 4 answers, 1k views
Why is padding used for RSA encryption given that it is not a block cipher?
In AES we use some padded bytes at the end of the message to fit 128/256 byte blocks. But as RSA is not a block cipher, why is padding used? Can the message size be any byte length (is the encrypting agent ...
2 votes, 1 answer, 131 views
Why does .NET's ECB mode implementation append a constant block to my ciphertext?
Consider the following code and output:
...
4 votes, 1 answer, 516 views
How to securely use Elgamal encryption in libgcrypt?
How secure is libgcrypt's Elgamal implementation of encryption (how different is it from textbook Elgamal), and how can I tweak padding and other preprocessing actions?
For example, I know that using ...
4 votes, 1 answer, 654 views
Padding methods for block ciphers - PKCS7 vs ANSI X.923
I was looking through block cipher padding methods, and found two good candidates:
ANSI X.923 - pad with zeros, then a final byte for the padding length, e.g. ...
2 votes, 3 answers, 523 views
Hash function in PBKDF2
From this excellent answer I learned (correct me if I am wrong) that when writing a block cipher with say key size 128 bit, one has to pad the password given (variable size) so that it becomes exactly ...
0 votes, 1 answer, 544 views
Removing Padded Value in Decrypted Message
How do I remove the padded value in a decrypted message?
I am using the AES algorithm.
Example: this is the decrypted message:
"abcdefghijklmn "
There are 2 spaces in that decrypted message, which is equivalent ...
6 votes, 3 answers, 1k views
In the SHA hash algorithm, why is the message always padded?
In the SHA hash algorithm the message is always padded, even if initially the correct length without padding; the padding is of the form "1" followed by the necessary number of 0s.
Why is it ...
5 votes, 3 answers, 501 views
Is RSA padding needed for single recipient, one-time, unique random message?
I want a way to encrypt files using this process: http://crypto.stackexchange.com/a/15 . That is: generate a random password, use that to AES-encrypt a file, and use an RSA public key to encrypt the ...
6 votes, 1 answer, 415 views
RSA-OAEP Input Parameters
When creating padding for RSA using OAEP, a message is prepared as follows:
Hash(Input Parameter) || Zeros || 1 || Message
My question is, what should the Input ...
6 votes, 1 answer, 471 views
Why was ISO10126 Padding Withdrawn?
Wikipedia mentions ISO10126 Padding has been withdrawn, but doesn't say why. Also there were no news reports about this, as far as I can see.
Why was it withdrawn? Are there security flaws? Is there ...
6 votes, 2 answers, 281 views
What is the key strength reduction when encrypting only 160 bits of data using RSA1024 for signatures?
I am attempting to determine the strength of an incorrectly implemented 1024 bit RSA signature scheme. The weakness in the implementation is that the padding data lacks random numbers. As a result, ...
4 votes, 2 answers, 344 views
Does RSA padding have to be unpredictable if the payload is?
I'm trying to understand the precise requirements on padding when using RSA for encryption.
Suppose Alice uses RSA to encrypt a payload $M$ that cannot be guessed (say, a random nonce): Alice sends ...
2 votes, 1 answer, 499 views
Is RSA of a random nonce with no padding safe?
Consider the following protocol: Bob has a private RSA key $B_{priv}$, and Alice knows the public key $B_{pub}$. Alice wants to send confidential messages to Bob (no integrity intended). To send a ...
10 votes, 1 answer, 3k views
How to choose a padding mode with AES
Depending on the framework you are using, there are various padding modes that can be used with AES encryption. For example, with .NET we can choose PKCS7, ISO10126, ANSIX923, Zeros or None.
I ...
10 votes, 3 answers, 625 views
Why does the padding in MD5 contain the message length?
I understand the need for padding in MD5. But why do we append the message length to the padding?
I heard it strengthens the hash but how?
Please provide an example if possible and how it applies to ...