Cryptography Asked on October 24, 2021
Of course, padding is superfluous when AES with CBC is used if you know that the plaintext length is a multiple of the block size.
But does the padding precipitate a weakness in the encryption?
Because due to the padding at a block length of 16 bytes, you always have the last block containing just 0x10. So, to my understanding, this is "known-plaintext".
Can this be exploited in real life (today)? Or is this just a theoretical problem (today)?
This answer makes it sound like it’s no problem.
If the cipher can’t resist a known plaintext attack then the problem
is with the cipher, not the padding.
But is this true for AES-256?
But does the padding precipitate a weakness in the encryption?
If padding oracle exist then you can decrypt the entire ciphertext in 128 tries per byte (on average). However, similar plaintext oracle attacks may be about as strong, and plaintext oracles are not just about CBC mode either. You will need to use an authenticated cipher (such as AES-GCM) to avoid plaintext oracle attacks.
Otherwise the answer is right, it doesn't weaken the encryption. Good ciphers should be even IND-CPA secure, which means that they are secure even if the adversary controls the plaintext.
And yes, padding may hide some information about the plaintext size, but you should not overestimate the security that this provide. Attackers may for instance try and make you put the plaintext on a block boundary, getting back precision when it comes to plaintext size estimates.
But is this true for AES-256?
AES is a block cipher; padding only applies to the specific mode in which the cipher is used. And in such a sense, it is more an issue for the mode of operation than the cipher. AES-256 is certainly considered a secure block cipher, so the trick is to use it using the correct mode. Generally a cipher mode that doesn't require padding such as the aforementioned GCM mode (which in turn is based on CTR mode) should be preferred.
Actually, only a few modes such as CBC (and the barely mentioned PCBC) and ECB require padding. They are not used too much anymore for new systems by modern cryptographers.
Answered by Maarten Bodewes on October 24, 2021
Get help from others!
Recent Answers
Recent Questions
© 2024 TransWikia.com. All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP