开发者

Revealing the length of the plain-text?

开发者 https://www.devze.com 2022-12-15 01:18 出处:网络
If I have just encrypted some plain-text into cipher-text with CBC and Rijndael, is it insecure to tell the world开发者_如何学Python that the original plain-text had a length of x bytes? It seems that

If I have just encrypted some plain-text into cipher-text with CBC and Rijndael, is it insecure to tell the world开发者_如何学Python that the original plain-text had a length of x bytes? It seems that it's always the same as the length of the cipher-text, so, I think it does not matter, but are there some block modes or ciphers where it does matter?


You should use the PKCS5 padding scheme. This scheme always pads with extra information, including the number of extra bytes that have been added. Upon decryption, the last block is examined to see how many bytes should be discarded.

Information about the length of the original message is hard to suppress. Even with padding to block size, you can deduce that the original message is either n, n-1, n-2, ..., or n-blocksize+1 bytes in length. Most crypto protocols make little or no effort to hide the plaintext length.


The length of the output is not always the same. However, if the lengths of the plain-text are similar, the length of the cipher text can be the same due to padding (Rijndael/AES is a block cipher) http://en.wikipedia.org/wiki/Padding_(cryptography)

And it is weakens your security if you tell the world the length of the plaintext, so unless there is a very good reason, i would advice against it.

Also take a look at how CBC works:

http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation#Cipher-block_chaining_.28CBC.29


The plain text is not typically the same length as the cipher text. The plain text is padded before encryption. If you are sending one of two different messages 'Yes' or 'No' then sending the original length is probably not a good idea. If all your messages are of the same length then it's OK to publish that length.


Rijndael is a block cipher, so the plain-text will be padded to a complete block. (This might be hidden by your encryption layer).

So the encrypted message text length will be indicative of the plain text length.

If you are leaking information by the message length, then you will have to do your own padding. Indeed the sending of a message might leak information, so you'll need to send no-op messages when you don't have anything to send.

0

精彩评论

暂无评论...
验证码 换一张
取 消