I currently implement the AES(128,192,256)(ECB,CBC). Does the type of padding affect security?
I just want to fill the blocks with null bytes.
You cannot fill the remaining blocks with the null bytes unless
In general, the padding must be unambiguous.
10..0 padding can be fine.
if data is
now the data is
if you use
10..0 then with the data
it will be clear that the data is
You can use PKCS#7 padding for ECB and CBC mode. PKCS#7 supports block sizes larger than the 64-bit block, up to 255. The previous one, PKCS#5 padding, only had support up to a 64-bit block size, which was fine for DES.
In PKCS#7 padding, the remaining bytes count is padded as a byte value. For example (here consider the integers as bytes, like 1 = 0x01):

```
123456789ABCDEF1
123456789ABCDE22
123456789ABCD333
```
Then the removal of the padding bytes results in

```
123456789ABCDEF
123456789ABCDE
123456789ABCD
```
If the last block is full, an additional block is filled with padding:

```
0123456789ABCDEF
```

the next block is full of `1F`s.
CBC padding Oracle attack
For CBC mode operation, if a padding oracle is applicable, then the server can act like a decryption oracle. This attack was first published academically in 2002 by Serge Vaudenay. Although the servers are patched, there are attacks based on downgrades, like Lucky13 and POODLE. Keep your servers on the secure level! TLS 1.3 has huge clean-ups and it has no more CBC mode of operation. The TLS 1.3 encryption modes with their IDs:
One can see how padding oracle attacks work in these answers, and remember that, if applicable, the attacker can decrypt all of the message, not only the padded part.
Don't use ECB, which is insecure and leaks patterns; it is not a probabilistic encryption and is not even secure against KPA attacks on multi-block messages. Some don't even call it a mode of operation.
All of the above modes are also called archaic modes of operation, and they can have at most CPA. In modern cryptography, we use and suggest using Authenticated Encryption (AE) (AEAD: AE with associated data) modes like AES-GCM and ChaCha20-Poly1305, which can have IND-CCA2. These will provide you Confidentiality, Integrity, and Authentication, all in one. And remember, never use a key-IV pair again in these modes. If you want to leak only that the same message is sent, nothing more, then use a misuse-resistant mode like SIV. AES-GCM-SIV will be the future.
There is a new mode
Daence: Salsa20 and ChaCha in Deterministic Authenticated Encryption with no noNCEnse as of 2020 by Taylor R Campbell
We present Daence, a deterministic authenticated cipher based on a pseudorandom function family and a universal hash family, similar to SIV. We recommend instances with Salsa20 or ChaCha, and Poly1305, for high performance, high security, and easy deployment.
This mode uses the Associated Data (AD) to eliminate this case: even if the same message is sent under the same key-IV pair, if the AD is different then the ciphertext messages will be different, up to some probability.
Answered by kelalaka on December 31, 2020
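As an added example (not part of the answer above, and not from any library), here is a pure-Python padding layer that shows the two points made in the answer: zero-byte padding cannot be stripped reliably once the plaintext itself ends in `0x00`, while 10..0 and PKCS#7 padding are always unambiguous, including the full-block case where PKCS#7 appends a whole extra block. Only the padding layer is shown, no cipher; the function names (`pkcs7_pad`, `unpad_10`, `zero_padding_is_ambiguous`, ...) are my own, and the sample inputs reuse the hex strings from the answer.

```python
"""Unambiguous padding for block ciphers (PKCS#7 and 10..0) versus
zero-byte padding, which cannot be reversed reliably.
Constructed example: only the padding layer, no cipher involved."""

BLOCK = 16  # AES block size in bytes; PKCS#7 allows block sizes 1..255


def pkcs7_pad(data: bytes, block: int = BLOCK) -> bytes:
    """Append n bytes of value n, where 1 <= n <= block.
    A plaintext that already fills the last block gets a whole extra
    block of padding, so the receiver can always strip it."""
    if not 1 <= block <= 255:
        raise ValueError("PKCS#7 block size must be 1..255")
    n = block - (len(data) % block)
    return data + bytes([n]) * n


def pkcs7_unpad(padded: bytes, block: int = BLOCK) -> bytes:
    """Strip and verify PKCS#7 padding. Every pad byte is checked and a
    single generic error is raised, so the caller learns nothing about
    *which* byte failed (the kind of detail a padding oracle leaks)."""
    if not padded or len(padded) % block:
        raise ValueError("bad padding")
    n = padded[-1]
    if not 1 <= n <= block:
        raise ValueError("bad padding")
    # compare the whole tail at once instead of stopping at the first mismatch
    if padded[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return padded[:-n]


def is_valid_pkcs7(padded: bytes, block: int = BLOCK) -> bool:
    """Boolean wrapper around pkcs7_unpad for callers that only need yes/no."""
    try:
        pkcs7_unpad(padded, block)
        return True
    except ValueError:
        return False


def pad_10(data: bytes, block: int = BLOCK) -> bytes:
    """'10..0' padding: one 0x80 byte (bit pattern 1000 0000), then zeros
    up to the block boundary; a full last block gets an extra block."""
    n = block - (len(data) % block)
    return data + b"\x80" + b"\x00" * (n - 1)


def unpad_10(padded: bytes, block: int = BLOCK) -> bytes:
    """Strip 10..0 padding: drop trailing zeros, then the mandatory 0x80.
    Zeros belonging to the plaintext sit *before* the 0x80, so they survive."""
    if not padded or len(padded) % block:
        raise ValueError("bad padding")
    stripped = padded.rstrip(b"\x00")
    if not stripped or stripped[-1] != 0x80:
        raise ValueError("bad padding")
    return stripped[:-1]


def pad_zero(data: bytes, block: int = BLOCK) -> bytes:
    """Zero-byte padding as proposed in the question: reversible only if the
    plaintext is guaranteed never to end in 0x00."""
    n = (-len(data)) % block
    return data + b"\x00" * n


def unpad_zero(padded: bytes) -> bytes:
    """The only possible 'unpad' for zero padding: strip all trailing zeros."""
    return padded.rstrip(b"\x00")


def zero_padding_is_ambiguous(data: bytes, block: int = BLOCK) -> bool:
    """True when zero-pad followed by zero-unpad does not give `data` back,
    i.e. when the receiver would silently lose plaintext bytes."""
    return unpad_zero(pad_zero(data, block)) != data
```

Running `zero_padding_is_ambiguous(b"abc\x00")` returns `True` while the same input round-trips through `pad_10`/`unpad_10` and `pkcs7_pad`/`pkcs7_unpad` unchanged, which is the whole argument for an unambiguous scheme. In a CBC implementation the `ValueError` from `pkcs7_unpad` must not be distinguishable (by error message, status code or timing) from an authentication failure; with an AEAD mode such as AES-GCM this padding layer is not needed at all.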