Currently my padding is adding a string of random characters
$ l(N)/3 - (l(M) + 1) $
Long and just adding it to the messages, is this sufficient?
$l(x)$ = length of a variable
Asked
Active
Viewed 1,654 times
1 Answers
3
As you are asking about the "best" way to pad, the answer is OAEP for Encryption and PSS for signatures. They are well understood, widely used, and considered secure. They also give you some neat additional properties that your system does not achieve, like preventing partial decryptions and making the message "look random" in the case of OAEP.
If you are actually planning to implement your padding scheme in a production system, the short version is: please don't. Instead, use a standard padding mode like OAEP and an implementation that is used by many people and well understood, and you will avoid a lot of pain and potential security holes.
If this is just a question from curiosity, my questions to you would be:
- As @Gilles asked, do you want to encrypt or sign?
- As @Maarten Bodewes asked, how did you arrive at this scheme? Where do the magic values come from?
- How do you detect where the message ends and the padding starts, so you can distinguish between the two after decryption / when verifying the signature?
- How do you make sure that the padding is valid after decryption? Padding should be predictable, as that can give you another indicator if the message has been tampered with.
For more information on padding schemes, see, for example, this question and answer. Also, this question has some additional pointers on how to go about designing and publishing a cipher, which in part apply to the case of designing a padding scheme.
malexmave
- 1,461
- 2
- 14
- 26