1

Is there any consensus (i.e. are there any research results) on the benefits and drawbacks of various padding schemes?

Generally there seem to be two kinds of them:

  • random paddings, like ISO10126 that pad with random data
  • fixed paddings, like PKCS5/7 and X.923 that pad with 0s or some fixed pattern

Is there any reason to prefer one over the other?

In another question of mine it was mentioned that random paddings may be susceptible to subliminal messages, but that answer doesn't cover paddings in general.

Dexter

2 Answers

2

In general we nowadays use fixed paddings or a stream mode of operation such as CTR.

Authentication tags are usually used to validate integrity/authenticity. Examples of authentication tags are those created by calculating a MAC or HMAC over the ciphertext and additional data such as the IV. In general known plaintext - including the padding - should not be used to validate integrity/authenticity.

Authenticated ciphers combine a mode of operation and authentication scheme using the same key. Many of them apply CTR mode encryption instead of a mode that requires (internal) padding.

If padding is required, then PKCS#7 padding should be preferred as it seems to be the ad-hoc standard within the defined standards. Basically you should not tie any security claims to the padding though (except possibly the one that subliminal channels are not possible in your particular protocol).

Maarten Bodewes
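The following is an added example, not code from either answer: it implements the three paddings named in the question and shows what an unpadding check can and cannot detect, next to an HMAC tag over IV and ciphertext as the answer above recommends. Encryption is left out, so the tampered bytes are padded plaintext standing in for ciphertext; the function names and the 16-byte block size are this example's own assumptions.

```python
import hashlib
import hmac
import os

BLOCK = 16  # block size in bytes (AES-sized; an assumption of this example)

def pad(data, scheme):
    n = BLOCK - len(data) % BLOCK            # 1..BLOCK bytes are always added
    filler = {"pkcs7": bytes([n]) * (n - 1),     # every byte equals the length
              "x923": bytes(n - 1),              # zero bytes
              "iso10126": os.urandom(n - 1)}[scheme]  # random bytes
    return data + filler + bytes([n])        # all three end with the pad length

def unpad(padded, scheme):
    if not padded or len(padded) % BLOCK:
        raise ValueError("not a whole number of blocks")
    n = padded[-1]
    if not 1 <= n <= BLOCK:
        raise ValueError("bad pad length")
    filler = padded[-n:-1]
    if scheme == "pkcs7" and filler != bytes([n]) * (n - 1):
        raise ValueError("bad PKCS#7 filler")
    if scheme == "x923" and any(filler):
        raise ValueError("bad X.923 filler")
    # iso10126: the filler is random by design, so nothing can be checked;
    # those bytes are free for a sender to fill (the subliminal channel).
    return padded[:-n]

def flip(buf, index):
    """Return buf with the lowest bit of one byte flipped (simulated tampering)."""
    out = bytearray(buf)
    out[index] ^= 0x01
    return bytes(out)

def accepts(padded, scheme):
    try:
        unpad(padded, scheme)
        return True
    except ValueError:
        return False

def tag(key, iv, ciphertext):
    """Encrypt-then-MAC style tag: HMAC-SHA256 over IV || ciphertext."""
    return hmac.new(key, iv + ciphertext, hashlib.sha256).digest()

def verify(key, iv, ciphertext, received_tag):
    return hmac.compare_digest(tag(key, iv, ciphertext), received_tag)

if __name__ == "__main__":
    for s in ("pkcs7", "x923", "iso10126"):
        p = pad(b"pay 100 EUR", s)           # constructed sample message
        print(s, "filler flip accepted:", accepts(flip(p, 12), s),
              "| message flip yields:", unpad(flip(p, 4), s))
```

A flipped message byte passes the unpadding check in all three schemes, while the tag check rejects any change to the IV or the bytes it covers.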
0

Fixed paddings are vulnerable to known plaintext attacks. If the attacker knows that certain plaintext values are always the same then they could perform such an attack.

Random paddings do not lead to such an attack.

Uwe Plonus