Questions tagged [padding]

Padding has two primary uses in cryptography: ensuring messages are the proper length necessary for certain ciphers (e.g., block ciphers), or providing assurances not built into the core cipher (e.g., semantic security).

Padding has two primary uses in cryptography, one for symmetric-key cryptography and one for public-key cryptography. In block ciphers, a kind of symmetric-key algorithm, the message length must equal the block length (or a multiple of the block length when a cryptographic mode of operation is used), so padding is added to the message to ensure this property. In public-key cryptography, padding is used to enhance an algorithm's resistance to certain attacks. For example, padding used in RSA makes RSA semantically secure.

330 questions

101 votes, 1 answer

What is the difference between PKCS#5 padding and PKCS#7 padding

One runtime platform provides an API that supplies PKCS#5 padding for block cipher modes such as ECB and CBC. These modes have been defined for the triple DES, AES and Blowfish block ciphers. The other platform API only provides PKCS#7 padding. Are…
Maarten Bodewes

61 votes, 2 answers

Understanding the length extension attack

I have been trying to understand exactly how a length extension attack works on SHA-1. I'll detail below what I've understood so far so that I can convey my understanding of the same and hopefully get advice on where I'm going wrong. Let's assume…
user114

55 votes, 2 answers

What security authorities and standards reject $e=3$ in RSA, when, and with what rationale?

In RSA, some security authorities and/or standards allow the public exponent $e=3$, others require or recommend $e>2^{16}$ (or perhaps some other minimum). I gathered the following: PKCS#1 allows $e=3$ for both RSA digital signature and encryption…
fgrieu

35 votes, 5 answers

Why is padding used for RSA encryption given that it is not a block cipher?

In AES we use some padded bytes at end of message to fit 128/256 byte blocks. But as RSA is not a block cipher why is padding used? Can the message size be any byte length (is the encrypting agent free to choose) or must it be a certain byte…
mario

30 votes, 2 answers

Which attacks are possible against raw/textbook RSA?

The PKCS#1 standard defines multiple padding schemes for signature generation/verification (EMSA-PSS and EMSA-PKCS1-v1_5), and encryption/decryption (EME-OAEP and the less safe EME-PKCS1-v1_5). Which attacks are possible on signature…
Maarten Bodewes

24 votes, 3 answers

Why does the padding in Merkle–Damgård hash functions like MD5 contain the message length?

I understand the need for padding in MD5 and other hash algorithms such as SHA-1, SHA-256, SHA-384 and SHA-512. But why do we append the message length to the padding? I heard it strengthens the hash but how? Please provide an example if possible…
Ibrahim Najjar

21 votes, 1 answer

How to choose a padding mode with AES

Depending on the framework you are using, there are various padding modes that can be used with AES encryption. For example, with .NET we can choose PKCS7, ISO10126, ANSIX923, Zeros or None. I understand that the encryptor and decryptor need to use…
Cocowalla

16 votes, 0 answers

Name of an archaic type of RSA padding (0BBBBBBB...)

In some legacy code, I encountered RSA signature padding in the following format (hexadecimal): 0B BB BB BB BB BB BB ... BB BB Is there a name for this simple type of RSA padding? I would think that the original developers got this design…
Myria

15 votes, 2 answers

Attacking RSA signature verification that ignores padding

I am looking at an RSA signature verification that is quite obviously flawed and am wondering if there's a way to exploit that flaw in practice. Signature is generated using RSA with PKCS 1.5 padding, i.e. $S = M^d \mod N$, where $M$ is a padded…
Andrey

15 votes, 1 answer

Why was ISO10126 Padding Withdrawn?

Wikipedia mentions ISO10126 Padding has been withdrawn, but doesn't say why. Also there were no news reports about this, as far as I can see. Why was it withdrawn? Are there security flaws? Is there maybe a new version?
Dexter

13 votes, 3 answers

In the SHA hash algorithm, why is the message always padded?

In the SHA hash algorithm the message is always padded, even if initially the correct length without padding; the padding is of the form "1" followed by the necessary number of 0s. Why is it necessary that the message always be padded?
hihello4

13 votes, 3 answers

Is RSA padding needed for single recipient, one-time, unique random message?

I want a way to encrypt files using this process: https://crypto.stackexchange.com/a/15 . That is: generate a random password, use that to AES-encrypt a file, and use an RSA public key to encrypt the random password. I can arrange for the password…
jrgray

12 votes, 1 answer

If RSA is only used to encrypt symmetric keys which are random, what's wrong with textbook RSA?

As far as I know, IND-CPA is used to protect against frequency analysis. But if RSA is only used to encrypt symmetric keys, what's wrong with using only textbook RSA because random keys are very unlikely to repeat?
wlad

11 votes, 2 answers

Random data CBC padding scheme?

When using AES in CBC mode, padding is required when the last plaintext block does not have the length required by the cipher. Let's say $k$ more bytes would be required to fill the block. My idea was to pad the last block with $k-1$ random bytes followed…
HerpDerpington

10 votes, 0 answers

Are there attacks against broken RSA signature pad checking with $e = 65537$?

Let's say that an RSA implementation of PKCS #1 signatures fails to validate that the 00 01 FF FF FF ... FF 00 portion of the decrypted signature is exactly as long as needed to fill up the signature block entirely when appended with the hash…
Myria