0

Currently my padding is adding a string of random characters

$ l(N)/3 - (l(M) + 1) $

Long and just adding it to the messages, is this sufficient?

$l(x)$ = length of a variable

Maarten Bodewes
  • 92,551
  • 13
  • 161
  • 313
AppIns
  • 103
  • 1
  • 8
  • Are your messages fixed-length? ​ ​ –  Mar 20 '16 at 10:13
  • 1
    Are you signing or encrypting? Why aren't you using the standard methods (PSS or OAEP)? – Gilles 'SO- stop being evil' Mar 20 '16 at 10:38
  • Why the division by three? Why the addition with 1? How do you detect the message boundaries? Do you have knowledge of the message length outside of the RSA calculation itself? What is your minimal padding size? – Maarten Bodewes Mar 20 '16 at 11:11
  • IMO padding is a dubious approach in the first place. For encryption just use a random value uniformly distributed between 0 and n-1 and derive a key suitable for symmetric authenticated encryption from it via hashing (e.g. using HKDF) (known as RSA-KEM). For signing simply use a hash with an output as big as the modulus (Full-Domain-Hash FDH). – CodesInChaos Mar 21 '16 at 17:09

1 Answers1

3

As you are asking about the "best" way to pad, the answer is OAEP for Encryption and PSS for signatures. They are well understood, widely used, and considered secure. They also give you some neat additional properties that your system does not achieve, like preventing partial decryptions and making the message "look random" in the case of OAEP.

If you are actually planning to implement your padding scheme in a production system, the short version is: please don't. Instead, use a standard padding mode like OAEP and an implementation that is used by many people and well understood, and you will avoid a lot of pain and potential security holes.

If this is just a question from curiosity, my questions to you would be:

  • As @Gilles asked, do you want to encrypt or sign?
  • As @Maarten Bodewes asked, how did you arrive at this scheme? Where do the magic values come from?
  • How do you detect where the message ends and the padding starts, so you can distinguish between the two after decryption / when verifying the signature?
  • How do you make sure that the padding is valid after decryption? Padding should be predictable, as that can give you another indicator if the message has been tampered with.

For more information on padding schemes, see, for example, this question and answer. Also, this question has some additional pointers on how to go about designing and publishing a cipher, which in part apply to the case of designing a padding scheme.

malexmave
  • 1,430
  • 2
  • 14
  • 26