Is there a standardized padding scheme which is prefix instead of postfix and that uses random bytes except for the first byte which would be the length of the padding?
- universal padding – fgrieu Oct 13 '15 at 09:42
- Can't you apply a generic standard padding just to the front (like PKCS#7)? – SEJPM Oct 13 '15 at 12:18
- Why would you want to use such a padding? – CodesInChaos Oct 13 '15 at 12:48
- @CodesInChaos to make it hard for people to guess what was used to pad the message. – daruma Oct 13 '15 at 13:32
- @UnixJunkie And why is that useful? I don't see the point, assuming you're using semantically secure encryption. It sounds a bit like you're trying to shoehorn the padding into the role of an IV. – CodesInChaos Oct 13 '15 at 13:34
- @CodesInChaos I don't assume anything. ;) – daruma Oct 13 '15 at 13:36
- You could use ISO10126 in reverse. But I doubt anybody standardized such a padding, because I don't see any advantage of padding in-the-front instead of padding in-the-end. Even randomized padding in the end has fallen out of favour, since it doesn't achieve anything that an IV doesn't already achieve. – CodesInChaos Oct 13 '15 at 13:46
- Could be somewhat useful for "stealing" IV bits for the message in CBC, but using it securely would be difficult. – otus Oct 14 '15 at 06:01
1 Answer
I know of no standard like that and also doubt it exists.
It would have similar disadvantages as random padding at the end, which is no longer in use: subliminal channel, consumption of randomness which may be expensive. Additionally, it would require knowing the message length in advance, which is a practical limitation.
- Ok for the subliminal channel. For randomness, a CSPRNG can be used. Implemented properly, it would not require knowing the message length in advance but maybe prepend a full random block to messages which are composed of only full blocks. – daruma Oct 14 '15 at 08:11
- @UnixJunkie, even a CSPRNG takes time to generate randomness, compared to deterministic padding which takes a few cycles to verify. Regarding message length, unless you know it (modulo block size) you do not know how the block boundaries will fall, so you can't start encrypting. – otus Oct 14 '15 at 09:27
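As an added illustration (not code posted by anyone in this thread), the following Python shows the prefix scheme the question describes next to the deterministic alternative SEJPM mentions, PKCS#7 applied at the front. It assumes a 16-byte block size, that the pad length byte counts itself, and that the pad length is kept in 1..block, so a message that is already a whole number of blocks gets a full random block prepended, as daruma suggests; none of those choices are fixed by the question.

```python
import hmac
import os

BLOCK = 16  # assumed block size (AES-sized); the question does not fix one


def pad_prefix_random(msg: bytes, block: int = BLOCK) -> bytes:
    """Prefix padding as described in the question.

    Layout: [pad length n][n-1 random filler bytes][message]. n counts the
    length byte itself and is always 1..block, so a message that is already
    a whole number of blocks gets a full random block prepended.
    """
    if not 1 <= block <= 255:
        raise ValueError("block size must fit in one byte")
    n = block - (len(msg) % block)
    return bytes([n]) + os.urandom(n - 1) + msg


def unpad_prefix_random(padded: bytes, block: int = BLOCK) -> bytes:
    """Strip prefix padding. Only the length byte can be checked: the random
    filler carries no structure, so corruption there goes undetected."""
    if len(padded) == 0 or len(padded) % block != 0:
        raise ValueError("padded data is not a whole number of blocks")
    n = padded[0]
    if not 1 <= n <= block:
        raise ValueError("pad length byte out of range")
    return padded[n:]


def pad_prefix_pkcs7(msg: bytes, block: int = BLOCK) -> bytes:
    """Deterministic alternative from the comments: PKCS#7 applied at the
    front, i.e. n bytes each holding the value n, then the message."""
    if not 1 <= block <= 255:
        raise ValueError("block size must fit in one byte")
    n = block - (len(msg) % block)
    return bytes([n]) * n + msg


def unpad_prefix_pkcs7(padded: bytes, block: int = BLOCK) -> bytes:
    """Strip and verify the deterministic prefix. Every filler byte is checked
    with a constant-time comparison so the check itself does not reveal where
    the first mismatching byte sits."""
    if len(padded) == 0 or len(padded) % block != 0:
        raise ValueError("padded data is not a whole number of blocks")
    n = padded[0]
    if not 1 <= n <= block:
        raise ValueError("pad length byte out of range")
    if not hmac.compare_digest(padded[:n], bytes([n]) * n):
        raise ValueError("padding bytes do not match length byte")
    return padded[n:]


if __name__ == "__main__":
    # Constructed sample messages: empty, short, exactly one block, one block plus one
    for sample in (b"", b"hello", b"x" * 16, b"y" * 17):
        r = pad_prefix_random(sample)
        d = pad_prefix_pkcs7(sample)
        assert unpad_prefix_random(r) == sample
        assert unpad_prefix_pkcs7(d) == sample
        print(f"{len(sample):2d}-byte message -> {len(r)} bytes padded, "
              f"pad length byte {r[0]}")
```

The two unpad functions make otus's point concrete: the deterministic prefix is verified with a handful of byte comparisons, while the random filler cannot be verified at all, since any byte values are valid. In neither case does the padding provide integrity; detecting a modified ciphertext is the job of a MAC or an authenticated encryption mode, not of the padding format.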