Chris,

I ran into your padding methods which put the remainder size in each empty space after the real data.

I have a problem with

    ByteArray>>unpaddedSize
        "If I was padded by a BlockCipher, answer the size of the original plaintext."
        self isProperlyPadded ifFalse: [
            CryptographyError signal: 'Authentication failure (improperly padded!)' ].
        ^ self size - self last

Since isProperlyPadded assumes that that was some padding the error seems unnecessary. Shouldn’t this say:

    ByteArray>>unpaddedSize
        "If I was padded by a BlockCipher, answer the size of the original plaintext."
        self isProperlyPadded ifFalse: [^self size].
        ^ self size - self last

_______________________________________________
Cryptography mailing list
[hidden email]
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/cryptography

> Since isProperlyPadded assumes that that was some padding the error
> seems unnecessary.
> ...
> To make it more clear if a byte array is not padded then the
> unpaddedSize is self size.

Hi Ron, I believe the check in #unpaddedSize is proper, let me explain.

Any application must know if it is dealing with a block or stream cipher, therefore it knows if padding is necessary. I think you agree with this because you said:

> Since isProperlyPadded assumes that that was some padding..

In other words, isProperlyPadded knows nothing about whether a ByteArray *is* padded, you only call it if you KNOW it's supposed to be padded and then it will tell you if it is padded properly.

If padding is not necessary (stream cipher), the program should not be asking for the #unpaddedSize at all.

If padding is necessary then Nils and Bruce say any improper padding should be treated as an authentication error. If the program asks for the #unpaddedSize for a message that was not properly padded, simply returning "self size" would be erroneous and the program would then be making improper assumptions about the message.

Regards,
Chris

Chris,

I guess that makes sense if blocks were always padded. Here is the code that I'm trying to run.

    Rijndael new key: (ByteArray new: 16); decrypt: (ByteArray new: 16).

This is an official test of AES CBC called the monteCarlo test. I'm trying to add the official tests to AES to see if it's working properly. (It doesn't appear to be correct on first glance but I'm still investigating it).

The problem here is that the decrypted value is not padded but is hitting the code:

    BlockCipher >> decrypt: aByteArray
        "Answer a copy of aByteArray which is decrypted with my key."
        | decryptedBlock |
        decryptedBlock _
            self
                decrypt: aByteArray copy
                from: 1
                to: aByteArray size.
        ^ self isStreamCipher
            ifTrue: [ decryptedBlock ]
            ifFalse:
                [ decryptedBlock
                    copyFrom: 1
                    to: decryptedBlock unpaddedSize ]

Are AES blocks supposed to be padded and this one is not? Maybe it's missing your new padding code, I'll look into that.

Thanks,
Ron Teitelbaum

> From: Chris Muller
> Sent: Friday, July 07, 2006 11:16 AM

Hi Ron, padding is required for any of the block ciphers when using the convenience method #encrypt: aByteArray. This method encrypts an arbitrary-sized ByteArray and, as you can see, does a #padToMultipleOf: its blockSize. Therefore, #encrypt: and #decrypt: are compatible convenience methods for working with arbitrary-sized ByteArrays.

If you want to only work with one block you need to use #encryptBlock: and #decryptBlock:.

You mentioned CBC; to create AES (Rijndael) in CBC mode, you can do:

    CBC on: (Rijndael new: your256bitKey)

I'm not sure we have a plain Rijndael test, because it's always recommended to use one of the modes (BlockCipherMode).

Recall that the key-size for Rijndael has been increased to 256 bits, so you need to pass in a 32-byte key, no longer a 16-byte key. I will be sure to double-check that I've posted that change this weekend and post it if I haven't.

This is complicated stuff, thanks for reviewing and the great questions!

Regards,
Chris
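
Added example, not part of the thread and not the Squeak Cryptography code: a Python model of the pad-with-length scheme discussed above, comparing the strict #unpaddedSize with the proposed fallback and showing what happens when an unpadded raw block reaches the padded code path. The function names mirror the selectors in the thread; the always-add-padding rule, the exact well-formedness check and all sample bytes are assumptions constructed here.

```python
BLOCK_SIZE = 16  # AES/Rijndael block size in bytes

class PaddingError(Exception):
    """Stands in for the CryptographyError that #unpaddedSize signals."""

def pad_to_multiple_of(data: bytes, block_size: int = BLOCK_SIZE) -> bytes:
    # Assumption (PKCS#7 convention): always add 1..block_size bytes, each
    # holding the pad length, so the last byte is never ambiguous.
    n = block_size - len(data) % block_size
    return data + bytes([n]) * n

def is_properly_padded(data: bytes, block_size: int = BLOCK_SIZE) -> bool:
    # Only answers "is the tail well-formed?"; it cannot know whether the
    # caller's data was meant to be padded at all.
    if not data or len(data) % block_size:
        return False
    n = data[-1]
    return 1 <= n <= block_size and data.endswith(bytes([n]) * n)

def unpadded_size_strict(data: bytes) -> int:
    # Behaviour defended in the thread: malformed padding is an error.
    if not is_properly_padded(data):
        raise PaddingError("improperly padded")
    return len(data) - data[-1]

def unpadded_size_lenient(data: bytes) -> int:
    # Proposed alternative: fall back to the full size.
    return len(data) - data[-1] if is_properly_padded(data) else len(data)

def demo() -> dict:
    padded = pad_to_multiple_of(b"sample message")   # 14 bytes + 02 02
    tampered = padded[:-2] + b"\x07\x02"             # pad tail damaged
    raw_block = bytes(range(0x10, 0x20))             # constructed unpadded block
    raw_ends_01 = bytes(15) + b"\x01"                # unpadded, ends in 0x01
    results = {"padded": unpadded_size_strict(padded)}
    for name, blob in (("tampered", tampered), ("raw_block", raw_block)):
        try:
            results[name] = unpadded_size_strict(blob)
        except PaddingError:
            results[name] = "error"
    results["tampered_lenient"] = unpadded_size_lenient(tampered)
    results["raw_ends_01"] = unpadded_size_strict(raw_ends_01)
    return results
```

The last case shows why the check cannot tell padded from unpadded data: a raw block that happens to end in 0x01 passes it and silently loses a byte, which is why single raw blocks belong on the block-level methods rather than the padded convenience ones.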