isProperlyPadded

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

isProperlyPadded

Ron Teitelbaum

Chris,

 

I ran into your padding methods which put the remainder size in each empty space after the real data.

 

I have a problem with

 

ByteArray>>unpaddedSize

            "If I was padded by a BlockCipher, answer the size of the original plaintext."

            self isProperlyPadded ifFalse: [ CryptographyError signal: 'Authentication failure (improperly padded!)' ].

            ^ self size - self last

 

Since isProperlyPadded assumes that that was some padding the error seems unnecessary.

 

Shouldn’t this say:

 

ByteArray>>unpaddedSize

            "If I was padded by a BlockCipher, answer the size of the original plaintext."

            self isProperlyPadded ifFalse: [^self size].

            ^ self size - self last

 

 


_______________________________________________
Cryptography mailing list
[hidden email]
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/cryptography
Reply | Threaded
Open this post in threaded view
|

Re: isProperlyPadded

Chris Muller
> Since isProperlyPadded assumes that that was some padding the error
> seems
> unnecessary.
> ...
> To make it more clear if a byte array is not padded then the
> unpaddedSize is
> self size.

Hi Ron, I believe the check in #unpaddedSize is proper, let me explain.

Any application must know if it is dealing with a block or stream
cipher, therefore it knows if padding is necessary.  I think you agree
with this because you said:

  > Since isProperlyPadded assumes that that was some padding..

In other words, isProperlyPadded knows nothing about whether a
ByteArray *is* padded, you only call it if you KNOW it's supposed to be
padded and then it will tell you if it is padded properly.

If padding is not necessary (stream cipher), the program should not be
asking for the #unpaddedSize at all.

If padding is necessary then Nils and Bruce say any improper padding
should be treated as an authentication error.  If the program asks for
the #unpaddedSize for a message that was not properly padded, simply
returning "self size" would be erroneous and the program would then be
making improper assumptions about the message.

Regards,
  Chris

_______________________________________________
Cryptography mailing list
[hidden email]
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/cryptography
Reply | Threaded
Open this post in threaded view
|

RE: Re: isProperlyPadded

Ron Teitelbaum
RE: [Cryptography Team] Re: isProperlyPadded

Chris,

I guess that makes sense if blocks were always padded.  Here is the code that I'm trying to run. 

Rijndael new key: (ByteArray new: 16); decrypt: (ByteArray new: 16).

This is an official test of AES CBC called the monteCarlo test.  I'm trying to add the official tests to AES to see if it's working properly.  (It doesn't appear to be correct on first glance but I'm still investigating it).

The problem here is that the decrypted value is not padded but is hitting the code:

BlockCipher >> decrypt: aByteArray

        "Answer a copy of aByteArray which is decrypted with my key."

        | decryptedBlock |

        decryptedBlock _

                self

                        decrypt: aByteArray copy

                        from: 1

                        to: aByteArray size.

        ^ self isStreamCipher

                ifTrue: [ decryptedBlock ]

                ifFalse:

                        [ decryptedBlock

                                copyFrom: 1

                                to: decryptedBlock unpaddedSize ]

Are AES blocks supposed to be padded and this one is not?  Maybe it's missing your new padding code, I'll look into that.

Thanks,

Ron Teitelbaum

> From: Chris Muller

> Sent: Friday, July 07, 2006 11:16 AM

>

> > Since isProperlyPadded assumes that that was some padding the error

> > seems

> > unnecessary.

> > ...

> > To make it more clear if a byte array is not padded then the

> > unpaddedSize is

> > self size.

>

> Hi Ron, I believe the check in #unpaddedSize is proper, let me explain.

>

> Any application must know if it is dealing with a block or stream

> cipher, therefore it knows if padding is necessary.  I think you agree

> with this because you said:

>

>   > Since isProperlyPadded assumes that that was some padding..

>

> In other words, isProperlyPadded knows nothing about whether a

> ByteArray *is* padded, you only call it if you KNOW it's supposed to be

> padded and then it will tell you if it is padded properly.

>

> If padding is not necessary (stream cipher), the program should not be

> asking for the #unpaddedSize at all.

>

> If padding is necessary then Nils and Bruce say any improper padding

> should be treated as an authentication error.  If the program asks for

> the #unpaddedSize for a message that was not properly padded, simply

> returning "self size" would be erroneous and the program would then be

> making improper assumptions about the message.

>

> Regards,

>   Chris

>

> _______________________________________________

> Cryptography mailing list

> [hidden email]

> http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/cryptography


_______________________________________________
Cryptography mailing list
[hidden email]
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/cryptography
Reply | Threaded
Open this post in threaded view
|

RE: Re: isProperlyPadded

Chris Muller
Hi Ron, padding is required for any of the block ciphers when using the
convenience method #encrypt: aByteArray.  This method encrypts an
arbitrary-sized ByteArray and, as you can see, does a #padToMultipleOf:
its blockSize.  Therefore, #encrypt: and #decrypt: are compatible
convenience methods for working with arbitrary-sized ByteArray's.  If
you want to only work with one block you need to use #encryptBlock: and
#decryptBlock:.

You mentioned CBC, to create AES (Rijndael) in CBC mode, you can do:

  CBC on: (Rijndael new: your256bitKey)

I'm not sure we have a plain Rijndael test; because its always
recommended to use one of the modes (BlockCipherMode).

Recall that the key-size for Rijndael has been increased to 256 bits,
so you need to pass in a 32-byte key, no longer a 16-byte key.  I will
be sure double-check that I've posted that change this weekend and post
it if I haven't.

This is complicated stuff, thanks for reviewing and the great
questions!

Regards,
  Chris


--- Ron Teitelbaum <[hidden email]> wrote:

> Chris,
>
> I guess that makes sense if blocks were always padded.  Here is the
> code
> that I'm trying to run.
>
> Rijndael new key: (ByteArray new: 16); decrypt: (ByteArray new: 16).
>
> This is an official test of AES CBC called the monteCarlo test.  I'm
> trying
> to add the official tests to AES to see if it's working properly.
> (It
> doesn't appear to be correct on first glance but I'm still
> investigating
> it).
>
> The problem here is that the decrypted value is not padded but is
> hitting
> the code:
>
> BlockCipher >> decrypt: aByteArray
> "Answer a copy of aByteArray which is decrypted with my key."
> | decryptedBlock |
> decryptedBlock _
> self
> decrypt: aByteArray copy
> from: 1
> to: aByteArray size.
> ^ self isStreamCipher
> ifTrue: [ decryptedBlock ]
> ifFalse:
> [ decryptedBlock
> copyFrom: 1
> to: decryptedBlock unpaddedSize ]
>
> Are AES blocks supposed to be padded and this one is not?  Maybe it's
> missing your new padding code, I'll look into that.
>
> Thanks,
> Ron Teitelbaum
>
>
> > From: Chris Muller
> > Sent: Friday, July 07, 2006 11:16 AM
> >
> > > Since isProperlyPadded assumes that that was some padding the
> error
> > > seems
> > > unnecessary.
> > > ...
> > > To make it more clear if a byte array is not padded then the
> > > unpaddedSize is
> > > self size.
> >
> > Hi Ron, I believe the check in #unpaddedSize is proper, let me
> explain.
> >
> > Any application must know if it is dealing with a block or stream
> > cipher, therefore it knows if padding is necessary.  I think you
> agree
> > with this because you said:
> >
> >   > Since isProperlyPadded assumes that that was some padding..
> >
> > In other words, isProperlyPadded knows nothing about whether a
> > ByteArray *is* padded, you only call it if you KNOW it's supposed
> to be
> > padded and then it will tell you if it is padded properly.
> >
> > If padding is not necessary (stream cipher), the program should not
> be
> > asking for the #unpaddedSize at all.
> >
> > If padding is necessary then Nils and Bruce say any improper
> padding
> > should be treated as an authentication error.  If the program asks
> for
> > the #unpaddedSize for a message that was not properly padded,
> simply
> > returning "self size" would be erroneous and the program would then
> be
> > making improper assumptions about the message.
> >
> > Regards,
> >   Chris
> >
> > _______________________________________________
> > Cryptography mailing list
> > [hidden email]
> >
>
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/cryptography
>

_______________________________________________
Cryptography mailing list
[hidden email]
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/cryptography