I'm developing a USB bootloader for an embedded system and one of my requirements is that data transmission over USB should be secure (bear with me, I'm new to encryption). I've decided to encrypt the data with AES, but the data isn't always in nice 16-byte chunks so I need to pad it. It seems like PKCS7 is the standard method to use when padding data for AES (not to mention it's pretty simple), so I think I'd like to use it.
The problem I have is, I can't understand how PKCS7 doesn't lose data. Let me illustrate with an example:
Imagine a 16 byte buffer to be encrypted whose last character is 0x01. Now imagine a 15 byte buffer to be encrypted...this buffer will be padded with 0x01. After both buffers are encrypted, transmitted, received, and decrypted, how does the receiver tell the difference between the buffer with padding and the buffer whose actual last character is 0x01?
I feel like I'm missing something in the PKCS7 spec. Can anyone help me understand? Thanks in advance.
Yes, you are missing a point. If the data length is a full multiple of the block length (i.e. a multiple of 16 bytes for AES), the padding will append an additional full block (of 0x10 or 16) instead of nothing.
So, we can always recover the length of the padding from the padding itself, since there is no "length 0 padding".
On the downside, the encrypted data is always bigger than the plain text, by at most a full block.
(Similar padding is done for most hash functions, like SHA-1, before the actual hashing processing, so the blocked input to the actual hashing is collision-free – in some cases even a bit more than a full block is appended, since the actually hashed data ends with the original data length).
Assume that the block length is 4 instead of 16 for simplicity.
Here are some unpadded messages (hex):
01
01 02
01 02 03
01 02 03 04
The padded forms of these are:
01 03 03 03
01 02 02 02
01 02 03 01
01 02 03 04 04 04 04 04
Looking at the last byte of the padded form unambiguously tells you how many bytes to remove, and what the values of those bytes must be. If the last byte is 04, there must be 4 bytes to remove and they must all be 04 bytes; anything else indicates message corruption.
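The padding rule from the answers above, as an added C example (not code from the original posts): pad and unpad for any block size up to 255, plus a check of the asker's 15-byte versus 16-byte case. The function names and the all-zero sample buffers are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Append PKCS#7 padding to buf[0..len). Returns the padded length, or 0 if
 * the block size is invalid or the buffer capacity is too small. */
size_t pkcs7_pad(uint8_t *buf, size_t len, size_t cap, size_t block)
{
    if (block == 0 || block > 255)
        return 0;
    size_t pad = block - (len % block);      /* 1..block, never 0 */
    if (len > cap || pad > cap - len)
        return 0;
    memset(buf + len, (int)pad, pad);        /* each pad byte holds the pad count */
    return len + pad;
}

/* Validate and strip PKCS#7 padding. Returns 0 and sets *out_len on success,
 * -1 if the length or any padding byte is wrong (message corruption). */
int pkcs7_unpad(const uint8_t *buf, size_t len, size_t block, size_t *out_len)
{
    if (block == 0 || block > 255 || len == 0 || len % block != 0)
        return -1;
    size_t pad = buf[len - 1];
    if (pad == 0 || pad > block)
        return -1;
    for (size_t i = len - pad; i < len; i++)
        if (buf[i] != pad)
            return -1;
    *out_len = len - pad;
    return 0;
}

/* Constructed case from the question: 16 data bytes ending in 0x01 versus
 * 15 data bytes. Returns 1 if the receiver recovers both lengths correctly. */
int demo_ambiguity(void)
{
    uint8_t a[32] = {0}, b[32] = {0};
    a[15] = 0x01;                                 /* real data byte 0x01 */
    size_t la = pkcs7_pad(a, 16, sizeof a, 16);   /* gains a full 0x10 block */
    size_t lb = pkcs7_pad(b, 15, sizeof b, 16);   /* gains one 0x01 byte */
    size_t ua = 0, ub = 0;
    if (pkcs7_unpad(a, la, 16, &ua) || pkcs7_unpad(b, lb, 16, &ub))
        return 0;
    /* First blocks are byte-identical; the padded lengths tell them apart. */
    return memcmp(a, b, 16) == 0 && la == 32 && lb == 16 && ua == 16 && ub == 15;
}

int main(void) { return demo_ambiguity() ? 0 : 1; }
```

A passing padding check only shows that the final block is well formed; it does not authenticate the data, so firmware integrity needs a separate MAC or signature.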