What padding does window.crypto.subtle.encrypt use for AES-CBC

I am currently using the Web Crypto API found in window.crypto.subtle.encrypt in JavaScript. My question is, what padding does this use by default? I have been searching for a while but couldn't find any answers on this.

Tachyon Avatar asked Feb 18 '19 11:02




1 Answer

Subtle.encrypt seems to be implementing WebCrypto. The documentation of encrypt() or of the CBC mode at e.g. Mozilla doesn't show the padding, though, and neither does the referenced NIST specification.

Fortunately, the referenced WebCrypto API does indicate the padding where the CBC mode is specified:

When operating in CBC mode, messages that are not exact multiples of the AES block size (16 bytes) can be padded under a variety of padding schemes. In the Web Crypto API, the only padding mode that is supported is that of PKCS#7, as described by Section 10.3, step 2, of [RFC2315].

If you follow the link then you will find that PKCS#7 is the specification of the Cryptographic Message Syntax or CMS. However, there is only one padding mode specified. This mode doesn't have a more specific name than PKCS#7 padding (padding algorithms for ECB and CBC are very simple and therefore often don't get a specific name).


Simply said, it adds 1 to 16 bytes for ciphers with a block size of 128 bits such as AES. The byte values are identical to the number of bytes padded, so you can unpad by removing as many bytes as the last byte indicates. Because of this the padding is always applied, even if the last part of the plaintext is complete (in which case 16 bytes of padding are applied).

So you'd have

10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 // empty, zero byte message
PT 0F 0F 0F 0F 0F 0F 0F 0F 0F 0F 0F 0F 0F 0F 0F // PT means plaintext byte
PT PT 0E 0E 0E 0E 0E 0E 0E 0E 0E 0E 0E 0E 0E 0E // byte values in hexadecimals
...
PT PT PT PT PT PT PT PT PT PT PT PT PT PT PT 01 // 15-byte message
PT PT PT PT PT PT PT PT PT PT PT PT PT PT PT PT 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 // 16-byte message, one full block of padding added
...

Note that padding should not be used to verify the correctness of the plaintext, that padding oracle attacks exist (use an authenticated mode such as GCM instead!), that padding values may not all be verified (the last byte contains enough info to unpad) and finally that you should use an implementation that does verify that the padding byte is within the indicated range.

Also note that PKCS#7 padding for AES is sometimes mistakenly (or lazily) referred to as PKCS#5 padding, for instance in the Java JCA.

Maarten Bodewes Avatar answered Nov 14 '22 22:11
