Padding (cryptography)
From Free net encyclopedia
In cryptography, padding refers to a number of distinct practices.
Public key cryptography
In public key cryptography, padding is the process of preparing a message for encryption or signing with a primitive such as RSA. A popular example is OAEP. This is called "padding" because originally, random material was simply appended to the message to make it long enough for the primitive, but this is not a secure form of padding and is no longer used. A modern padding scheme aims to ensure that the attacker cannot manipulate the plaintext to exploit the mathematical structure of the primitive and will usually be accompanied by a proof, often in the random oracle model, that breaking the padding scheme is as hard as solving the hard problem underlying the primitive.
Symmetric cryptography
Hash functions
All modern cryptographic hash functions process messages in fixed-length blocks. Padding is appended to the final block in a predictable way that includes the total length of the message; this padding ensures that the final block is the right length, and is a key part of the security proof for this way of building hash functions, which is known as the Merkle-Damgård construction.
CBC mode
CBC mode is a popular block cipher mode of operation. It requires messages whose length is a multiple of the block size (typically 8 or 16 bytes), so messages have to be padded to bring them to this length. One method is to fill out the last block with a 1 bit followed by zero bits. If the input happens to fill up an entire block, another block is added to accommodate the padding; otherwise, the end of the input plaintext might be misinterpreted as padding. The techniques of ciphertext stealing or residual block termination avoid the need for such padding. Today, however, CTR mode is largely replacing CBC mode and does not have this problem.
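The 1-bit-then-zeros method described above, as an added example that is not part of the original article. It works on whole bytes, so the 1 bit is the byte 0x80; the 16-byte block size and the function names pad, unpad and naive_pad are assumptions made for illustration. naive_pad skips the extra block for block-aligned input to show the misinterpretation the paragraph warns about.

```python
BLOCK = 16  # assumed block size in bytes (e.g. a 128-bit block cipher)


def pad(msg: bytes, block: int = BLOCK) -> bytes:
    """Append a 1 bit (byte 0x80), then zero bits up to the block boundary."""
    # n is always in 1..block, so block-aligned input gains a whole extra block.
    n = block - (len(msg) % block)
    return msg + b"\x80" + b"\x00" * (n - 1)


def naive_pad(msg: bytes, block: int = BLOCK) -> bytes:
    """Flawed variant: leaves block-aligned input unpadded."""
    if msg and len(msg) % block == 0:
        return msg
    return pad(msg, block)


def unpad(padded: bytes, block: int = BLOCK) -> bytes:
    """Remove the padding; reject input that cannot have come from pad()."""
    if not padded or len(padded) % block:
        raise ValueError("length is not a positive multiple of the block size")
    first = len(padded) - block        # index of the first byte of the last block
    i = len(padded) - 1
    while i >= first and padded[i] == 0:
        i -= 1                         # skip the trailing zero bits
    if i < first or padded[i] != 0x80:
        raise ValueError("invalid padding")
    return padded[:i]


if __name__ == "__main__":
    # Constructed sample: a block-aligned message whose tail looks like padding.
    tricky = b"A" * 14 + b"\x80\x00"
    print(len(pad(tricky)))                   # two blocks: the extra block was added
    print(unpad(pad(tricky)) == tricky)       # round trip is exact
    print(unpad(naive_pad(tricky)))           # two plaintext bytes silently lost
```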
Classical cryptography
Official messages often start and end in predictable ways: My dear ambassador, Weather report, Sincerely yours, etc. The primary use of padding with classical ciphers is to prevent the cryptanalyst from using that predictability to find cribs that aid in breaking the encryption. Random length padding also prevents an attacker from knowing the exact length of the plaintext message.
Many classical ciphers arrange the plaintext into particular patterns (e.g., squares, rectangles, etc.), and if the plaintext doesn't exactly fit, it is often necessary to supply additional letters to fill out the pattern. Using nonsense letters for this purpose has a side benefit of making some kinds of cryptanalysis more difficult.
A famous example of classical padding which caused a great misunderstanding is "the world wonders".
Padding can also be used to deny an adversary knowledge of the plaintext length (by varying the amount of padding used).
Such padding is not used in modern cryptography, because modern ciphers are designed to be secure even when the cryptanalyst chooses the message to encrypt.
See also
- Russian copulation, another technique to prevent cribs
- Initialisation vector, salt (cryptography), which are sometimes confused with padding