
To: cipe-l,AT,inka,DOT,de
Subject: Padding - thoughts on Gutmann response
From: Allan Latham <alatham,AT,flexsys-group,DOT,com>
Date: Thu, 25 Sep 2003 16:46:10 +0200
In-reply-to: <200309251610.26588.alatham@flexsys-group.com>
References: <200309241259.44433.rsmckown@yahoo.com> <1064496476.7652.63.camel@monster.omnifarious.org> <200309251610.26588.alatham@flexsys-group.com>

Hi all

Let's look at the padding issue with CIPE.

The first complaint is that it is "limited to 3 bits, making it unusable with 
any recent 128-bit block cipher".

The second complaint is that it "makes it impossible to disguise message 
lengths by padding messages to a fixed size".

Complaint number one is wrong and comes from a misreading of the 
specification. In fact CIPE pads to the next multiple of 8 bytes - making the 
message length a multiple of 64 bits as required for a 64 bit cipher running 
in CBC. It is correct that this is not suitable for a 128 bit cipher. Almost 
everyone uses Blowfish and as far as I know there are no practical attacks 
discovered against this cipher. Padding to 16 bytes would be trivial to add 
if the need arises.

Complaint two concerns traffic analysis or at least trying to help to decide 
which packets are worthy of extra attention e.g. key exchanges.

Traffic analysis is a black art and it is not appropriate to open this 
Pandora's box here - I'm not sure how many so-called secure systems would 
fail if traffic analysis were the deciding criterion. What is important is to 
understand what is being advocated here as a solution.

In order to disguise the nature of the payload all packets need to be the 
same length. That means you need to pad all packets to the largest possible 
size. If you want to take the bandwidth hit then this is a trivial change to 
make.

Conclusion:

The padding issue is of no concern in the real world. If it bothers you that 
an attacker may be learning something about what you are doing from the 
lengths of the packets on the wire then you probably do need to hire a crypto 
specialist.

Best regards to all

Allan
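
The trade-off between block-multiple padding and fixed-size padding discussed in this message can be measured. The following is an added example, not part of the original message and not CIPE code. It models only the length rounding (no IV, header or checksum bytes), and the packet lengths and the 1400-byte maximum are constructed assumptions.

```python
from collections import Counter

def pad_to_block(length, block):
    """Length after padding up to the next multiple of `block` bytes
    (assumption: an already aligned payload gets no extra block)."""
    return -(-length // block) * block

def pad_to_fixed(length, size):
    """Length after padding every packet to one fixed size."""
    if length > size:
        raise ValueError("payload longer than the fixed packet size")
    return size

def summarize(payload_lengths, pad):
    """What a passive observer sees, and what the padding costs."""
    wire = [pad(n) for n in payload_lengths]
    buckets = Counter(wire)
    overhead = sum(wire) - sum(payload_lengths)
    return {
        # number of different lengths visible on the wire
        "distinct_lengths": len(buckets),
        # packets whose wire length is shared with no other packet
        "unique_packets": sum(1 for w in wire if buckets[w] == 1),
        "overhead_bytes": overhead,
        "overhead_pct": round(100.0 * overhead / sum(payload_lengths), 1),
    }

# Constructed sample: one short control message (20 bytes, hypothetical),
# a few small interactive packets, and bulk transfer at the maximum size.
SAMPLE = [20, 40, 41, 52, 52, 60, 64, 576, 1400, 1400, 1400, 1400]
MAX_PAYLOAD = 1400  # assumed largest payload on this link

def compare(sample=SAMPLE, max_payload=MAX_PAYLOAD):
    return {
        "block8": summarize(sample, lambda n: pad_to_block(n, 8)),
        "block16": summarize(sample, lambda n: pad_to_block(n, 16)),
        "fixed": summarize(sample, lambda n: pad_to_fixed(n, max_payload)),
    }

if __name__ == "__main__":
    for scheme, stats in compare().items():
        print(f"{scheme:8s} {stats}")
```

On this sample, 8-byte padding costs 23 bytes and leaves 7 distinct lengths visible, while fixed-size padding leaves a single length and costs 10295 bytes, more than one and a half times the payload.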

