To: | cipe-l,AT,inka,DOT,de |
Subject: | Padding - thoughts on Gutmann response |
From: | Allan Latham <alatham,AT,flexsys-group,DOT,com> |
Date: | Thu, 25 Sep 2003 16:46:10 +0200 |
In-reply-to: | <200309251610.26588.alatham@flexsys-group.com> |
References: | <200309241259.44433.rsmckown@yahoo.com> <1064496476.7652.63.camel@monster.omnifarious.org> <200309251610.26588.alatham@flexsys-group.com> |
Hi all

Let's look at the padding issue with CIPE.

The first complaint is that it is "limited to 3 bits, making it unusable with any recent 128-bit block cipher".

The second complaint is that it "makes it impossible to disguise message lengths by padding messages to a fixed size".

Complaint number one is wrong and comes from a misreading of the specification. In fact CIPE pads to the next multiple of 8 bytes - making the message length a multiple of 64 bits as required for a 64 bit cipher running in CBC. It is correct that this is not suitable for a 128 bit cipher. Almost everyone uses Blowfish and as far as I know there are no practical attacks discovered against this cipher. Padding to 16 bytes would be trivial to add if the need arises.

Complaint two concerns traffic analysis or at least trying to help to decide which packets are worthy of extra attention e.g. key exchanges. Traffic analysis is a black art and it is not appropriate to open this Pandora's box here - I'm not sure how many so-called secure systems would fail if traffic analysis were the deciding criterion.

What is important to understand is what is being advocated here as a solution. In order to disguise the nature of the payload all packets need to be the same length. That means you need to pad all packets to the largest possible size. If you want to take the bandwidth hit then this is a trivial change to make.

Conclusion:

The padding issue is of no concern in the real world. If it bothers you that an attacker may be learning something about what you are doing from the lengths of the packets on the wire then you probably do need to hire a crypto specialist.

Best regards to all

Allan
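
The trade-off discussed in the message above, as an added example that is not part of the original post and is not CIPE code: it compares padding to an 8-byte block, to a 16-byte block, and to one fixed size, counting how many distinct lengths an observer sees and how many bytes go on the wire. The length model is a simplifying assumption (payload rounded up to the block size, no trailer or header bytes), and `MAX_PAYLOAD`, `FIXED_SIZE` and `SAMPLE` are constructed values.

```python
# Added illustration: a simplified length model, NOT CIPE's real packet layout.
# Assumption: padding only rounds the payload up; trailer/header bytes are ignored.

MAX_PAYLOAD = 1500  # assumed largest payload in bytes (constructed value)


def pad_to_block(length, block):
    """On-wire length when padding up to the next multiple of `block` bytes."""
    return -(-length // block) * block  # ceiling division, then scale back up


# Fixed-size padding still has to be a whole number of 8-byte cipher blocks.
FIXED_SIZE = pad_to_block(MAX_PAYLOAD, 8)


def pad_to_fixed(length, fixed=FIXED_SIZE):
    """On-wire length when every packet is padded to one fixed size."""
    if length > fixed:
        raise ValueError("payload exceeds the fixed packet size")
    return fixed


def summarize(payload_lengths, scheme):
    """Return (distinct on-wire lengths, total bytes sent, overhead ratio)."""
    wire = [scheme(n) for n in payload_lengths]
    total = sum(wire)
    return len(set(wire)), total, total / sum(payload_lengths)


# Constructed sample of payload sizes: small control-sized packets mixed with bulk data.
SAMPLE = [40, 40, 52, 61, 64, 120, 233, 576, 1400, 1500]

SCHEMES = {
    "8-byte block (64-bit cipher)": lambda n: pad_to_block(n, 8),
    "16-byte block (128-bit cipher)": lambda n: pad_to_block(n, 16),
    "fixed size": pad_to_fixed,
}

if __name__ == "__main__":
    for name, scheme in SCHEMES.items():
        distinct, total, ratio = summarize(SAMPLE, scheme)
        print(f"{name:32s} distinct lengths={distinct:2d} "
              f"bytes={total:6d} overhead x{ratio:.2f}")
```

Block padding leaves most of the length distribution visible at almost no cost, while the fixed-size scheme shows a single length and pays for it in bandwidth.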