tags:

views:

85

answers:

5
+1  Q: 

Revealing the length of the plain-text?

If I have just encrypted some plain-text into cipher-text with CBC and Rijndael, is it insecure to tell the world that the original plain-text had a length of x bytes? It seems that it's always the same as the length of the cipher-text, so, I think it does not matter, but are there some block modes or ciphers where it does matter?

A: 

The length of the output is not always the same. However, if the lengths of the plain-text are similar, the length of the cipher text can be the same due to padding (Rijndael/AES is a block cipher) http://en.wikipedia.org/wiki/Padding_(cryptography)

And it is weakens your security if you tell the world the length of the plaintext, so unless there is a very good reason, i would advice against it.

Also take a look at how CBC works:

http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation#Cipher-block_chaining_.28CBC.29

Henri  2010-01-01 12:58:49
I need the length so that I can later strip out the null bytes caused by CBC. So, the length is stored in plain-text in the database.
rFactor  2010-01-01 13:47:33
A: 

Hi

Always send messages of the same (both before and after encyrption) length. Pad short messages, split longer ones. Reduce further the information you provide to a snooper.

Regards

Mark

High Performance Mark  2010-01-01 12:59:50
A: 

Rijndael is a block cipher, so the plain-text will be padded to a complete block. (This might be hidden by your encryption layer).

So the encrypted message text length will be indicative of the plain text length.

If you are leaking information by the message length, then you will have to do your own padding. Indeed the sending of a message might leak information, so you'll need to send no-op messages when you don't have anything to send.

Douglas Leeder  2010-01-01 13:00:53
A: 

The plain text is not typically the same length as the cipher text. The plain text is padded before encryption. If you are sending one of two different messages 'Yes' or 'No' then sending the original length is probably not a good idea. If all your messages are of the same length then it's OK to publish that length.

Mark Byers  2010-01-01 13:01:27
+4  A: 

You should use the PKCS5 padding scheme. This scheme always pads with extra information, including the number of extra bytes that have been added. Upon decryption, the last block is examined to see how many bytes should be discarded.

Information about the length of the original message is hard to suppress. Even with padding to block size, you can deduce that the original message is either n, n-1, n-2, ..., or n-blocksize+1 bytes in length. Most crypto protocols make little or no effort to hide the plaintext length.

GregS  2010-01-01 18:50:28

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security