views:

85

answers:

5

If I have just encrypted some plain-text into cipher-text with CBC and Rijndael, is it insecure to tell the world that the original plain-text had a length of x bytes? It seems that it's always the same as the length of the cipher-text, so, I think it does not matter, but are there some block modes or ciphers where it does matter?

A: 

The length of the output is not always the same. However, if the lengths of the plain-text are similar, the length of the cipher text can be the same due to padding (Rijndael/AES is a block cipher) http://en.wikipedia.org/wiki/Padding_(cryptography)

And it is weakens your security if you tell the world the length of the plaintext, so unless there is a very good reason, i would advice against it.

Also take a look at how CBC works:

http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation#Cipher-block_chaining_.28CBC.29

Henri
I need the length so that I can later strip out the null bytes caused by CBC. So, the length is stored in plain-text in the database.
rFactor
A: 

Hi

Always send messages of the same (both before and after encyrption) length. Pad short messages, split longer ones. Reduce further the information you provide to a snooper.

Regards

Mark

High Performance Mark
A: 

Rijndael is a block cipher, so the plain-text will be padded to a complete block. (This might be hidden by your encryption layer).

So the encrypted message text length will be indicative of the plain text length.

If you are leaking information by the message length, then you will have to do your own padding. Indeed the sending of a message might leak information, so you'll need to send no-op messages when you don't have anything to send.

Douglas Leeder
A: 

The plain text is not typically the same length as the cipher text. The plain text is padded before encryption. If you are sending one of two different messages 'Yes' or 'No' then sending the original length is probably not a good idea. If all your messages are of the same length then it's OK to publish that length.

Mark Byers
+4  A: 

You should use the PKCS5 padding scheme. This scheme always pads with extra information, including the number of extra bytes that have been added. Upon decryption, the last block is examined to see how many bytes should be discarded.

Information about the length of the original message is hard to suppress. Even with padding to block size, you can deduce that the original message is either n, n-1, n-2, ..., or n-blocksize+1 bytes in length. Most crypto protocols make little or no effort to hide the plaintext length.

GregS