Re: block ciphers and Blowfish
- Subject: Re: block ciphers and Blowfish
- From: Derrell Piper <email@hidden>
- Date: Fri, 29 Mar 2002 17:31:49 -0800
On Friday, March 29, 2002, at 05:01 PM, cocoa-dev-email@hidden wrote:
> Yes this is a property of the blowfish algorithm. There is no good
> way around it AFAIK. Putting the length of the data in front of the
> plaintext data is not a good idea though, because that would make
> cracking easier. [Mental note: Gotta document this property]
The way around it would be to use a stream cipher (e.g. RC4),
but that's not necessary and has its own set of trade-offs
that are often uglier. A common trick is to encode the padding
length in the pad itself. Often, you're just going to know the
length from other sources. Or it may just be that you know (or
can define) that 0x1 - 0x7 (where '7' here is the cipher block
length - 1) isn't valid as the last byte.
So if len is an exact multiple of the cipher block length, or
data[len] > 0x7 (in this case), you're done. Otherwise, you
look in the last byte of the decrypted data to determine the
length of the pad. This also enables you to use random-length pads
(i.e., pads which are > 1 x (cipher block length - 1) bytes).
Such padding can deter chosen plaintext attacks but is rarely
used in practice.
Similarly, padding with pseudo-random data is best. But I
wouldn't worry about one byte of known plaintext relating to the
padding or the length. You've likely got far more than that in
whatever it is you're encrypting. You're better off worrying
about your keys and how they're generated / stored.
Derrell
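The padding scheme described in the reply above, written out as an added example (not code from the original post or from any Blowfish implementation). It assumes an 8-byte block, as for Blowfish, and uses the mail's rule that a last byte of 0x01..0x07 marks the pad length while anything else means "no pad". It goes beyond the mail in two places: pad_reserved refuses data that ends in a reserved byte instead of assuming it cannot occur, and pad_always is the variant that always appends a pad so no byte value has to be reserved; its max_pad parameter is where the random-length pads come in. The function names and the random-source parameter are this example's own.

```python
"""Block-cipher padding with the pad length stored in the pad itself.

Added example; assumes a 64-bit block cipher such as Blowfish (BLOCK = 8).

  pad_reserved / unpad_reserved: the scheme from the mail. A pad is only
    added when the length is not a block multiple, and the values
    0x01..0x07 in the last byte are reserved as pad-length markers.
  pad_always / unpad_always: always append 1..max_pad bytes, last byte
    is the pad length. Nothing is reserved, so any data round-trips, and
    max_pad > BLOCK gives random-length pads.
"""
import os

BLOCK = 8                  # block size in bytes (assumption: Blowfish)
RESERVED_MAX = BLOCK - 1   # 0x07: largest pad length the reserved scheme can mark


def _filler(n, rng=os.urandom):
    """n pseudo-random filler bytes (the mail's advice: don't pad with zeros)."""
    return bytearray(rng(n))


def pad_reserved(data, rng=os.urandom):
    """Pad only when needed; last byte of a pad holds its length (1..7).

    If the data is already a block multiple, nothing is appended, which
    only works if the data does not end in 0x01..0x07. The mail assumes
    such data never occurs; here that assumption is checked explicitly.
    """
    data = bytes(data)
    if len(data) % BLOCK == 0:
        if data and 1 <= data[-1] <= RESERVED_MAX:
            raise ValueError("data ends in a reserved pad-length byte; use pad_always")
        return data
    padlen = BLOCK - len(data) % BLOCK      # 1..7
    pad = _filler(padlen, rng)
    pad[-1] = padlen                         # encode the length in the pad
    return data + bytes(pad)


def unpad_reserved(padded):
    """Receiver side of the mail's rule: last byte > 7 means no pad."""
    padded = bytes(padded)
    if len(padded) % BLOCK != 0:
        raise ValueError("decrypted data is not a block multiple")
    if not padded:
        return b""
    last = padded[-1]
    if last == 0 or last > RESERVED_MAX:
        return padded                        # no pad present
    return padded[:-last]


def pad_always(data, max_pad=BLOCK, rng=os.urandom):
    """Always append a pad of 1..max_pad bytes; last byte is the pad length.

    The smallest valid pad is BLOCK - len(data) % BLOCK; larger ones differ
    from it by whole blocks. With max_pad > BLOCK the length is chosen at
    random, which hides the exact plaintext length (the mail's random-length
    pads). max_pad <= 255 so the length fits in one byte.
    """
    if not BLOCK <= max_pad <= 255:
        raise ValueError("max_pad must be between BLOCK and 255")
    data = bytes(data)
    minimum = BLOCK - len(data) % BLOCK
    choices = list(range(minimum, max_pad + 1, BLOCK))
    padlen = choices[rng(1)[0] % len(choices)]
    pad = _filler(padlen, rng)
    pad[-1] = padlen
    return data + bytes(pad)


def unpad_always(padded):
    """Strip a pad written by pad_always; a pad is always present."""
    padded = bytes(padded)
    if not padded or len(padded) % BLOCK != 0:
        raise ValueError("decrypted data is not a block multiple")
    padlen = padded[-1]
    if padlen == 0 or padlen > len(padded):
        raise ValueError("bad pad length")
    return padded[:-padlen]


if __name__ == "__main__":
    # Constructed inputs. The second one is exactly one block long and ends in
    # 0x03, which is the case the reserved scheme cannot represent.
    print(unpad_reserved(pad_reserved(b"hello")))          # b'hello'
    awkward = b"ABCDEFG\x03"
    print(unpad_reserved(awkward))                           # b'ABCDE': 3 real bytes lost
    try:
        pad_reserved(awkward)
    except ValueError as e:
        print("pad_reserved refused:", e)
    print(unpad_always(pad_always(awkward)))                 # b'ABCDEFG\x03'
    print(len(pad_always(b"hi", max_pad=255)))               # some multiple of 8 up to 256
```

The point of the two variants is the decrypt-side decision: in the reserved scheme the receiver cannot tell a real trailing 0x03 from a 3-byte pad, so the sender has to guarantee it never sends one; in the always-pad scheme that ambiguity does not exist, at the cost of one extra block when the data already fits.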