AES-CBC Padding: Why always attach 16x 0x10 pad?












3












$begingroup$


Why do we have to always attach a 16x 0x10 pad even though the last block is already at block-length?






aes cbc padding







share|improve this question









$endgroup$

















    3












    $begingroup$


    Why do we have to always attach a 16x 0x10 pad even though the last block is already at block-length?






    aes cbc padding







    share|improve this question









    $endgroup$















      3












      3








      3


      1



      $begingroup$


      Why do we have to always attach a 16x 0x10 pad even though the last block is already at block-length?






      aes cbc padding







      share|improve this question









      $endgroup$




      Why do we have to always attach a 16x 0x10 pad even though the last block is already at block-length?






      aes cbc padding




      aes cbc padding






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked Jan 21 at 15:41









      NimeNime

      845




      845






















          1 Answer
          1






          active

          oldest

          votes


















          8












          $begingroup$

          You are talking about the PKCS#7 padding. There is a simple reason; assume that when the last block is full and you don't apply the padding before encryption and then send the message.



          When decrypting, the receiver needs to see a padding pattern to remove the padding. What if the last byte is 01 of the message? is it padding or the message itself? Similarly with low probability same if the last bytes are 0202, and so on.



          Instead of this, padding with 10 for an additional extra plaintext block solves the problem.




          There are no reasons to perform this particular kind of padding if the plaintext size is known in advance. It may also not be required if the size of the plaintext can be determined by other means. For instance, ASCII encoded text will generally not contain a byte set to zero, so zero-byte padding may be used if the text is not a multiple of the block size. PKCS#7 padding can however always be removed deterministically, independently of the contents of the message.



          Many modes, especially streaming modes such as the popular CTR (counter) mode and derivatives - such as the authenticated GCM mode - do not require padding at all; they operate on plaintext bytes rather than plaintext blocks.






          share|improve this answer











          $endgroup$













          • $begingroup$
            Do we attach that to every message or only on those which are the multiple of the blocksize?
            $endgroup$
            – Nime
            Jan 21 at 17:10






          • 2




            $begingroup$
            @Nime Take a look at the link in kelalaka's answer, the padding is explained. Short answer : The value of the bytes you add is the number of bytes you need to add in hexa (so 10 is only for message who are multiple of the blocksize, but other messages are also padded, with other values)
            $endgroup$
            – Faulst
            Jan 21 at 17:18








          • 1




            $begingroup$
            @kelalaka I think there is a typo in your answer, it's not PKCS1.5 padding, but PKCS#5 (or PKCS#7, depending on who you asked)
            $endgroup$
            – Faulst
            Jan 21 at 17:19






          • 3




            $begingroup$
            And corrected again, PKCS#5 is for 8 byte block ciphers only, as explained here - changed it into PKCS#7 and put some reasons down below when PKCS#7 compatible padding is not required. @Faulst No, for AES it is always PKCS#7; if you'd ask this and they'd reply PKCS#5 compatible padding they'd be wrong.
            $endgroup$
            – Maarten Bodewes
            Jan 21 at 17:50












          • $begingroup$
            @MaartenBodewes yes, it is my hex mistake :). Thanks for the nice additions.
            $endgroup$
            – kelalaka
            Jan 21 at 17:55











          Your Answer





          StackExchange.ifUsing("editor", function () {
          return StackExchange.using("mathjaxEditing", function () {
          StackExchange.MarkdownEditor.creationCallbacks.add(function (editor, postfix) {
          StackExchange.mathjaxEditing.prepareWmdForMathJax(editor, postfix, [["$", "$"], ["\\(","\\)"]]);
          });
          });
          }, "mathjax-editing");

          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "281"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: false,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: null,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          noCode: true, onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });














          draft saved

          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f66646%2faes-cbc-padding-why-always-attach-16x-0x10-pad%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown

























          1 Answer
          1






          active

          oldest

          votes








          1 Answer
          1






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes









          8












          $begingroup$

          You are talking about the PKCS#7 padding. There is a simple reason; assume that when the last block is full and you don't apply the padding before encryption and then send the message.



          When decrypting, the receiver needs to see a padding pattern to remove the padding. What if the last byte is 01 of the message? is it padding or the message itself? Similarly with low probability same if the last bytes are 0202, and so on.



          Instead of this, padding with 10 for an additional extra plaintext block solves the problem.




          There are no reasons to perform this particular kind of padding if the plaintext size is known in advance. It may also not be required if the size of the plaintext can be determined by other means. For instance, ASCII encoded text will generally not contain a byte set to zero, so zero-byte padding may be used if the text is not a multiple of the block size. PKCS#7 padding can however always be removed deterministically, independently of the contents of the message.



          Many modes, especially streaming modes such as the popular CTR (counter) mode and derivatives - such as the authenticated GCM mode - do not require padding at all; they operate on plaintext bytes rather than plaintext blocks.






          share|improve this answer











          $endgroup$













          • $begingroup$
            Do we attach that to every message or only on those which are the multiple of the blocksize?
            $endgroup$
            – Nime
            Jan 21 at 17:10






          • 2




            $begingroup$
            @Nime Take a look at the link in kelalaka's answer, the padding is explained. Short answer : The value of the bytes you add is the number of bytes you need to add in hexa (so 10 is only for message who are multiple of the blocksize, but other messages are also padded, with other values)
            $endgroup$
            – Faulst
            Jan 21 at 17:18








          • 1




            $begingroup$
            @kelalaka I think there is a typo in your answer, it's not PKCS1.5 padding, but PKCS#5 (or PKCS#7, depending on who you asked)
            $endgroup$
            – Faulst
            Jan 21 at 17:19






          • 3




            $begingroup$
            And corrected again, PKCS#5 is for 8 byte block ciphers only, as explained here - changed it into PKCS#7 and put some reasons down below when PKCS#7 compatible padding is not required. @Faulst No, for AES it is always PKCS#7; if you'd ask this and they'd reply PKCS#5 compatible padding they'd be wrong.
            $endgroup$
            – Maarten Bodewes
            Jan 21 at 17:50












          • $begingroup$
            @MaartenBodewes yes, it is my hex mistake :). Thanks for the nice additions.
            $endgroup$
            – kelalaka
            Jan 21 at 17:55
















          8












          $begingroup$

          You are talking about the PKCS#7 padding. There is a simple reason; assume that when the last block is full and you don't apply the padding before encryption and then send the message.



          When decrypting, the receiver needs to see a padding pattern to remove the padding. What if the last byte is 01 of the message? is it padding or the message itself? Similarly with low probability same if the last bytes are 0202, and so on.



          Instead of this, padding with 10 for an additional extra plaintext block solves the problem.




          There are no reasons to perform this particular kind of padding if the plaintext size is known in advance. It may also not be required if the size of the plaintext can be determined by other means. For instance, ASCII encoded text will generally not contain a byte set to zero, so zero-byte padding may be used if the text is not a multiple of the block size. PKCS#7 padding can however always be removed deterministically, independently of the contents of the message.



          Many modes, especially streaming modes such as the popular CTR (counter) mode and derivatives - such as the authenticated GCM mode - do not require padding at all; they operate on plaintext bytes rather than plaintext blocks.






          share|improve this answer











          $endgroup$













          • $begingroup$
            Do we attach that to every message or only on those which are the multiple of the blocksize?
            $endgroup$
            – Nime
            Jan 21 at 17:10






          • 2




            $begingroup$
            @Nime Take a look at the link in kelalaka's answer, the padding is explained. Short answer : The value of the bytes you add is the number of bytes you need to add in hexa (so 10 is only for message who are multiple of the blocksize, but other messages are also padded, with other values)
            $endgroup$
            – Faulst
            Jan 21 at 17:18








          • 1




            $begingroup$
            @kelalaka I think there is a typo in your answer, it's not PKCS1.5 padding, but PKCS#5 (or PKCS#7, depending on who you asked)
            $endgroup$
            – Faulst
            Jan 21 at 17:19






          • 3




            $begingroup$
            And corrected again, PKCS#5 is for 8 byte block ciphers only, as explained here - changed it into PKCS#7 and put some reasons down below when PKCS#7 compatible padding is not required. @Faulst No, for AES it is always PKCS#7; if you'd ask this and they'd reply PKCS#5 compatible padding they'd be wrong.
            $endgroup$
            – Maarten Bodewes
            Jan 21 at 17:50












          • $begingroup$
            @MaartenBodewes yes, it is my hex mistake :). Thanks for the nice additions.
            $endgroup$
            – kelalaka
            Jan 21 at 17:55














          8












          8








          8





          $begingroup$

          You are talking about the PKCS#7 padding. There is a simple reason; assume that when the last block is full and you don't apply the padding before encryption and then send the message.



          When decrypting, the receiver needs to see a padding pattern to remove the padding. What if the last byte is 01 of the message? is it padding or the message itself? Similarly with low probability same if the last bytes are 0202, and so on.



          Instead of this, padding with 10 for an additional extra plaintext block solves the problem.




          There are no reasons to perform this particular kind of padding if the plaintext size is known in advance. It may also not be required if the size of the plaintext can be determined by other means. For instance, ASCII encoded text will generally not contain a byte set to zero, so zero-byte padding may be used if the text is not a multiple of the block size. PKCS#7 padding can however always be removed deterministically, independently of the contents of the message.



          Many modes, especially streaming modes such as the popular CTR (counter) mode and derivatives - such as the authenticated GCM mode - do not require padding at all; they operate on plaintext bytes rather than plaintext blocks.






          share|improve this answer











          $endgroup$



          You are talking about the PKCS#7 padding. There is a simple reason; assume that when the last block is full and you don't apply the padding before encryption and then send the message.



          When decrypting, the receiver needs to see a padding pattern to remove the padding. What if the last byte is 01 of the message? is it padding or the message itself? Similarly with low probability same if the last bytes are 0202, and so on.



          Instead of this, padding with 10 for an additional extra plaintext block solves the problem.




          There are no reasons to perform this particular kind of padding if the plaintext size is known in advance. It may also not be required if the size of the plaintext can be determined by other means. For instance, ASCII encoded text will generally not contain a byte set to zero, so zero-byte padding may be used if the text is not a multiple of the block size. PKCS#7 padding can however always be removed deterministically, independently of the contents of the message.



          Many modes, especially streaming modes such as the popular CTR (counter) mode and derivatives - such as the authenticated GCM mode - do not require padding at all; they operate on plaintext bytes rather than plaintext blocks.







          share|improve this answer














          share|improve this answer



          share|improve this answer








          edited Jan 21 at 17:49









          Maarten Bodewes

          54.9k679194




          54.9k679194










          answered Jan 21 at 15:54









          kelalakakelalaka

          8,04322350




          8,04322350












          • $begingroup$
            Do we attach that to every message or only on those which are the multiple of the blocksize?
            $endgroup$
            – Nime
            Jan 21 at 17:10






          • 2




            $begingroup$
            @Nime Take a look at the link in kelalaka's answer, the padding is explained. Short answer : The value of the bytes you add is the number of bytes you need to add in hexa (so 10 is only for message who are multiple of the blocksize, but other messages are also padded, with other values)
            $endgroup$
            – Faulst
            Jan 21 at 17:18








          • 1




            $begingroup$
            @kelalaka I think there is a typo in your answer, it's not PKCS1.5 padding, but PKCS#5 (or PKCS#7, depending on who you asked)
            $endgroup$
            – Faulst
            Jan 21 at 17:19






          • 3




            $begingroup$
            And corrected again, PKCS#5 is for 8 byte block ciphers only, as explained here - changed it into PKCS#7 and put some reasons down below when PKCS#7 compatible padding is not required. @Faulst No, for AES it is always PKCS#7; if you'd ask this and they'd reply PKCS#5 compatible padding they'd be wrong.
            $endgroup$
            – Maarten Bodewes
            Jan 21 at 17:50












          • $begingroup$
            @MaartenBodewes yes, it is my hex mistake :). Thanks for the nice additions.
            $endgroup$
            – kelalaka
            Jan 21 at 17:55


















          • $begingroup$
            Do we attach that to every message or only on those which are the multiple of the blocksize?
            $endgroup$
            – Nime
            Jan 21 at 17:10






          • 2




            $begingroup$
            @Nime Take a look at the link in kelalaka's answer, the padding is explained. Short answer : The value of the bytes you add is the number of bytes you need to add in hexa (so 10 is only for message who are multiple of the blocksize, but other messages are also padded, with other values)
            $endgroup$
            – Faulst
            Jan 21 at 17:18








          • 1




            $begingroup$
            @kelalaka I think there is a typo in your answer, it's not PKCS1.5 padding, but PKCS#5 (or PKCS#7, depending on who you asked)
            $endgroup$
            – Faulst
            Jan 21 at 17:19






          • 3




            $begingroup$
            And corrected again, PKCS#5 is for 8 byte block ciphers only, as explained here - changed it into PKCS#7 and put some reasons down below when PKCS#7 compatible padding is not required. @Faulst No, for AES it is always PKCS#7; if you'd ask this and they'd reply PKCS#5 compatible padding they'd be wrong.
            $endgroup$
            – Maarten Bodewes
            Jan 21 at 17:50












          • $begingroup$
            @MaartenBodewes yes, it is my hex mistake :). Thanks for the nice additions.
            $endgroup$
            – kelalaka
            Jan 21 at 17:55
















          $begingroup$
          Do we attach that to every message or only on those which are the multiple of the blocksize?
          $endgroup$
          – Nime
          Jan 21 at 17:10




          $begingroup$
          Do we attach that to every message or only on those which are the multiple of the blocksize?
          $endgroup$
          – Nime
          Jan 21 at 17:10




          2




          2




          $begingroup$
          @Nime Take a look at the link in kelalaka's answer, the padding is explained. Short answer : The value of the bytes you add is the number of bytes you need to add in hexa (so 10 is only for message who are multiple of the blocksize, but other messages are also padded, with other values)
          $endgroup$
          – Faulst
          Jan 21 at 17:18






          $begingroup$
          @Nime Take a look at the link in kelalaka's answer, the padding is explained. Short answer : The value of the bytes you add is the number of bytes you need to add in hexa (so 10 is only for message who are multiple of the blocksize, but other messages are also padded, with other values)
          $endgroup$
          – Faulst
          Jan 21 at 17:18






          1




          1




          $begingroup$
          @kelalaka I think there is a typo in your answer, it's not PKCS1.5 padding, but PKCS#5 (or PKCS#7, depending on who you asked)
          $endgroup$
          – Faulst
          Jan 21 at 17:19




          $begingroup$
          @kelalaka I think there is a typo in your answer, it's not PKCS1.5 padding, but PKCS#5 (or PKCS#7, depending on who you asked)
          $endgroup$
          – Faulst
          Jan 21 at 17:19




          3




          3




          $begingroup$
          And corrected again, PKCS#5 is for 8 byte block ciphers only, as explained here - changed it into PKCS#7 and put some reasons down below when PKCS#7 compatible padding is not required. @Faulst No, for AES it is always PKCS#7; if you'd ask this and they'd reply PKCS#5 compatible padding they'd be wrong.
          $endgroup$
          – Maarten Bodewes
          Jan 21 at 17:50






          $begingroup$
          And corrected again, PKCS#5 is for 8 byte block ciphers only, as explained here - changed it into PKCS#7 and put some reasons down below when PKCS#7 compatible padding is not required. @Faulst No, for AES it is always PKCS#7; if you'd ask this and they'd reply PKCS#5 compatible padding they'd be wrong.
          $endgroup$
          – Maarten Bodewes
          Jan 21 at 17:50














          $begingroup$
          @MaartenBodewes yes, it is my hex mistake :). Thanks for the nice additions.
          $endgroup$
          – kelalaka
          Jan 21 at 17:55




          $begingroup$
          @MaartenBodewes yes, it is my hex mistake :). Thanks for the nice additions.
          $endgroup$
          – kelalaka
          Jan 21 at 17:55


















          draft saved

          draft discarded




















































          Thanks for contributing an answer to Cryptography Stack Exchange!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          Use MathJax to format equations. MathJax reference.


          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f66646%2faes-cbc-padding-why-always-attach-16x-0x10-pad%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          -

          Popular posts from this blog

          Mario Kart Wii

          Image
          Please consider supporting The Cutting Room Floor on Patreon. Thanks for all your support! Mario Kart Wii From The Cutting Room Floor Jump to: navigation, search Mario Kart Wii Developer : Nintendo Publisher : Nintendo Platform : Wii Released in JP : April 10, 2008 Released in US : April 27, 2008 Released in EU : April 11, 2008 Released in AU : April 24, 2008 Released in KR : April 30, 2009 This game has unused animations. This game has unused areas. This game has unused code. This game has unused objects. This game has unused modes / minigames. This game has unused graphics. This game has unused models. This game has unused items. This game has unused music. This game has regional differences. This game has a notes page This game has a prerelease article Mario Kart Wii is the sixth game in the series (not counting Arcade editions), which intro
          Read more

          What does “Dominus providebit” mean?

          Image
          5 Does "Dominus providebit" mean "The Lord will provide" or "The Lord provides"? I once had a bit of an argument with a guy who studied Latin over that. It's an inscription that appears on the rim of some old Swiss coins that I have. meaning latin-to-english-translation grammar-identification share | improve this question edited Jan 18 at 15:27 V2Blast 105 4 asked Jan 17 at 22:49 Donald K. Donald K. 26 1
          Read more

          Antonio Litta Visconti Arese

          Image
          Antonio Litta Visconti Arese I duca Litta, VII marchese di Gambolò In carica 1797 – 1820 Predecessore Pompeo Litta Visconti Arese Successore Alfonso Litta Visconti Arese Trattamento Sua grazia Altri titoli Duca Litta Conte del Regno napoleonico d'Italia Patrizio milanese Don Nascita Milano, 2 maggio 1748 Morte Milano, 14 agosto 1820 Dinastia Litta Visconti Arese Padre Pompeo Litta Visconti Arese Madre Maria Elisabetta Visconti Borromeo Consorte Barbara Barbiano di Belgioioso Religione cattolicesimo Antonio Litta Visconti Arese , I duca Litta, VII marchese di Gambolò (Milano, 2 maggio 1748 – Milano, 14 agosto 1820), è stato un nobile e politico italiano. Composizione "Il pastore svizzero" di Pietro Morlacchi, con dedica Indice 1 Biografia 2 Onorificenze 3 Araldica 4 Albero genealogico 5 Note 6 Altri progetti Biografia | Antonio Litta Visco
          Read more