Padding
Purpose
The length of a ciphertext from a stream cipher is equal to the length of the plaintext. In most cases, this is not considered an issue. However, hiding the length of a message can be desirable, and ISO/IEC 7816-4 padding can be used to do this.
The amount of padding, determined by the block size, can either be deterministic or randomised. Both have their strengths and weaknesses.
Padding to a block size much smaller than the message length leaves the approximate unpadded length largely unprotected. PADMÉ can be used to limit leakage.
Padding should be applied to the plaintext before encryption and removed from the plaintext after decryption. The amount of padding does not need to be stored.
Usage
Fill
Fills a span with padding. This can then be manually concatenated with some data.
Exceptions
buffer has a length of 0.
GetPaddedLength
Returns the required buffer size for Pad() based on the unpadded length and a block size (e.g. 16 bytes).
Exceptions
unpaddedLength is less than 0.
blockSize is less than or equal to 0.
The amount of padding is too large.
Pad
Fills a span with the data padded up to the specified block size (e.g. a multiple of 16 bytes).
Exceptions
buffer has a length not equal to GetPaddedLength(data.Length, blockSize).
blockSize is less than or equal to 0.
GetUnpaddedLength
Returns the number of bytes to slice from the end of the padded data.
Exceptions
paddedData has a length of 0.
blockSize is less than or equal to 0.
Incorrect padding.
Notes
It is very difficult to hide that cryptography is being used. For example, even if padding is done appropriately and there are no plaintext headers, X25519 public keys are distinguishable from random.
Last updated