Cryptography Reference
61 62 63 64 65 03 03 03
a  b  c  d  e
des_encrypt can easily be changed to implement this padding scheme, as
shown in Listing 2-18.
Listing 2-18: “des.c” des_encrypt with PKCS #5 padding
// First, pad the input to a multiple of DES_BLOCK_SIZE.
// An input that is already block-aligned gets a full extra block of padding.
padding_len = DES_BLOCK_SIZE - ( plaintext_len % DES_BLOCK_SIZE );
padded_plaintext = malloc( plaintext_len + padding_len );
// This implements PKCS #5 padding: fill the whole buffer with the
// pad-length byte, then overwrite the front with the plaintext.
memset( padded_plaintext, padding_len, plaintext_len + padding_len );
memcpy( padded_plaintext, plaintext, plaintext_len );
des_operate( padded_plaintext, plaintext_len + padding_len, ciphertext,
  key, OP_ENCRYPT );
So, of these two options, which does SSL take? Actually, neither. SSL takes a
somewhat simpler approach to padding — the number of padding bytes is output
explicitly. If five bytes of padding are required, the very last byte of the decrypted
output is 5. If no padding was necessary, an extra 0 byte is appended on the end.
Implementing Cipher Block Chaining
A subtler issue with this implementation of DES is that two identical blocks of text,
encrypted with the same key, produce the same output. This can be useful information
for an attacker who can look for repeated blocks of ciphertext to determine the
characteristics of the input. Even worse, it lends itself to replay attacks. If the attacker
knows, for example, that an encrypted block represents a password, or a credit
card number, he doesn't need to decrypt it to use it. He can just present the same
ciphertext to the authenticating server, which then dutifully decrypts it and accepts
it as though it were encrypted using the original key — which, of course, it was.
The simplest way to deal with this is called cipher block chaining (CBC). After
encrypting a block of data, XOR it with the results of the previous block. The first
block, of course, doesn't have a previous block, so there's nothing to XOR it with.
Instead, the encryption routine should create a random eight-byte initialization
vector (sometimes also referred to as salt) and XOR the first block with that. This
initialization vector doesn't necessarily have to be strongly protected or strongly
randomly generated. It just has to be different every time so that encrypting a
certain string with a certain password produces different output every time.
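An added example (not code from the original page or book) contrasting ECB with CBC on two identical plaintext blocks. It uses standard CBC, where each plaintext block is XORed with the previous ciphertext block (the IV for the first block) before it is encrypted; `toy_encrypt`, the key, the two IVs and the plaintext are constructed stand-ins, and the toy transform replaces DES only to keep the block short and is not a secure cipher.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define BLOCK 8 /* DES block size in bytes */

/* Toy invertible transform standing in for DES (assumption for this demo; NOT secure). */
static void toy_encrypt(const uint8_t *in, uint8_t *out, const uint8_t *key) {
    for (int i = 0; i < BLOCK; i++) {
        uint8_t x = in[i] ^ key[i];
        out[(i + 3) % BLOCK] = (uint8_t)((x << 3) | (x >> 5)); /* rotate left 3, move byte */
    }
}
/* ECB: each block is encrypted on its own. len must be a multiple of BLOCK. */
void ecb_encrypt(const uint8_t *pt, size_t len, uint8_t *ct, const uint8_t *key) {
    for (size_t off = 0; off < len; off += BLOCK)
        toy_encrypt(pt + off, ct + off, key);
}
/* CBC: XOR the plaintext block with the previous ciphertext block (IV first), then encrypt. */
void cbc_encrypt(const uint8_t *pt, size_t len, uint8_t *ct,
                 const uint8_t *iv, const uint8_t *key) {
    uint8_t x[BLOCK];
    for (size_t off = 0; off < len; off += BLOCK) {
        for (int i = 0; i < BLOCK; i++) x[i] = pt[off + i] ^ iv[i];
        toy_encrypt(x, ct + off, key);
        iv = ct + off; /* chain: this ciphertext block feeds the next one */
    }
}
/* Constructed sample data: two identical plaintext blocks, a fixed key, two IVs. */
static const uint8_t KEY[BLOCK] = {1, 2, 3, 4, 5, 6, 7, 8};
static const uint8_t IV_A[BLOCK] = {0x10, 0x32, 0x54, 0x76, 0x98, 0xba, 0xdc, 0xfe};
static const uint8_t IV_B[BLOCK] = {0x0f, 0x1e, 0x2d, 0x3c, 0x4b, 0x5a, 0x69, 0x78};
static const uint8_t PT[] = "PASSWORDPASSWORD";

/* Returns 1 if ciphertext blocks 0 and 1 are identical, i.e. the repetition leaks. */
int repeat_leaks(int use_cbc) {
    uint8_t ct[2 * BLOCK];
    if (use_cbc) cbc_encrypt(PT, sizeof ct, ct, IV_A, KEY);
    else ecb_encrypt(PT, sizeof ct, ct, KEY);
    return memcmp(ct, ct + BLOCK, BLOCK) == 0;
}
/* Returns 1 if CBC output for the same plaintext and key is identical under the two IVs. */
int same_ciphertext(const uint8_t *iv1, const uint8_t *iv2) {
    uint8_t a[2 * BLOCK], b[2 * BLOCK];
    cbc_encrypt(PT, sizeof a, a, iv1, KEY);
    cbc_encrypt(PT, sizeof b, b, iv2, KEY);
    return memcmp(a, b, sizeof a) == 0;
}
int main(void) {
    printf("ECB leaks=%d CBC leaks=%d reused-IV same=%d fresh-IV same=%d\n", repeat_leaks(0),
           repeat_leaks(1), same_ciphertext(IV_A, IV_A), same_ciphertext(IV_A, IV_B));
    return 0;
}
```

Reusing an IV reproduces the same ciphertext, so a defender reviewing CBC code should check that a new IV is generated per message. Current guidance for CBC (NIST SP 800-38A) additionally requires the IV to be unpredictable, which in practice means drawing it from a cryptographic random number generator.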
Incidentally, you may come across the term ECB or Electronic Code Book chaining,
which actually refers to encryption with no chaining (that is, the encryption
routine developed in the previous section) and mostly serves to distinguish