Unnecessary padding
Closed this issue · 3 comments
GoogleCodeExporter commented
What steps will reproduce the problem?
1. Prepare a CryptoJS.enc object with exactly 16 bytes, e.g.
var message = CryptoJS.enc.Hex.parse("151b901b61e843cfe3e470b032f61698");
or
var message = CryptoJS.enc.Utf8.parse("foobarfoobarfoob");
2. Encrypt this message with AES:
var iv = CryptoJS.enc.Hex.parse('00000000000000000000000000000000');
var key = CryptoJS.enc.Hex.parse('1df3d19c9f90d6b11df3d19c9f90d6b1');
var encrypted = CryptoJS.AES.encrypt(message, key, { iv: iv});
3. Print the encrypted object:
console.log(encrypted.ciphertext);
console.log(encrypted.ciphertext.toString(CryptoJS.enc.Hex));
What is the expected output? What do you see instead?
I expect a 16-byte (128-bit) encrypted string. For the above example:
"f9b2b93d5d14b44ba25954fd45a9cbf6" in hex representation.
Instead I get
"f9b2b93d5d14b44ba25954fd45a9cbf633d86f323e5106c08eb7a02b5e6866a9".
What version of the product are you using? On what operating system?
Mac OS X, Chrome Version 35.0.1916.114; CryptoJS 3.1.2
Please provide any additional information below.
When using ECB mode you can see the second block in the encrypted data is just a
zero block. Shortening the message by one character produces the correct encrypted
data.
This leads me to assume that unnecessary padding is done when the input data has
exactly the block size.
Original issue reported on code.google.com by johannes...@gmail.com
on 27 May 2014 at 10:15
GoogleCodeExporter commented
I found the problem in the padding function, in calculating the number of bytes to
add:
var nPaddingBytes = blockSizeBytes - data.sigBytes % blockSizeBytes;
To correct the problem with unnecessary padding when data.sigBytes =
blockSizeBytes, use this instead, as in pad-zeropadding.js:
blockSizeBytes - ((data.sigBytes % blockSizeBytes) || blockSizeBytes);
The attached patch corrects this in cipher-core.js. But the same problem also
exists in pad-ansix923.js and pad-iso10126.js.
Original comment by johannes...@gmail.com
on 27 May 2014 at 11:15
GoogleCodeExporter commented
Most padding schemes -- including PKCS7, ANSI.X, and ISO -- require that at
least one bit or byte be added, always.
(http://en.wikipedia.org/wiki/Padding_(cryptography)#Byte_padding) This is so
that the message can later be un-padded correctly. Otherwise, it wouldn't
always be possible to distinguish between the padding and the message.
Original comment by Jeff.Mott.OR
on 27 May 2014 at 11:26
- Changed state: Invalid
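The ambiguity described in the comment above, as an added example that is not part of the original thread and is not CryptoJS code. It works on plain byte arrays without AES; the function names (`pkcs7Pad`, `padOnlyIfNeeded`, `pkcs7Unpad`, `demo`) are hypothetical and the two sample messages are constructed.

```javascript
// Added example, not CryptoJS code. All function names are hypothetical.
const BLOCK = 16; // AES block size in bytes

// Standard PKCS#7: always append 1..BLOCK bytes, each equal to the pad length.
function pkcs7Pad(data) {
  const n = BLOCK - (data.length % BLOCK);
  return Uint8Array.from([...data, ...new Array(n).fill(n)]);
}

// Rule proposed in the issue: add nothing when the input is block-aligned.
function padOnlyIfNeeded(data) {
  const n = BLOCK - ((data.length % BLOCK) || BLOCK);
  return Uint8Array.from([...data, ...new Array(n).fill(n)]);
}

// Strip PKCS#7 padding, rejecting malformed input.
function pkcs7Unpad(padded) {
  if (padded.length === 0 || padded.length % BLOCK !== 0) throw new Error("bad length");
  const n = padded[padded.length - 1];
  if (n < 1 || n > BLOCK) throw new Error("bad padding");
  for (let i = padded.length - n; i < padded.length; i++) {
    if (padded[i] !== n) throw new Error("bad padding");
  }
  return padded.slice(0, padded.length - n);
}

const hex = (b) => Array.from(b, (x) => x.toString(16).padStart(2, "0")).join("");

// Constructed sample messages: 15 bytes, and 16 bytes whose last byte is 0x01.
const short15 = new Uint8Array(15).fill(0x41);
const full16 = Uint8Array.from([...short15, 0x01]);

function demo() {
  return {
    // Proposed rule: both messages become the same 16-byte plaintext block.
    proposedShort: hex(padOnlyIfNeeded(short15)),
    proposedFull: hex(padOnlyIfNeeded(full16)),
    // The receiver strips the final 0x01 and loses a real message byte.
    misreadFull: hex(pkcs7Unpad(padOnlyIfNeeded(full16))),
    // Standard rule: the aligned message gets a full extra block of 0x10.
    standardShort: hex(pkcs7Pad(short15)),
    standardFull: hex(pkcs7Pad(full16)),
    roundTripFull: hex(pkcs7Unpad(pkcs7Pad(full16))),
  };
}

console.log(demo());
```

The extra 16 bytes in `standardFull` correspond to the second ciphertext block reported in the issue.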
GoogleCodeExporter commented
Thank you for the explanation!
Original comment by johannes...@gmail.com
on 28 May 2014 at 7:54