Is there any benefit to verifying PKCS#7 padding when using AES CBC and HMAC?
As I'm using HMAC to ensure integrity and authenticity of the ciphertext, is there any additional security benefit to verifying PKCS#7 padding when decrypting using AES CBC? A previous question asked Why verify Padding at all? Part of the accepted answer was: In general, use a cryptographic MAC to protect your ciphertext, and verify it first. Emit those errors. Then padding errors should not occur at all. But I note the qualifier "in general" and I also know a number of cryptography libraries do validate the padding.
In general, use a cryptographic MAC to protect your ciphertext, and verify it first. Emit those errors. Then padding errors should not occur at all.
The “in general” seems to have been used to show that commonly is performed or should be performed. I don’t think it had anything to do with the security of the scheme itself.
PKCS#7 compatible padding can range from 1 to 16 bytes for block ciphers such as AES. If your plaintext always happens to be $n * 16 + 15$ bytes in size then your padding would consist of a single byte. A single byte is never enough to guarantee integrity of the plaintext.
Padding isn’t a checksum. It doesn’t say anything about the value of the plaintext. It tells you only something about the size of the plaintext.
Even if you would be able to use padding as an integrity check then you shouldn’t use it for transport protocol security. Padding checks allow padding oracle attacks to be performed. For instance OpenSSL uses sign-then-encrypt and requires special care to avoid padding oracle attacks.
Note that modern protocols often allow modes such as CTR or authenticated ciphers. Almost all authenticated ciphers based on block ciphers are based on CTR (i.e. CCM, GCM and EAX mode are all based on CTR mode to provide confidentiality). CTR doesn’t use padding at all. So you can often avoid the use of padding pretty entirely.
This also shows that padding mode is not a requirement to validate the correctness of the plaintext. If it was, all current authenticated ciphers would fail.
Padding should not be used for verifying correctness period. It should just be used for determining the length of the plaintext.
[CHANGED] After verifying the integrity you should check all the padding bytes, if just to verify the correctness of the implementation. Another reason to check the other bytes is to avoid worrying about subliminal (covert) channels. A slight disadvantage would be that you couldn’t use the same unpadding code to handle PKCS#7 and the withdrawn ISO 10126 padding (and you should make sure you don’t break anything if you change existing code with that in mind).
It does make sense to check if the value isn’t out of range, i.e. between 1 and the block size. You don’t want to handle issues with index-out-of-range or partial information in the code surrounding the cryptographic routine.
An even better solution would be to use a mode that doesn’t require padding at all. A good candidate would be the aforementioned CTR mode of operation which turns AES into a stream cipher or one of the authenticated (AEAD) ciphers.
- Database Administration Tutorials
- Programming Tutorials & IT News
- Linux & DevOps World
- Entertainment & General News
- Games & eSport