Why can the last block contain a full block of padding in CBC Encryption?


Why can the last block contain a full block of padding in CBC Encryption?

I'm trying to understand the SSL Poodle Attack and I'm wondering why the last block of a CBC Record can be full of padding? Wouldn't that mean that the useful data was already a multiple of the key size?
Maybe I'm misunderstanding something else here, as it would seem like you can pad by any number of full blocks of padding. Just don't see why an SSL Library would do that.


Answer 1:

SSL padding always pads, using 1..blocksize bytes (8 bytes for triple DES, 16 for AES). This padding makes it deterministic independently of the value of the plaintext. It’s a padding mode similar to ISO 10126 (only the last padding byte is one less).

Other padding values – such as the zero padding performed by PHP’s mcrypt library – are also deterministic, but they require the plaintext never to end with a 00 byte value. If you know the length in advance, then you could of course use any kind of padding and just toss away the spurious bytes.

Note that padding is only required for CBC and ECB modes of operation (at least for the popular modes of operation), and that for CBC ciphertext stealing could be deployed as well. Currently CTR is becoming more popular (it is also used in most authenticated modes of encryption), and it doesn’t require padding.

Note that the Poodle attack is a padding oracle attack. This attack is not possible if the ciphertext is integrity protected. SSL however uses MAC-then-encrypt, which makes the CBC mode of operation vulnerable.

Answer 2:

Yes, we always have to pad the message. The reason is simple: How do we know if the message has a padding or not if we don’t always pad?

Let’s say we pad with adding only $0$ bits. We got the (after padding) message $0101\,1100\,0000\,0000$ and a block size of 2 bytes (16 bits). Well, what was the original message? Was it $0101\,11$? Or was it $0101\,1100$? We don’t know.

We can of course pad with one $1$ bit and then as much $0$ bits as needed. This works every time if the message size is not a multiple of the block size, but not anymore of it is exactly a multiple of the block size. We would not know if the last $1$ and $0$s are padding or part of the mssage. Because of this we need to pad even if the message is already in “perfect size”.