- changed status to open
JWE - Padding for the A128CBC and A256CBC encryption
Issue #579
resolved
The A128CBC and A256CBC algorithms encrypt data in blocks of 128 bits. If the plain text is not a multiple of 128 bits (16 bytes), the decrypted cipher text may not be the same as the original plain text due to padding used by the encryption library. This could lead to possible interoperability issues.
NIST SP800-38A Appendix A describes the problem and lists some recommended solutions.
Another suggestion was to use the padding scheme used by XML Encryption.
The Wiki page at http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation#Padding also describes some solutions.
Comments (2)
- changed status to resolved
Fixed in the -02 JOSE JWE spec
This needs to be fixed in JWE.
CMS uses PKCS #5 padding, assigning up to 16 bytes to each message.
xmlenc uses a modified PKCS #5 with random bytes except the last one.
The only other real alternative is to use CBC-CS1. That however probably has less than optimal interoperability. http://csrc.nist.gov/publications/nistpubs/800-38a/addendum-to-nist_sp800-38A.pdf
The CS modes of CBC are thought to be stronger according to some papers and NIST. http://www.chiark.greenend.org.uk/~mdw/steal.pdf
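The two padding schemes compared in the comment above, as an added example that is not part of the original issue or of the JOSE spec text. It shows why a sender and receiver that disagree on the scheme only interoperate in one direction. The function names and the 16-byte block constant are assumptions made for the illustration; no encryption is performed, only the padding step.

```python
import os

BLOCK = 16  # AES block size in bytes (128 bits)


def pkcs_pad(data: bytes) -> bytes:
    """PKCS #5 style (PKCS #7 for 16-byte blocks): N bytes, each of value N."""
    n = BLOCK - len(data) % BLOCK  # 1..16, a full block if already aligned
    return data + bytes([n]) * n


def pkcs_unpad(padded: bytes) -> bytes:
    """Strict check: every one of the last N bytes must equal N."""
    if not padded or len(padded) % BLOCK:
        raise ValueError("length is not a positive multiple of the block size")
    n = padded[-1]
    if not 1 <= n <= BLOCK or padded[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return padded[:-n]


def xmlenc_pad(data: bytes, filler=os.urandom) -> bytes:
    """XML Encryption style: N-1 arbitrary bytes, then one byte of value N."""
    n = BLOCK - len(data) % BLOCK
    return data + filler(n - 1) + bytes([n])


def xmlenc_unpad(padded: bytes) -> bytes:
    """Only the last byte carries meaning; the filler cannot be validated."""
    if not padded or len(padded) % BLOCK:
        raise ValueError("length is not a positive multiple of the block size")
    n = padded[-1]
    if not 1 <= n <= BLOCK:
        raise ValueError("bad padding")
    return padded[:-n]


def interoperates(pad, unpad, message: bytes) -> bool:
    """True if a receiver using `unpad` recovers what a sender padded with `pad`."""
    try:
        return unpad(pad(message)) == message
    except ValueError:
        return False


if __name__ == "__main__":
    for msg in (b"abc", b"A" * 15, b"A" * 16):  # constructed sample plaintexts
        print(len(msg),
              "pkcs->xmlenc:", interoperates(pkcs_pad, xmlenc_unpad, msg),
              "xmlenc->pkcs:", interoperates(xmlenc_pad, pkcs_unpad, msg))
```

A strict PKCS #5 receiver accepts xmlenc-padded input only when a single padding byte was needed, which is why the scheme has to be fixed by the spec rather than left to the encryption library.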