AES256 CBC W3C padding scheme (instead of PKCS#7) #26
Conversation
Fixed : 기본 패딩 모드 변경 DEFAULT_PADDING -> W3C_PADDING , AesCbcSymmetricAlgorithm.cpp
|
Server implementation: readium/readium-lcp-server#111 |
|
I just see in the DRMInside commit that the inline comments (line 99 and others was not changed and seems to indicate PKCS#7 is used, which is not the case anymore. Shouldn' the comment be updated? |
|
@llemeurfr agreed. |
|
On the client side, personally I would like to be able to switch between PKCS#7 and W3C padding schemes based on some discoverable metadata, such as the URI http://www.w3.org/2001/04/xmlenc#aes256-cbc |
|
What is the advantage, for the ecosystem, of offering such a flexibility? |
|
No discernable advantage for the "ecosystem", I think, because the LCP profile strictly requires one padding scheme. At any rate, assuming DRM-Inside's code contribution passes peer-reviews and tests, do we revisit the decision to use PKCS#7? My personal opinion is that if the URI |
|
I agree that DRMInside's contrib makes us revisit the decision to use PKCS#17. The other question is: should we be able to activate the use of PKCS#7 using some discoverable metadata? My feeling is that there is no real interest in that, and that the code (which is kept in the history) can be removed from the "live" code. |
|
okay. |
|
The only difference between PKCS#7 and W3C padding is that the W3C variant does not specify which values to use to fill the padding bytes (except for the last one), while PKCS specifies that every padding byte must be equal to the padding length. Thus, while appending the padding bytes, PKCS#7 is a superset of the W3C padding. As we can see in the client PR, the critical part is relaxing the requirement that the padding bytes be the same as the length of the pad. I would thus suggest that we keep the server as is and relax the requirement on the client, which is what DRMInside already proposed. |
|
IMO, we need to consider why W3C suddenly added the padding restriction in 2002. There was no padding details before 2002 in the W3C encryption standard. But after publishing the possibility of the Padding Oracle Attack on the block cipher algorithm in 2002, W3C had instantly updated the specification as size of the padding bytes should not be described in the padding block except last byte. Key point of the padding oracle is that the last encrypted block before the PKCS#7 padding could be easily cracked, if the decryption program provides unnecessary error codes related padding. So I think that not allowing using the vulnerable PCKS#7 on both server and client side is the clear way for not only consistency of the specification, but also the security perspective. |
…ding scheme (based on readium/readium-lcp-client#26 )
…ding scheme (based on readium/readium-lcp-client#26 )
|
Now that Readium is effectively creating a fork of CryptoPP, I have submitted a Pull Request at Crypto++ to add support for the W3C padding scheme for AES-256-CBC, based on DRM-Inside's code: weidai11/cryptopp#368 |
danielweck
force-pushed
the
feature/cbc-w3c-padding
branch
from
fd77cdf to
a6843bb
Compare
|
I have successfully tested this code with EPUBs encrypted by the Go server with the existing PKCS#7 method (this works because W3C algorithm operates on the client side as a "superset" functionally-speaking) |
|
Merging this CryptoPP patch directly into the Readium LCP client lib source tree. Note that we now maintain a Crypto++ fork in "parallel" at https://github.com/edrlab/cryptopp |
|
Follow-up: weidai11/cryptopp@8a177c5 |
|
The above follow-up is merged (cherry-picked) into the EDRLab fork of CryptoPP: |
|
So, all-in, this is the CBC W3C_PADDING diff: |
In reaction to:
readium/readium-lcp-server#18 (comment)
credits @drminside
Work In Progress
This contribution involves patching Crypto++