none
System.Security.Cryptography AES, what are the last 17 bytes? RRS feed

  • Question

  • What is the Padding Mode in the AES CBC implementation of System.Security.Cryptography.

    Using a Key of 16 0x00s and an IV of 16 0x00s. The results are identical for the padding modes of "Zeros", "None", "PKCS7", "ANSIX923", and ISO10126, I encrypted a plaintext of 16 0x00s. My code pads the plaintext out with zeros to the next multiple of 16 bytes.  (I found the library throws an exception if my input text length is not a multiple of 16. )

    Here are my results:

    00000000000000000000000000000000 - Plain Text

    0000000000000000000000000000000000000000000000000000000000000000 - Plain Text with my Padding

    Crypto Text output from the modes of "Zeros", "None", "PKCS7", "ANSIX923", and ISO10126:

    66E94BD4EF8A2C3B884CFA59CA342B2EF795BD4A52E29ED713D313FA20E98DBC5C047616756FDC1C32E0DF6E8C59BB2A
    66E94BD4EF8A2C3B884CFA59CA342B2EF795BD4A52E29ED713D313FA20E98DBC5C047616756FDC1C32E0DF6E8C59BB2A
    66E94BD4EF8A2C3B884CFA59CA342B2EF795BD4A52E29ED713D313FA20E98DBC5C047616756FDC1C32E0DF6E8C59BB2A
    66E94BD4EF8A2C3B884CFA59CA342B2EF795BD4A52E29ED713D313FA20E98DBC5C047616756FDC1C32E0DF6E8C59BB2A
    66E94BD4EF8A2C3B884CFA59CA342B2EF795BD4A52E29ED713D313FA20E98DBC5C047616756FDC1C32E0DF6E8C59BB2A

    These last 16 bytes represent the PKCS7 padding mode.

    I wonder why can't I override the mode from the default?

    Even with the default padding kicked in, why does the library insist on the input text being a multiple of 16 bytes.  I thought that was what the padding was for.

     


    • Edited by DuckPaddle Monday, October 31, 2016 11:12 PM Further research
    Monday, October 31, 2016 1:54 PM

All replies

  • "The input and output must be multiples of 128bit" (block size) rule is defined in the AES algorithm itself (see FIPS Pub 197, Section 3.1) because of all the bit manipulation be used in this algorithm. Because of this padding is required when the input does not fit the blocksize.

    Usually null byte is choosen for padding because of the convenient side effect of automatic resizing in case of null-terminated string. (the type of string that marks end-of-string with a null character. Because of this the output will appear to be automatically trimmed by itself and no further processing is needed.)

    As for why you cannot override the padding, please show us your code for checking.
    • Edited by cheong00Editor Tuesday, November 1, 2016 2:24 AM
    • Proposed as answer by Kristin Xie Wednesday, November 2, 2016 5:36 AM
    Tuesday, November 1, 2016 2:21 AM
    Answerer